Hackers Leak Facebook Law Enforcement Guidelines
A group of hackers claiming to represent Anonymous’s Antisec movement hijacked two Gmail accounts belonging to a retired California Department of Justice cybercrimes investigator, now a private investigator, and on November 18 published 38,000 private emails and identifying contact information online.
Among the data published by the hackers in a torrent file were two versions of what appears to be Facebook’s guidelines for law enforcement agencies, according to Public Intelligence, a collaborative research website dedicated to the freedom of information.
Specifically, the documents posted by the hackers and made available on the Public Intelligence website are two different versions of instructions on how agencies should submit subpoenas and requests for user data from the world’s largest social network, one of them dated 2010 and the other, shorter document dated November 2006.
Sources close to Facebook stated that the newly revealed guideline documents are “outdated,” and that an updated set of law enforcement guidelines is scheduled be made publicly available to all users on Facebook’s Help Center late Wednesday.
The 2006 document notes that Facebook will not provide any user data without “a valid subpoena or warrant,” while the 2010 document states that the social network requires “a valid subpoena or a legal document with equivalent authority issued through your local court system.”
Federal warrant rulings permitting law enforcement agencies to obtain Facebook data have surged in recent years, Reuters reported, with federal judges granting over 24 warrants since 2008.
The newly revealed 2010 document expressly discourages law enforcement officers from creating phony accounts, even for undercover investigations: “We encourage you to report false accounts to Facebook, and discourage any use of false accounts by law enforcement,” the document states.
Both the 2010 and 2006 documents explain how agencies need to first locate a Facebook user’s or group’s unique ID number, which is easily seen in the URL after the letters “id” or “gid.”
The documents state that a law enforcement agency must submit this information to Facebook in order to retrieve information about the account in question. According to the documents, Facebook can then provide agencies with “basic subscription information (BSI)” which includes a user’s email address, mobile phone number (if provided by the user in their Facebook account), the date and time their account was created, and the most recent login times.
The 2006 document states that Facebook can provide a user’s “Neoprint,” which is described as an “expanded view” of a profile, including “all wall postings and messages to and from the user that have not been deleted by the user.” Facebook can, according to the document, also provide “a compilation” of all of a user’s photos and all of a user’s contact information that’s been uploaded, even if it doesn’t appear in their publicly viewable profile.
As far as Facebook Groups, the social network can provide a list of all users in the group, contact information and the current status of the group page, the 2006 document states.
Importantly, though, Facebook points out in the 2006 document that it cannot provide any user data that has already been deleted by the user before the time of the request. That’s seemingly at odds with the deleted data that Facebook turned over to an Austrian user upon request, who later filed a list of complaints with the Irish Data Commissioner, which is now auditing the social network. The 2010 document contains no mention of deleted data.
In addition, Facebook can reportedly provide law enforcement agencies with a user’s Internet Protocol (IP) logs, including the user’s unique IP address, the Facebook usernames associated with that IP address, and the most recent times that IP address viewed Facebook. The 2006 document states that Facebook “generally” retains IP logs for the past 30 days.
Finally, the documents state that the “Facebook Security Team,” may respond to “special requests” for information not contained in the above provisions, as well as provide “emergency disclosures.”
The 2010 document contains a notice that Facebook will immediately disable all user accounts that have been accused of illegal activity, although law enforcement agencies can stop the network from doing this in their request, at least temporarily, by writing “DO NOT DISABLE UNTIL [DATE],” and filling out a corresponding date. This provision is to allow agencies the freedom to continue pursuing an investigation that would otherwise be hindered by shuttering the Facebook account(s).
As Public Intelligence notes, these are actually just the fifth and sixth versions of documents purporting to be the “Facebook Law Enforcement Guidelines” going back to 2007.
Facebook declined to confirm authenticity of any of the prior versions of the documents to Reuters, but the documents contain valid Facebook email and mailing addresses, and the 2010 document contains a Facebook copyright notice.
In addition, the Electronic Frontier Foundation, an advocacy group dedicated to protecting users’ digital rights, obtained several copies of the Facebook guidelines from the Justice Department. The EFF commended Facebook for taking a zero-tolerance approach to enforcing its “no fake accounts” policy, even against law enforcement.
That said, the EFF has also pointed out how a November 10 court ruling ordering Twitter to hand over user information to the Justice Department without a warrant or subpoena could also apply to Facebook.
And the Obama Administration was this year supposed to submit to lawmakers a bill that would allow federal law enforcement agencies the ability to use “back doors” to observe all online communications under wiretap orders, even encrypted communications, according to a New York Times report in October 2010. That legislation has yet to be introduced.