Staying Logged In All The Time? Diversify for Privacy



Facebook leaked data all over internet--including non-users

Security researchers who revealed Facebook's shadow profiles vulnerability are claiming that Facebook leaked massive amounts of data, including private phone numbers and other personal data--despite what Facebook told its users.

Facebook had announced the fix of a bug that inadvertently exposed the private information of over six million Facebook users. In addition, Facebook apparently collected non-user phone numbers and email addresses and then matched the data to people. Here is the technical explanation of how data gets merged over several sets of databases, and unique links are discovered.

Knowing the information industry, I expect that this data will be for sale very shortly.

Subpoena to Google, Yahoo and others

As we field more calls on electronic discovery, recall that federal law prohibits electronic communication services from disclosing “contents of a communication” [18 USC § 2702], which most courts deem to be the text of the email or text message. Facebook, Myspace, Twitter and LinkedIn, as well as email providers such as Gmail, Yahoo and Hotmail, all fall into this category.

A criminal subpoena may get you even the content of messages (and we get this material either from the electronic communication service providers -- or from the prosecutor). However, in a civil case, you can subpoena only basic information such as the name of the user of the account and other identifiers.

A court in Connecticut also explored a new avenue: divorcing parties may be ordered to exchange Facebook and dating site logins and passwords.

Subpoenas and court orders to Facebook

We continue to get questions on what records can be obtained by subpoena or court order to Facebook. Generally, only a criminal case subpoena or court order will result in Facebook complying. In that case, we have seen all kinds of data turned over: photos, wall posts, photos uploaded to a page, lists of Facebook friends. Perhaps most intriguing and helpful is login and IP address data--which can be linked to physical addresses in some other private databases that we (and most PIs) subscribe to.

Note that while these subpoenas are most often sent by law enforcement, a defendant is entitled to the same data (just not in expedited fashion like an ongoing investigation might require).

According to Facebook’s Law Enforcement and Third-Party Matters (not easily found on the site, in Facebook’s typical sloppy manner): “Federal law prohibits Facebook from disclosing user content (such as messages, timeline posts, photos, etc.) in response to a civil subpoena. Specifically, the Stored Communications Act, 18 U.S.C. § 2701 et seq., prohibits Facebook from disclosing the contents of an account to any non-governmental entity pursuant to a subpoena or court order.”