Social Media and Law Enforcement: Who Gets What Data and When?


This month, we were reminded how important it is that social media
companies do what they can to protect the sensitive data they hold from
the prying eyes of the government. As many news outlets have reported,
the US Department of Justice recently obtained a court order for
records from Twitter on several of its users related to the WikiLeaks
disclosures. Instead of just turning over this information, Twitter "beta-tested a spine" and notified its users of the court order, thus giving them the opportunity to challenge it in court.

We have been investigating how the government seeks information from
social networking sites such as Twitter and how the sites respond to
these requests in our ongoing social networking Freedom of Information Act (FOIA) request, filed with the help of UC Berkeley's Samuelson Law, Technology & Public Policy Clinic.
As part of our request to the Department of Justice and other federal
agencies, we asked for copies of the guides the sites themselves send
out to law enforcement explaining how agents can obtain information
about a site's users and what kinds of information are available. The
information we got back enabled us to make an unprecedented comparison
of these critical documents, as most of the information was not
available publicly before now.

We received copies of guides from 13 companies, including Facebook,
MySpace, AOL, eBay, Ning, Tagged, Craigslist and others, and for some of
the companies we received several versions of the guide. We have combed
through the data in these guides and, with the Samuelson Clinic's help,
organized it into a comprehensive spreadsheet (in .xls and .pdf)
that compares how the companies handle requests for user information
such as contact information, photos, IP logs, friend networks, buying
history, and private messages. And although we didn't receive a copy of
Twitter's law enforcement guide, Twitter publishes some relevant information on its site, so we have included that in our spreadsheet for comparison.

The guides we received, which were dated between 2005 and 2010, show
that social networking sites have struggled to develop consistent,
straightforward policies to govern how and when they will provide
private user information to law enforcement agencies. The guides also
show how those policies (and how the companies present their policies to
law enforcement) have evolved over time.

For example, the 2008 version of Facebook's guide explains in detail
the different types of information it collects on its users, but it does
not address the legal requirements necessary to obtain this data. In
contrast, the 2009 version groups this information into three categories
(basic subscriber information, limited content, and remaining content)
and describes, under the Electronic Communications Privacy Act (ECPA),
the different legal processes required to obtain the various data.
However, the 2010 version merely says that the company "will provide
records as required by law." Facebook doesn't explain why it changed its
language from year to year. While the 2010 guide's language may allow
the company to be flexible in responding to requests under a complicated
and outdated statute, it does so at the cost of transparency into
how it handles these requests.

MySpace's guides also show an evolution. The September 2005 and March
2006 versions of MySpace's guides distinguish between public and
private user information, requiring only a subpoena for IP logs, contact
information, and private messages. The June 2006 and November 2007
versions establish several different categories of user information that
require different legal processes, ranging from a subpoena for a user's
name to a search warrant for access to a user's private messages.

Also, in early versions of its guide, MySpace outlines that it will
preserve data requested by law enforcement agents for 90 days. Law
enforcement agents can then request a 90-day extension for a total
preservation period of 180 days. This changed in the November 2007
guide, where MySpace said that it would "preserve the specific
information identified in the request for up to 180 days and will extend
the preservation as necessary at your request." The November 2007 guide
also describes MySpace's Sentinel SAFE project, a previously
unmentioned campaign designed to identify and remove registered sex
offenders from the social network. Once MySpace matches a profile to a
registered sex offender, it removes the user from the site and preserves
the complete profile. Law enforcement officers who provide the
appropriate legal process can then access the profile. The November 2007
guide goes even further in helping law enforcement: it details how
agents can find MySpace information on a user's computer, such as
through IM client logs, cookie data, cached MySpace pages, and stored
login information. The guide doesn't say what prompted these substantial
changes, but they are likely linked to the controversy surrounding alleged
sexual predators on MySpace and the agreement MySpace made with several state attorneys general to do more to protect children.

There were also more subtle differences between the guides. While the
guides are written to educate law enforcement about the type of user
information the companies maintain and the legal process required to get
it, some, such as MySpace and Yahoo!, provide law enforcement with
sample language for data request letters, subpoenas, and search
warrants. The requesting law enforcement agency can then use the
template created by the companies.

Also, while ECPA allows companies to charge law enforcement for the
time it takes to get the requested user information, only Yahoo!'s guide
actually discusses this issue. The Yahoo! guide includes a fee schedule
to approximate how much law enforcement will have to pay to obtain
various types of user data from the company. For example, Yahoo! charges
approximately $20 for basic subscriber records or "groups with a single
moderator" and approximately $30-40 per user for the contents of
subscriber accounts, including email. Also, where law enforcement
requests deleted content, Yahoo! states it will "seek reimbursement for
any engineer time incurred in connection with the request."

Another difference between the guides shows up in how the companies
deal with emergency requests from law enforcement. Under ECPA, the sites
are allowed to disclose information without legal process when the
companies believe there is a threat of death or serious physical injury.
Most companies merely note that ECPA permits them to disclose this
information in certain defined situations. However, some companies seem
to go above and beyond the ECPA requirements. For example, MSN states
that it "will respond" to these requests "outside normal business
hours," and eBay and MySpace have set up a special hotline or "First
Responder" service that can (in eBay's case) "return calls within 24
hours and process complaints quickly." Of all the guides we received,
Yahoo!'s was the only one to remind law enforcement that Yahoo! "is not
required" to disclose this information. Yahoo! also requires law
enforcement officers to explain why normal disclosure would be
insufficient and why the information Yahoo! has will help avert the
threat.

Facebook was the only company to make clear that its strict policies
against fake accounts apply to law enforcement as well. In its 2008 and
2009 guides it notes that it will disable all accounts that provide
false or misleading information, including police accounts, and in its
2010 guide it notes that it will "always disable accounts that supply
false or misleading profile information or attempt to technically or
socially circumvent site privacy measures."

Of the guides we received, only Craigslist provides law enforcement disclosure information on its website (Twitter does too,
but we didn't get a copy of its guide in response to our FOIA request).
This is unfortunate. Social media sites' users should be able to see
how the companies that hold their data respond to government requests
for it. And, as we know, this affects a large number of real people.
Twitter states that it has 175 million users. MySpace has over 100 million, and Facebook states it has 500 million. Without access to this information, it is impossible to evaluate how well these companies protect their users' data.

For more information on how social media companies treat their users' data, see our spreadsheet, available in .xls and .pdf, or the individual guides here.

Our work is licensed under Creative Commons (CC BY-NC-ND 3.0). Feel free to republish and share widely.