This article was originally published on eff.org on 24 October 2014.
Facebook scolded the Drug Enforcement Administration this week after learning that a narcotics agent had impersonated a user named Sondra Arquiett on the social network in order to communicate and gather intelligence on suspects. In a strongly worded letter to DEA head Michele Leonhart, Facebook's Chief Security Officer Joe Sullivan reiterated that the practice not only explicitly violated the site's terms of service, but also threatened Facebook's trust-based social ecosystem.
Facebook has long made clear that law enforcement authorities are subject to these policies. We regard the conduct to be a knowing and serious breach of Facebook's terms and policies, and the account created by the agent in the Arquiett matter has been disabled.
Accordingly, Facebook asks that the DEA immediately confirm that it has ceased all activities on Facebook that involve the impersonation of others or that otherwise violate our terms and policies.
So far, it is unclear whether the DEA has responded, although the US Department of Justice has independently launched an investigation into the practice. We commend Facebook for holding the agency accountable.
But we also think Facebook should go further in protecting users and the integrity of its services. The DEA isn't the only law enforcement agency creating fake profiles on Facebook, and fake profiles are not the only way that law enforcement agencies routinely violate the site's terms of service.
Sock Puppet Investigators
Facebook's “Statement of Rights and Responsibilities” requires users to provide their “real names and information” and warns users to “not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.” In other words, this is a ban on sock puppets: fake accounts that someone creates for deceptive purposes.
According to a lawsuit filed against the DEA, Arquiett was arrested in 2010 on drug charges. She allegedly agreed to allow an agent to search her phone. But the agent did much more than that, taking files from her phone—including suggestive photos of Arquiett as well as pictures of her children. The agent then used them to create a Facebook profile in her name. The agent accepted and made friend requests and engaged in conversations with other users.
While this may be the first time we have heard of the DEA impersonating an actual person, two separate independent studies show that creating fake profiles is commonplace in the law enforcement community.
In 2012, LexisNexis researchers surveyed more than 1,200 federal, state, and local law enforcement agencies, and almost 70 percent of agencies surveyed said they use social media to some extent in their investigations. Among those agencies, Facebook was by far the most popular social network site, with 91 percent using it for investigations and 27 percent using it on a daily basis. Alarmingly, the LexisNexis researchers concluded that police “have no concerns around the ethics of creating fake virtual identities as an investigative technique.” Approximately 83 percent reported they had no qualms about going undercover online.
LexisNexis even included an anonymous testimonial on how police were able to track a suspect's location through Facebook:
I was looking for a suspect related to drug charges for over a month. When I looked him up on FB, and requested him as a friend from a fictitious profile, he accepted. He kept “checking in” everywhere he went so I was able to track him down very easily.
A 2013 study [pdf] from the International Association of Chiefs of Police (IACP) mirrored the LexisNexis findings. Out of 500 predominantly municipal law enforcement agencies, more than 58 percent reported that they use fake profiles to gather information.
It's difficult to determine exhaustively which agencies have adopted this tactic, but some have publicly acknowledged the practice:
• Cincinnati Police Department admitted to CNN that it used undercover profiles for “targeted enforcements.”
• In a DOJ-funded report on social media tactics, IACP revealed that the New York City Police Department has created formal policies for creating alias accounts for use in investigations. (The policies are available on page 169 of this report.)
• The Georgia Bureau of Investigation similarly has a policy (page 157) allowing for aliases to be used in investigations.
• In its policy on the use of social media, the La Vista Police Department in Nebraska says, “Covert undercover operations on the Internet and Social Networking are an effective investigative technique in establishing admissible, credible evidence in support of a criminal prosecution against suspects.”
Yet most of these agencies explicitly agreed to abide by Facebook's terms of service when they created their own Facebook pages.
Creating fake profiles is only one way that law enforcement agencies are actively violating Facebook's terms of service.
Facebook's terms say that you must not share your password or “let anyone else access your account.” They further state, “you will not solicit login information or access an account belonging to someone else.” Yet law enforcement agencies are guilty of these activities, particularly when it comes to screening applicants for jobs. According to a recent article from the San Francisco Chronicle, “The standard practice in most California police departments is to require social-media passwords of job applicants, including those applying for dispatch and jail staff positions.” This past session, the California Legislature attempted to clarify the law to extend a prohibition on this practice in the private sector to public employees—including a provision explicitly prohibiting police agencies from soliciting passwords—but the bill failed to make it to the governor's desk.
Meanwhile, the FBI has been researching ways to data mine on Facebook, which would be a violation of the ToS, which says you will “not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.”
Law enforcement agencies have been potentially violating social media networks' terms of service with scraping and "covert accounts" for years (even as far back as when MySpace was the leading social network). We had to go to court to find this out, but Facebook has the power to force transparency without litigation.
What Should Facebook Do About This?
Under a White House directive (most recent version here), federal agencies are supposed to sign special, negotiated terms of service with social media providers where they would like to have a presence, including Facebook (example pdf here). Facebook also has special terms of services that are applicable only to state and local government agencies.
These agreements and special terms of services are opportunities for Facebook to demand more of law enforcement. If cops want to use Facebook for public purposes (and according to IACP, most agencies find it “very valuable” for community outreach, collecting tips and disseminating emergency information), then Facebook should make sure they know they must follow the same rules as everyone else.
We're asking Facebook to spell out, in no uncertain language, that the terms that apply to regular users apply to government agencies as well, including law enforcement. It should remind law enforcement that violating its terms of service—such as by creating fake profiles, using impersonation, requiring passwords from applicants and employees, and data mining—isn't OK.
But Facebook could, and should, go a step further to restore the public's trust in their system and require that any law enforcement agency that wants to use Facebook must first develop and publish departmental policies for social media, including their policies for using social media in investigations and in screening job applicants.
It's great that Facebook sent a letter to the DEA, but for the company to protect its users it needs to do more than simply react after the damage has been done.
Police in U.S. need to obey Facebook's rules by ending collection of user data