A user is able to contact other individuals by adding them to their ‘friends list’, which enables them to be able to write on other friends’ walls (i.e. a space for public commentary) and leave tags on photographs. Users are also able to communicate by sending instant messages which can sometimes be stored on the user’s machine and messages, similar to emails. Such Facebook evidence can be crucial in terms of showing relations or patterns of contact between parties.
The owner of the account is able to adjust privacy settings so as to restrict what information is publically accessible and what details may be viewed only by friends. Much like conventional email correspondence, sent and received messages are unable to be edited and are stored on the Facebook™ servers in their original format until deleted by the user of an account. This material is the basis for facebook evidence.
Facebook Evidence and Data Retention
Correspondence made via Facebook™, including media files uploaded to the website or shared, are stored permanently on the respective account.
It is necessary for the user to manually select items of correspondence or specific files for deletion in order to have them removed from the account. Alternatively, a user may close their entire account in order to have all correspondence or media files erased. Facebook evidence includes deleted data files or accounts are no longer available to members of the public, online friends or the original account owner; however, all of this content remains archived by Facebook™ for a period of ninety (90) days .
Facebook™ recommends that investigators contact their organization as soon as a requirement for account information is known. This way current accounts, erased content, and related Facebook evidence can be preserved for a further ninety (90) days, to allow adequate time for service of legal applications.
Lawful Disclosure of Facebook Evidence Records
The Facebook™ unit responsible for managing requests for account information and related Facebook evidence, the unit is titled the ‘Security Department and Custodian of Records’:
SECURITY DEPARTMENT / CUSTODIAN OF RECORDS
1601 CALIFORNIA AVENUE
PALO ALTO, CA 94304
The following three types of requests can be made:
- Preservation Requests - following notification of a specific User ID, Username or e-mail address, existing account records and erased archive material will be preserved for ninety (90)days.
- Formal Legal Requests - records will be provided pursuant to formal compulsory legal process issued under US law.
- Emergency Requests - where there is a credible risk of bodily harm or death, immediate assistance will be provided to investigating authorities, even in the absence of legal process/orders. It should be noted that whilst the above references state that formal legal facebook evidence requests “issued under US law”, in the experience of the author the Facebook™ organization will readily assist any request for information from any lawful authority or country, as long as supported by their respective legal process.
Whilst internal procedures vary between Police forces, this position may be verified by contacting the relevant Hi-Tech Crime Unit (HTCU) and/or Single Point of contact (SPoC) for clarification on their approach to securing disclosure of facebook evidence, account information and related records. Subject to receiving a lawful request for information, Facebook™ can provide the following records:
• Basic Subscriber Information
Previously referred to as ‘neoselect’ , these records will include the User Identification Number, account email address, time/date of account creation, associated telephone number(s), and time/date of logins for the past 72hours.
• Expanded Subscriber Content
Previously referred to as ‘neoprint’, these records will include all profile contact information, status updates, files/photographs that have been shared, messages posted on other individual’s walls, listings of friends and group memberships, and event reminders.
• User Photographs
Previously referred to as ‘photoprint’, this will include all photographic media uploaded by the account holder as well as photographs from third parties which have been tagged as featuring the account holder.
• Messaging Correspondence
Incoming (received), outgoing (sent), and draft email equivalent communications.
• Internet Logs
Commonly referred to as ‘IP’ logs, this content will assist in demonstrating the time/date that a user account was accessed as well as provide enough information to trace the physical address of the computing device used to make the account access.
The above Facebook evidence records will generally be served via email in the form of Adobe Portable Document Format (PDF), so that the content cannot be easily modified.
For further guidance, independent advice, or to request a free licence for the specialist eDiscovery toolkit Facebook Forensic Software, contact Afentis Forensics