FB, Google Get Limited Disclosure Approval

The Government has agreed to let Facebook and other web companies publish some details about the number of surveillance requests it has received.

Facebook has already posted their numbers. For the last six months of 2012, it received between 9,000 and 10,000 requests for user data pertaining to 18,000 to 19,000 of user accounts. This includes requests from all government entities in the U.S. (local, state, and federal, and including criminal and national security-related requests)

Here is Facebook's statement on the release. What's allowed to be disclosed: [More...]

all U.S. national security-related requests (including FISA as well as National Security Letters) – which until now no company has been permitted to do.

Continued restrictions:

As of today, the government will only authorize us to communicate about these numbers in aggregate, and as a range. This is progress, but we’re continuing to push for even more transparency, so that our users around the world can understand how infrequently we are asked to provide user data on national security grounds.

FB points out it has over 1 billion users so the requests affect a very small amount of users and data. The numbers also include law enforcement requests for things like missing child investigations.

I'm not sure what FB is crowing about, since Google's Transparency Report has included the number of requests and user accounts affected since 2010. For the last six months of 2012, law enforcement requested information more than 21,000 times on 33,000+ users.

Personally, I think use of all social media sites carry a tremendous privacy risk. Take a look at FB's page on Data Privacy page and see how much information it stores about you. You need to check three places, the Activities Log, Expanded Archives and Downloaded Info and Activity Logs.

To save you some time, I combined them in this slideshow. The complete data use policy is here.

One thing you can do to reduce the amount of information you share is to turn off the locations services on your smartphones and don't connect your accounts to each other. Tell your smartphone NOT to record the location where photos are taken. Otherwise the location is embedded in the photo's data and viewable by anyone who views the photo.

Why would people other than teenagers who live with their parents announce where they are on sites like FourSquare? It tells people you aren't home, it's an invitation for home invasions.

Don't feed Mr. Nosey. If you run across a media site that wants you to log in with your FB or Twitter account to comment, run the other way.

Here are Twitter's Guidelines for Law Enforcement. Its privacy and data retention policies are here. Take a few minutes to read through it and see how much they collect and for how long. You can download all the data in your Twitter account here.

Here's a listing of metadata collected by both Twitter and Facebook (they are different.)

Courts are also getting savvy about giving your social media information -- including content--to prosecutors, defense lawyers and civil litigants. A few things courts have ordered:

  • Ordered a juror to “execute a consent form sufficient to satisfy the exception” in the SCA to allow Facebook to produce the juror’s wall posts to defense counsel. Juror No. One v. Cal., No. CIV. 2:11397 WBS JFM, 2011 WL 567356, at *1 (E.D.Cal. Feb. 14, 2011).
  • Ordered a party to briefly change his Facebook profile to include a prior photograph so that his Facebook pages could be printed as they existed at a prior time. Katiroll Co. v. Kati Roll & Platters, Inc., Civil Action No. 10 3620 (GEB), 2011 WL 3583408, at *4 (D.N.J. Aug. 3, 2011).
  • Recommended that an individual “friend” the judge on Facebook in order to facilitate an in camera review of Facebook photos and comments. Barnes v. CUS Nashville, LLC, No. 3:09cv00764, 2010.
  • (4) Ordered parties to exchange social media account user names and passwords, Gallion v. Gallion, No. FA114116955S, 2011 WL 4953451, at *1 (Conn. Super.Ct. Sept. 30, 2011) (court ordered parties to exchange passwords to Facebook and a dating website.) McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD, 2010 WL 4403285 (Pa. Ct. Com. Pl. Sept. 9, 2010) (court ordered plaintiff to produce Facebook and MySpace login credentials to opposing counsel for “readonly access”)

The location information on your smartphone is the most revealing. It gives a complete picture of your patterns, habits and more. It will disclose if you visit an abortion clinic, a bar, or a political rally and how often.

There are companies out there who specialize in assisting law enforcement (and private parties) in extracting and verifying the information obtained from your social media accounts. They now provide "digital notary services." I can't find the link for where I got this right now, but here's the description:

A digital notary attests to the authenticity of a digital item as it is reflected at a particular date and time. In simple terms, digital notaries "seal" a digital item with specialized software in order to preserve the integrity of the item and digitally date and timestamp the item. Digital notaries perform a wide variety of services, including the authentication of the data on computer hard drives, e-mails, website ESI, Internet postings, digital photographs, and text messages or instant messages.

If law enforcement gets their hand on your phone, it's worse. Check out Cellebrite's description of its signature program, the UFED Touch Ultimate. Here is Cellebrite's page for its Physical Analyzer software.
Available with the UFED Touch Ultimate and UFED Classic Ultimate is the UFED Physical Analyzer: the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.

The UFED Physical Analyzer: the most advanced analysis, decoding and reporting application in the mobile forensic industry. It includes malware detection, enhanced decoding and reporting functions, project analytics, timeline graph, exporting data capabilities and much more.

We may not be able to do anything about the government obtaining our data from social media, but we can do things to reduce what it receives in response to its demands.

< TalkLeft Birthday and Open Thread | Saturday Open Thread >
  • The Online Magazine with Liberal coverage of crime-related political and injustice news

  • Contribute To TalkLeft

  • Display: Sort:
    It jiust never ends, does it? (5.00 / 2) (#4)
    by Anne on Sat Jun 15, 2013 at 08:28:26 AM EST
    Here's some more, from Bloomberg, about how corporations are essentially partnering with the government/NSA to exchange information:

    Thousands of technology, finance and manufacturing companies are working closely with U.S. national security agencies, providing sensitive information and in return receiving benefits that include access to classified intelligence, four people familiar with the process said.

    These programs, whose participants are known as trusted partners, extend far beyond what was revealed by Edward Snowden, a computer technician who did work for the National Security Agency. The role of private companies has come under intense scrutiny since his disclosure this month that the NSA is collecting millions of U.S. residents' telephone records and the computer communications of foreigners from Google Inc (GOOG). and other Internet companies under court order.


    Makers of hardware and software, banks, Internet security providers, satellite telecommunications companies and many other companies also participate in the government programs. In some cases, the information gathered may be used not just to defend the nation but to help infiltrate computers of its adversaries.

    Along with the NSA, the Central Intelligence Agency (0112917D), the Federal Bureau of Investigation and branches of the U.S. military have agreements with such companies to gather data that might seem innocuous but could be highly useful in the hands of U.S. intelligence or cyber warfare units, according to the people, who have either worked for the government or are in companies that have these accords.

    But not to worry, folks: it's all legal.

    Gag Order Unconstitutional (5.00 / 1) (#6)
    by squeaky on Sat Jun 15, 2013 at 09:12:55 AM EST
    I assume that this is why the Government has allowed the release of NSL requests.. they were forced to.. the 90 day "stay" period has expired just about now.
    U.S. District Judge Susan Illston ordered the government to stop issuing so-called NSLs across the board, in a stunning defeat for the Obama administration's surveillance practices. She also ordered the government to cease enforcing the gag provision in any other cases. However, she stayed her order for 90 days to give the government a chance to appeal to the Ninth Circuit Court of Appeals.

    "We are very pleased that the Court recognized the fatal constitutional shortcomings of the NSL statute," said Matt Zimmerman, senior staff attorney for the Electronic Frontier Foundation, which filed a challenge to NSLs on behalf of an unknown telecom that received an NSL in 2011. "The government's gags have truncated the public debate on these controversial surveillance tools. Our client looks forward to the day when it can publicly discuss its experience....

    A blanket prohibition on disclosure, she found, was overly broad and "creates too large a danger that speech is being unnecessarily restricted." She noted that 97 percent of the more than 200,000 NSLs that have been issued by the government were issued with nondisclosure orders....

    ...She also noted that since the gag order on NSL's is indefinite -- unless a recipient files a petition with the court asking it to modify or set aside the nondisclosure order -- it amount to a "permanent ban on speech absent the rare recipient who has the resources and motivation to hire counsel and affirmatively seek review by a district court." [emphasis mine]


    "Limited Disclosure Approval" (5.00 / 1) (#7)
    by Mr Natural on Sun Jun 16, 2013 at 11:29:14 AM EST
    Can't help remembering John Erlichman's famous and relevant phrase, modified limited hangout.

    Why was a juror required to make (none / 0) (#1)
    by caseyOR on Sat Jun 15, 2013 at 12:49:16 AM EST
    FB info available to the court? Why would any juror have to give up FB or Twitter or any private info of this sort?

    Because what you post (none / 0) (#2)
    by Jeralyn on Sat Jun 15, 2013 at 02:40:47 AM EST
    on social media sites is public, not private (unless you restrict your privacy settings.) It's discoverable before trial and admissible during trial, if relevant and authenticated.

    But the rules for obtaining it are different for  law enforcement than for private litigants seeking the information.  The Stored Communications Act  provides ways for governmental entities to obtain content from sites like Facebook and Twitter (a warrant under the rules of criminal procedure if its been stored less than 180 days and an administrative subpoena or SCA order if stored more than 180 days). Otherwise, the sites cannot disclose content except with the consent of the user. (There are some exceptions but not relevant here.)

    Admissibility of social media evidence is generally determined under the same rules as other types of evidence. If it's relevant and authenticated, it can come in. Most courts leave concerns about the reliability of the evidence, such as who authored it or whether the evidence is legitimate, to jurors who  decide what weight to give it.

    Since non-law enforcement can't apply for search warrants under the rules of criminal procedure,  courts have developed alternative ways for parties to get content, such as ordering witnesses, third parties or jurors to sign a consent and request and produce their own social media information.

    All the social media sites mention on their law enforcement pages that the procedures apply only to law enforcement, not to those seeking to enforce civil or criminal trial subpoenas.  

    As to relevance: If a juror tells the court during voir dire he never engaged in discussions about a certain case, and his publicly available FB postings show otherwise, that's relevant and will be admissible if authenticated.  One easy way of authenticating is to show it to the juror and see if he confirms he wrote it. If he denies it, then it's a bit harder, but still do-able through third parties and other means.

    Or think of a workman's comp case, where the injured person submits claims that his back is so messed up he can't work or get out of bed. But on his FB page, there's a picture of him lifting heavy objects or engaging in rigorous physical activity. That's relevant.

    Law enforcement also has tricks to get information that FB users restrict as viewable only to their "friends." Cops may use a cooperating witness who is a `friend' of the person to access the material and provide it. Or, they may pose on FB as someone who wants to be friends and send a friend request to get access. If a private lawyer deceptively friends someone to get access to their restricted FB information, they are subject to ethics sanctions.  

    There are even duties to preserve your account data in many instances and not delete it.

    If people would set strict privacy settings to their social media accounts, there might be less chance of it winding up in court.


    I am so glad that I do not have a FB (none / 0) (#3)
    by caseyOR on Sat Jun 15, 2013 at 02:44:22 AM EST
    account or a twitter account or anything like them. If the information is out on the 'net there is always the risk that someone will try to get it.

    I guess maybe my comments here at TL could be subpoenaed for some reason, but that would pretty much be it for me. Could a court ever require you to make available commenter information from TL, like email addresses or real names if you know them?


    Wow (none / 0) (#5)
    by jimakaPPJ on Sat Jun 15, 2013 at 08:38:47 AM EST
    "Don't feed Mr. Nosey. If you run across a media site that wants you to log in with your FB or Twitter account to comment, run the other way."

    Many newspapers are requiring this. Gannet leads the way.

    Google Not Playing Ball (none / 0) (#8)
    by squeaky on Sun Jun 16, 2013 at 01:28:40 PM EST
    Privacy concerns are front and center in the online world these days, and a deal taken by Facebook and Microsoft on government transparency doesn't pass the Google sniff test. Google claims the offer comes with strings attached they can't live with, and they appear to be holding out for a better offer.

    The current deal forces companies who wish to disclose FISA requests to lump in those coming from the NSA with that of U.S. local, state, and federal law enforcement agencies. This restriction alone makes it pretty much impossible to know where our information is going, and its further complicated by another rule that forces them to only report request in bands of 1,000.

    Google has taken a hard stance on the matter, and has released a pretty clear statement with what they hope to accomplish.

    We have always believed that it's important to differentiate between different types of government requests. We already publish criminal requests separately from National Security Letters. Lumping the two categories together would be a step back for users. Our request to the government is clear: to be able to publish aggregate numbers of national security requests, including FISA disclosures, separately.


    SITE VIOLATOR (none / 0) (#10)
    by CaptHowdy on Wed Sep 09, 2015 at 08:53:08 PM EST