This month, we were reminded how important it is that social media companies do what they can to protect the sensitive data they hold from the prying eyes of the government. As many news outlets have reported, the US Department of Justice recently obtained a court order for records from Twitter on several of its users related to the WikiLeaks disclosures. Instead of just turning over this information, Twitter “beta-tested a spine” and notified its users of the court order, thus giving them the opportunity to challenge it in court.
We have been investigating how the government seeks information from social networking sites such as Twitter and how the sites respond to these requests in our ongoing social networking Freedom of Information Act (FOIA) request, filed with the help of UC Berkeley’s Samuelson Law, Technology & Public Policy Clinic. As part of our request to the Department of Justice and other federal agencies, we asked for copies of the guides the sites themselves send out to law enforcement explaining how agents can obtain information about a site’s users and what kinds of information are available. The information we got back enabled us to make an unprecedented comparison of these critical documents, as most of the information was not available publicly before now.
We received copies of guides from 13 companies, including Facebook, MySpace, AOL, eBay, Ning, Tagged, Craigslist and others, and for some of the companies we received several versions of the guide. We have combed through the data in these guides and, with the Samuelson Clinic’s help, organized it into a comprehensive spreadsheet (in .xls and .pdf) that compares how the companies handle requests for user information such as contact information, photos, IP logs, friend networks, buying history, and private messages. And although we didn’t receive a copy of Twitter’s law enforcement guide, Twitter publishes some relevant information on its site, so we have included that in our spreadsheet for comparison.
The guides we received, which were dated between 2005 and 2010, show that social networking sites have struggled to develop consistent, straightforward policies to govern how and when they will provide private user information to law enforcement agencies. The guides also show how those policies (and how the companies present their policies to law enforcement) have evolved over time.
For example, the 2008 version of Facebook’s guide explains in detail the different types of information it collects on its users, but it does not address the legal requirements necessary to obtain this data. In contrast, the 2009 version groups this information into three categories (basic subscriber information, limited content, and remaining content) and describes, under the Electronic Communications Privacy Act (ECPA), the different legal processes required to obtain the various data. However, the 2010 version merely says that the company “will provide records as required by law.” Facebook doesn’t explain why it changed its language from year to year. While the 2010 guide’s language may allow the company to be flexible in responding to requests under a complicated and outdated statute, it does so through a loss of transparency into how it handles these requests.
MySpace’s guides also show an evolution. The September 2005 and March 2006 versions of MySpace’s guides distinguish between public and private user information, requiring only a subpoena for IP logs, contact information, and private messages. The June 2006 and November 2007 versions establish several different categories of user information that require different legal processes, ranging from a subpoena for a user’s name to a search warrant for access to a user’s private messages.
Also, in early versions of its guide, MySpace outlines that it will preserve data requested by law enforcement agents for 90 days. Law enforcement agents can then request a 90-day extension for a total preservation period of 180 days. This changed in the November 2007 guide, where MySpace said that it would “preserve the specific information identified in the request for up to 180 days and will extend the preservation as necessary at your request.” The November 2007 guide also describes MySpace’s Sentinel SAFE project, a previously unmentioned campaign designed to identify and remove registered sex offenders from the social network. Once MySpace matches a profile to a registered sex offender, it removes the user from the site and preserves the complete profile. Law enforcement officers who provide the appropriate legal process can then access the profile. The November 2007 guide goes even further in helping law enforcement—it details how agents can find MySpace information on a user’s computer, such as through IM client logs, cookie data, cached MySpace pages, and stored login information. The guide doesn’t say what prompted these substantial changes, but it is likely linked to the controversy surrounding alleged sexual predators on MySpace and the agreement MySpace made with several state attorneys general to do more to protect children.
There were also more subtle differences between the guides. While the guides are written to educate law enforcement about the type of user information the companies maintain and the legal process required to get it, some, such as MySpace and Yahoo!, provide law enforcement with sample language for data request letters, subpoenas, and search warrants. The requesting law enforcement agency can then use the template created by the companies.
Also, while ECPA allows companies to charge law enforcement for the time it takes to get the requested user information, only Yahoo!’s guide actually discusses this issue. The Yahoo! guide includes a fee schedule to approximate how much law enforcement will have to pay to obtain various types of user data from the company. For example, Yahoo! charges approximately $20 for basic subscriber records or “groups with a single moderator” and approximately $30-40 per user for the contents of subscriber accounts, including email. Also, where law enforcement requests deleted content, Yahoo! states it will “seek reimbursement for any engineer time incurred in connection with the request.”
Another difference between the guides shows up in how the companies deal with emergency requests from law enforcement. Under ECPA, the sites are allowed to disclose information without legal process when the companies believe there is a threat of death or serious physical injury. Most companies merely note that ECPA permits them to disclose this information in certain defined situations. However, some companies seem to go above and beyond the ECPA requirements. For example, MSN states that it “will respond” to these requests “outside normal business hours,” and eBay and MySpace have set up a special hotline or “First Responder” service that can (in eBay’s case) “return calls within 24 hours and process complaints quickly.” In all the guides we received, Yahoo!’s was the only one to remind law enforcement that Yahoo! “is not required” to disclose this information. Yahoo also requires law enforcement officers to explain why normal disclosure would be insufficient and why the information Yahoo! has will help avert the threat.
Facebook was the only company to make clear that its strict policies against fake accounts apply to law enforcement as well. In its 2008 and 2009 guides it notes that it will disable all accounts that provide false or misleading information, including police accounts, and in its 2010 guide it notes that it will “always disable accounts that supply false or misleading profile information or attempt to technically or socially circumvent site privacy measures.”
Of the guides we received, only Craigslist provides law enforcement disclosure information on its website (Twitter does too, but we didn’t get a copy of its guide in response to our FOIA request). This is unfortunate. Social media sites’ users should be able to see how the companies that hold their data respond to government requests for it. And, as we know, this affects a large number of real people. Twitter states that it has 175 million users. Myspace has over 100 million, and Facebook states it has 500 million. Without access to this information, it is impossible to evaluate how well these companies protect their users’ data.
This article was written by Jennifer Lynch and first published on Electronic Frontier Foundation.