Schneier on Security
A blog covering security and security technology.
January 4, 2013
What Facebook Gives the Police
This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public.
EDITED TO ADD (1/4): Commenters point out that this case is four years old, and that Facebook claims to have revised its policies since then.
Posted on January 4, 2013 at 7:48 AM
I notice what is conspicuous in its absence: all the tracking done by the Like button...
Any other service located in the USA is the same.
They hand this information over to brutal dictatorships too, so the Bahraini police can round up dissidents more easily, like when they did mass arrests of doctors after the last uprising.
Not quite sure what distinction you're making on the subpoena vs warrant thing. Isn't the subpoena the correct form of a court order to compel a third party to testify?
I also note that the original letter is specific in what they ask for. It's quite possible Facebook has more data than this. About 90% of this is displayed publicly on Facebook already.
@Pierce Wetter: At least in the USA, subpoenas can be issued by certain law-enforcement units without judicial oversight. Some of these are described as "investigative subpoenas", and they're easier to get than warrants.
This is from early in 2012, so things may have changed. Something that frustrated me at the time of this release is that the Boston paper here made the damn thing available via Scribd in such a way that we can't work with it or download it. If anyone gets a copy of the redacted PDF, I would like a copy to cite to (credit would still go to the Boston paper in some form).
There are a handful of contacts that were not redacted, the ones related to prosecutors.
Pages 2 and 3 are in reverse order; page 4 can be found just before Facebook's answer.
@Nicholas Weaver "I notice what is conspicuous in its absence: all the tracking done by the Like button..."
Yeah, but as Pierce Wetter recalls it, the original letter did ask for "IP logs". Notice that these IPs are prefixed by
"[snip]plog for RT2991, TABLE=rt2991_16105103_0120_0421, UID=16105103, IP=all, COOKIE=all, start=2009-01-20, end=2009-04-21"
and suffixed by
"225 rows selected."
@Joe Hall "in such a way that we can't work with it"
Open the URL starting with http://www.scribd.com/embeds/88465177/content?... in a tab, then replace "embeds" with "doc" in that URL; you will be able to download all images by scrolling slowly to the end, then saving the page with attachment (menu File; worked with Firefox on Linux). You will get 71 .jpg files; it is then easy to make a PDF file from these.
typo: "page with attachment" should have been "complete web page".
To reorder the pages and produce the .pdf, I used this Linux command line:
convert 1-*.jpg 3-*.jpg 2-*.jpg 4-*.jpg 8-*.jpg 5-*.jpg 6-*.jpg 7-*.jpg 9-*.jpg ??-*.jpg content.pdf
I work for the Policy Communications Team at Facebook and I wanted to point out that the case was from almost 4 years ago.
As set forth in our Law Enforcement Guidelines (http://on.fb.me/LEGuidelines), we require law enforcement authorities to obtain a search warrant from a judge to compel the disclosure of the contents of a user's Facebook account. Our response three years ago to an official request in the Markoff homicide investigation reflects the level of disclosure required by the law that was later ruled unconstitutional, and we have amended our procedures accordingly.
Here's a quick summary of what's included:
- Profile info: Full name, DOB, e-mails, screen names, relationship status
- Recent IP addresses
- Recent URLs visited
- Recent wall posts, by the subject or anyone else
- Exhaustive friends list
- Deleted friends
- Lots of recent photos in which they are tagged, not just photos from their own profile. Includes photo description, who uploaded the photo, and when it was uploaded.
Notice the fax they received as the warrant/subpoena. Anybody can cook that up in Photoshop, spoof-fax it in and get all your information. Most companies never phone, and if they do, it's to your fake number on the fax.
This is how Chinese agents get into any account they want, or shady social engineers like Cosmo.
It's also fascinating to see how respectfully the Boston Police Department treated the corporate confidentiality markings emblazoned on the report by Facebook's Law Enforcement support team. It should make all companies more circumspect in their dealings with BPD.
So it's been a few years since this happened... do you think that today the wording of a request/subpoena/warrant and the subsequent disclosure has changed since then?
I'm sure Facebook has much, much more data on a given user (at least in 2012); they would have to in order to make the targeted ads... right? And forgive my ignorance (I'm trying to become better informed), but doesn't Facebook have information about every site visited for a user, so long as A, that site has a Facebook "Like" button or iframe, and B, that user is logged in/has a cookie present?
Maybe I'm giving them too much credit, but if the above is possible, wouldn't Facebook have a huge amount of data on Joe User? Could Law Enforcement get access to this data, and to what degree? Would they be able to see what Facebook/Google's algorithms say the suspect is likely to be interested in buying?
Sorry if this came out jumbled, but after looking at the above link, I am surprised that even in 2009 there wasn't more data on Facebook's servers about the suspect, or if so why law enforcement wasn't including it in their warrants/subpoenas (legal limits, perhaps). Maybe they already had the rest of the data from *other* sources?
I love how the 2nd iframe includes "secret_password" in the Scribd URL. Nice.
Yes, I noticed the IP-based logs. But those are access logs for Facebook itself if you look at the URLs. The Like button, particularly through the referrer field, gives information about the sites that the user visits that aren't on Facebook.
(Google+ is the same way).
Warrant-less subpoenas are a powerful tool for both law enforcement and criminals. Just like any tool, the result and efficiency depend on who is wielding it and for what purpose.
In the case of using FB data to perform surveillance on the population: it is legal but sometimes immoral. As a pragmatist I must concede that collecting massive amounts of data about people will not stop. We are legally obliged to report salary, address, marital status, sale of deed, credit cards and many other personal details to the government even though we have not been accused, indicted or convicted of any crime.
On top of this we and our social groups self-report through social networking sites that are compelled to (by law) reveal this information.
We then add the FCC regulated cellular communication, that tracks data, voice, texts, geo-location and locally stored information.
Complaining about it is not going to help. Legislating against it is not effective, because if it can be done, it will be done either by the law-enforcement, commerce or criminals.
All of this brings me to my point: (sorry about being long winded)
I propose a social network site that is encrypted by the user.
You click on a link to a web page that is gibberish, enter the page password and the computer translates the gibberish to words, links, pictures and so on.
The social network owner can get IP access information, username and access password to the system, but the information is secret from them. A legal action will just dump massive amounts of useless symbols with very little secondary data.
Encryption and translation is done completely on the user's computer.
One reason my /etc/hosts file has lines like
0.0.0.0 facebook.com www.facebook.com
etc. I can't tell you how many times per day that I see "Firefox can't establish a connection to the server at www.facebook.com"
By the way, I have dozens of those lines in my /etc/hosts file.
Thanks for an official FB response. Can you clarify something that has been bugging many people for a while?
When someone 'deletes' a post or message or photo, how long does it take the deletion routine to completely remove the said item from all backups?
The insidious nature and behavior of on-line "behavioral profiling", or what I call spying, is very problematic. I am a researcher with my own small company (two people) where we work on new development in the area of electronics and systems of systems. We are trying to be competitive with the big boys...that includes GE, Microsoft, Siemens, Hitachi, Mitsubishi, Northrop Grumman, and the like (just to name a few). Because of this "profiling" we are at a severe risk in using the Internet to do just about anything. Our on-line research activities run the risk of exposing our isolated development systems at many levels. Even making purchases for lab equipment and software runs us afoul when considering there is enough information revealed in our purchases to give someone an idea of what we are doing. Even with multiple sourcing, different payment methods, and a host of other methods to dilute our "on-line signature", we estimate the risk to our development process as high.
This brings me to my two concerns:
1. Given the above, how do we remain competitive with the high level of activity we must employ as a small business to maintain a suitable assurance of integrity and propriety?
2. With the economic conditions as they are, doesn't this put us at a competitive disadvantage with respect to others...either nationally or internationally?
I used to work for a company that was involved with citation databases for academic medical and industrial organisations.
As you will appreciate, knowing what an organisation has searched for gives an incredibly strong indicator as to what they will be researching next, and the refinement of the searches as they study the papers the initial search brought up just about nails it cold.
Most people who have had to use patent search engines are also aware of this as well.
The usual way to deal with this is by noise and diversity. That is make lots of searches in a way that hides the real search and use as many unrelated search engines as possible so that no one organisation sees the whole search and what they do see is hidden in noise.
Unfortunately modern algorithms will strip the signal from the noise, and in most cases there are not enough database search organisations to use diversity.
But worse for you, you are looking at online purchases, so you cannot generate noise as this would involve considerable expense, and secondly you remove another diversity aspect by actually making a traceable purchase and delivery.
As to your questions the second one is perhaps the easiest to answer,
With the economic conditions as they are doesn't this put us at a competitive disadvantage with respect to others
Potentially yes, but only if they are looking for you or you chose for whatever reason to stand out in some way.
That is as an organisation prior to your first product going to market you were just one of thousands of such organisations setup each year.
And unless you chose to be visible there was nothing very much that indicated your organisation existed, let alone indicated that it might be of commercial interest.
However there are unfortunately reasons why you might choose to be visible and make noise and indicate your organisation's presence by contacting journalists or other news organisations. One such is raising investment from venture capitalists or less predatory external investors. Another is to recruit the right people.
So the real issue is recognising what lifts your organisation above the general noise floor, or trips a filter to make your organisation "known" and working out how to best mitigate the downside that occurs from such activities.
There is of course a downside to this: firstly the mitigation process can be costly, it slows development and, perhaps worse, may attract the wrong sort of attention. This is because some of this covert mitigating behavior is very like that of criminal organisations involved in producing illegal items such as counterfeit goods and banned substances...
It also makes it difficult to raise external funding because the mitigation strategy looks like exactly what it is, "a process to hide something", only it's likely that any potential investor is going to assume what you are hiding is some kind of fraud, not protecting IP.
One way to mitigate such issues is the way the film industry and some other industries work, which is to have separate companies for each project. That is, the main persistent companies for holding and investment / leasing, and a new company for each project. Depending on your jurisdiction there may even be tax advantages to doing this as well. Further, it also makes "spinning off" projects to other organisations considerably easier as clear dividing lines exist from day one. However, since the likes of Enron this multiple-company approach can raise other red flags.
Which comes back to your first question,
How do we remain competitive with the high level of activity we must employ as a small business to maintain a suitable assurance of integrity and propriety
One traditionally touted way is to remain "fleet of foot", that is, get a product from initial conception to market before the larger and slower organisations can.
However for those that have tried this method it's very high stress and really does not provide a commensurate competitive edge these days for the majority of products.
It also only really works for a small organisation of just a handful of people that integrate well as a team and have common goals. That is, small organisations where each member of the team is also a major shareholder and thus has a substantial interest in making the organisation work, which is a working definition of many start-up companies.
I'm guessing you've gone beyond the start up stage and have regular non shareholding employees at all levels of the company, and in particular some senior positions.
One way to make an organisation less visible is to exploit some of the advantages of virtual companies.
Many virtual companies have a very tiny if non-existent geographical footprint, and as such a low overhead. Basically they are comprised of out-of-office workers who work from home, or on the road or in coffee shops etc. They look like a single organisation simply because they share an identity which is enabled by technology, so have a common phone number, snail mail address, email address, corporate credit cards etc.
What you want to do is have employees that work at home from their own non-organisational phone, internet connection, email, credit card etc. That way, when they do online searches and purchases from home using their personal identities, not their organisational identities, there is no direct tie back to the organisation visible from the sites they have searched and have purchased from. There are obviously some difficulties involved, but the use of pre-paid credit cards etc. can do much to alleviate these issues.
One thing I have seen used in the past is to rent computer space in various co-location providers and VoIP connectivity from various providers; it was used by organisations to appear to have many branch offices etc. with local dial numbers. The organisation concerned was for servicing domestic appliances for an insurance company, and the service personnel had "company vans" although they were in effect self-employed.
I even helped a small manufacturing organisation use a similar system to give them "world wide" offices with local freephone numbers going into a VoIP back end back to their sales force in their home country (a bit like "Indian Call Centers" but in reverse).
Surprisingly, you can rent shared computer space where you can log in and then use it as a relay for your internet searches for just a few USD a month; in effect you set up your own private network that has some of the advantages of a Tor network.
And within reason you can use a variety of commercial or non-commercial anonymous networks for doing searches.
There are also quite a few commercial organisations that provide "meeting places" and other "office services" for people running small companies that will do "signed for deliveries" and mail forwarding for you; whilst these services are somewhat more expensive they are not exorbitant.
The important thing to remember is that whatever you decide to do, you must take the required steps to show that it's not being used for fraud should any official come knocking. That is, you need to keep good and honest records of all activities and carry out active auditing etc. to stop staff etc. misusing the system.
Ironic that 3.2k people read that post and "Liked" it on Facebook.
One reason my /etc/hosts file has lines like
0.0.0.0 facebook.com www.facebook.com
Check out http://someonewhocares.org/hosts/ for a well-maintained hosts file of other internet nasties.
As for Facebook (and most other social networks), the question remains why anyone in his/her right mind would want his/her every online move tracked, stored and data-mined by corporations and governments of any kind. Is anyone on this blog actually on Facebook?
In Facebook, the Beacon project allegedly collected logs on people not logged in.
If this also applies to people who don't have a Facebook account, explicitly refuse to have anything to do with Facebook and are actually blocking any and all reference to it (browser plugins, hosts file etc.), then I would call that a serious violation of privacy.
Facebook and a host of other Internet giants that include ISPs, NAPs, software and hardware companies, telcos, as well as professional and social groups/organizations have been using semantics and double talk to continue their ride down the "privacy pirating" highway (formerly known as the Information Super Highway).
Facebook's fbconnect code is a good example. It walks around things like cookie blocking and NoScript, and employs GUID-like ETags on a large number of sites Internet-wide. It even gets around image tag blocking by encoding the tracking images in the XML components of the page source. That means that even if you modify your hosts file or do not load images (except for clients like Lynx), you are being tracked.
You don't have to be a member of any social site to be caught up in this Orwellian nightmare that the Internet has become. If you use a search engine, purchase products on-line, use Windows Live or Windows 8, then you have already been assimilated...and you have no way of knowing what data is held and by whom or how long it will live. Welcome to "Big Data."
I use a half a dozen different browser clients, from Lynx to Chrome. What really concerns me is some of the software vendors are starting to aid the pirates. And I won't even discuss how ISP's use trapwire or HP's FBI code.
It's the sense that there is no restriction on intrusion if you're using a computational device. This whole thing makes CALEA look like a childish game. The Internet, at least the way I knew it, is dead. Finally, the most abhorrent result of this activity is the complete dismantling of the 4th, 5th, and 6th amendments to the constitution and a widening pressure on the first amendment.
name.withheld.for.obvious.reasons, could you share links on this ? Searching for fbconnect yields a lot of stuff that's seemingly unrelated :/
I can suggest that you do a google search that returns results that point to shopping.com. Even better, look for results that include the aforementioned site and includes shadowshopping.com. I scraped the code from their site (Lynx is a powerful tool that doesn't convolve the original source--most browsers process the http stream prior to rendering) and it is completely obvious what is going on.
Myself, I would use transforms to extract obfuscated code, making the job of discerning the method and purpose more difficult. And no, I am not suggesting that the privacy pirates need to do a better job. I'm just surprised to see what a crappy job they do--actually they shouldn't have a job.
@name.withheld.for.obvious.reasons : I don't think they're trying to hide what they're doing.
Quite the contrary: if you think with a more business-like mindset, the code must be simple, clear and easy to use so they can get the widest adoption possible; they're trying to minimize the cost of implementation.
Unfortunately, they don't need to hide. NO ONE CARES, for many plausible values of "everyone".
But I have heard from a very well placed source --and there is no reason to doubt it because it is most likely what is happening-- that even when *the man* requests data, it leaves a LOT of trails.
Think about it: a sysadmin will most likely not be the contact point for 'the man' -- the legal department might. So from the Legal to CIO to Ops, a few people might know although they keep it hush hush.
So Big Data will cut both ways.
I noticed that many entries in the Facebook response posted were redacted. I am very curious if the redactions were done by Facebook, by the police or by whoever published the article.
I would feel slightly better if Facebook had done the redacting, but I've always been an optimist.
Whoops, I just read the first few pages of the profile. It seems that neither Facebook nor the Police redacted any of the information. The Phoenix, arguably the best newspaper in Boston, did the redacting themselves. Good for them, shame on Facebook and the Police. Someone could probably make a lot of money if they could set up a social networking site in Tuvalu or some remote location that offered true privacy to users. I'm not holding my breath.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.