Federal police are increasingly gaining real-time access to Americans' social-network accounts -- such as Facebook, Google+, and Twitter -- without obtaining search warrants, newly released documents show.
The numbers are dramatic: live interception requests made by the U.S. Department of Justice to social-networking sites and e-mail providers jumped 80 percent from 2010 to 2011.
Documents the ACLU released today show police are using a 1986 law intended to tell police what phone numbers were dialed for far more invasive surveillance: monitoring of whom specific social-network users communicate with, what Internet addresses they're connecting from, and perhaps even "likes" and "+1"'s.
The ACLU hopes the disclosure of the documents it sued to obtain under the Freedom of Information Act will persuade Congress to tighten the requirements for police to intercept "noncontent" data -- a broad category that excludes e-mail messages and direct messages. The current legal standard "allows the government to use these powerful surveillance tools with very little oversight in place to safeguard Americans' privacy," says Catherine Crump, an ACLU staff attorney.
It might work. On Tuesday, Rep. Zoe Lofgren, D-Calif., introduced a bill that would require police to get warrants to access Americans' e-mail and track their cell phones. Last week, however, senators delayed a vote on a similar bill after law enforcement groups objected.
The Justice Department did not immediately respond to questions from CNET about social-network surveillance. We'll update this story if we receive a response.
It's not clear how many of those 1,661 real-time intercepts last year -- which do require a judge's approval -- targeted social networks, and how many were aimed at e-mail providers. Traditional phone intercepts remain far more frequent: the U.S. Marshals Service, for instance, says 409 of its noncontent intercepts (PDF) were for Internet companies, while 14,568 were for telephone call data. (The largest number of them fell into the fugitive-finding category, including parole or probation violations.)
To perform noncontent intercepts on social networks, police must generally seek court authorization for a pen register or trap and trace order, both of which are terms borrowed from decades-old surveillance law. They were originally designed to allow law enforcement to easily collect the phone numbers associated with incoming and outgoing calls, and were extended to the Internet by the Patriot Act over a decade ago.
But the Patriot Act didn't make it any more difficult for law enforcement to ask for such an order. Police must merely claim their request is "relevant" to an ongoing investigation. (A search warrant, by contrast, requires probable cause, and a live wiretap order is even more privacy-protective.)
What's also unclear is what kind of real-time data police are seeking from social networks through these orders. It's clear they can obtain the current Internet Protocol address of a Facebook user, for instance, and the port number (which, as CNET reported in May, is increasingly important). But it's less clear whether a "+1" or information about a user's circle of friends would be permitted.
The wording of that section of the Patriot Act is more broad than narrow. It says police can demand all "routing" or "addressing" information that's transmitted through an Internet service or that's "likely to identify the source of a wire or electronic communication."
"This is a very invasive surveillance technology," says Christopher Soghoian, principal technologist with the ACLU's Speech, Privacy and Technology Project. "We don't have a feel for how broadly it's being used."