The agencies named in the lawsuit were the Department of Defense, the Department of Homeland Security, the Justice Department, the Treasury Department, the CIA and the Office of the Director of National Intelligence.
The EFF this week obtained documents from two of those agencies -- the IRS and the Justice Department -- that show how the government is collecting information from social networking sites, as it has been suspected of doing for some time, said Shane Witnov, a law student and spokesman for the lawsuit at the Samuelson Law, Technology and Public Policy Clinic. "The documents tell us clearly that the government is using social networking sites for undercover investigations," Witnov said.
In the case of the IRS, formal policies appear to be in place governing the manner in which agents can use social networking sites to investigate taxpayers, Witnov said. Guidelines contained in a 2009 IRS training course show that the agency clearly forbids agents from using deception and fake social networking accounts to ferret out information.
Agents are also limited to only accessing and using publicly available information from social networking sites. "We were actually quite impressed that they had formal training in place and that these were the rules they had established," Witnov said.
The 38-page IRS training document posted on the EFF Web site provides detailed tips to agents on how to conduct searches, locate relevant taxpayer information, narrow down and refine results, and save multiple Web pages using Adobe's Web capture feature. Among the social media applications mentioned are Google Groups, FaceBook, Twitter, MySpace, YouTube and Second Life.
The IRS document provides an example of how information gathered from a social networking site could be useful in a tax investigation. In the example, a revenue officer discovers that a taxpayer he is investigating maintains a social networking site to advertise his services as a comedian. The officer discovers that the individual maintains a video clip on his social network site where he lists his schedule of past and future performances. That information could be useful in determining amounts paid to the taxpayer for his performances and where those payments were deposited, the document noted.
"Future performance sites are potential levy sources and show where the taxpayer will be for possible summons if returns and financial information are needed," the document said.
Meanwhile, the documents obtained from the criminal division of the Justice Department show that law enforcement agents there use social media sites for undercover operations, Witnov said.
A DOJ slide presentation titled "Obtaining and Using Evidence from Social Networking Sites" from the department's Computer Crime and Intellectual Property section describes how evidence from social networking sites can reveal personal communications that might help "establish motives and personal relationships." The slide show also mentions how content posted by a user on a social media site could provide location information and "prove and disprove alibis."
The presentation also mentions the responsiveness of some social media sites such as Facebook to law enforcement requests for data. It also notes that most Twitter content is public while private Twitter messages are stored on Twitter's servers until a user deletes them. The "bad news" for law enforcement, however, is that there is no contact information for Twitter users, such as phone numbers, making the site less valuable for gathering information. The DOJ documents also say that Twitter only retains the last log-in IP address and does not preserve data unless legally required to do so.
The DOJ presentation also says that going undercover on social media sites can allow law enforcement to communicate with suspects and targets, gain access to nonpublic information and map social relationships.
The goal in getting the government to disclose its policies related to such practices is to foster a dialogue on the appropriate use of social networking sites in criminal investigations, Witnov said.
"There is a balance between privacy and protecting ourselves from crime," that needs to be achieved, he said. There are instances where the seriousness of a crime might override privacy rights. But there need to be guidelines on when and how information from social networking sites can be collected, he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld . |