Feds consider going undercover on social networks

Confidential Justice Department presentation on social-networking sites says undercover work can help agents "communicate with suspects" and "gain access to nonpublic info." IRS is more wary.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
4 min read

The next friend request you receive might come from the FBI.

The Obama administration has considered sending federal police undercover on social-networking sites, including Facebook, MySpace, and Twitter.

A confidential U.S. Department of Justice presentation (PDF) on social-networking sites made public Tuesday said online undercover work can help agents "communicate with suspects," "gain access to nonpublic info," and "map social relationships."

Federal police agencies organized under the Justice Department include the FBI, the U.S. Marshals, the Drug Enforcement Administration, and the Bureau of Alcohol, Tobacco, Firearms, and Explosives.

The 33-page presentation noted that Twitter has a "stated policy of producing data only in response to legal process," while saying Facebook is "often cooperative with emergency requests."

By contrast, an IRS document about social-networking sites was more cautious about Internet undercover work. It says agents are allowed to conduct Internet searches for taxpayers and review information from public Web sites--but that they are not allowed to "misrepresent your identify (sic) or obtain information from a Web site using a fictitious identity to register."

That advice appears to apply to routine investigations. In some cases, as CNET reported in late 2008, Congress has authorized undercover IRS agents to run businesses for an extended sting operation, to open their own personal bank accounts with U.S. tax dollars, and so on.

For years, FBI agents have gone undercover on the Web for child porn sting operations. One technique that the bureau has used involves logging in to a discussion forum, posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

One possible hurdle that the lawyers at the Justice Department noted in their presentation, which was given by John Lynch and Jenny Ellickson, both attorneys in the department's Computer Crime and Intellectual Property Section, is the possibility of violating a Web site's terms of service, if an agent lies about his identity.

This is called prosecutors being too clever by half: in the Lori Drew case, the Justice Department claimed (PDF) that violating MySpace terms of service was a criminal offense.

The problem today? Many Web sites require that subscribers use their real name. Facebook's terms of service require users to agree not to "create an account for anyone other than yourself without permission." At Twitter, "impersonation is against the terms of service." Even some newspapers such as the Los Angeles Times say "using a name other than your own legal name in association with the submission of user content is prohibited."

A federal judge eventually ruled (PDF) that a strict interpretation of criminal law would be unreasonable, but it remains an unsettled legal question.

"The good example set by the IRS is in stark contrast to the U.S. Marshals and the Bureau of Alcohol, Tobacco, Firearms and Explosives," wrote Marcia Hofmann, an attorney at the Electronic Frontier Foundation, which obtained the documents through the Freedom of Information Act and released them this week. "Neither organization found any documents on social-networking sites in response to EFF's request, suggesting they do not have any written policies or restrictions upon the use of these Web sites."

Update 4:45 p.m. PDT: Andrew Noyes, a spokesman for Facebook, sent me this statement: "Facebook regularly works with law enforcement agencies when they are investigating criminal activity. We have developed materials to help officials understand Facebook and the proper ways to request information from Facebook to aid investigations. We scrutinize every single law enforcement request; require a detailed description of why the request is being made; and if it is deemed appropriate, share only the minimum amount of information. We strive to respect the balance between law enforcement's need for information and the privacy rights of our users, and as a responsible company we adhere to the letter of the law." It doesn't quite answer what I asked, which was: "How many law enforcement requests do you folks receive a year, and for what types of stored data do you require a search warrant? Also, under what circumstances do you disclose user data without a valid subpoena or search warrant?"

Update 4:48 p.m.: I should have mentioned this story I wrote last month, which quoted a survey of law enforcement officers as saying: "MySpace give (sic) me the quickest response and they have been very pro-police." And there's the delightful case of State v. Athan, in which the Washington State Supreme Court ruled that it was acceptable for police to send a suspect a fake letter to obtain a DNA profile from the saliva on the return envelope.