If you are interested enough in government access to social media data to have sought out this article, you probably already are aware that virtually all cloud service providers have “terms of service” agreements which grant the providers the right to turn over your data to law enforcement authorities. Today, Facebook also publishes guidelines the company says it uses in providing customer information to law enforcement.
What you may not know is what Facebook provides about you pursuant to law enforcement requests, how they do so, and under what types of authority. You may also not know how little care is sometimes taken to protect unauthorized or unnecessary public disclosure of personal information, not only relating to criminal defendants, but also, potentially, victims, witnesses, and even wholly unrelated persons.
But thanks to the Boston Police Department, we now have a rare window into exactly how at least one cloud service provider discloses user information to law enforcement and how cavalierly, at least in one case, such information has been handled. The brutal April 2009 murder of 25-year-old masseuse Julissa Brisman in a Boston hotel by medical student Philip Markoff became a massive media story. Dubbed the “Craigslist Killer,” Markoff had solicited his appointment with Ms. Brisman through that site’s Erotic Services section.
According to The Phoenix, and the documents released by the Boston Police which The Phoenix analyzed, Facebook records related to Markoff played a role in nailing Markoff for the slaying. The detective story is riveting. The story of police surveillance, and one cloud provider’s supporting role, is instructive or disturbing or both depending upon your point of view.
Who and How
Many assume that the CIA, FBI, and their sister agencies are the only “big brothers” out there. In fact, thousands of state and local police agencies routinely conduct wiretaps and order cloud service providers to turn over voluminous communications records, often on considerably less legal authority than required of their U.S. Government cousins. In the Craigslist Killer case, the records demand was served on Facebook – in Palo Alto -- by the District Attorney for Suffolk County, Massachusetts. Interestingly, but not uncommonly, the state prosecutor used a combination of federal and state authority.
First, the District Attorney (DA) invoked federal authority to demand that Facebook “preserve evidence” for 90 days while the DA was “in the process of reviewing [its] investigation to obtain a search warrant, Grand Jury subpoena,” or other court order requiring Facebook to actually deliver the information. Under federal law, the authority for such a preservation demand can be used by U.S. Government, state, or local authorities and enforced upon any “provider of wire or electronic communication services or a remote computing service.” This definition is broad enough to cover most, if not all, cloud service providers. And there is really no substantive standard in the applicable legal provision. A provider must comply “upon the request of a governmental entity,” with no showing even of relevance to an investigation. Whether or not Facebook or other providers would have preserved the information for their own purposes is a separate issue. Once served with this type of letter from law enforcement, they have no choice.
Then, to get the preserved records, the District Attorney of Suffolk County relied, and Facebook complied, simply on a grand jury subpoena. Not a judicial warrant based on probable cause. Not a court order based on a lesser standard of proof. Not even a federal administrative subpoena under the much-derided PATRIOT Act or related authorities, which at least require the subpoenaed information to be “relevant” to an investigation. What is the standard for getting a grand jury subpoena? In most cases, the standard is that the prosecutor issues one. It’s been said that a good prosecutor can get a grand jury to indict a ham sandwich. Issuing a grand jury subpoena is even easier. In most cases, the prosecutor need not even run the subpoena by the grand jury, much less a judge.
In the Markoff case, the 2009 subpoena called for the following information concerning two Facebook User IDs: complete online profiles and posted files, specifically including: videos; blogs; notes; notifications; and comments posted on the subscriber’s wall and (if possible) any and all wall-to-wall conversations with other users participated in by either of the requested subscribers; name, address, and “personal information”; all contact information; IP logs; length of services; friends list; and “Private messages in the user’s inbox, Trash and Sent Mail.”
In short, the grand jury subpoena ordered Facebook to provide just about everything the prosecutors could think of. What Facebook actually produced is available here and included, among other information, dozens of photos, of Markoff himself, but also of numerous others, presumably innocent, friends and acquaintances, as well as deleted friends, deleted wall posts, and other information. Not only does none of the information appear to have been “minimized,” that is, redacted to provide only directly responsive information, but the Boston Police Department subsequently released what appears to be the bulk of their investigatory file, utterly unredacted.
This was despite a direction by the District Attorney to Facebook that all information was to be treated as sensitive, and a confidentiality notice back from Facebook to law enforcement. Fortunately, prior to publication, The Phoenix redacted items such as last names of friends and contacts. This disclosure is worth considering when deciding what to post on social media or store in the cloud.
For its part, Facebook, through a a self-identified Facebook “Policy Communications Team” member, asserted, in comments to the January 4, 2013 Bruce Schneier blog posting drawing renewed attention to the story, that, today, Facebook’s “Law Enforcement Guidelines” (http://on.fb.me/LEGuidelines) would have required a “search warrant from a judge to compel the disclosure of the contents of a user’s…account.” A search warrant, while significantly more difficult to obtain than a grand jury subpoena, will usually still be meet-able in most serious criminal investigations.
More importantly, however, Facebook’s Law Enforcement Guidelines in effect today state that: “We disclose account records solely in accordance with our terms of service and applicable law.” Translated, this means Facebook reserves the right to provide information pursuant to any foreign legal process, whether from England, China, or Iran.
In some ways, what is most surprising about the materials turned over to law enforcement in this 2009 case is how little there was: just over 60 pages. One must imagine that, had documents responsive to the Massachusetts DA been provided today, there would have been hundreds, if not thousands, of pages.
In the Markoff case, Facebook literally helped catch a killer. Given the cavalier way it appears Markoff killed the young masseuse, a complete stranger to him, Facebook’s actions may well also have saved lives. But the ease with which the information was obtained, the breadth of the information provided, including much seemingly irrelevant information about innocent not-even-bystanders, and the Boston Police’s publication of unredacted investigatory files, suggests that government agencies, and social media providers turning over personal information, need to be considerably more careful about how, what, and under what conditions, such information is given to law enforcement. One can only imagine the situation in foreign jurisdictions without our traditions of due process and reasonable search and seizure.
Once provided, there’s no telling where the information may end up.
Markoff took his own life in a Boston jail in 2010, before he faced justice. Stopping those that would follow with him is vitally important, but so is safeguarding individuals’ sensitive information in the cloud. The vast majority of law enforcement and intelligence officials are committed to striking the right balance. To be sure, though, individuals should carefully consider what they post to the “cloud” in the first place.
Bryan Cunningham is an information security, privacy, and data protection lawyer, and a senior advisor of The Chertoff Group, a global security advisory firm that advises clients on cyber security. Formerly, he was a US civil servant, working for the CIA and serving as deputy legal advisor to national security advisor Condoleezza Rice.