Facebook Applications: Back Doors for Law Enforcement?

Via Google News I hear of a new Facebook Application: GMP Updates. The application, also known as “The Greater Manchester Police Updates,” gives you a feed of crime updates and links to a form for reporting crimes, according to the article. It’s the first time I’ve seen a law enforcement based Facebook application.

GMP Updates

There have been several articles about law enforcement using its normal user-level access to Facebook for criminal prosecutions (For example: “Facebook Helps Law Enforcement“, “Site Used to Aid Investigations,” “Student Arrested After Police Facebook Him“). In these cases, law enforcement or their tipsters browse Facebook like a normal user, looking at the information made available to that user.

Expanded Viewing Powers

Law enforcement use of applications will significantly expand the reach of what law enforcement can see, and also provide a more surreptitious viewing ability. It’s been noted that some 90% of popular applications have access to more information than they need, but this seems like a significant first — giving law enforcement more access than it needs. Why the expansion? Because application providers get access to just about all of your Facebook information, as described in the “Platform Application Terms of Use“:

In order to allow you to use and participate in Platform Applications created by Developers (“Developer Applications”), Facebook may from time to time provide Developers access to the following information (collectively, the “Facebook Site Information”):

(i) any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information, and

(ii) the user ID associated with your Facebook Site profile.

Facebook provides some examples of what this means. Like:

The Facebook Site Information may include, without limitation, the following information, to the extent visible on the Facebook Site: your name, your profile picture, your gender, your birthday, your hometown location (city/state/country), your current location (city/state/country), your political view, your activities, your interests, your musical preferences, television shows in which you are interested, movies in which you are interested, books in which you are interested, your favorite quotes, the text of your “About Me” section, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, your course information, copies of photos in your Facebook Site photo albums, metadata associated with your Facebook Site photo albums (e.g., time of upload, album name, comments on your photos, etc.), the total number of messages sent and/or received by you, the total number of unread messages in your Facebook in-box, the total number of “pokes” you have sent and/or received, the total number of wall posts on your Wall™, a list of user IDs mapped to your Facebook friends, your social timeline, and events associated with your Facebook profile.

[I've highlighted some of my favorites]

Note that applications can access your data even if you’ve marked it as not viewable by the police in your geographic network or school. Even if you’ve used a “friend list” to restrict who sees a photo, it’s still available to the third party application providers. So its not enough to carefully tune your privacy vis-a-vis other Facebook users. You also have to avoid adding in applications like the GMP Updater — avoid getting updates from your local law enforcement.

Inadvertent Snitching

That’s not all that is happening. When you add an application, by default it can see what you can see on Facebook. So you’re also sharing your friends’ information with law enforcement. Your friends may opt-out of this sharing, but until they do you’ll be the eyes and ears of law enforcement by adding a law enforcement-based Facebook app. The defaults include quite a bit of information:

API Defaults

When you add applications, you’re told they get to see your information:

Add GMP Updates

But you’re not told you’re also sharing your friends’ info.

Content Too?

One thing that is unclear to me is whether applications can see the content of my Facebook messages and other communications I make within the site. Content fits the definition (“any information provided by you and visible to you on the Facebook Site, excluding any of your Contact Information”) of information available to third party providers, but it would be quite shocking if this was being made available to third parties. In the US, intercepting a communication requires a warrant — pursuant to the 4th Amendment as well as ECPA, and accessing a stored communication requires court orders or warrants, depending on the age of the information. This is why I’m skeptical that content is being shared with law enforcement via the API. It would be quite a scandal.

Posted: April 16, 2008 in:

NYT on Digital Evidence and Divorce

A friend emailed this NYT article:

Tell-All PCs and Phones Transforming Divorce
By BRAD STONE
The age-old business of breaking up has taken a decidedly Orwellian turn, with digital evidence like e-mail messages, traces of Web site visits and mobile telephone records now permeating many contentious divorce cases.

Spurned lovers steal each other’s BlackBerrys. Suspicious spouses hack into each other’s e-mail accounts. They load surveillance software onto the family PC, sometimes discovering shocking infidelities.

The article also mentions using GPS to track spouse; the ethical issues some spouses have when they decide to spy; and how the person spied upon can find it “particularly disturbing.”

In the legal issues, though, the article seems to be lacking. The only consideration is the admissability of the evidence: whether it can be seen by the divorce court. Furthermore, the entire article seems to gloss over the difference between the use of electronic evidence gained via discovery — the legitimate, court supervised method of gaining records from the other side — and the surreptitious access to information that is the use of spyware and unauthorized access to devices.

The legal issues are serious. The Electronic Communications Privacy Act (ECPA) governs interception of electronic communications. Intercepting an electronic communication can land you jail for five years. 18 USC 2511(4). You can also be sued civilly, being responsible for attorney’s fees and minimum damages of $10,000. Besides interception, accessing stored communications is regulated by the Stored Communications Act. Accessing someone’s stored communications can be punished by up to a year in jail. 18 USC 2702. And it can also expose you to suits of a minimum of $1000 plus attorneys fees. 18 USC 2707.

But under both of these, the issues can get tricky if the computer is shared between people, or if people have previously shared their passwords with each other. It’s no surprise that a reporter talking to divorce lawyers didn’t go into wiretap laws. But at least they should not have mixed up the very legitimate accessing of stored information during a lawsuit with spousal espionage and stalking.

Posted: September 17, 2007 in: