W.F. "Casey" Ebsary, Jr. |
A recent public records request by the EFF sought more information including:
Guides, manuals, policy statements, memoranda, presentations, or other materials explaining how government agents should collect information on social networking websites: how or when government agents may collect information through social networking websites; procedures government agents must follow to collect information through social networking websites; agreements with social-networking companies: using any visualization programs, data analysis programs or tools used to analyze data gathered from social networks; purchase orders for any visualization programs,data analysis programs or tools used to analyze data gathered from social networks; describing how information collected from social-networking websites is retained in government databases or shared with other government agencies.
How to be a Fed on Facebook
Prosecutor's Obtaining Evidence From Social Networks Training Materials |
The outline covered an Introduction to Social Networking Sites and an Overview of Key Social Networking Sites. Not suprisingly, buried in the training materials is the question: Why go undercover on Facebook, MySpace, etc? The answer in short succinct bullet points was to "Communicate with suspects / targets" and "Gain access to non-public info" and to "Map social relationships/networks." The training session begins: "Most social-networking sites allow users to:
• Create personal profiles
• Write status updates or blog entries
• Post photographs, videos, and audio clips
• Send and receive private messages
• Link to the pages of others (i.e., “friends”)"
How can Law Enforcement Obtain data from these sites?
• Some info may be public
• Use ECPA to get info from providers
• Undercover operations "
The ECPA is the Electronic Communications Privacy Act (ECPA) and it sets out the provisions for access, use, disclosure, interception and privacy protections of electronic communications. The feds use this information to:
• Reveal personal communications
• Establish motives and personal relationships
• Provide location information
• Prove and disprove alibis
• Establish crime or criminal enterprise
How do the Feds get information from Facebook?
Since the Facebook Data is organized by user ID or group ID they use these resources: Data productions using the Fed's Law Enforcement Guide includes Neoprint, Photoprint, User Contact Info, Group Contact Info, and IP Logs. The feds noted that "Facebook has other data available." and that Facebook is "Often cooperative with emergency requests." That means that the feds can claim urgency and shourtcut the time frames that are usually present when legal production of this information is sought.
What do the Feds Think about MySpace?
The feds noted that MySpace is owned by Fox Interactive Media and was the most popular Social Network; was passed by Facebook in 2008; True names are less encouraged than Facebook. Feds are noting there is Messaging through messages, chat, friend updates. MySpace has a Young user base,has a history of child safety concerns, and Privacy is currently less granular than Facebook. Cybercrime defense attorney notes that Granular Privacy Controls in social networks allow authorization profiles - the user gets to decide what data to show to other friends in the network.
The feds noted that MySpace is owned by Fox Interactive Media and was the most popular Social Network; was passed by Facebook in 2008; True names are less encouraged than Facebook. Feds are noting there is Messaging through messages, chat, friend updates. MySpace has a Young user base,has a history of child safety concerns, and Privacy is currently less granular than Facebook. Cybercrime defense attorney notes that Granular Privacy Controls in social networks allow authorization profiles - the user gets to decide what data to show to other friends in the network.
How do the Feds Get Info From MySpace?
The Feds know that many profiles have public content and thatData is organized by Friend ID. Notably, MySpace requires a search warrant for private messages or bulletins that are less than 181 days old. MySpace considers friend lists to be stored content and there are fixed Data retention times for User information and stored files. MySpace retains IP logs indefinitely and information for deleted accounts is kept for a year.
What the Feds believe about Twitter?
Twitter is the market leader in “micro-blogging.” Most Twitter multimedia is handled by 3d party links. Twitter allows both public or private updates. On Twitter Direct messages are private and the sender can delete these messages. the feds noted that short URLs used to serve malicious links and code.
How do the Feds Get Information from Twitter?
The good news for the Feds is that Most Twitter content is public and Private messages are kept until the user deletes them.
The bad news for the Feds is that Twitter only retains the first login IP, there is no user contact phone number, Twitter Will not preserve data without legal process, and Twitter has a stated policy of producing data only in response to legal process.
The Feds frequently use a 2702 request to short cut Search Warrant requirements. On the other hand, as of 2010, Yahoo has the following policy on 2702 requests from cybercrime investigators:
"Under 18 U.S.C. §§ 2702(b)(7) and 2702(c)(4) Yahoo! is permitted, but not required, to voluntarily disclose information, including contents of communications and customer records, to a federal, state, or local governmentalentity if Yahoo! believes in good faith that an emergency involving imminent danger of death or serious physical injury to any person requires such disclosure without delay."
The bad news for the Feds is that Twitter only retains the first login IP, there is no user contact phone number, Twitter Will not preserve data without legal process, and Twitter has a stated policy of producing data only in response to legal process.
The Feds frequently use a 2702 request to short cut Search Warrant requirements. On the other hand, as of 2010, Yahoo has the following policy on 2702 requests from cybercrime investigators:
"Under 18 U.S.C. §§ 2702(b)(7) and 2702(c)(4) Yahoo! is permitted, but not required, to voluntarily disclose information, including contents of communications and customer records, to a federal, state, or local governmentalentity if Yahoo! believes in good faith that an emergency involving imminent danger of death or serious physical injury to any person requires such disclosure without delay."
What about LinkedIn?
The feds use LinkedIn to identify experts and check the background of defense experts. The Privacy model is similar to Facebook and Profile information is not checked for reliability.
Federated Identity Issues Concern the Feds
The Feds note an upsurge in federated identity schemes. Social networking sites are increasingly adopting federated identity schemes such as OpenID, Facebook Connect. They write of concerns that Facebook, MySpace, Yahoo!, and Google authenticate identity and signin across platforms.
They give the following Example: A user can log in to a Facebook account using Google credentials. After a link is established between two accounts, Google will check and vouch for identity of its user. Authentication information split from activity information. In turn, a Facebook login may be used to authenticate.
The feds note that "If attribution is necessary, must determine identity provider - not simply the domain."
Terms of Service TOS and Privacy Policies
The Federal Agent Training materials we reviewed after the EFF Freedom of Information Act FOIA Request noted that Social networks have extensive terms of service and privacy policies, most permit emergency disclosures to Law Enforcement. All specify exceptions to respond to legal process and protect service against fraud/damage
U.S. v. Drew addressed the failure to follow TOS and whether access to a network was unauthorized under 1030? Drew addresses whether allowing a violation of a website's Terms of Service to constitute an intentional access of a computer without authorization or exceeding authorization would "result in transforming section 1030(a)(2)(C) into an overwhelmingly overbroad enactment that would convert a multitude of otherwise innocent Internet users into misdemeanant criminals."
Criminal Penalties for Law Enforcement Officers for Violating the Privacy Protection Act
The feds also are concerned about the growth of social networks and the questions it raises about the breadth of the PPA. This author notes that the Privacy Protection Act provides for criminal penalties against federal officials who willfully disclose a record in violation of the Act, 5 U.S.C. § 552a(i)(1).
Không có nhận xét nào:
Đăng nhận xét