Social Networking and E-Mail: Is Privacy Dead?
Facebook has now overtaken Google as the most visited website. How smart is it to share your life on Facebook or other social networking sites? This week, the keynote speaker at the South by Southwest Interactive (SXSWi) festival proclaimed privacy is not dead in the era of social networking, it just needs fixing. The speaker, Danah Boyd, works for Microsoft.
I disagree. It's very much dead, not only for social media but for e-mail. The evidence? Take a look at Facebook's subpoena and search warrant guide -- or Google's or AOL's or anyone else's. Or, take a look at the Stored Communications Act (18 USC 2703) and see how easy it is for law enforcement to get your personal information and contacts, and with a search warrant, the content of your communications.
How are you going to find those guides? I'm not going to publish them, but you can find them on Cryptome.org. I will tell you a little about what they will turn over:
According to its 2008 guide, Facebook will turn over: an expanded view of your profile, called a "neoprint"; all non-deleted photos you have uploaded to Facebook, and all photos others have uploaded in which you are "tagged" -- this is called a "photoprint"; all of your non-deleted contact information, regardless of whether you have marked it private -- including your phone numbers, email address and AIM screen name (excluding historical data which it does not keep); a user's IP logs, showing the IP addresses of the computer used to log onto Facebook -- they keep this for around 90 days, maybe longer.
You think law enforcement doesn't know about you or your Facebook account? Have you ever signed up to be a member of a Facebook group? Facebook will turn over a list of all members of the group. Once they have the list, there's nothing to stop law enforcement from requesting the information on any or every group member.
AOL is particularly helpful to law enforcement. Its 18-page guide even contains sample language with what information to ask for. In addition to your contact information, they will turn over your billing records and dates and times you were online, your payment source, including credit card and bank account information, your IP address (either the most recent, or upon request, the one used at a specific date and time) and subscriber information for a particular screen name. AOL even offers instructions for when law enforcement is seeking records for more than 10 screen names in a single request.
With a search warrant, AOL will also turn over the contents of your communications, including e-mails, photos and attachments and embedded files, your buddy lists, your address book, the dates you have had service with AOL ... even the dates you asked AOL for support with your account. It will turn over this information whether it is in AOL's electronic storage or if AOL is used as a remote computing service. With a probable cause order, they will also turn over X-drive information and contents.
AOL will also preserve the requested information upon receipt of a faxed request, before the court order is obtained.
On to Google and G-Mail. With a search warrant, Google will turn over not only your mail, but the information in other Google services you use, such as your Google Reader, Calendar, Talk, search history, spreadsheets and Finance and Toolbar. Once you delete the account, Google may or may not be able to turn it over.
For example, in the recent case of Bear Stearns exec Matthew Tannin (U.S. v. Cioffi et al), in 2009 the Government served Google with a search warrant seeking an email Tannin had written in 2006. Google first responded to the AUSA that because the account had been deleted, it didn't have access to the information. Later, on the eve of trial, Google notified the AUSA it had been able to find a copy of the account (and what was in it) as of November, 2007. It supplied the Government with a CD-ROM with the requested information. In it was the e-mail Tannin had written himself (like a diary entry) from November, 2006. The Court found the warrant was overbroad and violated the 4th Amendment. (Opinion here.) But the Government had already seen the contents.
In the Tannin case, other publicly filed documents show Google keeps e-mail and information in closed accounts on its active servers for up to 60 days and indefinitely on its backup servers.
The Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2701-2712) sets forth the appropriate legal process required to compel online services records custodians to disclose customer records and contents. Some records can be obtained by simple subpoena (no court order); some require a court order, for which all the government has to show is reasonable grounds to believe that the data is "relevant and material to an ongoing criminal investigation"; and only those containing "content" require a search warrant.
There are similar instructional guides for law enforcement put out by everyone from eBay and PayPal to Comcast and Microsoft (Windows Live, Hotmail, MSN Groups).
Every time you use an online service and your information goes into "the cloud", it's retrievable somewhere, somehow, if someone wants it badly enough. Nothing is private. Not social media, not your e-mail, not your Twitter, YouTube and Flickr accounts, not even the online services you use to store or back up your data, photos and videos.