It’s often done in secret. Law enforcement investigators seek access to private user information stored by websites, routinely imposing a gag order that prohibits the Internet company from telling anyone about the demand.
Don’t you at least have a right to know the rules governing such quiet disclosures? When will sites like Twitter, Facebook, PayPal and others – with their hundreds of millions of users and massive caches of everything from cell-phone numbers to unique computer IDs – begin handing personal information over to the government?
Newly available documents shed light on such questions. Digital rights advocates at the Electronic Frontier Foundation have been suing federal agencies for months under the Freedom of Information Act with help from the Samuelson Clinic at UC Berkeley’s School of Law. The goal was to force open policies that explain when social networking sites can be used for government surveillance, data collection and investigations.
Results made public so far by EFF are available below for more than a dozen sites in a chart built by the Center for Investigative Reporting. Old and new policies alike are posted next to the document year, so you can compare possible changes over time. EFF argues that the variety among them shows how “social networking sites have struggled to develop consistent, straightforward policies.”
“But the police aren’t investigating me,” you say. “My life is pretty boring, and I’m lucky to get a direct message from my mom on Twitter.”
First, in an age where more people than ever before communicate electronically, it’s worth knowing how long eBay and PayPal, for example, will hang onto your transactional records (an answer available in the chart) along with other insights relevant to alleged criminals and non-criminals alike.
Second, the law that protects your right to communicate privately through electronic means was enacted all the way back in 1986, long before e-mail, instant messaging, cell phones and Skype existed.
Advocates believe the Electronic Communications Privacy Act is being overwhelmed by new technology, creating an advantage for government investigations into terrorism and crime, but threatening the ability of consumers to defend against excessive intrusion.
Some argue that the 25-year-old ECPA “affords more protection to letters in a file cabinet than e-mail on a server,” according to a recent New York Times story on the subject:
Internet companies chafe at what they say is the weaker protection under the law afforded online data. They contend that an e-mail should have the same protection from law enforcement as the information stored in a home. They want law enforcement agencies to use a search warrant approved by a judge or a magistrate rather than rely on a simple subpoena from a prosecutor to obtain a person’s online data.
The chart above shows what personal data social-media sites will unleash with a mere subpoena, as opposed to private information made available only under judge-approved warrants.
A dust-up that emerged this month between federal authorities and Twitter brings the issue into tighter focus. Justice Department officials directed Twitter through a court order to turn over e-mail and IP addresses (the latter being your computer’s unique ID) tied to the anti-secrecy site WikiLeaks, reportedly under investigation by a grand jury in Virginia.
In what appeared to be a rare move for online networking sites, Twitter fought the gag order attached to it, winning the right to inform targeted users of the request. That meant Twitter’s customers affected by the demand had a chance to battle it themselves, leading to applause from some prominent online privacy defenders.
While the entire picture of government surveillance and investigative tactics online isn’t clear, pieces of the broader story have surfaced, helping citizens better understand what may happen to their personal information on the Internet. Facebook disclosed to Newsweek in 2009 that government orders for user information were flowing into the company at an extraordinary rate of 10 to 20 per day.
Verizon testified to Congress four years ago that it faced tens of thousands of requests for customer data annually. Google’s “Transparency Report,” praised by observers as a leading example of openness, lists how many it receives from countries around the globe: nearly 4,300 in the United States alone during a six-month period last year.
Information you release publicly on the Internet is another matter — things like unlocked tweets that anyone can read or Facebook photos and messages not restricted by privacy settings. Personnel at the Department of Homeland Security scan the web as part of its Social Media Monitoring Initiative using dozens of key search terms. The list includes “cops,” “riot,” “radicals,” “decapitated” and more.
Documents made public in November showed that homeland security officials in Pennsylvania tracked the Twitter accounts of people who had not broken any laws, including elderly anti-war protesters associated with Quaker activism. And EFF learned last year that federal investigators were being taught to deceptively “friend” people on Facebook who were applying to become citizens, thereby enabling the government to snoop for relationship details.
So remember, the next time you see a random friend request on Facebook, or that unknown follow on Twitter, it could be the government.
G.W. Schulz joined the Center for Investigative Reporting in 2008 to launch its ongoing homeland security project. Read the project’s blog, Elevated Risk, here.