Reports that law enforcement agencies use social networking sites like Facebook for investigations have touched a nerve with some, but opinions are divided as to whether lines are being crossed.
The discussion was put into focus March 16 with the release of a U.S. Department of Justice (DOJ) document touching on the use of social networking sites by law enforcement agencies to conduct undercover operations and obtain evidence, including through the use of fake user profiles. The 33-page document (PDF) was turned over to the Electronic Frontier Foundation (EFF) after the digital privacy watchdog group sued the DOJ for information about the department's use of social networking sites for federal investigations.
The EFF also got its hands on information about a 2009 training course that describes how IRS employees can use social networking sites and tools like Google Street View to investigate taxpayers.
The idea of the government using the Web as an investigative tool should surprise few; for example, in the case described here, investigators went undercover online to catch a suspected sexual predator. But deciding where the line between privacy and surveillance should be drawn and possibly crossed can be a tougher question.
"Where it gets a bit iffy to me from a privacy perspective are private profiles," said Shawn Moyer, principal security consultant at FishNet. "For example, my Facebook profile is private, so if you pretend to be someone I know so that I add you to my network, and then monitor activity in my private profile, that seems like it wouldn't be in line with the same kind of intelligence gathering as, say, monitoring a public place of business. In the case of real-life undercover activity, there are lots of procedural rules around how and when law enforcement performs an impersonation, but for a social network impersonation the barrier of entry is obviously very low, so any agent with a computer and an account could take on a persona."
For its part, Facebook says it regularly works with law enforcement agencies investigating criminal activity.
"We have developed materials to help officials understand Facebook and the proper ways to request information from Facebook to aid investigations," Facebook spokesman Andrew Noyes told eWEEK. "We scrutinize every single law enforcement request; require a detailed description of why the request is being made; and, if it is deemed appropriate, share only the minimum amount of information. We strive to respect the balance between law enforcement's need for information and the privacy rights of our users, and as a responsible company we adhere to the letter of the law.
"It is possible that the accounts of undercover officers would be disabled in our regular checks for fake accounts," he said. "However, we don't have any prior knowledge that they are undercover officers or any way to distinguish these accounts that we may detect from other fake accounts."
With the exception of Twitter's "Verified Accounts" feature, social networks don't really have a feasible way to prove a user's identity as it is, Moyer noted.
"Most sites do state in their terms of service that you can't use the network for willful impersonation and things along that line, but it's demonstrably unenforceable since so many accounts of that type exist, and no real method to verify identities is in place," Moyer said. "That said, I'd bet a savvy defense lawyer could use the Terms of Service and the fact that law enforcement specifically targeted someone as grounds to get social network data thrown out of court."
There are certainly jurisdictional and constitutional issues online, noted Jerry Dixon, who formerly served as executive director of the National Cyber Security Division (NCSD) of the U.S. Department of Homeland Security. If it's a targeted investigation, then undercover operations online have judicial oversight just like they do on the street, he explained.
"At a minimum, most police departments also have set procedures for how undercover work is to be carried out," said Dixon, who now works as director of analysis for Team Cymru. "They need to have the same for online undercover operations specific to social networking sites. The other angle to consider is that if someone accepts a friend request from someone they really don't know, they are allowing law enforcement to be a party to the conversation, meaning status updates, posts and the like are fair game.
"The key to this is making sure you have a magistrate or judge that is providing judicial oversight," he continued. "People put themselves at risk also to discovery in civil or criminal cases too, since that information can be gathered through court orders as well. No different than discovery done with EZ-Pass or cell phone records. When you put lots of pictures, information and your business associates online, you're accepting a degree of risk."