Facebook's law enforcement 'guidebook' leaked

Facebook's law enforcement 'guidebook' leaked

Summary: Facebook's "guidebook" on acting and reacting to law enforcement and governments has been leaked, and shows a first-hand view of how the world's largest social network dishes out users' data when it is required.


Facebook has long been both accused and condemned for it's "intelligence capabilities", as it houses more than 800 million users inside and outside the United States.

But leaked documents show how law enforcement and government agencies alike can access Facebook account data, including sensitive and personal data belonging to its 800 million user base.

(Source: Flickr, CC)

The series of documents were uploaded to the web, outlining how Facebook deals with law enforcement requests: the so-called "guidebook".

Though Wikileaks' founder Julian Assange once called Facebook "open to U.S. intelligence", from browsing through the documents it appears that the world's largest social network is somewhat cagey in how it responds.

A lot of the guidance in these leaked documents shows process and necessary authority in order to proceed with handing over data. Though Facebook could be seen as a 'goldmine' of intelligence, and certainly with nearly 1 in 7 of the world's population on the site, the social network does appear to have due process.

How it hands over data, and under what pressure, however, is unclear. A court order is a court order after all, and Facebook could spend millions in defying and challenging these in the courts should it wish. Twitter has already proven that it does to a greater or lesser extent, but Facebook is lacking transparency in this area.

It is thought that since 2008, federal judges have authorised at least 24 search warrants pertaining to individuals' Facebook accounts, including private messages, status updates and even rejected friend requests. Even such information as "Neoprint" and "Photoprint" data, terms that Facebook use to describe photo information of uploaded content data that even its users do not have access to, can be accessed by law enforcement officials.

Though many of the documents date back to May 2010, it is thought that these documents are out of date and set to be updated, according to one report.

Some of the differences per date are shown through a 2006 document that notes Facebook will not provide any user data without a "valid subpoena or warrant", whereas in 2010 it states that the social network requires a "valid subpoena or a legal document with equivalent authority issued through your local court system". This could include civil cases, along with criminal investigations, it is believed.

There are three kinds of requests law enforcement can make:

  • Preservation requests: which requests that data is preserved for legal reasons for 90 days, pending the service of formal legal process.
  • Formal legal requests: where a formal compulsory legal request is issued by law enforcement or government to provide records by law; though response times may vary depending on the warrant issued.
  • Emergency requests: where someone is at risk of harm or death, a specific emergency form must be submitted for Facebook to provide urgent assistance.

From these documents, not only will Facebook log a users IP address, the social networking giant will hold them for more than 30 days, as per law enforcement request.

As you can see, though IP logs are "limited" and often "incomplete", this data is still available to determine when posts or content was uploaded:

Some of the data that can be accessed is increasingly personal, such as the "Neoprint" of the users' profile, including: profile contact information, mini-feed data, status update history, shared content, notes, Wall postings, friend listings (including their Facebook ID's), group listings (as well as their Group ID's), future and past events and video listings.

Some content can be held for over 180 days, and Facebook is willing to hand over this data should a subpoena be presented. Though court orders will only display so much, a search warrant will grant law enforcement and government access to "remaining content" outside the "Basic Subscriber Information" access rights.

Interestingly, Facebook's policy on data retention appears to have changed since the 2006 documents, where the social network could not provide any data that was "already deleted by the user", which appears to contradict the findings by an Austrian user, who then later filed a list complaints to the Irish Data Commissioner after he requested his data.

Facebook also states that it works "internationally", and recognises international law enforcement, including the UK and European-based police units Europol and Interpol.

One of the most interesting parts of the documents shows that Facebook "reserves the right" to charge reasonable fees where necessary. Not only do freedom of information requests often require a certain fee, Facebook can charge fees to law enforcement and government outside its jurisdiction areas, such as where it does not have a direct presence.

Though Facebook could be criticised for being an open-book to law enforcement and governments, it does have a seemingly sensitive side. If users are at risk of "potential bodily harm" or subject to "death of a person", an emergency disclosure can be summoned in a bid to prevent harm to a person.

Microsoft has also had its law enforcement documents leaked before, which explained in detail how police and governments can access data pertaining to Windows Live and email records, should a user be breaking the law, or be in harm's way.


Topic: Social Enterprise

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Facebook's law enforcement 'guidebook' leaked

    Facebook should turn NOTHING over without a warrant signed by a judge. Suspicion is not enough for a warrant unless backed up by some evidence, as it should be.

    It's time that Facebook and other companies gave a big middle finger to the police and told them "Nothing without a warrant AND, unless you have the warrant sealed by a judge, we are going to inform the person in question that their data has been asked for!"
    • It does appear they have due process

      and in all honesty, they appear to have a policy. I wonder how many other sites that individuals deal with actually have a policy of any type in place.
      Tim Cook
    • RE: Facebook's law enforcement 'guidebook' leaked


      I hope you've noticed... Congress has been busy trying to pass laws that circumvent the very scenario you just outlined.

      If we don't speak and let Congress (along with the RIAA) have their way, Facebook, our ISPs, and other companies won't have a choice... they'll [i]have[/i] to hand over our data without question.
      • RE: Facebook's law enforcement 'guidebook' leaked


        Those laws wouldn't pass constitutional muster, and if you are talking about SOPA? Nearly everyone save the MPAA and RIAA who were for it are now speaking out against it.
    • RE: Facebook's law enforcement 'guidebook' leaked

      @Lerianis10 - Don't confuse "should" with real life; Facebook like every other corporation has to balance stockholder and government relations. If a company does not cooperate with the authorities, all sorts of bad things start happening, I know from personal experience. Legal fees are no joke, they can run into a lot of money. Once your CEO and General Counsel starts getting phone calls from an Assistant Attorney General asking why the company is protecting some killer/terrorist/child molester, the concept of user privacy generally goes out the window.

      And the fact is that Facebook is under no legal obligation to put up the mildest defense. As almost all TOS documents read, once you access somebody else's system and put data in it, they can do whatever they damn well wish with it, read the TOS for this site and it says the same thing.
      terry flores
  • RE: Facebook's law enforcement 'guidebook' leaked

    Good to know they at least have a policy, even if it's imperfect. Frankly, as I'm not (currently) on the run, I'm more concerned about their policy of selling individualized personal data to commercial companies.

    But then, I'm old fashioned like that :)
  • RE: Facebook's law enforcement 'guidebook' leaked

    I see where FB's figure is now ~800 million... I have to wonder how accurate that is?

    How many people's info has changed but not been updated on FB? How many created an account but grew bored with it after a few months or a year?

    I know FB and the media likes to tout the several hundred million user # as much as they can (and Wall Street certainly would love it), but I'd be really curious to see how much attrition has affected the almighty FB

    Maybe when FB goes public and has to answer to Wall St., they will have to cough up true figures... instead of saying how many people registered at some point in time... how many people are actively using it, how many people have logged in the last 90 days or 6 months, etc
    • RE: Facebook's law enforcement 'guidebook' leaked


      Good point. Personally, I made a Facebook account solely to get onto one website's commenting section (a site which now has shut down) and I just don't use it anymore.

      I put a STRONG password on it as well (20 character alpha-numeric-symbol) so I'm not really worried about it. Never had the intention to 'post all my private information' on that site, I'm kinda a private person, as you can tell by my using Ghostery on all my browsers, along with HTTPS Everywhere and NoScript.
  • RE: Facebook's law enforcement 'guidebook' leaked

    Google spies on far more people, yet Facebook seems to get more "credit" for their spying capabilities. If you put anything on Facebook, or anywhere on the web, you should count on it getting out sometime. Google is scanning your Gmails, profiling your searches, and putting scripts, like Google Analytics, on websites all over the world, all to spy on you surreptitiously.