It's Zuck's World We're Just Living In It

Facebook Sheriff Joe Sullivan Decides When the Cops Get Your Data, Is Not Afraid to Call Your Mom

How proactive should a social network be in policing your data?
dsc7994 270x270 Facebook Sheriff Joe Sullivan Decides When the Cops Get Your Data, Is Not Afraid to Call Your Mom


Well Forbes privacy reporter Kashmir Hill certainly showed her detractors! Earlier this week, Ms. Hill was taken to task for the fauxtroversy of getting pageviews for generously quoting from–and repeatedly linking to!–a New York Times magazine article about how companies like Target track personal data based on what you buy, an important piece of work in her area of expertise. We believe that practice is called blo-gging? But a big, juicy profile of Joe Sullivan, Facebook’s chief security officer, should help answer the Times‘ writer’s condescending question of what Ms. Hill really wants to do with her life.

Now that we’ve gotten that distasteful business out of the way, let’s make things even squirmier by discussing the revelations in the article itself. Mr. Sullivan, who operates as the de facto “head of Homeland Security” for Facebook and its 845 million users heads a team in charge of everything from prosecuting spammers gaming Facebook to ferreting out pedophiles to figuring out how much of your info to turn over to the police.

Mr. Sullivan, a lawyer who worked with the DOJ’s cyber-crime unit during the Internet boom, also took a similar role at eBay, including units like PayPal and Skype. At times, his relationship with law enforcement sounds a little too snug:

In 2003 off-the-record remarks Sullivan made at a cybercrime conference were secretly taped and given to a reporter at, the Israeli news site. Sullivan claimed that eBay’s privacy policy was “flexible,” allowing it to freely provide information to investigators—“no need for a court order,” Sullivan said. Haaretz wrote an outraged report about eBay’s collusion with Big Brother.

Mr. Sullivan claims the willingness to bend over had to do with policing corrupt sellers and that it was a different at Skype. “With Skype we’d tell law enforcement to go through Luxembourg, and good luck with that,” Mr. Sullivan told Forbes, comparing Facebook more to Skype than eBay:

Sullivan says the experience of looking through different legal lenses in terms of what to give to law enforcement was “really helpful” when he came to Facebook in 2008, “where expectation of privacy is paramount and our philosophy has to be the Skype policy.” He claims that “99.9% of the time” when Facebook resists a request, the government backs down.

Despite collecting scads of data on its citizens (one Austrian student got a 1,222 page report based on three years on the site), “Facebook Constitution” or terms of service, as Ms. Hill points out, doesn’t specify when it’s appropriate for Facebook to look into that data to police your activity or hand it over to the police. Rather, Facebook’s only relevant policy focuses on “prohibitions for users, such as bullying, creating fake accounts or uploading images of violence or nudity, as well as Facebook’s rights to intellectual property uploaded to the site.”

Add in outmoded Fourth Amendment provisions and things get muddy real fast:

Still, the Fourth Amendment against unreasonable searches and seizures can’t shield against these requests ­because of the so-called third party doctrine, which says the information you knowingly provide to a third party loses its privacy protections, making it much easier for the government to get your phone, banking and Internet records.

Here’s Facebook’s basic internal guidelines for dealing with requests from authorities:

The company gives law enforcement “basic subscriber information” on requests accompanied by subpoenas: a user’s name, e-mail address and IP address (which reveals approximate location). Sullivan insists that everything else—photos, status updates, private messages, friend lists, group memberships, pokes and all the rest—requires a warrant.

However, the bigger can of worms may be when, exactly, Facebook decides to get proactively involved. Mr. Sullivan offers a number of designed-to-be-reassuring instances of reaching out to authorities to protect children by policing photos and would be predators or catching kidnappers, as well as somewhat self-serving attempt to catch the Russian Koobface gang of spammers.

Where do Mr. Sullivan and his social network draw a line in the sand? Depends. Oh yeah, and calling your mom could be on either side.

Sometimes Facebook goes too far—then pulls back. While Sullivan won’t be specific, he cites the hypothetical case of teens using Facebook in a “spammy but borderline legal way”—say, by mass inviting people to events. In such instances his team usually doesn’t turn the offenders over to authorities but instead calls their mothers.

Just to be on the safe side, kids, better go old school and plan your raves on Evite instead.

Follow Nitasha Tiku on Twitter or via RSS.