Wednesday, December 2, 2009

Data collection and retention policies of social networking sites

The Electronic Frontier Foundation (EFF), working with the Samuelson Law, Technology, and Public Policy Clinic at the University of California, Berkeley, School of Law (Samuelson Clinic), filed suit today against a half-dozen US government agencies for refusing to disclose their policies for using social networking sites for investigations, data-collection, and surveillance.

Recent news reports have publicized the government's use of social networking data as evidence in various investigations, and Congress is currently considering several pieces of legislation that may increase protections for consumers who use social-networking websites and other online tools. In response, the Samuelson Clinic made over a dozen Freedom of Information Act (FOIA) requests on behalf of EFF to the Central Intelligence Agency, the Department of Justice, the Department of Homeland Security, and other agencies, asking for information about how the government collects and uses this sensitive information.When several agencies did not respond to the FOIA requests, the Samuelson Clinic filed suit on behalf of EFF. The lawsuit demands immediate processing and release of all records concerning policies for the use of social networking sites in government investigations.

Interesting related reads:
* Myspace Law Enforcement Guide.

Because MySpace functions as both an “electronic communications” and “remote computing” service as defined under ECPA (Electronic Communications Privacy Act, 18 U.S.C. § 2701), ECPA mandates that MySpace disclose certain user information only in response to specific types of government process, including subpoenas, court orders, and search warrants.Generally speaking, ECPA permits the disclosure of basic user identity, log-in information, and stored files (photos, videos, blogs) in response to a subpoena, but requires a court order under § 2703(d) to disclose additional user records, or search warrant to authorize disclosure of private user messages. The rules may differ also depending on whether law enforcement seeks stored, historical information, or to capture information prospectively. For example, if law enforcement seeks ongoing information about a user’s IP address each time they log-in to their account, the law would require a pen register/trap and trace order.

MySpace permits users to exchange private mail messages with other MySpace members. These communications are sent from and held for users on MySpace servers. ECPA generally restricts disclosure of private user communications less than 180 days old except in response to a search warrant. 18 U.S.C. § 2703(a).

Under 18 U.S.C. §§ 2702(b)(8) and 2702(c)(4), MySpace is permitted to disclose information, including user identity, log-in, private messages and other information voluntarily to a federal, state, or local governmental entity when MySpace believes in good faith that an emergency involving danger of death or serious physical injury to any person requires such disclosure without delay.

Data retention
The basic identity information entered by a user in creating a profile, as well as data (blog entries, user profile information, etc.) and images contained in an account are maintained as long as the user has not removed or edited the content from the profile. Once a change is made by the user, the previously existing information is overwritten.

Private inbox messages -- Private messages are retained until the user removes them (MySpace cannot recover deleted messages).

Private sent messages -- 14 days

User identity and date in the user profile is generally available for up to ten days after account deletion. Other stored files, such as photos, may be lost at the time of account deletion.

No mail (inbox or sent mail) is available for deleted accounts.

MySpace will honor requests by law enforcement to preserve information in accordance with 18 U.S.C. § 2703(f). In response to such requests, MySpace will preserve the specific information identified in the request for 90 days, and for an additional 90 days if the law enforcement entity requests the original period be extended.


* Old Facebook Subpoena/Search Warrant Guidance. Less detailed than myspace.

Types of information available

The User Neoprint, which includes
• Profile Contact Information
• Mini-Feed
• Status Update History
• Shares
• Notes
• Gifts, Public and Private
• Wall Postings
• Messages
• Friend Listing, with Friends Facebook ID’s
• Groups Listing, with Facebook Group ID’s

All user contact information input by the user and not subsequently deleted by the user is available, regardless of whether it is visible in their profile. This information may include the following:
Name
Birthdate
Contact email addresses
Address
City
State
Zip
Phone
Cell
Work phone
Screen name (Usually for AOL Messenger / iChat)
Website

If a profile is changed or updated, deleted content is not retained, and cannot be produced. Any messages or wall postings deleted by the user are not retained and cannot be produced.

Where a group is known, we will provide a list of users currently registered in a group.

No comments:

Post a Comment