Sunday, May 8, 2011

Facebook: Simply a Spying Machine?

Facebook's an appalling spy machine? That's what WikiLeakers founder (and Martina Navratilova impersonator) Julian Assange is saying. In an interview with Russia Times, the floppy-haired leaker extraordinaire declares:

Facebook in particular is the most appalling spying machine that has ever been invented. Here we have the world's most comprehensive database about people, their relationships, their names, their addresses, their locations and the communications with each other, their relatives, all sitting within the United States, all accessible to US intelligence. Facebook, Google, Yahoo -- all these major US organizations have built-in interfaces for US intelligence. It's not a matter of serving a subpoena. They have an interface that they have developed for US intelligence to use.

Now, is it the case that Facebook is actually run by U.S. intelligence? No, it's not like that. It's simply that U.S. intelligence is able to bring to bear legal and political pressure on them. And it's costly for them to hand out records one by one, so they have automated the process. Everyone should understand that when they add their friends to Facebook, they are doing free work for United States intelligence agencies in building this database for them.

How does Mr. Assange come to be in possession of this knowledge? I suspect he made a few rather large logical leaps, based on the confidential document WikiLeaks just made available on Facebook's 2010 Law Enforcement Guidelines.

(Facebook's response follows in the update at the bottom of this post.)

Those guidelines are worth a few words. But first, some reactions to what Assange said.

There's no way Assange can assert that Facebook is "the world's most comprehensive database" about anything, unless his sources at the NSA are much better than I suspect. He'd have to be very intimate with the details of every other large database out there to make that claim. That's extremely unlikely.

True, Facebook is large. Comprehensive? Not so much. If anything, it's extremely incomplete and deeply unreliable. (Think about it: Are all the people in your Friends list really your friends? Do you tell the truth all the time? Is that your real age?)

That bit about Facebook, Google, Yahoo et al having a ‘special interface' just for U.S. spy agencies, no subpoena needed? I think Julian's been huffing the Reddi-Wip again. It's highly doubtful any of these organizations would just hand over non-publically-available data without some kind of legal writ -- a subpoena, search warrant, National Security Letter, etc -- let alone build their own little back door for spies to use. Imagine the outcry if that were true.

In fact, this is what the Facebook legal guidelines are all about -- how to legally request such information, on a case by case basis, which Facebook then provides. Not an automated process, not one-stop shopping for spies.

In fact, Facebook creates one of these guidelines every year (you can see the previous versions at PublicIntelligence as well.) So do Microsoft, Yahoo, Google, Twitter, and so on. Any big tech company that collects information and has a legal department will have confidential written procedures about how to handle information requests from legal authorities. If you've ever read any real privacy policy (and I have read too many of them) you'll always see the exception that allows them to share your data with the authorities when required by law.

What's interesting about Facebook's 2010 Guidelines? A few things.

* Generally speaking, Facebook can produce 90 days' worth of data on every person. That includes your contact info, news feed, status updates, notes, wall posts, friends list, groups list, any events you'd said you'd attend, photos you've posted, photos where others have tagged you, and a list of the videos you've posted.

Facebook may also be able to retrieve any private messages you haven't deleted, and can go back even further than 90 days, if needed, but that apparently requires more effort.

* Facebook makes no guarantees about being able to retrieve IP logs or at least complete records of IP logs. So if the cops want to know every single time and place you logged into Facebook, they're probably out of luck.

* Facebook asks law enforcement for a scosh more documentation with each request (ie, badge numbers) than it used to. And it notes that if law enforcement authorities identify a fake Facebook account, or one that otherwise violates Facebook's terms and conditions, they will nuke that account unless specifically requested otherwise.

If law enforcement creates a fake Facebook account or one that violates the terms - say, to go undercover and befriend a suspected bad guy -- Facebook will nuke that one as well. (Take that, you wannabe Donny Brasco.)

Does that make Facebook a treasure trove for potential investigators? Absolutely. Facebook data has played a part in several well-publicized arrests; at this point I'm sure it's standard operating procedure to look at the Facebook (and other online accounts) of anyone who wanders into the cross hairs of Johnny Law. Just like your cell phone.

If any of this is a surprise to you, maybe you should be paying closer attention (or watching more TV shows about police forensics). Does that make Facebook the most appalling spy machine ever? Only if you're a publicity seeking paranoid.

Update: Facebook spokeshuman Andrew Noyes responded with the following statement:

We don't respond to pressure, we respond to compulsory legal process. There has never been a time we have been pressured to turn over data. We fight every time we believe the legal process is insufficient. The legal standards for compelling a company to turn over data are determined by the laws of the country, and we respect that standard.

So how many legal requests did Facebook receive last year, and how many did it fufill? Noyes responds thusly:

Currently, we don't make those figures public. I can tell you that we do receive a significant volume of third party data requests and we review each request individually for legal sufficiency before responding, and have a dedicated team of CIPP certified professionals responsible for managing requests (and that team is supervised by two former federal cybercrime prosecutors who are experts in the law in this area).


  1. Wow, i guess i never thought of it like that, it's definitely making me think twice!

  2. this is so creepy. i bet the us intelligence will never need me info anyway heh

  3. I guess the lesson is to just not be dumb with your social networking!

  4. i stand behind assange he's right i think

  5. It is inevitable that with such popularity there will eventually be the big bros

  6. Interesting stuff, to say the least.

  7. Damn... I don't feel safe at all after reading this. :\ I'm thinking about deleting my Facebook. :|

  8. yeah, I'd say it's paranoid of people to say that the gov. is spying using facebook but that being said, DON'T PUT STUFF ON THE INTERNET IF YOU CARE IF PEOPLE KNOW! i always thought it was common knowledge but that's just

  9. I think assange's completely right

  10. Awesome post man! Keep blogging cause this is great!

  11. I do believe that people put too much information on facebook. I'm in a career development group at my college, and the first thing they told us was to mind what we put on our facebooks. even then however, there are many risks with it. people need to know how to use these social networking sites properly.