This is not surveillance as we know it: the anatomy of Facebook messages
Modern communications surveillance policy is about gaining access to modern communications. The problem is that the discourse around communications policy today is almost the same as it was when it was simply a question of gaining access to telephone communications. "Police need access to social network activity just as they have access to phone calls" is the politician's line. We use Facebook as an example here, but most internet services will be similar in complexity and legality.
The reality is much more complicated, and modern communications surveillance policy hides far greater ambitions. Telcos usually have physical offices in the countries in which they operate and will comply with the law of the jurisdiction in responding to law enforcement requests. Social networking service providers tend to be based in just a few countries, despite having users all over the world, and are therefore not necessarily obliged to comply with domestic legal regimes.
This situation is persuading governments to be more ambitious in their policies: it is all very well drafting a policy 'compelling' Facebook to respond to law enforcement requests, but Facebook may not be legally obliged to comply. As a result, governments like the UK are planning to implement black boxes at our national telcos/internet providers in order to gain access to our Facebook sessions and identify our friends, networks and chat activity. When we try to explain to government officials that this is overly ambitious and may breach constitutional safeguards, they argue that it is no different from gaining access to logs held by telephone companies. But this is emphatically not the case, and here's why...
What is a Facebook message?
Considering Facebook the equivalent of a telephone company is fundamentally flawed, but that's what the British government's Draft Communications Data Bill does.
1. Facebook logs provide very different information
Firstly, when logging details of a phone call, the telephone company is not interested in the name of the owner of the receiving account, just the telephone number. When the police access our phone logs, all they have is a list of telephone numbers. However, when it comes to Facebook messages, if police were to access the logs of who we have been communicating with they would also be able to easily obtain our friends' names and profile photos at the very least - and possibly a great deal more. For example, if a police officer wanted details about Facebook user 611405130, he or she would simply have to go to https://facebook.com/profile.php?id=611405130 and view the publicly available information.
2. Ethical access to Facebook data would require perfect authorities
Traditional interception laws usually allow governments to gain access to information about where you have been surfing, i.e. which servers, but not the items you have been surfing for, i.e. which articles or blogs. For instance, in the UK the Regulation of Investigatory Powers Act (RIPA) states that police officers can find out that you have been to www.facebook.com without an interception warrant, but in order to get access to the data relating to anything after the 'first slash' in the URL, they need an interception warrant. So, if a police officer wanted to find out whether you'd visited http://www.thesun.co.uk/sol/homepage/news/politics/4371932/May-blast-for..., he or she could self-authorise access to the fact that you visited the website http://www.thesun.co.uk, but would require an interception warrant to find out which articles you read while you were there. Obtaining logs of interactions requires a lower standard of approval (self-authorised police access) than getting access to a web surfing session, which requires interception (and a ministerial warrant, or judicial warrant in most other countries). This line of separation was established after a great deal of bad-tempered discussion during the RIPA debates back in 2000.
body: content of the message
last_msg[subject]: Message Subject line
body: content of reply
last_msg[sender_fbid]: Your Facebook ID
last_msg[sender_name]: Your Name
last_msg[timestamp]: when you sent it
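An added example, not part of the original article: it applies the 'first slash' rule to a URL-encoded message form using the field names listed above. The request path and every value are constructed for illustration, and the split function is a hypothetical helper. It shows that the sender ID, sender name and timestamp exist only in the form body, which lies after the first slash.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request: the path and all values are invented.
# Only the field names are taken from the list in the article.
SAMPLE_URL = "https://www.facebook.com/placeholder/send"
SAMPLE_BODY = (
    "body=see+you+at+8"
    "&last_msg%5Bsubject%5D=Dinner"
    "&last_msg%5Bsender_fbid%5D=1000000001"
    "&last_msg%5Bsender_name%5D=Alice+Example"
    "&last_msg%5Btimestamp%5D=1340000000"
)

# Fields that say who sent a message and when, rather than what was said.
WHO_WHEN_FIELDS = {
    "last_msg[sender_fbid]",
    "last_msg[sender_name]",
    "last_msg[timestamp]",
}


def first_slash_split(url, form_body=""):
    """Split a request at the 'first slash'.

    `before` holds only the host name. `after` holds the path, the query
    string and the decoded form body, all of which follow the first slash.
    """
    parts = urlsplit(url)
    before = {"host": parts.hostname}
    after = {
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "form": dict(parse_qsl(form_body, keep_blank_values=True)),
    }
    return before, after


def who_when_inside_content(after):
    """Return the who/when fields that are only visible in the form body."""
    return {k: v for k, v in after["form"].items() if k in WHO_WHEN_FIELDS}


if __name__ == "__main__":
    before, after = first_slash_split(SAMPLE_URL, SAMPLE_BODY)
    print("before first slash:", before)
    print("after first slash :", after["path"], sorted(after["form"]))
    print("who/when fields   :", who_when_inside_content(after))
```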
With thanks to Tom Fishburne for the cartoon that accompanies this piece.
- 1. 'Questioning lawful access to traffic data', Alberto Escudero-Pascual and Ian Hosein, Communications of the ACM, Vol. 47 Issue 3, March 2004, Pages 77-82, http://dl.acm.org/citation.cfm?id=971619 and www.it46.se/docs/papers/acm-1905_prepub.pdf
- 2. On a technical level, this is a URL encoded form posted to the URL above; however, the number of fields changes dramatically depending on which links you press to send a message. Both of these were captured with LiveHTTPHeaders logging in Firefox
- 3. Q29 http://www.parliament.uk/documents/joint-committees/communications-data/...