by James Hyatt
Any day now, the standard police warning is likely to sound like this:
“Step away from the keyboard and keep your hands where I can see them.”
Criminals rob banks, or rape women, and are caught after bragging about it on Facebook. The Dow Jones Industrial Average drops 145 points after the self-styled Syrian Electronic Army hacks into the Associated Press Twitter feed with the fake message “Breaking: Two explosions in the White House and Barack Obama is injured.”
And while Internet stupidity isn’t a crime, it certainly has impact as well – for the pop concert fan ejected for tweeting during a performance, the cheating spouse caught exchanging lurid emails, or the politician(s) forced to resign over ill-considered and offensive Internet postings.
A Wall Street analyst resigned as campaign manager for a New York GOP candidate for Congress after falsely tweeting during Hurricane Sandy items such as “BREAKING: Confirmed flooding on NYSE. The trading floor is flooded under more than 3 feet of water.”
The division between what’s permissible and what’s merely outrageous online grows fuzzier day by day. And legislators, regulators, police officers and businesses are scrambling to harness the wild wild west of social media law.
Although he isn’t the only pubic office to use the phrase, New York County (Manhattan) District Attorney Cyrus Vance Jr. sums it up quite nicely:
“The Internet is our 21st century crime scene. There isn’t a crime that happens, here in Manhattan, or elsewhere, that doesn’t leave some electronic fingerprint.”
Lessons from Boston
On the positive side, the Boston Marathon bombings in April provided dramatic evidence of how instant, online social media reaction pays off:
–missing runners were able to connect with friends and family via Twitter and Google+:
–police were able to gather many photos and videos of the bombing site, helping fill out the evidence.
Yet there were negatives as well. Social news website Reddit’s online thread “dedicated to help find the bombers” resulted in incorrect identification of the possible culprits and links to what turned out to be false leads.
The online buzz became so chaotic that, when the FBI on April 18 released photos and videos of the suspects, it cautioned that “other photos should not be deemed credible and unnecessarily divert the public’s attention in the wrong direction and create undue work for vital law enforcement resources.”
And some media outlets came in for severe scolding. Atlantic Magazine senior editor Alexis C. Madrigal wrote a commentary titled “Hey Reddit, Enough Boston Bombing Vigilantism: It’s only the illusion that what we do online is not significant as what we do offline that allows this to go on.”
Reddit later added a notice to its site declaring “we do not strive, nor pretend, to release journalist-quality content for the sake of informing the public” and that “we do not support any form of vigilante justice. We are not law enforcement….keep in mind that most or all of the ‘suspects’ being discussed are, in all likelihood, innocent people and that they should be treated as innocent until they are proven guilty.”
A week after the bombing, Reddit general manager Erik Martin commented in part “…though started with noble intentions, some of the activity on Reddit fueled online witch hunts and dangerous speculation which spiraled into very negative consequences for innocent parties…After this week, which showed the best and worst of Reddit’s potential, we hope that Boston will also be where reddit learns to be sensitive of its own power.”
And Buzzfeed, another widely viewed social news site that helped spread some of the confusion, in late April announced it had hired Lisa Tozzi, a former deputy national news editor of the New York Times, to supervise a team of ten reporters and manage fast-breaking news. “I do believe that there’s a new model that’s waiting to be discovered for how to present live information,” Tozzi was quoted at the Atlantic.com website.
Law Enforcement Moves Online
Police departments and federal agencies find the social media world a fertile source of intelligence and a worrisome source of criminal activity.
The LexisNexis information and technology firm in 2012 surveyed 1,200 law enforcement professionals about their use of social media and found that four out of five use social media in their investigations — identifying people and locations and discovering evidence of criminal activity. A growing number of police departments are using the photo-posting tools of Pinterest to help track down criminals as well as publicize police programs.
Since its founding in 2000, the Internet Crime Complaint Center has received more than two million complaints – in 2011, the latest figures available, the Center received more than 300,000 complaints for the third year in a row. The top five states were California, Florida, Texas, New York and Ohio, and financial losses averaged $4,187. (The largest single category of cases involved criminals posing as the FBI and sending spam emails to defraud victims.)
California’s attorney general in 2011 established an eCrime unit to investigate and prosecute large scale identity theft and technology crimes with actual losses in excess of $50,000;
The Philadelphia Police Department in October 2012 reported the 100th criminal to be arrested through use of social media, an armed robber identified on a surveillance video; there’s a 39% chance of arrest, the department said, “when a crime video is disseminated through social media.” The department had 352 videos posted on YouTube in April 2012, many seeking the public’s input to help identify suspects. It uses Twitter for a wide variety of public service and investigation postings.
The New York City police department’s Crime Stoppers website regularly posts photos and information about dozens of wanted individuals or seeking information about crimes; there’s even a separate page for bank robberies.
Commissioner Raymond Kelly’s most recent year-end review noted that the Juvenile Justice Division organizes “social media-driven investigations,” looking online for gang threats or intimidation, admissions of criminal conduct and plans to commit crimes. A 2012 investigation of a Bronx gang of drug dealers turned up a Facebook message reading (sic) “Trufulley we shot 2 of them they shot 2 of us we kan kall it even 4 now.”
In 2012, city officials announced $4.2 million in new cybercrime lab funding which District Attorney Vance said will expand ability to analyze information from cell phones, smart phones, and computers as well as cell site mapping.
Rules for Cops
The NYPD in 2012 established rules for use of social media in investigations; officers can uses aliases to get on Facebook looking for useful information and can get a laptop issued by the department which can’t be traced back to the NYPD. However, officers must register their aliases with the department.
And earlier this year, the department advised officers to use caution in their personal Facebook and other electronic media accounts, avoiding identifying themselves as policemen, posting pictures of themselves in uniform, or posting photos of crime scenes or other non-public information from investigations.
A Missouri sheriff’s department has had to alter its sobriety checkpoint strategy after finding that traffic and arrests fell sharply once word of an operation spread on Twitter and Facebook.
Rules for Everybody Else
Divorce lawyers, too, are turning to social media. The American Academy of Matrimonial Lawyers found that dating website Match.com turns up as a useful source of evidence, particularly when users embellish personal information. “Identifying yourself as single when you are not, or listing that you have no children when you are actually a parent, can represent some key pieces of evidence against you during the divorce process,” said Alton Abramowitz, president of the group, in a press release discussing a survey.
Even as law enforcement improves its social media presence and technique, the Internet poses problems for other parts of the legal systems. Both the federal judicial system and several states have amended their model codes of instruction to jurors to add electronic media to restricted sources of information. “You should not consult dictionaries or reference materials, search the Internet, websites, blogs, or use any other electronic tools to obtain information about this case or to help you decide the case,” declares a federal instruction memo. And at the close of a case, the instruction memo declares “Information on the Internet or available through social media might be wrong, incomplete, or inaccurate. You are only permitted to discuss the case with your fellow jurors during deliberations because they have seen and heard the same evidence you have.”
New Jersey’s model instruction declares: “You must not go on the Internet, participate in, or review any websites, Internet chat rooms or blogs, and you must not seek out photographs, documents, or information of any kind that in any way relate to this case.”
Privacy for passwords
Social media has amped up the perennial tug-of-war between workers and employers over what’s legal conduct, particularly when it comes to private email and Facebook accounts. Employers properly worry about keeping corporate secrets secret, while employees resent the intrusion of a Big Brother atmosphere online.
In a series of memos, the NLRB acting general counsel has advised employers that social media policies could violate the National Labor Relations Act if they violate legal protections of employee speech. The Board recently invalidated a policy on Costco Wholesale Corp.’s employee handbook which generally banned employees from posting damaging or disparaging content on electronic message board.
In an alert from its Advanced Media and Technology Law group, law firm Loeb & Loeb said the ruling, “which we anticipate will be the first of many decisions in this arena,” shows that exempting protecting communications and behavior while setting limits is “not an easy task, and a tightrope that Costco learned to its cost that it was unable to walk.”
Employee privacy disputes have led a number of states to adopt privacy laws prohibiting employers from asking for passwords on private accounts. California’s Social Media Privacy Act, which went into effect Jan. 1, 2013, prohibits public and private employers from demanding usernames or passwords in order to access personal social media accounts.
On the other hand, the proliferation of employee password privacy laws worries Wall Street. The Wall Street Journal reported that securities regulators and industry groups want to be able to sidestep bans on social media privacy in some cases. They worry, the Journal said, that social networks “could create new channels for Ponzi schemes and other frauds,” and that the laws could make it harder for companies to monitor employee conduct.
Privacy concerns are extending beyond the workplace. New Jersey lawmakers this year passed, and Gov. Christi signed, the “Anti-Big Brother Act requiring a school district that furnishes students with laptops or other electronic devices to notify students and their families that the device may record or collect information on student activities.
The measure was prompted by reports that the Lower Merion, Pennsylvania school district had transmitted more than 50,000 images taken by laptop cameras to district administrators.
The district was able to secretly activate webcams in district-issued laptops, a system intended to help track missing or lost devices. But parents sued the district for invasion of privacy and the case was settled in 2010 for $610,000 including attorneys’ fees.
Can the Law Catch Up?
The FBI in January 2012 asked private industry for information about its ability to provide an automated social media alert and mapping system to search networking sites and open source news sites for breaking events, crisis and threats. “Examples include but are not limited to Fox News, CNN, MSNBC, Twitter, Facebook, etc.,” the posting said. Social media, the FBI said, can help monitor “threat scenarios” at special events such as political conventions, national holidays and sporting events.
Janet Napolitano, head of the Department of Homeland Security, says her agency needs about 600 “hackers for good,” young college-age hackers to help counter daily computer attacks on the nation’s electrical grid and financial networks.
Meanwhile, social media companies receive literally thousands of requests annually from government agencies asking for information about users or seeking other information. Twitter’s transparency report in late April 2013 said that since the start of 2012, it had received 1,858 information requests and 48 requests to remove information, as well as 6,646 complaints from copyright holders under the Digital Millennium Copyright Act.
Microsoft’s Law Enforcement Requests Report for 2012 disclosed 70,665 requests specifying 122,015 users or accounts; requests from Turkey led the list (11,434), followed by the U.S. (11,073), France (8,603) and Germany (8,419). Slightly more than 2.2% of the requests led to content disclosure, which could include emails, photos and address book information. And almost 80% of the requests resulted in disclosure of “non-content” data such as the user’s name, billing address and IP history.
Microsoft said the overall total reflects “the number of criminal requests received from a law enforcement agency and/or court seeking customer data. Examples of the types of requests include a subpoena, a court order, and a warrant.”
Microsoft separately disclosed 4,713 requests for information about Skype users, none of which resulted in disclosure of content.
Congress, meanwhile, is awash with debates over more security vs. more privacy, over the need for expanded legal authority to search electronic communications and the need to protect private information.
And the states are trying to decide how to handle online behavior bullying and “sexting” messages, for example.
One law enforcement/privacy debate seems headed for possible resolution in Congress this year: amending the 1986 Electronic Communications Privacy Act. The ECPA, recalls Sen. Patrick Leahy, was adopted when “email was a novelty.”
The Senate Judiciary Committee approved amendments in April 2013 that would:
–require a search warrant based on probable cause for the government to obtain the content of Americans’ email when requested from a third-party service provider.
–require the government to promptly notify an individual whose email content has been accessed from a service provide, and provide a copy of the search warrant.
—the search warrant requirement does not apply to other Federal criminal or national security laws such as the Foreign Intelligence Surveillance Act of 1978.
The measure addresses a number of anomalies in existing law; for instance, currently no judicial approval is needed for a subpoena to access private emails that have already been opened or are more than 180 days old.
Meanwhile, a House Judiciary subcommittee is exploring how the existing ECPA Act affects standards for courts to authorize disclosure of a person’s location via geolocation information such as cellphones.
In recent committee testimony, Catherine Crump, a staff attorney for the American Civil Liberties Union, said “in many parts of the country, the police have been obtaining mobile phone location data for days, weeks, or months at a time, without ever having to demonstrate to an independent judge that they have a good reason to believe that tracking will turn up evidence of wrongdoing…..With assistance from mobile phone carriers, the government now has the technical capability to covertly track any one of the nation’s hundreds of millions of mobile phone owners, for 24 hours a day, for as long as it likes.”
Noting that the existing ECPA Act does not expressly address law enforcement access to mobile phone location data, she urged the committee to require law enforcement request a warrant and show probable cause to receive cellphone location data.
The U.S. Supreme Court in 2012 held that attaching a GPS device to a car and tracking its movements is a search under the Fourth Amendment, but left unresolved whether such tracking requires a warrant based on probable cause.