This story was written by Keith Dawson for the International Data Group's ITWorld publication. Copyright 2010 by ITworld, 492 Old Connecticut Path, Framingham, Mass. 01701. Reprinted by permission of ITworld. All rights reserved.

The Intimate Social Graph

2010-10-14

How private are the most private communications you do on social networking sites?

For a number of years I have had a privacy concern that is just now beginning to peep into view on the Internet at large. Around 2001 I spent some time in a casual multiuser game hosted by PopCap. It featured a way that two players could chat in a private space while playing the game. The game was centrally hosted: each user’s local Java applet talked with a PopCap server, so every keystroke typed in those private conversations was sent up to the server and back out to the other party’s client. I wondered at the time: were those conversations being stored? How about the metadata describing which players talked privately with which others, and how often? If so, then from what I observed, the resulting log files could have kept an army of divorce lawyers gainfully employed for years to come.

Fast-forward to 2010. Facebook, Twitter, LinkedIn, and MySpace each sit on a rapidly expanding treasure-trove of data about the users who frequent their services. Aspects of this data have value to different audiences. Knowledge of users’ interests, likes, and enthusiasms clearly is coveted for targeting advertising. Knowledge of the users’ “social graphs” — who connects to whom and in what manner of relationship — may be of interest to social science researchers, and occasionally to law enforcement. But what of the “intimate social graph?” All these services allow users to communicate privately with one another. The social networking services store not only the graph metadata (who communicates with whom and when), but also the content of these private communications. What happens when government agents — or divorce lawyers — come calling?

Of course the privacy of social networking data is dependent on security. If malicious hackers manage to break into a Facebook database of private messages, all bets are off. If your own PC gets infected by a keylogging Trojan and your Twitter username and password are compromised, it’s game over for you, in terms of any private data stored on the service.

This article is not about the stupid things people post voluntarily and publicly on Facebook or Twitter that later get them into trouble — for example, in divorce proceedings. We’ve been reading about such incidents for years. A 2010 survey of the American Academy of Matrimonial Lawyers found that 81 percent of US divorce attorneys have seen an increase in the number of cases using social networking evidence during the past five years. “Facebook is the primary source of this type of evidence according to 66% of the AAML respondents, while MySpace follows with 15%, Twitter at 5%, and other choices [such as email and computer hard drives] listed by 14%.” In many of these cases, perhaps depending on the user’s privacy settings, no subpoena would be needed if the opposing parties posted damning statements to their Facebook wall or their public Twitter stream.

Users of Facebook and LinkedIn can choose which information appears on their public pages for all the world to see. In the more private space of their Facebook wall postings and LinkedIn updates, only the user’s chosen friends or contacts (and perhaps their friends) have access. Twitter has no separate public page; anyone can scrutinize everything a user has said publicly (even though the user, when posting, probably had in mind only his or her followers).

The services’ private, one-to-one communication includes Facebook messages, LinkedIn InMail, and Twitter direct messages. (Facebook also has a rudimentary instant messaging client built in.) In Facebook, users can see each threaded conversation they have participated in. LinkedIn’s InMail looks and feels exactly like an internal email system. In Twitter, logged-in users, or the apps they employ, can see a list of all of their DMs sent and received (the API may impose some limits on the quantity of past messages available). In fact, one developer has recently raised some concern over Twitter’s coarse-grained API behavior, which he claims pushes Twitter application developers to request read-write access to users’ tweet streams — thus granting themselves the ability to see all of their users’ direct messages.

The privacy of these communications is protected mainly under a law — ECPA, the Electronic Communications Privacy Act — dating from 1986 and crafted for then-existing email (think CompuServe and Prodigy) and emerging cellular networks. This law is an increasingly poor fit for modern and emerging communication modalities. Email stored on servers is treated differently depending on whether or not the user has read a particular message; and messages older than 6 months in storage enjoy different protection than newer messages. In attempting to apply the ECPA to social networking media, courts have interpreted users’ privacy rights in a variety of ways. What the ECPA basically says, subject to a great deal of interpretation and wiggle room, is that private communications can be disclosed upon presentation of a search warrant in a criminal case, but not of a subpoena in a civil action. Many exceptions have been carved out in court cases over the years.

For example, in a recent civil case in California, a federal judge ruled that a plaintiff’s private Facebook and MySpace data must remain private. In a very different civil case, a New York judge said that a plaintiff’s Facebook and MySpace data must be opened up to discovery by opposing attorneys.

In California, artist Buckley Crispin sued a clothing company, Christian Audigier, claiming that they had used his designs in ways beyond those outlined in their contract. Audigier requested all of Crispin’s communications about his work with the company from Facebook, MySpace, and others; Crispin objected on privacy grounds. A magistrate judge ordered the records turned over, but upon appeal federal judge Margaret Morrow applied the 1986 law (PDF) to determine that the communications stored on Facebook and MySpace were analogous to stored emails — and thus, under the ECPA, don’t have to be turned over to opposing counsel in a civil lawsuit. The fact that Crispin’s Facebook wall settings, and their equivalents in MySpace, limited the public’s view of his postings mattered in this case: those settings established the privacy wall that Judge Morrow ruled could not be breached in civil litigation.

In the New York case, in which a county judge reached the opposite conclusion, the facts had a very different tenor: the publicly visible information on social networking sites suggested that things might not have been exactly as one of the parties had claimed. A woman working at Stony Brook University fell off an allegedly defective chair and sustained “serious, permanent personal injuries.” Kathleen Romano claimed that she needed multiple surgeries for back injuries and that she had been mostly bedridden at home since the accident. Lawyers for Steelcase, the maker of the chair in question, found that Romano’s public Facebook photo showed her smiling and standing in front of her house; and there were public indications that she had taken a trip to Florida. They wanted access to her private Facebook data — apparently private messages as well as wall posts — but Facebook opposed the move (MySpace did not take a position). Acting Justice Jeffrey Arlen Spinner wrote that it was “reasonable to infer from the limited postings on Plaintiff’s public Facebook and MySpace profile pages, that her private pages may contain materials and information that are relevant to her claims or that may lead to the disclosure of admissible evidence.”

A Forbes blog post on these two cases perhaps slightly overstated their less than definitive joint outcome this way: “In California, your privacy settings matter on Facebook/MySpace, and in New York, they don’t.”

Work is now underway in the Congress to update the ECPA for the present century. A good summary of the current state of the law and what it could become was given in testimony by law professor Fred H. Cate (PDF) before the House Judiciary Committee. Both the ACLU and the group Digital Due Process have published bullet points on what a revised law should ideally look like.

One shortcoming of the ECPA is that it does not require email, search engine, cloud computing, or social networking sites to report how many requests for private data they get from authorities. Whatever the number, it almost certainly dwarfs the number of real-time online intercepts (wiretap, pen register, and trap and trace orders), for which statistics must be kept. LinkedIn did not respond by press time to an inquiry on how many such requests they field, and how they react to them. A spokesman from the Twitter Trust & Safety department responded: “Per our Privacy Policy, Twitter does not release user information except as required by proper legal process.”

A leaked staff memo from the Senate Judiciary Committee indicates that Republicans on the committee plan to oppose any effort to update the ECPA. In this political climate anything could happen — or, far more likely, nothing will — but for now the privacy of the intimate social graph rests on the vagaries of localized judicial interpretations of a creaky 24-year-old law.