Facebook Applications: Back Doors for Law Enforcement?

Via Google News I hear of a new Facebook Application: GMP Updates. The application, also known as “The Greater Manchester Police Updates,” gives you a feed of crime updates and links to a form for reporting crimes, according to the article. It’s the first time I’ve seen a law enforcement based Facebook application.

GMP Updates

There have been several articles about law enforcement using its normal user-level access to Facebook for criminal prosecutions (For example: “Facebook Helps Law Enforcement”, “Site Used to Aid Investigations,” “Student Arrested After Police Facebook Him”). In these cases, law enforcement or their tipsters browse Facebook like a normal user, looking at the information made available to that user.

Expanded Viewing Powers

Law enforcement use of applications will significantly expand the reach of what law enforcement can see, and also provide a more surreptitious viewing ability. It’s been noted that some 90% of popular applications have access to more information than they need, but this seems like a significant first — giving law enforcement more access than it needs. Why the expansion? Because application providers get access to just about all of your Facebook information, as described in the “Platform Application Terms of Use”:

In order to allow you to use and participate in Platform Applications created by Developers (“Developer Applications”), Facebook may from time to time provide Developers access to the following information (collectively, the “Facebook Site Information”):

(i) any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information, and

(ii) the user ID associated with your Facebook Site profile.

Facebook provides some examples of what this means:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

[I've highlighted some of my favorites]

Note that applications can access your data even if you’ve marked it as not viewable by the police in your geographic network or school. Even if you’ve used a “friend list” to restrict who sees a photo, it’s still available to the third party application providers. So it’s not enough to carefully tune your privacy vis-a-vis other Facebook users. You also have to avoid adding in applications like the GMP Updater — avoid getting updates from your local law enforcement.

Inadvertent Snitching

That’s not all that is happening. When you add an application, by default it can see what you can see on Facebook. So you’re also sharing your friends’ information with law enforcement. Your friends may opt-out of this sharing, but until they do you’ll be the eyes and ears of law enforcement by adding a law enforcement-based Facebook app. The defaults include quite a bit of information:

API Defaults

When you add applications, you’re told they get to see your information:

Add GMP Updates

But you’re not told you’re also sharing your friends’ info.
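The access rules described in this section can be written down as a small model, added here as an illustration and not taken from Facebook's Platform code or API. `Item`, `Profile`, `viewer_can_see` and `app_can_see` are hypothetical names, the data is constructed, and excluding friends' Contact Information is an assumption carried over from the terms quoted above.

```python
from dataclasses import dataclass

@dataclass
class Item:
    name: str
    audience: frozenset          # user ids the owner lets view this item
    contact_info: bool = False   # Contact Information is excluded from app access

@dataclass
class Profile:
    user_id: str
    items: list
    friends: frozenset = frozenset()
    shares_via_friends_apps: bool = True   # the default until the user opts out

def viewer_can_see(profile, viewer_id):
    """Ordinary user-level browsing: only items whose audience includes the viewer."""
    return {i.name for i in profile.items
            if viewer_id == profile.user_id or viewer_id in i.audience}

def app_can_see(profiles, installer_id):
    """An application added by installer_id sees what the installer can see."""
    me = profiles[installer_id]
    exposed = {installer_id: {i.name for i in me.items if not i.contact_info}}
    for fid in sorted(me.friends):
        friend = profiles[fid]
        if not friend.shares_via_friends_apps:
            continue                        # friend opted out of sharing through apps
        exposed[fid] = {i.name for i in friend.items
                        if installer_id in i.audience and not i.contact_info}
    return exposed

def build_sample():
    """Constructed data: alice adds the app; bob and carol are her friends."""
    everyone = frozenset({"alice", "bob", "carol", "officer"})
    close = frozenset({"alice"})            # bob's restrictive friend list
    return {
        "alice": Profile("alice", [Item("name", everyone), Item("email", close, True)],
                         frozenset({"bob", "carol"})),
        "bob": Profile("bob", [Item("name", everyone), Item("party_photo", close),
                               Item("phone", close, True)], frozenset({"alice"})),
        "carol": Profile("carol", [Item("name", everyone), Item("work_history", close)],
                         frozenset({"alice"}), shares_via_friends_apps=False),
    }

if __name__ == "__main__":
    p = build_sample()
    print("officer browsing bob:", viewer_can_see(p["bob"], "officer"))
    print("app added by alice:  ", app_can_see(p, "alice"))
```

In the sample, the officer browsing as a normal user sees only bob's name, while the application alice added also receives the photo bob restricted to his friend list; carol, who opted out, is not exposed through alice at all.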

Content Too?

One thing that is unclear to me is whether applications can see the content of my Facebook messages and other communications I make within the site. Content fits the definition (“any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information”) of information available to third party providers, but it would be quite shocking if this was being made available to third parties. In the US, intercepting a communication requires a warrant — pursuant to the 4th Amendment as well as ECPA, and accessing a stored communication requires court orders or warrants, depending on the age of the information. This is why I’m skeptical that content is being shared with law enforcement via the API. It would be quite a scandal.

Posted: April 16, 2008 in: