Introduction to Social Media Investigation: A Hands-on Approach, 1st Edition (2015)
Chapter 7. Legal issues
Abstract
Legal guidelines about how information about people can be collected from social media Web sites often depend on who is doing the investigation. Law enforcement or parties in lawsuits have different rules and expectations compared to businesses doing background checks on job applicants or a private citizen undertaking a personal investigation. That said, this chapter lays out the current legal landscape. There are two core legal issues that come up in this area: a person's right to privacy and the investigator violating a site's terms of service (TOS). We will look at those areas individually along with a list of common investigative techniques that have not seen any legal challenge.
Keywords
Social media
Social networks
Investigation
Terms of service
Legal issues
This chapter will come nowhere near laying out a clear and complete picture of what the law says about using social media for investigation. That's because the law is entirely unclear on these issues. There have been many court cases and lawsuits regarding a variety of investigative techniques, but the results are unclear and sometimes contradictory.
Guidelines often depend on who is doing the investigating. Law enforcement or parties in lawsuits have different rules and expectations compared to businesses doing background checks on job applicants or a private citizen undertaking a personal investigation.
That said, this chapter will lay out the current legal landscape. What is presented here is an overview of how current cases have been handled and an interpretation of them. However, this chapter should not be taken as legal advice! I, your author, am not a lawyer or a law expert. If you are considering undertaking an investigation but are worried about the legal risks, you should contact a lawyer from your company or organization or a personal attorney. This issue is currently unclear for the law so consulting an internet law expert is essential for your own protection.
There are two core legal issues that come up in this area: a person's right to privacy and the investigator violating a site's terms of service (TOS). We will look at those areas individually along with a list of common investigative techniques that have not seen any legal challenge.
Right to Privacy
Melvin Colon
In 2011, Melvin Colon was one of eight gang members charged with murder, attempted murder, and a number of drug and gun charges. He had posted photos of himself on Facebook, which were accessible to anyone online, that showed him flashing gang signs and flashing cash (e.g., Figure 7.1). In posts that had privacy settings that restricted access to his friends, Colon posted more incriminating material, including threats of violence and photos of illegal activity.1
FIGURE 7.1 An example of Melvin Colon's posts. His username and face are blurred here for privacy, though the original photo is still available on his Facebook profile to the general public.
The police obtained a warrant to collect Colon's private Facebook information. In order to show probable cause to obtain the warrant, the police accessed some of this private information through the assistance of a corroborating witness. Colon's friend list was public, and the police used this to find a friend who was willing to show them Colon's restricted posts. Colon's attorneys argued this was a violation of his Fourth Amendment rights, claiming he had a right to privacy for the posts he restricted to his friends.
A judge ruled against this, stating, “Colon's legitimate expectation of privacy ended when he disseminated posts to his ‘friends’ because those ‘friends’ were free to use the information however they wanted—including sharing it with the Government”.2
Occupy Wall Street
In another case, a protestor in the Occupy Wall Street protests challenged an attempt by the government to collect public tweets he had posted before his arrest during a demonstration. The subpoena went to Twitter, and the company argued that the user had a right to quash the subpoena. A judge ruled he did not because a user has “no propriety interest” in tweets—essentially, Twitter owned the data, not the user.
The user also argued that the Fourth Amendment should protect the privacy of his tweets. The New York City Criminal Court disagreed, stating that there can be no expectation of privacy for tweets shared with the general public.3
Georgia Student
Another case that reinforces this argument is that of a minor student in Georgia. The student had posted a publicly visible photo of herself in a bikini on Facebook. This photo was found and used in a presentation by her school district on internet safety in a context that implied the student was promiscuous and abused alcohol. The student and her attorneys argued that this was a Fourth Amendment violation,4 but a judge ruled against her stating that she had no expectation of privacy for a photo she had published publicly. (Note that there may be other arguments against the school using this photo, such as copyright violation, but that was not the privacy argument at issue here.)
Indeed, most websites' terms state something to this effect. Facebook, for example, says, “When you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e. your name and profile picture)”.5
While there are likely to be more challenges on this front, it appears that the courts are inclined to accept that once a person shares data with someone else, he loses his expectation of privacy. This precedent has held since the predigital age—including written and mailed letters—and is likely to continue.
Terms of Service
The TOS of a website provide a set of rules that users agree to follow when they use a site. A site might also use them to offer disclaimers or deny legal responsibility for some actions.
Each social media site has its own TOS, and so, there is no single rule an investigator can follow in order to ensure he or she is within the bounds of allowable activity on every site—except that it is important to read the terms for each site.
Fake Accounts
For investigations, the main issue that arises with respect to TOS is that of creating profiles with fake identities. If you are investigating someone, it is obvious that you would not want to use details from your personal account. You may not want to personally add someone as a friend or otherwise reveal your true identity as someone who is looking at what the target posted. Thus, creating a fake or anonymous account can be a solution.
However, not all sites allow fake accounts. Facebook does not, and, at the time of this writing in fall 2014, it was actively enforcing this requirement by shutting down accounts it believed to be fake. Facebook's Terms of Service page6 makes this requirement very clear:
Registration and Account Security
Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:
• You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
• You will not create more than one personal account.
• If we disable your account, you will not create another one without our permission.
• You will not use your personal timeline primarily for your own commercial gain, and will use a Facebook Page for such purposes.
• You will not use Facebook if you are under 13.
• You will not use Facebook if you are a convicted sex offender.
• You will keep your contact information accurate and up-to-date.
• You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
• You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission.
• If you select a username or similar identifier for your account or Page, we reserve the right to remove or reclaim it if we believe it is appropriate (such as when a trademark owner complains about a username that does not closely relate to a user's actual name).
You can see that a number of these items explicitly exclude fake accounts. Aside from the explicit requirements, the requirements of keeping contact information up-to-date, not sharing passwords, and not transferring accounts may prohibit many activities investigators may take with fake accounts.
The policy is out of sync with reality, where as many as 10% of accounts may be totally fake,7 and many users report including some fake information to protect their privacy. For example, a Pew study showed that 26% of African-American teens had at least some fake data in their profile for privacy reasons.8
As a side note, this “real name” policy has come under sharp criticism because of the real danger it presents to a lot of users.
Not all social networks prohibit fake accounts, however. Twitter has no rules about using a true identity. Google, and its social media services including YouTube and Google +, used to have a real name policy, but they eliminated that policy in 2014. They published this statement on Google + describing the removal of the policy.9
When we launched Google + over three years ago, we had a lot of restrictions on what name you could use on your profile. This helped create a community made up of real people, but it also excluded a number of people who wanted to be part of it without using their real names.
Over the years, as Google + grew and its community became established, we steadily opened up this policy, from allowing + Page owners to use any name of their choosing to letting YouTube users bring their usernames into Google +. Today, we are taking the last step: there are no more restrictions on what name you can use.
We know you've been calling for this change for a while. We know that our names policy has been unclear, and this has led to some unnecessarily difficult experiences for some of our users. For this we apologize, and we hope that today's change is a step toward making Google + the welcoming and inclusive place that we want it to be. Thank you for expressing your opinions so passionately, and thanks for continuing to make Google + the thoughtful community that it is.
LinkedIn does require the use of real names and accurate information10:
2.3. Service Eligibility
To be eligible to use the Services, you must meet the following criteria and represent and warrant that you: … (4) will only maintain one LinkedIn account (and/or one SlideShare or Pulse account, if applicable) at any given time; (5) will use your real name and only provide accurate information to LinkedIn.
So it depends on the service whether or not you are required to create an account with your true identity. Reviewing the TOS is important if you want to ensure that you are not violating an agreement in your investigation—especially if you plan to bring evidence gathered from the investigation to court.
Fake Accounts in Court Cases
There are a few ways the creation of fake accounts has come up in the courts so far: using a fake account and impersonation.
Let's first look at simply creating a fake account. The TOS are presented as legal agreements. Would it count as a violation of law if a person were to violate the terms?
United States v. Drew
The main court case to look at this is United States v. Drew. Lori Drew, the defendant, is a Missouri woman and mother of a teen girl in 2006. Drew's daughter, Sarah, had been friends with another girl, Megan Meier, who was 13 years old at the time. When the two girls had a falling out, Lori Drew created a fake profile on Myspace claiming to be a 16-year-old boy named Josh. “Josh” friended Megan and the two became online friends, though the account was secretly being run by Sarah's mom and another 18-year-old girl.
In October 2006, “Josh” changed from his friendly tone and sent Megan a message that said, “I don't know if I want to be friends with you anymore because I've heard that you are not very nice to your friends.” His account then started to publicly share private messages that Megan had sent. His last message read, “You are a bad person and everybody hates you. Have a shitty rest of your life. The world would be a better place without you.” Twenty minutes after their last exchange, Megan hanged herself by a belt in her closet and died the next day.11
Lori Drew, the mother who had operated the “Josh” account, was arrested and charged with violating the Computer Fraud and Abuse Act (CFAA), a US federal law. The government argued that by creating the fake account on Myspace, Drew had gained “unauthorized access” to a computer in violation of the CFAA.
Drew was convicted of these charges, but a federal district court judge later overturned the conviction stating that violating the TOS does not constitute a crime under CFAA.12
Facebook v. Power Ventures
Another case, Facebook v. Power Ventures, established that it is not a crime to violate the TOS.
Power Ventures is a company that was collecting public information from people's Facebook profiles. Facebook's terms prohibit the automated collection of information from its pages. It blocked Power Ventures' IP addresses, and Power Ventures changed them to continue getting access. Facebook then sued Power Ventures, asserting their actions violated Section 502 of the California Penal Code, which deals with unauthorized access to computer systems.
The court ruled that simply violating the TOS was not a crime.13 Other issues in that case are pending, but the courts made clear that a person was not committing a computer crime simply by violating the TOS on a social media site.
However, even if fake accounts are not crimes that can be prosecuted, there can certainly be consequences to using them. First, the social media site can shut down the fake accounts at any time and refuse to reinstate them. Occasionally, this has even been the case for people who use real identities that the social media sites simply don't believe.14
If a fake profile claims to be another real person (rather than an invented person), there are many potential consequences. Twitter is an excellent site to learn about this because they allow fake accounts and even parody accounts (as long as the accounts identify themselves as parodies).
Coventry First
In one case, insurer Coventry First sued an unidentified John Doe for his Twitter parody account. Coventry First is a secondary insurance company; they buy life insurance policies and collect when the insured person dies. This marketplace has been criticized for being morbid, since they essentially profit from the deaths of people. (And the more quickly the people die, the more money the company makes.) The market gained some infamy in the 1980s for buying up policies of AIDS patients, because secondary insurance companies expected them to die quickly.
The fake Twitter account posted messages essentially rooting for mass death in order to increase profits (Figure 7.2).
FIGURE 7.2 Examples of tweets from the Coventry First parody account.
The account did not properly identify itself as a parody account (though one could argue that the parody was quite clear from the contents of the tweets), and Coventry First sued for trademark infringement and unfair competition.15 Fortunately for John Doe, Coventry First did not file the proper paperwork to obtain his real identity, and after they were challenged by Doe's lawyer, they dropped the case.16
Todd Levitt
Similar circumstances were at play when Todd Levitt, a Central Michigan University professor (and criminal defense lawyer), sued a student for parodying him on Twitter. The parody included tweets like “Buying me a drink at Cabin karaoke will get you extra credit, but it's not like that matters because you're guaranteed an A in the syllabus”.17 Levitt sued for defamation and intentional infliction of emotional distress. The student's lawyer argued that the parody tweets were protected by the First and Fourteenth Amendments, since they were caricatures and “rhetorical hyperbole”.18
At the time of writing, the lawsuit is still under way.
Jim Ardis
One parodied man took things into his own hands. Peoria, Illinois, mayor Jim Ardis was so upset about a Twitter account (@peoriamayor) that parodied him that he sent a SWAT team to raid the home of Jon Daniel who operated the account on charges that he was impersonating a public official.19 Police detained him and seized his computers. No charges were filed against Daniel, but with the backing of the American Civil Liberties Union (ACLU), he filed a lawsuit for wrongful arrest, claiming that his tweets were protected under the First Amendment. His case is also still pending.
These examples all show that it is currently unclear what is protected and what actions can be taken against someone who impersonates another person online. While we have looked at examples of parody accounts, law enforcement officials and other investigators face more complex challenges. For example, is it appropriate to impersonate someone a target knows in real life? That is a different type of impersonation than parody, but there are no clear legal guidelines to follow in cases like this.
Conclusions
Fortunately, we have not seen any legal issues arise from one person simply accessing the public information provided on a person's social media site. It appears that if a private citizen looks at someone's content for his own purposes, no one has decided to sue as a result. However, once a social media post is used for something, it has been challenged.
Courts seem to be in agreement that users do not have an expectation of privacy for content they share on social media, whether it is shared publicly or not. In terms of creating alternative accounts to help access information, the story is more mixed.
There appears to be agreement that it is not a crime to simply violate the TOS of a website, though investigators who hope to bring information to court should be wary of such practice, as it calls into question the validity of an investigation. There is no case law that firmly establishes how acceptable it is to create fake accounts that impersonate another person. We examined this in the case of parody accounts, but investigators might think about creating fake accounts that appear to be someone from a target's life. We do not know how courts would rule on such an activity, so it should be undertaken with caution.
The one issue that is very clear is that legal precedent around social media is still evolving. The current case law is likely to change, and new laws are popping up at all levels, from the federal government to small towns. Investigators will be well served to keep abreast of developments on this topic.
1 Oremus, Will. 2012. “Melvin Colon Ruling: Facebook Friends Can Share Your Private Posts with the FBI.” Slate. http://www.slate.com/blogs/future_tense/2012/08/17/melvin_colon_ruling_facebook_friends_can_share_your_private_posts_with_the_fbi.html.
2 Pauley III, William H. 2012. “United States of America v. Joshua Meregildo et al. (1:11-Cr-00576-WHP).” United States District Court: Southern District of New York. http://www.scribd.com/doc/102937713/Facebook-Privacy-Ruling.
3 Preziosi, Stephen N. 2014. “Twitter And Tweets: You Do Not Have A Proprietary Interest In The Material You Post To A Social Media Website.” New York Appellate Lawyer. http://www.newyorkappellatelawyer.com/twitter-and-tweets-you-do-not-have-a-proprietary-interest-in-the-material-you-post-to-a-social-media-website/.
4 Batten Sr., Timothy C. 2013. “Chelsea Chaney v. Fayette County Public Scool District and Curtis R. Cearley (Case 3:13-Cv-00089-TCB).” http://www2.bloomberglaw.com/public/desktop/document/Chaney_v_Fayette_County_Public_School_District_et_al_Docket_No_31.
5 Facebook. 2013. “Statement of Rights and Responsibilities.” Facebook. https://www.facebook.com/legal/terms.
6 Ibid.
7 Munson, Lee. 2014. “Facebook: At Least 67 Million Accounts Are Fake.” Naked Security. http://nakedsecurity.sophos.com/2014/02/10/facebook-at-least-67-million-accounts-are-fake/.
8 Madden, Mary; Lenhart, Amanda; Cortesi, Sandra; Gasser, Urs; Duggan, Maeve; Smith, Aaron; Beaton, Meredith. 2013. “Teens, Social Media, and Privacy.” Pew Research Center. http://www.pewinternet.org/files/2013/05/PIP_TeensSocialMediaandPrivacy_PDF.pdf.
9 Google +. 2014. “[Untitled.] Google+”. https://plus.google.com/+googleplus/posts/V5XkYQYYJqy.
10 LinkedIn. 2014. “User Agreement.” LinkedIn. https://www.linkedin.com/legal/user-agreement.
11 United States District Court for the Central District of California (10 November 2008), Government's Trial Memorandum (Case 2:08-cr-00582-GW Document 64). O’Brien, Thomas P.; Ewell, Christine C.; Krause, Mark C. 2008. “United States of America v. Lori Drew (Case 2:08-Cr-00582-GW).” United States District Court for the Central District of California. http://www.scribd.com/doc/23406419/Governments-Trial-Memo.
12 Zimmerman, Matt. 2009. “Judge Overturns Lori Drew Misdemeanor Convictions.” Electronic Frontier Foundation. https://www.eff.org/deeplinks/2009/07/judge-overturns-lori.
13 Hofmann, Marcia. 2010. “Court: Violating Terms of Service Is Not a Crime, But Bypassing Technical Barriers Might Be.” Electronic Frontier Foundation. https://www.eff.org/deeplinks/2010/07/court-violating-terms-service-not-crime-bypassing.
14 Jordan, Yitz. 2014. “Facebook’s ‘real Name’ Policy Isn’t Just Discriminatory, It’s Dangerous.” Quartz. http://qz.com/267375/facebooks-real-name-policy-isnt-just-discriminatory-its-dangerous/.
15 Roberts, Jeff. 2011. “Insurer Sues Twitter Imposter Who Cheers Death, Mayhem.” Reuters. http://www.reuters.com/article/2011/06/09/us-coventry-idUSTRE7586ST20110609.
16 Balasubramani, Venkat. 2011. “Coventry First Withdraws Twittersquatting Lawsuit Against @Coventryfirst — Coventry First, LLC v. Does.” Technology & Marketing Law Blog. http://blog.ericgoldman.org/archives/2011/07/coventry_first_1.htm.
17 Staumsheim, Carl. 2014. “Former Central Michigan U. Adjunct Instructor Sues Student over Fake Twitter Account @insidehighered.” Inside Higher Ed. https://www.insidehighered.com/news/2014/07/03/former-central-michigan-u-adjunct-instructor-sues-student-over-fake-twitter-account.
18 Aleck II, Ghazey H.; Bloem, Gordon M. 2014. “Defendant’s Answer to Plaintiff’s Complaint and Affirmative Defenses.” Todd L. Levitt and Levitt Law Firm, P.C., v. Zachary Felton (File No. 14-11644-NZ). https://www.insidehighered.com/sites/default/server_files/files/LevittFeltonAnswer.pdf.
19 Press, The Associated. 2014. “Fake Peoria Mayor Tweets Stir Debate about Parody.” The Chicago Sun Times. http://politics.suntimes.com/article/springfield/fake-peoria-mayor-tweets-stir-debate-about-parody/fri-09192014-933am.