Original URL: http://www.theregister.co.uk/2007/05/25/myspace_privacy/

Your space, MySpace, everybody's space

A closer look at the privacy issue

By Mark Rasch

Posted in Law, 25th May 2007 12:04 GMT

It has recently been reported that Attorneys General from about a dozen US States, including Connecticut, Georgia, Hawaii, Idaho, Mississippi, Maryland, New Hampshire, North Carolina, Ohio and Pennsylvania have demanded that News Corporation's social networking site MySpace voluntarily deliver a list of all sex offenders who have registered for or used the MySpace social networking service.

Noting the possibility that sex offenders might use the service to find and solicit other members for sex, the chief state law enforcement officers merely demanded that MySpace pony up the records.

When MySpace, citing its own privacy policies and federal privacy laws, refused to produce the records without a subpoena, the Attorneys General initially went on a public relations campaign against the social networking site - almost calling them complicit in child abduction and sexual predation.

This case points out the problem of establishing an online privacy policy and then trying to stick to it under pressure from the very agencies that enforce the policies.

It is clear that people - both registered sex offenders and others - use social networking sites like MySpace and Facebook to meet other people. It is also clear that these sites can be used by individuals interested in violent criminal activity - including sexual predation, abduction and other crimes, to further criminal activity.

The question is, however, the extent to which the operators of the sites should step into the shoes of law enforcement and identify not just those who are engaging in criminal activity on the site, but also to identify FOR law enforcement those who might later engage in criminal activity based upon the fact that they had committed crimes in the past.

A Privacy Policy

MySpace, like most websites, has a privacy policy that sets out, in general terms, what information it collects and what it can and may do with that information. Indeed, the terms of these privacy policies are generally enforced by federal agencies like the Federal Trade Commission, or State Attorney's General under unfair or deceptive trade practices statutes.

In other countries, enforcement of data privacy agreements may be within the purview of federal or local data privacy commissioners. The MySpace policy, is fairly loose, and gives MySpace a good deal of latitude about what it can do with what it collects. The policy states that:

Sharing and Disclosure of Information MySpace.com Collects ... MySpace will not disclose personal information to any third party unless we believe that disclosure is necessary: (1) to conform to legal requirements or to respond to a subpoena, search warrant or other legal process received by MySpace.com, whether or not a response is required by applicable law; (2) to enforce the MySpace.com Terms of Use Agreement or to protect our rights; or (3) to protect the safety of members of the public and users of the service...

So, MySpace can use or disclose information about you - including your IP information, subscriber information, even the contents of MySpace IM or email if it wants to enforce its policies, protect its rights, or if there is a threat to the safety of the public. Why then was it appropriate for them to demand that the AGs get a subpoena for the sex offender information?

The AG's Response

Partially in response to public criticism, and partly to act as a "good corporate citizen", MySpace recently started using an online name, address, and criminal history verification service provided by Sentinel Tech Holding Company to help it determine if people who joined the site using their real names, real addresses, and real email addresses were convicted of sex offenses.

Clearly MySpace was trying to do something about the problem of sexual predators using its service. If it found a convicted and registered sex offender, MySpace would kick them off, and they would remain off the service (at least until they could figure out how to use a fictitious email address). The sentry service does not purport to determine the nature of the restrictions on the person convicted - the terms of parole or probation, etc, only the fact that they were convicted. Nevertheless, if you were a convicted sex offender AND the Sentinel software detected you, MySpace would kick you off.

Note that there was nothing in the MySpace terms of use that said convicted sex offenders couldn't use the service, and nothing in federal or state law prevents convicted sex offenders from using social networking sites.

If you are convicted of a crime - any crime, and given probation or parole, the Judge has some latitude in restricting what you can do after release - including limiting your use of computers of computer networks, requiring that you report your computer use, or even permitting the local probation officer to examine the contents of your computer or computer use (assuming you're on your OWN computer and adhere to the terms of your probation.) These restrictions however, generally disappear after a convict has fully completed their sentence, including any probationary term.

Some states are trying to push requirements that limit sex offender's use of computers by statute, (something MySpace reportedly supports) or require that minors using social networking sites obtain parental permission, but MySpace already in theory restricts use to those over 14. The MySpaceTerms of Use merely states that:

Use of and Membership in the MySpace Services is void where prohibited. By using the MySpace Services, you represent and warrant that (a) all registration information you submit is truthful and accurate; (b) you will maintain the accuracy of such information; (c) you are 14 years of age or older; and (d) your use of the MySpace Services does not violate any applicable law or regulation. Your profile may be deleted and your Membership may be terminated without warning, if we believe that you are under 14 years of age.

Nothing here about convictions, probation, or sex offenses. But remember, you don't have a RIGHT to use MySpace. It's a private website. As a general rule they don'tit doesn't have to let you on, although it might have liability if the precluded "membership" based upon some prohibited classification - e.g., race or national origin, but that is not entirely clear.

Indeed, in creating state "registered sex offender" laws, many states mandated that they not be used for certain discriminatory purposes. Indeed, the Connecticut sex offender registry explicitly states that "any person who uses information in this registry to injure, harass or commit a criminal act against any person included in the registry or any other person is subject to criminal prosecution".

So MySpace might be within its rights to kick off sex offenders if it wants to, although they are under no legal obligation to do so, or for that matter, to police their site for improper activity. It reportedly has already removed about 7,000 profiles of registered sex offenders.

This wasn't enough for the AGs. They insisted that NewsCorp's MySpace - after kicking the people off - turn over information to the cops about the number of registered sex offenders who used to be on the sites, and other information. MySpace indicated that it was happy to produce the information - just give us a subpoena. The AGs response was not initially to walk down the hall and draft up and print a subpoena, but rather to lambaste MySpace for adhering to its privacy policy, and for complying with the federal Electronic Communications Privacy Act.

Privacy Law

The Electronic Communications Privacy Act, 18 USC 2702, limits the legal authority of "a person or entity providing an electronic communication service to the public" to disclose either the contents of electronic communications (email or IM) or subscriber information, noting:

A provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber to or customer of such service to any governmental entity.

Of course, the statute contains certain relevant exceptions, including when the cops are armed with a subpoena, search warrant or administrative subpoena or when:

The provider reasonably believes that an emergency involving immediate danger of death or serious physical injury to any person justifies disclosure of the information.

The statute also allows the service provider to turn over records to the National Centre for Missing and Exploited Children when there is a crime involving the distribution of child pornography. But nothing about providing information about registered sex offenders just cause the cops were curious.

Now let's be clear on something. MySpace always intended to shut down the registered sex offenders. MySpace always intended to share the relevant information with law enforcement. The question was whether it would do it without a warrant.

Unhappy Prosecutors

When MySpace insisted on some legal process to provide subscriber or identity information about people it had already kicked off the service, the Attorney Generals cried foul and went to the press. North Carolina Attorney General Roy Cooper sent out an email exclaiming: "MySpace admitted they've found thousands of sex offenders on their site, but they have refused to provide information so law enforcement and parents can do something about it."

Cooper included both law enforcement and parents in the proposed list of people who would have access to the MySpace data. Essentially, Cooper was insisting that MySpace turn over information to the cops, and that the cops would then make it public - after MySpace had already deleted the accounts.

Again, not necessarily a bad idea but where is the subpoena? It appears that the NC AG decided to get a civil investigative demand - essentially a subpoena without any court involvement to get around the provisions of NC § 15A 623(e) which provides "Grand jury proceedings are secret and...all persons present during its sessions shall keep its secrets and refrain from disclosing anything which transpires during any of its sessions", including presumably what documents are produced pursuant to a grand jury subpoena.

Cooper went on to note: "It's outrageous that MySpace chooses to protect the privacy of predators over the safety of children." Um, I think he meant the privacy of MySpace subscribers. Indeed, in the case of Freedman v. Am. Online, Inc., 325 F. Supp. 2d 638 (D. Va. 2004) AOL was successfully sued for giving out subscriber information without an effective warrant (the warrant was signed by one of the cops and not by a judge).

In another case, United States v. Hambrick, 55 F. Supp. 2d 504 (D. Va. 1999), the Court refused to suppress the subscriber information delivered to the cops when a Justice of the Peace who was also a police officer signed off on an invalid warrant.

In both Freedman and Hambrick, the ISP gave subscriber data to the cops without an effective warrant, and in both cases the courts found that the ISP could be held civilly liable for it. Cooper continued, "We will take action to require MySpace to give law enforcement and parents the information we need to protect our kids."

Bully! That's EXACTLY what he should do - take action to get the information, not waste time complaining to the press that MySpace wasn't doing HIS job. Connecticut Attorney General Richard Blumenthal said that he was "deeply disappointed by MySpace's disingenuous refusal to provide information about convicted sex offenders with profiles on its site".

He forgot to add, "without a subpoena or other legal process, or a demonstration of some exigency He also forgot to note that in the Freedman case, not only was AOL sued under the ECPA, but also under the Connecticut Unfair Trade Practices Act ("CUTPA"), Conn. Gen. St. § 42-110a et seq, a statute that Blumenthal himself is charged with enforcing..."

This is not the first time that law enforcement agents have used public perception of a crisis to try to convince private entities to waive privacy policies and pony up information to the government without legal process. In the wake of September 11, the government used the threat of terrorism to get various airlines to pony up passenger information without any legal process. In both the United States and the UK, law enforcement officers have used examples of sexual assault to convince thousands of ordinary citizens to give DNA samples (cheek swabs) to clear them of any suspicion.

There is nothing to prevent the cops from publishing the names of people who refuse to consent to giving a "voluntary" DNA sample in order to shame or pressure them into consenting - creating in the public the impression that they must be guilty of the sexual assault or they would be willing to give the DNA sample in much the same way that the Attorneys General in the MySpace case are attempting to pressure MySpace into "consenting" to provide the subscriber information without a subpoena.

Indeed, in the DNA cases, once having obtained the DNA by "consent" there is no legal restriction on its use - the cops can retain the DNA samples obtained from innocent "volunteers" for years and compare them in every criminal or even civil cases. Such is the nature of "privacy."

Among the information requested by the AGs from MySpace was information such as the number of registered sex offenders with MySpace profiles. The Connecticut AG noted: "No subpoena is needed for much of the information we requested, such as the number of registered sex offenders with MySpace profiles. MySpace's failure to give us this essential data is inexplicable and inexcusable."

He neglected to mention that the demand also called for the names of the registered sex offenders on MySpace, and the states in which they reside. He added that legally MySpace can and must provide this information without a subpoena, noting: "The vague reference by MySpace to federal privacy laws certainly failed to justify a complete refusal to cooperate - or insistence on a subpoena for all information." MySpace didn't "completely refuse to cooperate", it just asked the AGs to comply with the law - or more accurately not force MySpace to break the law.

There is no doubt that, if there was a threat of imminent harm and releasing the records of the NUMBER of registered sex offenders would prevent that harm, MySpace could release that information without a subpoena, both under its privacy policy and under the ECPA. Indeed, if there was evidence of criminal activity, MySpace could release the data, at least under its privacy policy. The aggregated data (e.g., the number of registered sex offenders on the site) may not be protected under the exact terms of the ECPA. Does this mean the AGs have a RIGHT to the data? Not really.

Privacy is about protecting data when somebody wants it for some purpose. It is easy to protect data that nobody wants. If State Attorneys General ask for the information just because they want to know, why can't other groups ask for the same, or similar information? Do I have the right to demand that Yahoo business scan posters for felony fraud convictions and provide ME (an investor) with the data? To what extent are we demanding that ISPs, website operators, communications service providers not only act as law enforcement agents, but also waive both privacy AND legal restrictions in doing so?

Clearly the AGs argument that there was an imminent threat from the people removed from the service was what was disingenuous. Moreover, if the information was SO important, what kept the AG from getting a subpoena? Apparently nothing. Instead, the law enforcement agents responsible for enforcing privacy laws and policies were hoist by their own petard - they found the privacy laws as applied inconvenient, so they attacked the service provider. Indeed, they insinuated that not only was MySpace PERMITTED to turn over subscriber or other data to the cops, but that it was legally obligated to do so, just because the cops wanted it.

Sex Offender Crimes

The Attorneys General appear to insinuate that there is some law that precludes all sex offenders from using online social networking services, noting that they have "no business" being there.

Certainly, sexual predation and using computers in furtherance of sexual predation is a crime. For example, according to the National Conference of State Legislatures, a 2006 Colorado statute prohibits an unrelated person from using a computer network to communicate with a child under age 15 without consent of the child's parent if the person is at least four years older.

Measures in Kansas and Oklahoma establish the crime of "electronic solicitation" as a felony, while a Virginia law made it a felony to pay for any online sexually explicit material that includes children. A Hawaii legislative proposal Hawaii H 1763 (2005) would have made it a crime to use a computer while impersonating another for the purpose of committing a sexual offense against a minor under the age of 16. North Carolina proposal S. 472 (2005) would have made it an offense to use a computer to solicit a child under the age of 16 for a sexual offense.

But the AGs didn't ask for the information in furtherance of the investigation of a particular crime. Rather, the Connecticut AG argued that: "Many of these sex offenders may have violated their parole or probation by contacting or soliciting children on MySpace."

But the AGs didn't demand the records of those who had such parole or probation restrictions. They didn't present any evidence to MySpace of probation violations. They never explained how the information would prevent a crime, or empower parents, or more importantly why drafting a subpoena was an excessive burden. Indeed, it apparently wasn't, as the AGs eventually got them.

Clearly, there will be cases where there are exigent circumstances or serious crimes where companies will simply turn information over to the cops because it's the right thing to do to prevent imminent harm. What the AGs seem to insinuate is that whenever they believe a crime MIGHT be committed, Internet companies have a legal duty to produce records to law enforcement without anything more than a demand. We could do away with subpoenas entirely. If the cops want it, they must have a good reason. And all internet companies become the agent of the cops. And that would be a dangerous thing. Almost as dangerous as the public relations nightmare that might befall you if you have the audacity to say no to the cops in the first place.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus