There are as many different mindsets on web privacy as there are web users out there. Every week or so, a new “scare” crops up, be it a hacking scam or an expose on oversharing. But I wonder if users are truly aware of the limits of their privacy on-line. I know that I could have a better understanding than I currently posses.
I am a bit wiser about protected information after reading a Computerworld article (link here), published yesterday about the information that Facebook or Comcast may turn over to authorities in response to subpoenas. The breadth of the information is quite large. As the article explains, the information to be turned over must comply with applicable laws (and presumably Constitutional protections). However, as the ability to track information on the internet is far more fine-grained than in real-life, failing to comply with the law can be far more damning in cyber-space.
The documents supporting the Computerworld article are concededly a few years dated and may have been updated. Nonetheless, they are illuminating. For example, when Facebook is served with a subpoena, it follows its internal guidelines, set forth below:
Types of Information Available
The Neoprint is an expanded view of a given user profile. A request should specify that they are requesting a “Neoprint of used Id XXXXXX”.
The Photoprint is a compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. A request should specify that they are requesting a “Photoprint of user Id XXXXXX”.
User Contact Info
All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:
Contact e-mail address(s)
Screen name (usually for AOL Messenger/iChat)
With the exception of contact e-mail and activated mobile numbers, Facebook validates none of this information. A request should specify that they are requesting “Contact information of user specified by [some other piece of contact information]”. No historical data is retained.
Group Contact Info
Where a group is known, we will provide a list of users currently registered in a group. We will also provide a PDF of the current status of the group profile page.
A request should specify that they are requesting “Contact information for group XXXXXX”.
No historical data is retained.
IP logs can be produced for a given user ID or IP address. A request should specify that they are requesting the “IP log of user Id XXXXXX” or “IP log of IP address xxx.xxx.xxx.xxx”.
The log contains the following information:
* Script – script executed. For instance, a profile view of the URL http://www.facebook.com/profile.php?id=29445421 would populate script with “profile.php”
* Scriptget – additional information passed to the script. In the above example, scriptget would contain “id=29445421”
* Userid – The Facebook user id of the account active for the request
* View time – date of execution in Pacific Time
* IP – source IP address
IP log data is generally retained for 90 days from present date. However, this data source is under active and major redevelopment and data may be retained for a longer or shorter period.
The Facebook Security Team may be able to retrieve specific information not addressed in the general categories above. Please contact Facebook if you have a specific investigative need prior to issuing a subpoena or warrant.
When Comcast is directed to hand over information, the type and amount is even more overwhelming. Of course, there are the emails, customer information including contact and payment data, and similar details one might expecte. But Comcast also can assist law enforcement in effecting what are called “pen registers” or “trap and trace” devices, which track all of your internet activity, including emails, websites and IMs.
Of course, one should bear in mind that there must first be some lawful basis for investigation to support the issuance of a subpoena (although some of the safeguards may be bypassed if there “is an immediate danger of death or an immediate risk of serious physical injury…”).
I still contend that the best safeguard against inadvertent disclosure of dangerous information is a healthy dose of common sense. Lacking that, however, privacy should indeed be a concern, particularly for those skirting the line of legality. Perhaps assuming that you have no privacy on-line would be the safest way to proceed.