Calls to #DeleteFacebook echoed across social media last week after documents became public detailing how Meta provided Nebraska prosecutors with private messages from a 17-year-old who allegedly planned and performed a late abortion in April. On August 9, Meta published a statement claiming he received a valid legal warrant that never mentioned abortion.
Meta has tried to reconcile its users’ privacy expectations with the inherently public nature of a social network almost from its inception as Facebook in 2004, promising privacy improvements from the start. 2009. The Federal Trade Commission got involved in Facebook’s privacy concerns by 2011 and again in 2019. Facebook has promised transparency over data use, control of personal data and accountability since 2018. TThe company’s goal is to “build much stronger privacy protections for everyone on Facebook,” Zuckerberg said in 2020. But he continues to apologize for letting his users down and says that the company will do better.
Facebook wants to protect the privacy of its users, but it must also comply with the laws of the countries in which it operates. In many cases, it cannot have both. And while the company says it’s committed to protecting its users’ privacy, that’s not necessarily true if a user has broken the law.
Hundreds of thousands of law enforcement requests for user data
Last year, Facebook received 426,000 requests for user data from law enforcement, a third of which came from the United States. The company has repeatedly stated that it is committed to working with law enforcement and frequently cites emergency scenarios such as suicide prevention and retrieving missing children as a reason to do so, although such emergency disclosures only accounted for about 10% of data requests in 2021. This also indicates extreme crimes such as terrorism, child exploitation and extortion. In his transparency center, Facebook does not detail the percentage of data requests related to these major crimes. Meta did not respond to requests for comment.
“If there’s a subpoena or court order in a criminal investigation, there’s not much Meta can do about it,” said Ellen Goodman, a law professor at Rutgers.
Facebook sometimes pursues different avenues to fend off law enforcement and protect the privacy of its users.
“Online services must inevitably choose to challenge legal proceedings and when faced with numerous data demands from governments around the world,” said John Verdi, senior vice president of policy at the Future of Privacy Forum, a non-profit privacy organization. an email. “Companies typically assess a range of factors: whether they can notify users, the likelihood of a successful legal challenge, the nature of the alleged underlying crime, etc. »
A decade ago, Twitter became the first social platform to publicly challenge orders forcing companies not to disclose that they were transmitting data, saying their users had a right to know their data was being shared with people. law enforcement. Last year Facebook makes the news for refusing to comply with a U.S. court order requiring him to post previously deleted accounts linked to Myanmar officials’ hate speech toward Rohingya Muslims, which helped spark genocide. Yet in 2021, Facebook complied with 72 percent data requests around the world and 89 percent U.S.-based claims, according to data from its Transparency Center.
With every court order Facebook receives, it could fight the confidentiality order as Twitter frequently does. When users are notified, this allows them to raise any objections available to them. In the case of Nebraska, however, Facebook did not follow this path. In some cases, Facebook may also argue that the warrant is too broad, violating Fourth Amendment protections against unreasonable search and seizure, but that argument was unfounded in the Nebraska case.
Facebook may deploy delaying tactics to frustrate law enforcement
Even when presented with valid court orders, Facebook can prevent law enforcement from obtaining data by forcing it to go through a process of domestication, which in this case would have transferred the warrant from Nebraska to the California, where Meta is headquartered. The process can be expensive and take months, which can strain the court’s resources. By requesting domestication, Facebook can throw sand into the gears, forcing law enforcement to seek other ways to resolve their cases and reducing their incentive to keep submitting requests. When the underlying law is controversial, many privacy advocates recommend making the process difficult for law enforcement through domestication. In the Nebraska case, however, Facebook was unaware it was abortion and did not pursue the domestication process.
The previously sealed warrant served on Meta, obtained by the Observer, did not cite abortion law and included a non-disclosure order that prevented Meta from telling the user that he was handing over his data.
The best solution to prevent law enforcement from demanding user information is “not to have that information in the first place,” said Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, an organization nonprofit protecting digital privacy. “And there are some very simple steps that Meta could have taken years ago, like end-to-end encryption of all messages by default.”
This specific type of encryption means that messages are stored on users’ devices, not on Meta servers, so law enforcement cannot order Meta to deliver them. Although if the messages were end-to-end encrypted, Facebook could not use them to target advertising to its users, said Galperin, which is its main financial model.
“It’s the data collection that’s the problem,” Goodman agreed.
The company announced on August 11, days after the Nebraska court order was issued, that it would begin testing default end-to-end encryption for Facebook Messenger.
“I’ll believe it when I see it,” Galperin said. “Facebook didn’t find out it was a problem yesterday.”