The issue of online service providers' law enforcement compliance guidelines made the headlines again this week when Cyrptome.org published a leaked copy of the granddaddy of them all, the U.S. domestic version of the Microsoft Online Services Global Criminal Compliance Handbook.
When I wrote about this the leaked document in question was Yahoo's Compliance Guide for Law Enforcement, and I took issue with the fact that Yahoo was taking an unnecessarily secretive approach to the matter by trying to keep the document out of public view.
The document states specifically that 'it is not meant to be distributed to individuals or organizations that are not law enforcement entities, including Yahoo! customers, consumers, or civil litigants.' There is absolutely no legitimate reason for the information in this document to be withheld from the general public, or for Yahoo to hide what it's able and prepared to do to assist in criminal investigations. The customer has every right to know exactly what Yahoo's policies and capabilities are in this regard, so that he can weigh that information in his decision to sign up for Yahoo services. It's not too much of a stretch to surmise that Yahoo officials don't want the [information] to be publicly available because of the concern that it would scare off too many customers. That's just not a good enough reason for it to be kept under wraps.
These guides should be prominently posted on each service providers' Web site, right next to the requisite privacy statement, one click off the home page. Instead, in the case of the Microsoft document, each page carries the notation, 'Microsoft Confidential For Law Enforcement Use Only.' Indeed, it turns out that this absurd secrecy is the norm.
Furthermore, this Guide is intended solely for use by bona fide law enforcement agencies and may not be distributed to any other person or organization without the express written authorization of MySpace. MySpace will require verification that the person requesting this Guide is a bona fide law enforcement officer or acting on behalf of a law enforcement agency or prosecutor's office.
On the first page of the Facebook guide is this statement:
This document is CONFIDENTIAL. It contains Facebook Proprietary Information. It is intended for law enforcement and legal counsel use only and should not be redistributed without the express written permission of Facebook.
In case that didn't get the point across, each page carries two stark reminders: 'FACEBOOK CONFIDENTIAL AND PROPRIETARY' at the top, and 'LAW ENFORCEMENET USE ONLY' at the bottom.
Another nagging element of this story is the fact that Cryptome has taken to calling these documents 'spy guides.' They are no such thing, but that hasn't stopped many of the media outlets covering the story to adopt the misnomer.
The connotation is that there's something sinister and nefarious about the guides. There isn't. These documents are legitimate, indispensible resources for law enforcement agencies. To protect the community at large, online service providers are morally obligated to make user information available to the authorities when a criminal investigation is proceeding, with the caveat that there must be an abuse-prevention mechanism in place.
The service providers themselves deserve the lion's share of the blame for the misnomer, because their unwillingness to make these guides accessible to the public gives the perception that some kind of illicit spying must be going on. For the sake of the accurate portrayal of what these documents are, and in fairness to the community at large that each of these parties is trying to protect, the unwarranted secrecy needs to end.