EFF obtains docs that reveal when authorities can get your data from social media companies
The Electronic Frontier Foundation today posted analysis of documents obtained under the Freedom of Information Act which show how various popular social media companies handle requests for user data from authorities. The issue became a focal point earlier this month when the US Department of Justice obtained a court order for records from Twitter on users affiliated with WikiLeaks. The EFF’s Jennifer Lynch writes:
We received copies of guides from 13 companies, including Facebook, MySpace, AOL, eBay, Ning, Tagged, Craigslist and others, and for some of the companies we received several versions of the guide. We have combed through the data in these guides and, with the Samuelson Clinic’s help, organized it into a comprehensive spreadsheet (in .xls and .pdf) that compares how the companies handle requests for user information such as contact information, photos, IP logs, friend networks, buying history, and private messages. And although we didn’t receive a copy of Twitter’s law enforcement guide, Twitter publishes some relevant information on its site, so we have included that in our spreadsheet for comparison.
The guides we received, which were dated between 2005 and 2010, show that social networking sites have struggled to develop consistent, straightforward policies to govern how and when they will provide private user information to law enforcement agencies. The guides also show how those policies (and how the companies present their policies to law enforcement) have evolved over time.
For example, the 2008 version of Facebook’s guide explains in detail the different types of information it collects on its users, but it does not address the legal requirements necessary to obtain this data. In contrast, the 2009 version groups this information into three categories (basic subscriber information, limited content, and remaining content) and describes, under the Electronic Communications Privacy Act (ECPA), the different legal processes required to obtain the various data. However, the 2010 version merely says that the company “will provide records as required by law.” Facebook doesn’t explain why it changed its language from year to year. While the 2010 guide’s language may allow the company to be flexible in responding to requests under a complicated and outdated statute, it does so through a loss of transparency into how it handles these requests.