This is not surveillance as we know it: the anatomy of Facebook messages

News & Analysis
This is not surveillance as we know it: the anatomy of Facebook messages

Modern communications surveillance policy is about gaining access to modern communications. The problem is that the discourse around communications policy today is almost the same as it was when it was simply a question of gaining access to telephone communications. "Police need access to social network activity just as they have access to phone calls" is the politician's line. We use Facebook as an example here, but most internet services will be similar in complexity and legality.

The reality is much more complicated, and modern communications surveillance policy hides far greater ambitions. Telcos usually have physical offices in the countries in which they operate and will comply with the law of the jurisidiction in responding to law enforcement requests. Social networking service providers tend to be based in just a few countires, despite having users all over the world, and are not therefore necessarily obliged to comply with domestic legal regimes.

This situation is persuading governments to be more ambitious in their policies: it is all very well drafting a policy 'compelling' Facebook to respond to law enforcement requests, but Facebook may not be legally obliged to comply. As a result, governments like the UK are planning to implement black boxes at our national telcos/internet providers in order to gain access to our Facebook sessions and identify our friends, networks and chat activity. When we try to explain to government officials that this is overly ambitious and may breach constitutional safeguards, they argue that it is no different from gaining access to logs held by telephone companies. But this is emphatically not the case, and here's why...

What is a Facebook message?

Considering Facebook the equivalent of a telephone company is fundamentally flawed, but that's what the British government's Draft Communications Data Bill does. 

1. Facebook logs provide very different information

Firstly, when logging details of a phone call, the telephone company is not interested in the name of the owner of the receiving account, just the telephone number. When the police access our phone logs, all they have is a list of telephone numbers. However, when it comes to Facebook messages,  if police were to access the logs of who we have been communicating with they would also be able to easily obtain our friends' names and profile photos at the very least - and possibly a great deal more. For example, if a police officer wanted details about Facebook user 611405130, he or she would simply have to go to https://facebook.com/profile.php?id=611405130 and view the publicly available information.

2.  Ethical access to Facebook data would require perfect authorities

Traditional interception laws usually allow governments to gain access to information about where you have been surfing, i.e. which servers, but not the items you have been surfing for, i.e. which articles or blogs. For instance, in the UK the Regulation of Investigatory Powers Act (RIPA) states that police officers can find out that you have been to www.facebook.com without an interception warrant, but in order to get access to the data relating to anything after the 'first slash' in the URL, they need an interception warrant. So, if a police officer wanted to find out whether you'd visited http://www.thesun.co.uk/sol/homepage/news/politics/4371932/May-blast-for..., he or she could self-authorise access to the fact that you visited the website http://www.thesun.co.uk, but would require an interception warrant to find out which articles you read while you were there. Obtaining logs of interactions requires a lower standard of approval (self-authorised police access) than getting access to a web surfing session, which requires interception (and a ministerial warrant, or judicial warrant in most other countries). This line of separation was established after a great deal of bad-tempered discussion during the RIPA debates back in 2000.

To "maintain capability" (one of the Home Office's favourite phrases), the government feels it needs the ability to grab a lot more information without having to formally ask for it. Not only do they want to go beyond the 'first slash' without having to apply for an interception warrant, they want black boxes that will sit at ISPs and record all the data sent between your devices and the servers of your favourite social networking service. As ever, you need to look at the details of the technology to see what is going on, and why it is significant.1When you hit send on a Facebook message, the below is what is actually sent to the Facebook servers - if governments like the UK want access to this information, they'll have to get our ISPs to intercept all internet streams to Facebook from the UK (and this, traditionally at least, is illegal). Facebook's servers see the below and send a variant of it to the recipient's browser, which also displays the profile photo, name, etc. The website address that all Facebook messages seem to be sent to is:
 
        https://www.facebook.com/ajax/messaging/send.php 
 
One version of sending a Facebook message sometimes looks like this (we've scrambled some of the numeric identifiers): 2
 
Form data:
 
        body=content of the message
        action=send
        recipients[0]=347071695348056
        force_sms=true
        __user=611405130
        __a=1
        fb_dtsg=AQA73Zry
        phstamp=168341234561987193134
 
Sometimes it's more complicated:
 
        tids[0]:id.228960123445000
        mid:id.345001234550661
        last_msg[subject]: Message Subject line
        last_msg[body]:body 
        last_msg[timestamp]:1342609696665
        last_msg[mid]:id.340012345500000
        last_msg[tid]:id.220123455400000
        last_msg[sender_fbid]:347071695348056
        last_msg[offline_threading_id]:
        last_msg[sender]:yourFacebookEmailAddress@facebook.com
        last_msg[sender_name]:Your Name
        last_msg[tags]:source:titan:web,inbox
        last_msg[source]:source:titan:web:
        last_msg[forward]:0
        last_msg[replyActionType]:0
        last_msg[coordinates]:
        last_msg[action_id]:1300123690123001230
        mode:2
        gigaboxx_reply:
        body: content of reply
        action:send
        send_on_enter:false
        __user:347071695348056
        __a:1
        fb_dtsg:00000-W4
        phstamp:1600000000000000000764
 
There are several other possible formats. In this much more complex example, it's worth noting that nowhere in that message is the ID of the recipient. That's contained in a previous message. As a result, the black boxes at ISPs would have to read across our various interactions with the Facebook servers in order to identify who we are communicating with, thus requiring deep intrusion into other communications.
 
What the UK government seems to be saying is that they only want the ability to save these fields:
 
        last_msg[sender_fbid]: Your Facebook ID
        last_msg[sender]:      you@Facebook.Com
        last_msg[sender_name]: Your Name
        last_msg[timestamp]:   when you sent it
        __user:347071695348056
 
or, in the simpler format:
 
        recipients[0]=347071695348056
        __user=611405130
        phstamp=168342837491987193134 
 
They promise to do this without even glancing at any of the other fields in the message (which are interleaved, so the government would have to deeply inspect the request and read it all to build a structure in order to extract the bit of the message they actually want to store) because to do so, under even the new interpretation of the law, would be illegal without an interception warrant.
 
Our point is that it is not possible for the system to build the desired structure without the ability to access all of the fields within the communication. For the British government to find out who a Facebook message is intended for, they will need to closely monitor the individual's communications streams in order to see what information a user is looking for, and then see what they do next. They will need to keep this information speculatively until the user logs out of Facebook or sends a message, i.e. possibly for seconds, possibly for minutes, or possibly for days.
 
Fundamentally, the whole of the request to the Facebook page must be read, at which point the type of message is known, and only then can the technology pretend it didn't see the earlier parts. Whether this information is kept is often dismissed as "technical detail", but in fact it is the fundamental point.
 
This example gives us some idea of how widely the government would need to cast its net if it was to identify types of  content with the level of accuracy that Charles Farr, the Home Office Director of the Office for Security and Counter-Terrorism, claimed was possible in his testimony3
 

With thanks to Tom Fishburne for the cartoon that accompanies this piece.