Here’s How Easy It Is for Cops to Get Your Facebook Data
Police can access everything from “pokes” to private Messenger data — and increasingly do
In mid-September of 2019, Violet, a friend of mine, was jolted awake by a sound every activist dreads: the police door knock. She hoped they would just go away, but the pounding spread across the house. “One of the officers started whacking my roommates’ air conditioning unit with a broom handle,” she recalled.
When she opened the door, Rhode Island State Police officers told her she was under arrest and transported her to the police barracks in Lincoln, Rhode Island for interrogation. She was ultimately charged with disorderly conduct for allegedly throwing fluids on a white supremacist during the alt-right’s “Resist Marxism” rally in Providence about a year before.
Little did she know, the police had been watching her for weeks prior to the arrest. This was revealed during the court’s discovery process, when the government turned over a file one might expect for a serial killer, not a protester: Hundreds of photos they claimed showed her at the demonstration, drone footage of the protest, call logs, at least one day of home surveillance that documented her and her roommates’ license plates and bumper stickers, and conversations between police and anonymous informants.
The discovery process also revealed a search warrant police sent to Facebook’s Law Enforcement Response Team (LERT), an obscure unit within Facebook that handles law enforcement requests for Facebook and Instagram data.
Without Violet’s consent or knowledge, several weeks prior to her arrest, Facebook had handed over her private Messenger content, GPS location data, billing records, associated cell phones, and friend requests.
Violet said the scope of the surveillance put her in “a total state of paranoia.”
More than 10,000 people have been arrested during the recent Black Lives Matter revolt, and those organizing, marching, or otherwise attending the demonstrations could be similarly subject to such levels of surveillance.
Although this sort of collaboration between Facebook and law enforcement is not common knowledge, the practice isn’t rare in the United States. Over the last five years, U.S. government requests for Facebook data have more than tripled. In 2015, American police requested data from 56,620 separate accounts; 80,443 in 2016; 105,905 in 2017; 134,150 in 2018; and 164,782 in 2019. (Facebook provided law enforcement with data in 88% of cases in 2019, a 9% increase from 2013.)
By contrast, Canadian law enforcement requested data from just 4,901 accounts last year, and the practice is uncommon in Europe.
In most cases, law enforcement sends Facebook a search warrant or a government-issued subpoena for data. But Facebook policy also allows for “emergency requests,” where the tech giant will voluntarily hand over data outside of the legal process when police claim a case involves death or “potential bodily harm.” Increasingly, law enforcement has taken advantage. In 2019, the government made 6,447 such “emergency requests,” compared to 6,000 in 2018 and 3,672 in 2017. Police submitted “preservation requests,” which operate outside of the legal process and preserve user data for 90 days, for more than 110,000 accounts in 2019.
It is relatively easy for law enforcement to make such requests. A lawyer seeking to exonerate a client using Facebook data must physically serve a subpoena to Facebook’s offices. Yet LERT, a unit which includes some former police officers, like its director, Scott Swantner, a retired secret service special agent and cybercrime investigator, offers law enforcement an online portal that makes requesting data online simple.
Through this portal, according to a Sacramento Sheriff’s guide to Facebook’s Law Enforcement Portal published in 2016, Facebook can hand over every bit of data, including users’ photo metadata (such as IP address and location information), advertisements clicked, applications added, deleted friends, facial recognition data, posts liked, searches made, deleted content, and even silly data, like “pokes.”
Since Facebook is oftentimes barred from informing users of law enforcement data requests because of the Stored Communications Act, a 1986 law that addresses disclosure of electronic communications, the full scope of activist targeting is impossible to know. And police departments aren’t transparent about the practice. NYPD, for example, denied several OneZero public records requests that sought Facebook surveillance-related documents pertaining to several local activists, saying that if the records exist, disclosing them “would reveal non-routine criminal investigative techniques or procedures.”
But activists have been targeted by such requests in several cases. In April 2017, University of Puerto Rico students went on a school-wide strike to protest the slashing of public services across the island. Dozens stormed and shut down a closed board meeting at the university to protest these policies. Two weeks later, in response, the island’s Department of Justice arrested and charged seven students with rioting, burglary, violating the right to assemble, aggravated restriction of freedom, and violence or intimidation against a public authority.
Following an investigation conducted by a House of Representatives member in the Puerto Rican Independence Party, a student media outlet that had recorded and live-streamed the demonstrations discovered that the island’s government had sent secretive, sweeping search warrants for its Facebook user data, seeking interactions over the course of the 72-hour period and information about the journalists who managed the pages.
Roberto J. Nava Alsina, the former president of the media outlet Pulso Estudiantil UPR, learned that his data was among those targeted. Facebook handed over 1,500 pages of private messages, a “friend” list, and photos with their meta-data to law enforcement. Alsina told OneZero he “wasn’t surprised at all” that the government went to such lengths to surveil activists and the outlets but said he would have fought the warrant had Facebook alerted him.
In 2017, law enforcement similarly requested Facebook data from several individuals who administered the ‘DisruptJ20,” Facebook page, a group that organized protests during Donald Trump’s inauguration, and from several individuals arrested during one of the demonstrations. That same year, police obtained a search warrant to surveil the Facebook page of a group protesting the Dakota Access Pipeline after they blocked Interstate 5 in Washington State for more than an hour.
Jerome Greco, supervising attorney of the Digital Forensics Unit at Legal Aid in New York City, told OneZero that in his experience, unjustified and overbroad electronic surveillance warrants are common.
“I can’t say for all judges and all situations, but for the most part I think it’s clear that most judges are signing away,” he said. “Judges are reluctant or don’t care enough to dig deep into whats going on and a number of them aren’t very knowledgable about the tech world, so they are concerned about asking too many questions and looking stupid or they rely on the officers or the detective or the DA, or whoever it may be, to explain to them.”
And, in some jurisdictions, police officers and detectives can shop around for lenient judges. “If a judge becomes known as someone who is quick to question you or is reluctant to sign something….all the sudden that judge gets a lot less requests for it,” Greco says.
Overbroad warrants can lead to privacy breaches for those not related to the alleged criminal conduct. Violet’s friend “Bee,” who wishes to remain anonymous fearing retaliation, conversed with Violet in a group chat that was handed over to the police. Bee told OneZero that she felt “betrayed and violated” when she found out the police had access to her conversations. Like Alsina, they said they would have fought against the privacy invasion if given the opportunity to do so.
The potential for privacy violations chills dissenting speech, Greco and other privacy advocates say. People who are dissatisfied with the state may be less willing to speak out, if they know the contents of their entire social media profile could be handed over to the government.
Violet decided the privacy breaches weren’t worth the risk, and deleted her account.
Despite the sweeping surveillance, nearly two years and many court appearances later, her case was dismissed with 20 hours of community service.
She hopes for some kind of alternative to Facebook. But she still recognizes the platform’s current value for activists, especially in the digital age of the pandemic. “I’m not sure it [the solution] is as simple as saying activists shouldn’t use Facebook,” she said. “I don’t think we can afford to narrow the scope of our outreach at this time. That’s unfortunately a really shitty trade-off.”
“We just need to be smarter and we need to be stronger,” she said. “There’s no simple answer to use it or not use it.”
Greco’s advice is to assume that anything put in the electronic sphere could be accessed by the government. “The most important thing for people is knowing what the choice actually is and being properly informed, then they can make that decision themselves.”