What sites such as Facebook and Google know and whom they tell

washingtonpost.com

What sites such as Facebook and Google know and whom they tell

By Ariana Eunjung Cha

Washington Post Foreign Service

Saturday, May 29, 2010; A01

When Disa Powell's husband and brother were badly burned in an electrical explosion while conducting maintenance at a Wal-Mart store and the family sued, the defense went after something she never expected: her online life.

Through a subpoena seeking information about the men's injuries, Wal-Mart was able to gain full access to her Facebook and MySpace social-networking accounts -- every public and private message, contact and photo for the previous 2 1/2 years.

There were the pictures of Powell's newborn baby lying in a hospital bed after heart surgery (Label: "The hardest day of Mommy and Daddy's life"). The messages detailing problems with her pregnancy ("I got a bladder infection, which has moved to my kidneys"). And the messages dissing on friends ("Brad is a big fat BABY, and can't do anything by himself. The whole issue is that he's lazy").

"I was livid," said Powell, 35, a former hospital administrator who a few years ago moved from Maryland's Eastern Shore back to her home town in Oklahoma. "I felt like I had been seriously violated."

The case, which was settled out of court in January, offers a window into an issue that in recent weeks has riled members of Congress, consumer advocacy groups and tens of thousands of account holders: what your social-networking sites know about you and whom they share it with.

Many online service providers over the past few years have been building huge dossiers with minute details of each user's online activities -- a practice that isn't usually mentioned in privacy policies. Some companies anonymize the data, while others do not. Some store detailed data for a month, while others keep it for years.

At the same time, the ease with which outsiders can access the data is increasing, as corporations, insurance companies and parties in divorces or employment disputes make widespread use of subpoenas.

David Hersh, the attorney who represented the Powells and Disa's brother Joel Ledbetter, said such subpoenas have become standard practice in litigation and are "meant to discover information that would be embarrassing or might be used adversely even if it has nothing to do with the claim."

Companies own the data

Because your account information is stored on a company's servers, on the "cloud" that is the Internet rather than on your personal laptop, the company owns it, not you. While accessing your laptop may require a difficult-to-obtain search warrant, getting certain data on Facebook, MySpace, Meetup, LinkedIn and other social-networking sites' servers may require only a simple subpoena.

"The law in this area is really outdated. It's pre-'www,' " Christopher Calabrese, legislative counsel for the American Civil Liberties Union, said of the 1986 act that was designed to introduce privacy controls to electronic communications. "Back then nobody could even figure out whether an e-mail was more like a letter or a phone call."

Efforts to give consumers more control over their private information have accelerated in Washington over the past month, in the wake of a furor over privacy policy changes at Facebook in particular. (Washington Post Co. Chairman Donald E. Graham is on the board of directors at Facebook.) Facebook chief executive Mark Zuckerberg tried to quell the outcry this week by making it easier for users to control how they share data.

On Friday, Rep. John Conyers Jr. (D-Mich.), chairman of the House Judiciary Committee, wrote to Facebook and Google to demand that they cooperate with congressional investigators looking into privacy practices. Google has drawn scrutiny for accessing information including e-mails and surfing from open WiFi networks while photographing streets for its mapping service.

Sen. Charles E. Schumer (D-N.Y.) has called on the Federal Trade Commission to provide guidelines for use of private information and prohibit access without user permission. The ACLU is part of a coalition of advocacy groups and tech companies that is pushing for a major overhaul of the 1986 act.

Meanwhile, software developers are working on a way to prohibit access using technology. Four New York University students recently made headlines for a project they call Diaspora that they say will allow users to keep control over their social-networking information. The group was seeking $10,000 for its startup but has raised $190,000 since the Facebook controversy broke out in late April.

In the 15 years since the World Wide Web brought the Internet to the masses, the most successful companies have been those that collect information about users and use it to sell things. Google, for instance, has confirmed that it keeps track of search queries sent from a particular IP address. (A spokesman said the company anonymizes IP addresses associated with search queries after nine months and cookies after 18 months.)

Extensive data collection

Companies are loath to talk about what information they track, but internal compliance manuals for law enforcement for Facebook, Yahoo and Microsoft reviewed by The Washington Post show that their data collection is much more extensive than users might believe based on what they themselves can access.

For example: Microsoft tracks the Xbox LIVE start and end dates and times for game-playing and notes the game played, such as "SW: Jedi Academy." Yahoo keeps chat and instant messenger logs for 45 to 60 days and notes the time/date and IP address for when content is added or deleted to someone's profile or to its Flickr photo service.

Facebook's data collection is among the most detailed.

For every user id, Facebook keeps a log of the IP address that accessed the account, the date and time, and what exactly the user did -- clicking on an advertisement, looking at someone else's profile, posting a photo or sending a message to a friend, etc.

Facebook spokesman Andrew Noyes declined to comment on specific data-gathering and retention policies but said the privacy policy makes clear that the company may disclose information pursuant to subpoenas, court orders or other requests.

However, Noyes said, "We scrutinize every single information request; require a detailed description of why the request is being made; and, if it is deemed appropriate, share only the minimum amount of information."

Facebook says in its compliance manual that it generally retains information about activity by IP address for 90 days, but in the Ledbetter-Powell case it's clear that other information, such as her private messages to and from friends, had been kept since her account was opened in 2007.

Eben Moglen, a Columbia University law professor and director of Software Freedom Law Center, calls Facebook "one big database of hundreds of millions of people containing the kind of information far beyond what the secret police in 20th-century totalitarian regimes had."

The company knows which social contacts are closest to you and can guess your moods, he said. And if you're obsessively checking another person's profile at the same time he or she is doing the same with yours, Moglen claims, "Facebook can even tell you're going to have an affair before you do."

Research editor Alice Crites contributed to this report.