
When the cops subpoena your Facebook information, here's what FB sends the cops - tilt
http://blog.thephoenix.com/blogs/phlog/archive/2012/04/06/when-police-subpoena-your-facebook-information-heres-what-facebook-sends-cops.aspx
======
haberman
I recently served on a jury for a violent crime, and as a juror being able to
see evidence like cell phone records and closed circuit video was incredibly
valuable. Cases that would have otherwise been a matter of "he said, she said"
can have corroborating evidence that makes it much easier to be convinced
beyond a reasonable doubt. I wondered how prosecutors managed to convict at
all before these kinds of electronic records were available.

I'm not downplaying privacy concerns, but when you can see thing from the
other side too it's easier to see it as a set of trade-offs that need
weighing. It's not a black and white issue.

EDIT: Also remember that evidence can help the falsely accused just as easily
as it can help victims of crime. Phone records can give a person an alibi that
would otherwise have been very difficult to prove.

~~~
revelation
Yes, think of all the things we can do with street CCTV surveillance. Or with
cameras matching license plate numbers on the street. Or with a secret service
allowed to act within our borders and against american citizen.

The point of laws is not to make things harder for the police, it is to
protect all of us from the government.

~~~
nextparadigms
Think about how much fewer wives would be beaten if the Government had a
camera in everyone's bedroom, or how much money we'd save on taxes if law
enforcement could do anything they wanted without a warrant.

Yes it's sarcasm, but I don't think the law enforcement agencies see it like
that. They actually want that, and they've said before that having to get a
warrant makes it "hard" for them - even though 90% of the warrants they ask
for are approved.

Lately all of them are pushing for more invasion of privacy, because they
don't see it like that. They see it as "making our job easier" - without any
regard for the abuses that could lead to or for history of Government
oppression, or if the people actually want that. After all, surely they know
"best" what needs to be done to protect the population.

~~~
tptacek
There is no law enforcement agency in the country that wants cameras in
everyone's bedroom.

~~~
andybak
And the Missing the Point award goes to...

------
xxbondsxx
It's incredibly ironic that The Phoenix censored out identifying information
of Markoff's friends, but left all the event / profile ID's in the browsing
history section. You can easily go back to a 3 year old event:

<http://www.facebook.com/events/46300108330>

And view who attended, or view the profile he viewed on February 18th 2009:

<http://www.facebook.com/profile.php?id=16104623>

Kind of creepy to say the least. I'm surprised they made such a huge mistake.
Knowing which profiles he stalked before committing his crime is even more
sensitive than just friendship connections in my opinion.

~~~
sliverstorm
They acknowledged it wouldn't be perfect redaction, and isn't the whole un-
redacted thing publicly available now anyway?

------
alanh
Here’s a PDF version I created: [http://dl.dropbox.com/u/105727/fb-subpoena-
db/fb-subpoena.pd...](http://dl.dropbox.com/u/105727/fb-subpoena-db/fb-
subpoena.pdf)

Or view as a web page with JPEGs: <http://dl.dropbox.com/u/105727/fb-subpoena-
db/index.html>

(What is more absurd than releasing information like this in SWF format and
only SWF format…?)

------
ChuckMcM
It makes one wonder how many people will create a fictional facebook
'experience' which is to say spend time building up an alternate identity in
various social sites so that in the event they are charged with a heinous
crime they can confuse the jury and make it seem 'out of character.'

Surveillance works best when it isn't scripted.

~~~
trotsky
That kind of thing definitely goes on in the intelligence community

~~~
pvarangot
One of the leaked HBGary e-mails is about developing a tool to automate it,
including completely fake subgraphs.

[http://www.boingboing.net/2011/02/18/hbgarys-high-
volume.htm...](http://www.boingboing.net/2011/02/18/hbgarys-high-volume.html)
[http://www.dailykos.com/story/2011/02/16/945768/-UPDATED-
The...](http://www.dailykos.com/story/2011/02/16/945768/-UPDATED-The-HB-Gary-
Email-That-Should-Concern-Us-All)

------
phillmv
I skimmed the document. Nothing terribly damning, or that you wouldn't suspect
that FB would hand over.

No, the part that creeps me out is when they start being able to hand over my
political preferences and ideological bents and how likely I am to consume
drugs based solely on how I am friends with.

"Your honor, members of the jury, the evidence is clear: based on phillmv's
social graph, he's 83% likely to be a stark raving socialist capable of
committing precisely this sort of crime. As we all know, Facebook cannot lie!"

~~~
drostie
Well, there is one thing "terribly damning," and that's the "Deleted Wall
Posts" bit.

This was also discovered when someone in Europe requested all of the data that
Facebook has on him: that stuff which he had deleted had never _actually_ been
deleted, but was instead stored with a flag "deleted=True" which was checked
by the database queries.

In principle, at least for short time scales, this is not a bad idea -- you
should try to make most or all of your database manipulations reversible, just
in case someone steals someone else's account (or other similar abuses). But
for long time scales, you would really expect that it would eventually get
purged -- and as far as anybody knows, it never is.

~~~
Xuzz
You can't purge backups: if the servers were allowed to go in and remotely
modify the off-site backups to purge deleted data, then an intruder could do
the same thing for all data. So you can't permanently delete data in the
backups. When subpoenaed, Facebook would have to go back through the backups
and find the user-deleted data anyway: they still have it under their control.
So there's really no difference in marking a "deleted" flag or purging the
data from the production servers: they are not (and should not, and arguably
cannot be) able to the data from backups.

This is true for all web services. I'm not even getting into about the support
and user anger cost by permanently deleting user data. But it's clear to see
that this — while an intuitive idea — is not practically possible for most web
services.

~~~
drostie
I would agree that there are privacy concerns whenever you back up user data.
It's something of an interesting question because users could also be held
responsible for creating their own backups, especially if you made it
extremely easy for them to do. It's something like when my VPS failed. The
code that I was running on my VPS I routinely backed up, but the database --
while I serialized it to disk -- wasn't ever transferred to my local computer
because I didn't think it was important. When the VPS failed, the whole
database was gone. The point is, I can't be angry at them for not backing it
up, because that wasn't a term of the service they were providing me. A
similar mental model could probably work for database-driven sites, at least
for the databases storing user content -- your code should of course always be
under a mirrored version control. ^_^;;

------
Foy
Don't forget about Max Schrems from Austria. He got Facebook to send him on
their data on him (at least most of it)

I couldn't find the original news article I read when it first came out but
here seems to be a good summary of what he found out:
<http://www.youtube.com/watch?v=kJvAUqs3Ofg>

While this may not be identical to what cops would receive from a subpoena
request, it shows at least part of what Facebook knows about you.

------
runn1ng
Huh. That's funny.

One would think what special secret information facebook has on its users -
where they are, what do they click to over the site, what sites do they visit
even outside the FB site, but nope, it's just that - the data people wrote to
the system themselves, voluntarily. Maybe with their public IP, sometimes.

Maybe I am skipping something, but there is nothing one wouldn't reasonably
believe Facebook has on you and would give to the police.

edit: oh. I did miss the browsing history section.

...yeah. That is kind of creepy.

~~~
epoxyhockey
One should note that this request was satisfied in 2009. That leaves 3 years
of extra _innovation_ that you don't know about.

~~~
runn1ng
Very true. All the "likes" and the united Messages are both younger.

------
draebek
Did anyone else notice the 172.23.8.44 "login IP" on the third page? What does
it mean that the login IP is a non-routeable address? Is that some kind of IP
in use inside FB's network?

~~~
parimm
Is it possible that a client behind a NAT logged into facebook and facebook
recorded the clients local IP address?

------
jstalin
That's the last straw. I haven't done anything with my Facebook page in a
while, but now I'm just going to delete it.

~~~
hvass
What exactly surprised you?

~~~
itg
While most people on hn probably know about this, you would be surprised at
what the general public would think about this story. I hope it gets spread
further in the media so more people know exactly what fb(and other social
networking sites) keeps tabs on and what info they give out to law
enforcement.

~~~
crusso
Do you think it will matter? That Farmville thing ain't gonna play itself.

------
soulclap
Where are the private messages though? Did Facebook hold them back? Should be
the most interesting (and well, most private) bits. (Sorry, I am in a bit of a
hurry right now and only had a quick look at the article and the provided
document.)

And a bit off-topic, but related: does anyone know if Twitter actually deletes
direct messages or are they just not visible on the website any more?

~~~
jfoster
Yeah, PMs and comments seem to be missing. Probably a whole lot of other
stuff, too.

------
tacogordito
Am i correct in seeing (page 54) that Facebook logs every single mouse click
you make within facebook? That's pretty intense.

~~~
smsm42
Why not? Most companies do - since most webservers are configured to log every
request by default. Of course, with facebook volumes they probably don't use
"default" solutions for anything - but logging every click is a norm for most
sites.

------
vectorpush
It's conceivable that law enforcement could legally obtain _any_ information
that is stored on any disk, even the disk inside your local machine.

------
justhw
I am 3 seconds away from deleting my account, but before I do that I would
like to know if fb actually deletes my account and everything I've generated
on there. I have a feeling that they just insert a "deleted=True" in the
database. In that case I don't want to delete my account, because I'm merely
giving up my right to log in.

So, do they completely remove my account information, or do they just mark me
deleted?

~~~
a3_nm
The information probably still exists somewhere. The best you can do is
probably to stop using your account.

------
sneak
What about extrajudicial requests like NSLs? I bet they get far more of those.

------
rabidsnail
Has anyone tried the last session cookie in the access log? It's probably been
invalidated, but then again...

------
avallark
If you are frantically looking around for a link to "DELETE" your facebook
account, here it is :

[https://www.facebook.com/help/contact.php?show_form=delete_a...](https://www.facebook.com/help/contact.php?show_form=delete_account)

I did this just a month ago.

------
MichaelGG
Interesting that things like photo tagging is stored in a changing timezone
(some are PDT (UTC-7), some are PST(UTC-8)), whereas for the access logs, they
state that everything is PST.

Why would they be storing/using time in a timezone anyways?

------
TazeTSchnitzel
Resembles the contents of the zip file you get if you click the button on
Facebook to download your entire personal data (yes, it exists. It generates
huge HTML pages of all your messages, wall posts, photos etc)

------
ghshephard
Not visible on an iPad. Rare you run into a newspaper that ignores that part
of their audience.

------
loverobots
Wow, so our dear friends and FB save even our deleted posts?? What the...

