Within the context of social networking sites, lawful access powers clarify and often extend government authorities’ powers to compel social networking companies to assist authorities in monitoring subscribers. Many social networking companies already possess policies for what they will disclose to American authorities and the requirements for such disclosures.
In what follows we generally outline some of the practices that social networking companies adhere(d) to when disclosing subscriber data to law enforcement. Our discussion here is derived from publicly accessible law enforcement guides; for a specific breakdown of what we found in the handbooks - which is divided by company - we refer you to our analyses of these handbooks. For more on what could change - or how existing policies may not cohere with recently proposed lawful access legislation - we refer you to ‘What Lawful Access Could Change’.
As it stands now, none of the law enforcement handbooks of social networking services that we have examined includes warrantless disclosure of subscriber data to authorities save, perhaps, in the case of exigent circumstances. Moreover, prior to any disclosure of subscriber information, many of the social networking companies require that law enforcement officers serve requests on legal letterhead, with case numbers, office identification and follow-up contact information, and copies of judicial orders. Some companies will disclose subscriber or account information based on limited user information, such as just an IP address or full name of a subscriber, though the companies themselves question the efficacy of such demands. Specifically, they warn that while such basic identifiers are sometimes sufficient to disclose information about accounts of interest to authorities, they may not always be enough to retrieve the information sought by the police.
It should be noted that companies often require far more than an IP address or full name of a subscriber before revealing information to authorities. Specifically, these companies often require an account name to identify the subscriber whose information is sought, as well as a court order. Some companies recognize email addresses as helpful in locating specific user accounts whereas others, such as MySpace, are explicit in noting that authorities cannot ‘just’ provide email addresses, names, or nicknames of the person or persons of interest.
Most companies tend to divide the information that they can disclose about their subscribers into ‘classes’. They all tend to have a ‘basic subscriber information’ category, which can include the subscriber’s name, the length of their service, credit card or other accounting information, email addresses associated with the account, as well as recent log in and log out information that is captured in server logs. Given that the guidebooks we have received are designed primarily to address American authorities’ concerns, they also often identify the period(s) of time that metadata - such as IP logs, date/time of all log in and log out events, message headers, and “other information” that isn’t content - are retained. Finally, most handbooks state what can be disclosed to authorities when served with an order to release long-term content retained by the services: this can include all stored communications, geolocation information provided to the services, photos, comments on other subscribers’ uploads to the service, or private and non-deleted communications between subscribers.
Of the handbooks we had access to, only Facebook, LinkedIn, and Twitter commit to informing their subscribers that their data was accessed by authorities, though in the case of ‘gag’ orders the companies may be prevented from informing their customers. Such gag orders are often included as conditions of warrants or subpoenas.
Of note, we discovered that Blizzard Entertainment has created a data retention system that deletes messages within 180 days of their being sent between members of their various social services. As a result it may be technically able to access such ‘long-term’ communications under the United States’ Stored Communications Act. We also learned that Facebook’s process for delivering information to authorities runs at least 90 days, that the company discourages authorities from creating fake profiles, offers only English-language assistance, may be able to collect categories not listed in any of their guides upon request, and reserves the right to seek cost reimbursements when disclosing subscriber data. Yahoo!, similarly, has detailed costing information so that authorities will know precisely how much data will cost when requesting subscriber data from the company.