The Obama Administration is considering sending federal officers undercover on Facebook and other popular social networking sites. This effort raises a number of interesting questions, some legal, some not. For example, would the feds work with Facebook, or simply register, and silently patrol the social network looking for leads? If they went with the cooperative approach, just how much help could Facebook provide given its privacy policy and terms of use? Would it unlock the kingdom based upon an informal request, or would it require a subpoena or search warrant to comply? And, if the government decided to slip into the system without alerting Facebook, would it be required to follow Facebook's terms of use -- such as providing real names and contact information? What are the consequences if a person "tricks" someone into being their friend?
A confidential Department of Justice presentation obtained by the Electronic Frontier Foundation sheds some light on these issues, and also provides useful guidance in the crafting of privacy policies and terms of use by eCommerce companies, including those who provide social networks or online communities.
The presentation first shows that Facebook is "[o]ften cooperative with emergency requests." It is probably in the interest of most eCommerce companies to be cooperative in those situations, but it is likewise vital to ensure that your privacy policy makes clear the nature of such cooperation, and that you have some degree of internal controls in place to ensure that the emergency exception does not swallow the privacy rule. Vetting such requests with counsel can be an important protective measure to an appropriate balance of company interests.
In defending itself, Facebook explained: "We scrutinize every single law enforcement request; require a detailed description of why the request is being made; and if it is deemed appropriate, share only the minimum amount of information. We strive to respect the balance between law enforcement's need for information and the privacy rights of our users, and as a responsible company we adhere to the letter of the law." The presentation notes, in contrast, that Twitter only produces data "in response to legal process." Both approaches are sound.
The presentation also discusses the fact that supplying fake credentials (in violation of the terms of service) can result in civil and potentially criminal liability. CNET reports that at least one case has found no criminal liability from a breach of such terms of service, but the law, as CNET notes, remains unsettled. In the Drew case, the defendant allegedly created a deliberately false identity and pretended to be a sixteen-year old for the purpose of communicating with a minor, all "conscious violations" of the MySpace terms of service. In dismissing the criminal charges, the trial court concluded that the Computer Fraud and Abuse Act was unconstitutionally vague in connection with the argument that it criminalized intentional breaches of a website's terms of service. While it is helpful to know that the DOJ is mindful of the potential criminal implications of using false pretenses in connection with a social media account, the presentation also shows a degree of interest in such techniques that might be considered to be very disturbing by some.
Apart from whether fraudulent access to a community web site is a crime, the Drew case underscores the general importance of terms of service, and the additional degree of protection they can provide to users both in terms of criminal infiltration and unwarranted government intrusion. Clear terms that require accurate personal information in connection with all accounts help safeguard users from online predators and fraud, while also helping to ensure that law enforcement goes through appropriate channels (and not secretly) to obtain content from those sites. This is just another reminder to take those terms seriously and to treat them as more than simply boilerplate. As with privacy policies, periodic reviews are wise.