Facebook's an appalling spy machine? That's what WikiLeakers founder (and Martina Navratilova impersonator) Julian Assange is saying. In an interview with Russia Times, the floppy-haired leaker extraordinaire declares:
Facebook in particular is the most appalling spying machine that has ever been invented. Here we have the world's most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo -- all these major US organizations have built-in interfaces for US intelligence. It's not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use.
Now, is it the case that Facebook is actually run by U.S. intelligence? No, it's not like that. It's simply that U.S. intelligence is able to bring to bear legal and political pressure on them. And it's costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them.
How does Mr. Assange come to be in possession of this knowledge? I suspect he made a few rather large logical leaps, based on the confidential document WikiLeaks just made available on PublicIntelligence.net: Facebook's 2010 Law Enforcement Guidelines.
(Facebook's response follows in the update at the bottom of this post.)
Those guidelines are worth a few words. But first, some reactions to what Assange said.
There's no way Assange can assert that Facebook is "the world's most comprehensive database" about anything, unless his sources at the NSA are much better than I suspect. He'd have to be very intimate with the details of every other large database out there to make that claim. That's extremely unlikely.
True, Facebook is large. Comprehensive? Not so much. If anything, it's extremely incomplete and deeply unreliable. (Think about it: Are all the people in your Friends list really your friends? Do you tell the truth all the time? Is that your real age?)
That bit about Facebook, Google, Yahoo et al having a ‘special interface' just for U.S. spy agencies, no subpoena needed? I think Julian's been huffing the Reddi-Wip again. It's highly doubtful any of these organizations would just hand over non-publically-available data without some kind of legal writ -- a subpoena, search warrant, National Security Letter, etc -- let alone build their own little back door for spies to use. Imagine the outcry if that were true.
In fact, this is what the Facebook legal guidelines are all about -- how to legally request such information, on a case by case basis, which Facebook then provides. Not an automated process, not one-stop shopping for spies.
What's interesting about Facebook's 2010 Guidelines? A few things.
* Generally speaking, Facebook can produce 90 days' worth of data on every person. That includes your contact info, news feed, status updates, notes, wall posts, friends list, groups list, any events you'd said you'd attend, photos you've posted, photos where others have tagged you, and a list of the videos you've posted.
Facebook may also be able to retrieve any private messages you haven't deleted, and can go back even further than 90 days, if needed, but that apparently requires more effort.
* Facebook makes no guarantees about being able to retrieve IP logs or at least complete records of IP logs. So if the cops want to know every single time and place you logged into Facebook, they're probably out of luck.
* Facebook asks law enforcement for a scosh more documentation with each request (ie, badge numbers) than it used to. And it notes that if law enforcement authorities identify a fake Facebook account, or one that otherwise violates Facebook's terms and conditions, they will nuke that account unless specifically requested otherwise.
If law enforcement creates a fake Facebook account or one that violates the terms - say, to go undercover and befriend a suspected bad guy -- Facebook will nuke that one as well. (Take that, you wannabe Donny Brasco.)
Does that make Facebook a treasure trove for potential investigators? Absolutely. Facebook data has played a part in several well-publicized arrests; at this point I'm sure it's standard operating procedure to look at the Facebook (and other online accounts) of anyone who wanders into the cross hairs of Johnny Law. Just like your cell phone.
If any of this is a surprise to you, maybe you should be paying closer attention (or watching more TV shows about police forensics). Does that make Facebook the most appalling spy machine ever? Only if you're a publicity seeking paranoid.
Update: Facebook spokeshuman Andrew Noyes responded with the following statement:
We don't respond to pressure, we respond to compulsory legal process. There has never been a time we have been pressured to turn over data. We fight every time we believe the legal process is insufficient. The legal standards for compelling a company to turn over data are determined by the laws of the country, and we respect that standard.
So how many legal requests did Facebook receive last year, and how many did it fufill? Noyes responds thusly:
Currently, we don't make those figures public. I can tell you that we do receive a significant volume of third party data requests and we review each request individually for legal sufficiency before responding, and have a dedicated team of CIPP certified professionals responsible for managing requests (and that team is supervised by two former federal cybercrime prosecutors who are experts in the law in this area).