Recent news has made it abundantly clear that the government uses the Internet and social networking sites as tools for investigation. But what’s not clear, and what the government has been reluctant to reveal, is how this information has been collected and utilized. To get answers, EFF, with help from Berkeley Law’s Samuelson Clinic, made a series of Freedom of Information Act (FOIA) requests asking various law enforcement agencies to disclose documents detailing their use of social networking sites in their investigations. When the government refused to comply with these requests, we went to court to compel them to respond. The latest disclosures from this litigation reveal just some of the ways the government is obtaining and using information from the Internet.
In addition to using this information for law enforcement investigations, the government has been considering using it for all background checks in security clearances. The ODNI has released this study [PDF] from 2008 on the potential of Internet searches in government security clearances. With just a name, address, date of birth, and social security number, government-hired Internet investigators were able to find “noteworthy” search results for as many as 53% of the 349 study participants. “Noteworthy” information included the proclivity to put personal information online, but also included so-called “questionable” material such as disclosure of “underage drinking, profanity, extreme religious and/or political views on public forums.”
Social networking sites like MySpace were also included in the background investigations. And while investigators limited themselves to searching only “public” information on these sites, they still found even more damaging (termed “adverse”) results. These “adverse” results included overly descriptive posting of personal or work information as well as references to or pictures depicting illegal drug use. The study found that approximately 48% of those investigated had at least two or more pieces of “adverse” or “noteworthy” information accessible online and that the highest percentages of those having adverse information on the Internet were in the 18 to 24 year old age group.
The disclosures also show the government’s increasing interest in documenting or “mapping” social networks. The ODNI study explicitly mentions the value of obtaining further information about individuals from interviews of “friends” and business associates, and a presentation [PDF] released by DEA presents one example where a “fugitive on the run” was located by finding a video after examining social networking websites for the profile of either the fugitive or his associates. The DEA presentation also notes the use of online tools such as MySpace Visualizer and YouTube Visualizer, which can visually chart the associations between users of these services.
The DEA presentation also appears to condone the use of security exploits to collect information, including MySpace Private Picture Viewer, a website tool that was once able to access private information on MySpace and arguably violated MySpace’s Terms of Service. While the DEA presentation does not directly address the legality or ethics of using security exploits or violating terms of use for investigatory purposes, it certainly raises questions about the limits and appropriate oversight of these techniques. (Interestingly, a recently released memorandum [PDF] by the Justice Management Division of the Department of Justice cautioned against Justice Department use of social networking sites for fear of binding the agency to terms of service. It is unclear how the agency would reconcile this concern with the approach of the DEA, which is part of the Department of Justice.)
Security exploits were not the only covert practice endorsed in the government’s disclosures. For example, the DEA presentation cryptically mentions the ability to potentially “recover ‘private’ content only shared among those chosen by the page owner.” Another document, the FBI Intelligence Information Report Handbook [PDF], mentions using “covert accounts” to access protected information. And a document describing Secret Service procedures [PDF] for monitoring electronic communications includes recommendations on how to avoid leaving “electronic footprints” by utilizing “stand-alone” computers with “anonymous accounts from an ISP” during surveillance.