The Electronic Frontier Foundation got its hands on documents on federal law enforcement approaches to gathering data on Facebook and other social networks. But just how far should the FBI and other police agencies go in using those sites to collect data? Security pros shared their thoughts with eWEEK.
Reports that law enforcement agencies use social networking sites like Facebook for investigations have touched a nerve with some, but opinions are divided as to whether lines are being crossed.
The discussion was put into focus March 16 with the release of a U.S. Department of Justice (DOJ) document touching on the use of social networking sites by law enforcement agencies to conduct undercover operations and obtain evidence, including through the use of fake user profiles. The 33-page document (PDF) was turned over to the Electronic Frontier Foundation (EFF) after the digital privacy watchdog group sued the DOJ for information about the department's use of social networking sites for federal investigations.
The EFF also got its hands on information about a 2009 training course that describes how IRS employees can use social networking sites and tools like Google Street View to investigate taxpayers.
The idea of the government using the Web as an investigative tool should surprise few; for example, in the case described here, investigators went undercover online to catch a suspected sexual predator. But deciding where the line between privacy and surveillance should be drawn and possibly crossed can be a tougher question.
"Where it gets a bit iffy to me from a privacy perspective are private profiles," said Shawn Moyer, principal security consultant at FishNet. "For example, my Facebook profile is private, so if you pretend to be someone I know so that I add you to my network, and then monitor activity in my private profile, that seems like it wouldn't be in line with the same kind of intelligence gathering as, say, monitoring a public place of business. In the case of real-life undercover activity, there are lots of procedural rules around how and when law enforcement performs an impersonation, but for a social network impersonation the barrier of entry is obviously very low, so any agent with a computer and an account could take on a persona."
For its part, Facebook says it regularly works with law enforcement agencies investigating criminal activity.
"We have developed materials to help officials understand Facebook and the proper ways to request information from Facebook to aid investigations," Facebook spokesman Andrew Noyes told eWEEK. "We scrutinize every single law enforcement request; require a detailed description of why the request is being made; and, if it is deemed appropriate, share only the minimum amount of information. We strive to respect the balance between law enforcement's need for information and the privacy rights of our users, and as a responsible company we adhere to the letter of the law.
"It is possible that the accounts of undercover officers would be disabled in our regular checks for fake accounts," he said. "However, we don't have any prior knowledge that they are undercover officers or any way to distinguish these accounts that we may detect from other fake accounts."
With the exception of Twitter's "Verified Accounts" feature, social networks don't really have a feasible way to prove a user's identity as it is, Moyer noted.
"Most sites do state in their terms of service that you can't use the network for willful impersonation and things along that line, but it's demonstrably unenforceable since so many accounts of that type exist, and no real method to verify identities is in place," Moyer said. "That said, I'd bet a savvy defense lawyer could use the Terms of Service and the fact that law enforcement specifically targeted someone as grounds to get social network data thrown out of court."
There are certainly jurisdictional and constitutional issues online, noted Jerry Dixon, who formerly served as executive director of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. If it's a targeted investigation, then undercover operations online have judicial oversight just like they do on the street, he explained.
"At a minimum, most police departments also have set procedures for how undercover work is to be carried out," said Dixon, who now works as director of analysis for Team Cymru. "They need to have the same for online undercover operations specific to social networking sites. The other angle to consider is that if someone accepts a friend request from someone they really don't know, they are allowing law enforcement to be a party to the conversation, meaning status updates, posts and the like are fair game.
"The key to this is making sure you have a magistrate or judge that is providing judicial oversight," he continued. "People put themselves at risk also to discovery in civil or criminal cases too, since that information can be gathered through court orders as well. No different than discovery done with EZ-Pass or cell phone records. When you put lots of pictures, information and your business associates online, you're accepting a degree of risk."