By Declan McCullagh | CNET | Nov. 23, 2011
Confidential guidelines telling police how to access Facebook, Microsoft, Blizzard, and AOL user accounts have appeared online this week.
The files, known colloquially as law enforcement guidelines, typically tell police what types of user data are stored, how long they're retained, and what procedures to use to gain access to them.
A few types of requests--for e-mail less than 180 days old, for instance--tend to require search warrants. In general, basic subscriber information can be disclosed with a subpoena, and a court order is required for more extensive information (whether that's sufficient is the subject of ongoing litigation in the Twitter-WikiLeaks case).
Here are some highlights from each company's policies:
Blizzard: Logs of Internet Protocol addresses are kept "indefinitely," according to the company behind World of Warcraft. Sent mail is not retained. Deleted mail messages are not retained.
Facebook: An earlier version of the company's manual from 2008 said that "IP log data is generally retained for 90 days." That statement is missing from the newly released 2010 version, indicating that Facebook now may store data longer (a company spokesman did not respond to that question).
Microsoft/MSN: Hotmail IP logs are kept for 60 days. MSN TV's Web site logs are kept for 13 days. No logs are kept for conversations taking place through MSN chat rooms and MSN instant messenger. The leaked document is from April 2005, though, and may be out of date.
AOL: IP logs for the AIM and ICQ messaging services are stored for up to 90 days. Customer logs are kept for 6 months. All AOL e-mail, including from portals such as AOL.ca, AOL.fr, and AOL.mx, is stored in its Northern Virginia data center.
The AOL, Blizzard, and Microsoft manuals were leaked as part of a recent data dump from Anonymous. The 2010 Facebook manual was posted by PublicIntelligence.net, a WikiLeaks-like effort that describes itself as an "international, collaborative research project."
By far the most extensive collection of not-meant-for-the-public law enforcement guidelines has been assembled by John Young, a retired architect who runs the Cryptome.org document repository from his Manhattan flat.
After its law enforcement manuals for Windows appeared on Cryptome last year, Microsoft attempted to remove it from the Internet using the Digital Millennium Copyright Act. The DMCA complaint was withdrawn a few days later. (See a related CNET Q&A with Young.)
A House of Representatives panel voted in July to require Internet providers to store customers' names, addresses, phone numbers, credit card numbers, bank account numbers, and temporarily assigned IP addresses. Previous Justice Department proposals envisioned forcing social networking sites to keep records for a few years of who uploads which photographs or videos.
In what may or may not be a coincidence, Facebook plans to post the 2011 law enforcement guide in its help center by the end of the day.
Update, 6 p.m. PT: Facebook has posted its latest law enforcement guide. There's no mention of how long data is retained. Facebook is, however, taking a more privacy-protective stand than some other companies and insisting (as its membership in the Digital Due Process coalition might suggest) that search warrants are required for the "stored contents of any account."