Facebook’s Flip-Flop: Is It a Law Enforcement Thing?

Kash Hill has a fascinating story about a Facebook flip-flop over a story she reported yesterday.

It started when — as increasingly happens in her work — someone came to her with a scary problem. Facebook recommended he friend someone he had only just met for the first time at a meeting for parents of suicidal teens. In response, Facebook confirmed they do use co-location for such recommendations.

Last week, I met a man who was concerned that Facebook has used his smartphone location to figure out people he might know. After he attended a gathering for suicidal teens, Facebook recommended one of the other parents there as a friend, even though they seemingly had nothing else in common but being in the same place at the same time. He asked me whether Facebook was using location to figure out if people knew each other.

I was skeptical, because that seemed like such an egregious violation of privacy. On Friday, I emailed Facebook:

A Facebook user told me that he attended an event last week with people he’d never met before. The next morning, one of the people at the event came up as a suggested friend. They had no other ties beyond being in the same room the night before. Could their shared location have resulted in the suggestion?

A spokesperson responded, saying that location is one of the signals for “People You May Know.”

But then, as people started making a stink about this, Facebook reached out again and offered this oblique reversal.

Thus I reported that “Facebook is using your phone’s location to suggest new friends—which could be a privacy disaster.” The story garnered lots of negative feedback, with people upset about Facebook using their location information this way without telling them.

Then, on Monday night, the Facebook spokesperson reached out again, saying the company had dug into the matter and found that location isn’t currently used. She sent an updated statement:

“We’re not using location data, such as device location and location information you add to your profile, to suggest people you may know. We may show you people based on mutual friends, work and education information, networks you are part of, contacts you’ve imported and other factors.”

One part of this comment is easy: Facebook is not using locations you mark for yourself (so if I said I was in Grand Rapids, they wouldn’t use that to find new Grand Rapids friends for me). But it’s not really clear what they mean by “device location.” Determined by what? GPS? Cell tower? IP location? Wifi hotspot colocation?

Which got me thinking about the way that federal law enforcement (in both the criminal and FISA context, apparently) are obtaining location data from social media as a way to tie physical location to social media activity.

[Magistrate Stephen Smith] explained he had had several hybrid pen/trap/2703(d) requests for location and other data targeting WhatsApp accounts. And he had one fugitive probation violation case where the government asked for the location data of those in contact with the fugitive’s Snapchat account, based on the logic that he might be hiding out with one of the people who had interacted with him on Snapchat. The providers would basically be asked to to turn over the cell site location information they had obtained from the users’ phone along with other metadata about those interactions. To be clear, this is not location data the app provider generates, it would be the location data the phone company generates, which the app accesses in the normal course of operation.

Doing so with Facebook would be particularly valuable, as you could target an event (say, a meeting of sovereign citizens) and find out who had attended the meeting to see whose location showed up there. The application would be even more useful with PRISM, because if you were targeting meetings overseas, you wouldn’t need to worry about the law on location data.

In other words, I started wondering whether Facebook is using this application — and was perfectly willing to tell Hill about it — until the FBI or someone started complaining that people would figure out one of their favorite new law enforcement (and intelligence) methods.

Hill is still pressing Facebook for real answers (and noted that Facebook may be violating FTC rules if they are doing this, so expects answers from there if not from Facebook directly).

Still, I’m wondering if FBI is now telling our private spy companies they can’t reveal the techniques law enforcement most likes to rely on.

Marcy has been blogging full time since 2007. She’s known for her live-blogging of the Scooter Libby trial, her discovery of the number of times Khalid Sheikh Mohammed was waterboarded, and generally for her weedy analysis of document dumps.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including the Guardian, Salon, and the Progressive, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse and dog in Grand Rapids, MI.

11 replies
  1. bloopie2 says:

    “Still, I’m wondering if FBI is now telling our private spy companies they can’t reveal the techniques law enforcement most likes to rely on”.
    .
    It’s time for some legal eagle to weigh in on the question of just what the Feds can and can’t tell you to say about what they ask you. If an FBI agent comes to question me about a crime I have witnessed (good, standard, detective work), can she legally force me not to tell anyone what they have been asking? If an agent asks me about a particular person, can she legally force me to not tell that person that the Feds have been asking around? That doesn’t sound right. And if they can’t, then how is it different in an electronic spying scenario? I understand that a federal statue authorizes NSA gag orders, but does that apply to this Facebook stuff? Could they enact a similar law that prevents me from talking about my interview? I’m so confused. Help!

  2. der says:

    “…to suggest people you may know. We may show you … networks you are part of…and other factors.”
    .
    Lawyer weasel words.
    .
    “I didn’t know that person Zuck but you’re suggesting I friend them and get to know them, eh?”
    .
    So their answer was yes?

  3. Rayne says:

    Missing one more piece of location data which can be retrieved — Mac address (or mobile device equivalent), which is unique to the physical device and therefore the real location of the device user. IP addresses can be spoofed; physical addresses are much harder to spoof.

    Did Facebook ever use a physical or virtual network address used at any time? And did they do so as part of a test or experiment they didn’t disclose to users? This could offer another reason for backpedaling; FB’s conducted enough other sketchy experiments without adequate ethical protocols in place or appropriate disclosures.

    • emptywheel says:

      Thanks, didn’t mean to be comprehensive. Point is there are a lot of possibilities broadly permitted in that comment.

      Also, did not update post, but as you note they now say there was just an experiment. Facebook has become like NSA — all their most interesting stuff is done in the name of “research.”

      • Rayne says:

        My bad, I should have been more specific. I mean that Hill’s report and others about Facebook’s friend rec services don’t ever ask about the source of location identification, and often assume that smartphone number or IP address are definitive when it comes to location. But as you know, Mac address is physical, tied to device, and one hell of a lot scarier if it’s being used.

        And the Treasure Map program used not only IP addy but Mac addy when mapping location, which made for certainty of target’s place spatially.

        Just how specific has Facebook been about users’ location?

  4. Phil Perspective says:

    It sounds like the people in question didn’t have their location thingy turned off for the FB app. If they turned it off would they still get these suggestions? Might FB be taking advantage of people’s unfamiliarity with how apps can and might work?

    • bloopie2 says:

      Well I guess if you want the world to know where you are, or if you can’t figure out where you are without looking at your phone, then, the world will know where you are. Like holding a conversation with your companion on a crowded train–you expect others not to listen? The whole world, good and bad, knows just where you are all the time, and keeps a record of that, if you have location services turned on. Why on earth would you have location services turned on if you are going to a hopefully-private meeting? And why would you have Facebook turned on in the first place, if you wanted privacy?

  5. bloopie2 says:

    The world (including Zuck) may be out to get you, but don’t despair. There are still beautiful things in this world. Here’s one I found today: Rachmaninoff, Slava Op 11/6—a piano duet. Written 122 years ago. Amazing.
    .

  6. Rayne says:

    Phil Perspective (5:27) — Pretty sure turning on/off sharing location option can be construed any way a social media network desires if you’ve agreed to use their services. In this case, users might have had the location sharing off, but were there other settings turned on that bypassed this setting? Maps, for instance — did two users attending the same event make a map request for location? Wouldn’t share actual location, but it would establish a point of commonality for two users. Did two users make a request for information about an event — not even a map, but just event name/time/address-sans-map — which increase affinity given other points like age/sex/other issues of interest?

  7. RUKidding says:

    Reason 9,784,365 (a) why I am not on FaceDump. Try to stay far away from most social media and only have a few email accounts. Not that BigSpy can’t find me. I’m sure they can (then again, they often seem stunningly incompetent), but I’ve heard too many stories like this one and similar from friends.
    **
    Trust parasites like Zuckerberg? Yo gadda be kidding me! Money talks, bullshit walks.

  8. Procopius says:

    They do not care about meetings of “sovereign citizens” or militias, but if you’re a member of the Green Party or PETA they will be very interested in whom you are meeting with.

Comments are closed.