Need Info? How To Subpoena Social Media

The Electronic Frontier Foundation, a donor-funded nonprofit dedicated to defending free speech, privacy, innovation, and consumer rights online, has been hounding relevant law enforcement agencies to get hold of documents identifying how the government seeks information from social networking sites and how the sites respond to these requests. Via an ongoing social networking Freedom of Information Act (FOIA) request, the EFF asked for copies of the guides that the social networks themselves provide to law enforcement, explaining how to get information about site users. EFF pulled guides from thirteen companies, including Facebook, MySpace, AOL, eBay, Ning, Tagged, Craigslist and others. The EFF then compared the guides and organized the data in spreadsheets (.xls and .pdf). The guides cover the period from 2005 to 2010 and address requests for contact information, photos, IP logs, friend networks, buying history, and private messages. The EFF wasn’t able to secure Twitter’s guide, but they did their own research and found some relevant information on the site to include on their spreadsheets as well.

Check out the spreadsheet at the link above. Or, if you want to see some sample policy language straight from the horses’ mouths at Facebook, Craigslist and Twitter, hit the links below:



Are You Concerned About Privacy On The Web?

There are as many different mindsets on web privacy as there are web users out there. Every week or so, a new “scare” crops up, be it a hacking scam or an exposé on oversharing. But I wonder if users are truly aware of the limits of their privacy on-line. I know that I could have a better understanding than I currently possess.

I am a bit wiser about protected information after reading a Computerworld article (link here), published yesterday, about the information that Facebook or Comcast may turn over to authorities in response to subpoenas. The breadth of the information is quite large. As the article explains, the information to be turned over must comply with applicable laws (and presumably Constitutional protections). However, as the ability to track information on the internet is far more fine-grained than in real-life, failing to comply with the law can be far more damning in cyber-space.

The documents supporting the Computerworld article are concededly a few years dated and may have been updated. Nonetheless, they are illuminating. For example, when Facebook is served with a subpoena, it follows its internal guidelines, set forth below:

Types of Information Available

User Neoprint

The Neoprint is an expanded view of a given user profile. A request should specify that they are requesting a “Neoprint of user Id XXXXXX”.

User Photoprint

The Photoprint is a compilation of all photos uploaded by the user that have not been deleted, along with all photos uploaded by any user which have the requested user tagged in them. A request should specify that they are requesting a “Photoprint of user Id XXXXXX”.

User Contact Info

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:

* Birth date

* Contact e-mail address(es)

* Physical address

* Work phone

* Screen name (usually for AOL Messenger/iChat)

With the exception of contact e-mail and activated mobile numbers, Facebook validates none of this information. A request should specify that they are requesting “Contact information of user specified by [some other piece of contact information]”. No historical data is retained.

Group Contact Info

Where a group is known, we will provide a list of users currently registered in a group. We will also provide a PDF of the current status of the group profile page.

A request should specify that they are requesting “Contact information for group XXXXXX”.

No historical data is retained.

IP Logs

IP logs can be produced for a given user ID or IP address. A request should specify that they are requesting the “IP log of user Id XXXXXX” or “IP log of IP address”.

The log contains the following information:

* Script – script executed. For instance, a profile view of the URL would populate script with “profile.php”

* Scriptget – additional information passed to the script. In the above example, scriptget would contain “id=29445421”

* Userid – The Facebook user id of the account active for the request

* View time – date of execution in Pacific Time

* IP – source IP address

IP log data is generally retained for 90 days from present date. However, this data source is under active and major redevelopment and data may be retained for a longer or shorter period.

Special Requests

The Facebook Security Team may be able to retrieve specific information not addressed in the general categories above. Please contact Facebook if you have a specific investigative need prior to issuing a subpoena or warrant.

When Comcast is directed to hand over information, the type and amount is even more overwhelming. Of course, there are the emails, customer information including contact and payment data, and similar details one might expect. But Comcast also can assist law enforcement in effecting what are called “pen registers” or “trap and trace” devices, which track all of your internet activity, including emails, websites and IMs.

Of course, one should bear in mind that there must first be some lawful basis for investigation to support the issuance of a subpoena (although some of the safeguards may be bypassed if there “is an immediate danger of death or an immediate risk of serious physical injury…”).

I still contend that the best safeguard against inadvertent disclosure of dangerous information is a healthy dose of common sense. Lacking that, however, privacy should indeed be a concern, particularly for those skirting the line of legality. Perhaps assuming that you have no privacy on-line would be the safest way to proceed.