
Feds snoop on social-network accounts without warrants

Justice Department report shows real-time surveillance targeting social networks and e-mail providers jumped 80 percent from 2010 to 2011. The ACLU says current law doesn't protect Americans' privacy.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Under Attorney General Eric Holder, one form of real-time Internet surveillance used by the Justice Department increased 80 percent in one year. U.S. Department of Justice

Federal police are increasingly gaining real-time access to Americans' social-network accounts -- such as Facebook, Google+, and Twitter -- without obtaining search warrants, newly released documents show.

The numbers are dramatic: live interception requests made by the U.S. Department of Justice to social-networking sites and e-mail providers jumped 80 percent from 2010 to 2011.

Documents the ACLU released today show police are using a 1986 law intended to tell police what phone numbers were dialed for far more invasive surveillance: monitoring of whom specific social-network users communicate with, what Internet addresses they're connecting from, and perhaps even "likes" and "+1"'s.

The Justice Department conducted 1,661 live intercepts on social networks and e-mail providers in 2011 (PDF), up from only 922 a year earlier (PDF), the reports show.

The ACLU hopes the disclosure of the documents it sued to obtain under the Freedom of Information Act will persuade Congress to tighten the requirements for police to intercept "noncontent" data -- a broad category that excludes e-mail messages and direct messages. The current legal standard "allows the government to use these powerful surveillance tools with very little oversight in place to safeguard Americans' privacy," says Catherine Crump, an ACLU staff attorney.

It might work. On Tuesday, Rep. Zoe Lofgren, D-Calif., introduced a bill that would require police to get warrants to access Americans' e-mail and track their cell phones. Last week, however, senators delayed a vote on a similar bill after law enforcement groups objected.

The Justice Department did not immediately respond to questions from CNET about social-network surveillance. We'll update this story if we receive a response.

It's not clear how many of those 1,661 real-time intercepts last year -- which do require a judge's approval -- targeted social networks, and how many were aimed at e-mail providers. Traditional phone intercepts remain far more frequent: the U.S. Marshals Service, for instance, says 409 of its noncontent intercepts (PDF) were for Internet companies, while 14,568 were for telephone call data. (The largest number of them fell into the fugitive-finding category, including parole or probation violations.)

To perform noncontent intercepts on social networks, police must generally seek court authorization for a pen register or trap and trace order, both of which are terms borrowed from decades-old surveillance law. They were originally designed to allow law enforcement to easily collect the phone numbers associated with incoming and outgoing calls, and were extended to the Internet by the Patriot Act over a decade ago.

But the Patriot Act didn't make it any more difficult for law enforcement to ask for such an order. Police must merely claim their request is "relevant" to an ongoing investigation. (A search warrant, by contrast, requires probable cause, and a live wiretap order is even more privacy-protective.)

What's also unclear is what kind of real-time data police are seeking from social networks through these orders. It's clear they can obtain the current Internet Protocol address of a Facebook user, for instance, and the port number (which, as CNET reported in May, is increasingly important). But it's less clear whether a "+1" or information about a user's circle of friends would be permitted.

The wording of that section of the Patriot Act is more broad than narrow. It says police can demand all "routing" or "addressing" information that's transmitted through an Internet service or that's "likely to identify the source of a wire or electronic communication."

"This is a very invasive surveillance technology," says Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project. "We don't have a feel for how broadly it's being used."