Facebook will throw you under the bus

Tryin to ruin my name
Threw me under the bus
Riding all over the town
Spreading rumors around
Threw me under the bus
From Under the Bus by Lolene

In my previous post I explained why I left Facebook. Doing so freed up enough time to actually do another blog entry so it’s only apropos that this entry reinforce the idea that Facebook is not your friend. Unless of course your friends are conniving weasels who steal from you and will throw you under the bus in a heartbeat. Like being friends with Casey Anthony (but I digress). If you have friends like that then Facebook is what you are used to. If not then read on.

In this post by the oft quoted (by Security For All at any rate) Sharon D. Nelson, Esq. of the {ride the lightning} blog the following question is asked: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?

According to Reuters, since 2008, federal judges have authorized at least two dozen warrants to search Facebook accounts to the FBI, the DEA and ICE. The investigations have involved such things as arson, rape and terrorism.

What interested me most is that these warrants demand a user’s “Neoprint” and “Photoprint” – terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to. So much for Facebook’s claim that the “Download Your Account” button gives you everything that Facebook itself possesses.

Facebook doesn’t tell users about the warrants to give them a chance to challenge those warrants legally.

Yikes! Talk about throwing your users under the bus. And without notice. As Sharon points out even Twitter has a policy of notifying users before they hand over anything to law enforcement. But not Facebook.

And then there is this post by fellow Security Blogger Carole Theriault in the nakedsecurity blog that asks Does using Facebook put you at more risk elsewhere on the internet?

The Pew Research Center has shown that the more time you spend on the internet, especially social networks like Facebook and Twitter, the more trusting you become.

Not just on social networks, but everywhere – both online and in real life.

With 30% of the world estimated to be online – about 80% of North America and 60% of Europe – and more than half of these users belonging to some social networking site, an increase in trust could have major impacts on how people interact in the future.

Does this mean that social network users will eventually become a bunch of loved-up hippies? It is really difficult for me to imagine what I would be like if I shed my cynical armour.

I shouldn’t really worry: while I study social networks all the time, I am more of a voyeur than a player. Let’s be honest here – I find them really scary.

Many users of social networks seem completely addicted – they are on there all the time, recording every event of their lives. It just seems so intrusive to me…and compulsive.

So the premise is that people on Facebook are more trusting than other internet users, and MUCH more trusting than non-internet users.

It seems clear to me that if Facebook users are genuinely more trusting, they are more at risk of online scams, both on and off social media sites.

Maybe research like this proves that social networking sites like Facebook and Twitter need to show greater interest in educating their users about being safe online.

One could argue that they should proactively protect their community against commonly encountered threats.

I agree that it would be swell if Facebook showed a greater interest in educating their users about being safe online but from where I sit I’ve only seen an interest in exploiting their users. But it is a great interest.

To borrow a soundbite (in spite of the lack of audio in this blog) from former First Lady Nancy Reagan, Just say No! to Facebook. Or friend Casey Anthony.

Why I left Facebook

Speak my friend, you look surprised
I thought you knew I’d come disguised
On angel wings, dressed in white
From Descent of the Archangel by Kamelot

Last week I finally had enough. The cumulative effect of every sleazy privacy invading stunt that Messrs. Zuckerberg et al have pulled was definitely part of the motivation. Also the recent departure of several of my security blogger “friends” including Richard Stiennon was another part. That, and the reality that I’m already following all of my blogger “friends’” blogs so Facebook was like a cheesy notification service of new blog entries which is not only redundant, as news aggregators do a much better job, but includes tons of advertising which I was compelled to filter.

Then there was the simple fact that Facebook is an incredible time sink [read waste of time]. When I realized that the last two entries in this blog were Captain X-Ploit sagas – and the good captain doesn’t appear that often – it became clear that some priorities were seriously amiss. There were some mitigating factors of course, not the least of which is that I work for a company that builds actual products for actual customers and the particular actual product that I’m working on is getting close to release [disclaimer: this is not a product announcement since I have nothing to do with that kind of stuff and is not meant to imply or represent anything about Ricoh products] which means plenty of work and deadlines. And the fact that I spent any time on Facebook is hard to justify.

And then there was a post that was forwarding and reposting its way among my less technically savvy (or possibly delusional) “friends” that went like this.

Who says Facebook friends aren’t real friends?.. They enjoy seeing you on line everyday. Miss you when you’re not there. Send condolences when you lose a loved one. Send you wishes on your birthday. Enjoy the photos you post. Put a smile on your face when you’re down. Make you laugh when you feel like crying. Repost if you are grateful for your Facebook friends. I know I am.

Seriously? Come on folks – a Facebook “friend” is an online persona. They are NOT REAL PEOPLE. You may buy into the abstraction that your “friends” represent real people, but I for one have always been very open about the fact that my Facebook profile was completely fraudulent. This was to help mitigate the privacy infringing business model of Facebook. If you really don’t mind letting Facebook have its way “monetizing” your personal information with no compensation to you I guess that’s your choice. Sucker.

And then there’s the legal exposure. Yeah that’s right. Legal exposure. Here’s an example from the Electronic Discovery Law blog.

In this case arising from a car accident which the plaintiff claimed resulted in physical and psychological injuries, the parties invited the court to conduct a review of Plaintiff’s social networking accounts “in order to determine whether certain information contained within Plaintiff’s accounts is properly subject to discovery.” Using Plaintiff’s log-in information, the court reviewed Plaintiff’s Facebook account, including “a thorough review of Plaintiff’s ‘Profile’ postings, photographs, and other information.”

But the thing that finally caused me to bail from Facebook was the realization that the Facebook – and nearly all social networking sites’ – business model is fundamentally flawed. This is articulated quite nicely in this article by Bob Garfield in IEEE Spectrum entitled The Revolution Will Not Be Monetized.

1. If you build it and they come, does that guarantee that there’s money to be made? (Hint: No.)

2. Which of Facebook, YouTube, and Twitter will amass the millennium’s first megafortune and a borderless virtual state, with a vast population, political influence, economic clout, and a lair in a hollowed-out volcano from which to control the world’s weather? (Well, you can probably eliminate Twitter.)

3. The Wall Street valuations of companies like Facebook, which is worth US $85 billion on the secondary market, are stratospheric. Should we stockpile ammo and canned goods for when the bubble bursts? (Not a bad idea; remember Pets.com.)

According to the Interactive Advertising Bureau, U.S. advertisers spent $25 billion online in 2010—representing about 15 percent of the $164 billion U.S. ad market and, for the first time, a bit more than their spending on print newspapers. That was no small milestone. But here’s the thing: According to eMarketer, 31 percent of Americans’ media-consuming time in 2010 was spent online. Which means, speaking broadly, marketers valued new-media time only half as much as old-media time. And that’s the rose-colored view. Chris Anderson, curator of the TED Conferences, recently crunched numbers from Nielsen, Forrester Research, the Yankee Group, and other modelers to synthesize the value, medium by medium, of an individual’s time. Globally, print publications fetched $1 per hour of reader attention. TV got a quarter for a viewer hour. Online fetched “less than a dime.”

Why is online advertising such a poor stepchild? Well, extremely delightful and informative books with pale-blue and white covers have been written on this subject, but let’s reduce the problem to its essence: The endless supply of online content means an endless supply of places where ads could go, which by definition depresses demand and, with it, price. Period.

The second problem is more basic still. Ever click on a banner ad? Have you? Ever? Of course not, because why would you leave what you’re doing—especially socializing—to go listen to a sales pitch? The click-through rate, industry-wide, is less than 1 percent—and chalk some of that up to mouse error and click fraud. Some advertisers deal with this problem by popping ads into your face, blaring audio, or subjecting you to “preroll” video messages before the video you actually wish to see. As Anderson sagely observed to a Madison Avenue audience, that was an acceptable quid pro quo in the days of passive TV viewing. Online, though, users are active and in control. “If you take control away from them,” he said, “they will hate you.” Or, put another way: Online, all advertising is spam. These two structural problems leave two possibilities: Either advertising will never be the force in new media that it was in the five predigital centuries (a theory to which I personally subscribe), or someone will crack the code.

Yep. That pretty much covers it. When you are a Facebook “member” [read product] you are essentially trading your privacy for Facebook to convince advertisers that they can target you with spam better than their competitors. It’s not even as clever as Google’s for-fee search engine poisoning (er… Search Engine Optimization) and a whole lot more intrusive.

So there you have it. I really doubt that I will be missed on Facebook. Certainly not by Facebook themselves since I never provided them with any private information and probably not by any “friends” [read online personae that I found amusing] since those who matter in any real way can either call me or find me at this blog. All the others will probably find it refreshing to not be mocked with snarky comments when they post silly nonsense on their walls. And fear not, this blog is still represented on Facebook through the intrepid David Nicholas Stone, AKA Captain X-Ploit. Feel free to become a fan.

Oh – and to my “friend” Mark Zuckerberg – Take the money and run dude! It will get ugly when the investors sober up.

Social Network privacy officially an oxymoron

It’s good to know you’re thought of, it’s good someone should care
It’s good to know you’re trusted but not to know they’re there
Too late to shut your curtains they’ve caught you unaware
They’re not at your window man, they’re sitting in your chair
From Privacy Invasion by Exploited

I have attempted on numerous occasions, for example here, here and here, to get the point across that you have no reasonable expectation of privacy on social networks. Posting anything on Facebook or MySpace is the same as announcing it on network television. Only with more marginally sentient viewers. “Oh yeah, we already know all about that,” I hear you thinking (it’s a gift, my telepathy). “But that’s only on the public part of my Facebook page and stuff I post publicly to my friends’ pages. All my private stuff is password protected and, well, private.” Yeah. You wish. This entry in the Electronic Discovery Law blog describes a ruling that should disabuse you of those social networking privacy notions forever.

In this personal injury case, defendant sought access to plaintiff’s social network accounts and requested production of his user names, log-in names, and passwords.  Plaintiff objected, arguing that the information was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days and that plaintiff should not take steps to delete or alter the existing information on his social network accounts.

Holy social privacy slapdown, Batman! You mean that a court can compel you to [that means throw your fuzzy butt in jail if you don’t] hand over your Facebook logins and passwords? Yes indeed. And that’s not all, folks. The judge in this case had some very specific points to make vis-à-vis social networking [emphasis mine].

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.

The court concluded that no person could reasonably expect that his communications on a social network site would remain confidential; that confidentiality was not essential to maintain the relationships between social network users; that the relationship between users was not one that the “community seeks to sedulously foster”; and that “whatever relational harm may be realized by social network computer site users [by disclosure of their communications] is undoubtedly outweighed by the benefit of correctly disposing of litigation.” As to the last point, the court went on to reason that “[a]s a general matter, a user knows that even if he attempts to communicate privately, his posts may be shared with strangers as a result of his friends’ selected privacy settings. The court thus sees little or no detriment to allowing that other strangers, i.e., litigants, may become privy to those communications through discovery.”

So you have only the right to be hoist by your own petard and your friends’ petards and their friends’ petards and so on. Privacy? Not so much. Actually, not at all. Not now. Not Ever. I would especially like to draw your attention to the statement: the relationship between users was not one that the “community seeks to sedulously foster”.  While you should definitely look up “sedulously”, I’ll translate as a public service: the “community” doesn’t give a rodent’s pa-toot about your relationships. Don’t ask, don’t tell, don’t care. And just in case you are still holding a glimmer of privacy hope allow me to allow the court to snuff that glimmer forever.

Where there is an indication that a person’s social network sites contain information relevant to the prosecution or defense of a lawsuit, therefore, and given Koken’s admonition that the courts should allow litigants to utilize “all rational means for ascertaining the truth.” 911 A.2d at 1027, and the law’s general dispreference for the allowances of privileges, access to those sites should be freely granted.

In case you doubt the veracity of my paraphrase and quoting abilities here is the full opinion.

RIP Social Network Privacy. We only wished we knew you.

E-discovery is hard

Sometimes life is hard like trying bail out the ocean with a spoon
Sometimes life is hard like trying to turn December into June
And sometimes life is hard like trying lasso a quarter moon
From Life Is Hard by Eric Durrance

I’m trying really hard to catch up on all of the e-discovery news I’ve been ignoring in favor of goofing off. It is summer after all and I don’t get paid nearly enough for doing this. Okay, so I don’t get paid at all for doing this. That certainly isn’t nearly enough. But as I was saying before I was sidetracked by my schizophrenic alter ego, while catching up on what’s happening in e-discovery and legal proceedings related to security and privacy I came across several articles that while seemingly unrelated really do have a common and interesting thread. One, in fact, actually being about threads. But I’m ahead of myself.

The first article comes from the Electronic Discovery Law blog and is entitled New York Court Provides Detailed Instruction on Protocol for Discovery of Cloned Hard Drive. The background of the story is this.

In this matrimonial action, plaintiff sought access to her husband’s (the defendant) office computer to determine his true financial condition. After denying plaintiff’s initial motion, the court directed (by stipulated order) that a clone of defendant’s office hard drive be made at plaintiff’s expense.  Thereafter, the court denied plaintiff’s motion for access to the cloned drive upon finding her request for unrestricted access overbroad. “Equally important” to the court was plaintiff’s failure to propose any protocol for investigation of defendant’s hard drive. The court instructed that should the plaintiff wish to renew her motion, her renewal “must contain a detailed, step-by-step discovery protocol that would allow for the protection of privileged and private material.”

So in other words the court said, “We’re not going to give you carte blanche to do anything you want with hubby’s financial data. You have to have a plan. Just like real e-discovery and forensics guys – not to be confused with TV CSI guys – do.” Furthermore, the court was good enough to provide such a plan to the plaintiff and her apparently clueless legal counsel. Here is the abbreviated list, but definitely check out the full text of the court’s opinion for some great information.

(a) Discovery Referee:  The parties [must] agree on an attorney referee, preferably someone with some technical expertise in computer science, to be appointed to supervise discovery.

(b) Forensic Computer Expert:  The parties [must] agree on a forensic computer expert who will inspect and analyze the [hard disk] clone.

(c) File Analysis:  The expert will analyze the clone for evidence of any download, installation, and/or utilization of any software program, application, or utility which has the capability of deleting or altering files so that they are not recoverable, extract all live files and file fragments and recover all deleted files and file fragments.

(d) Scope of Discovery:  Plaintiff will list the keyword and other searches she proposes to have the expert run on the files and file fragments, subject to a reasonably short time frame in [they] were created or modified.  Plaintiff is cautioned that she should narrowly tailor her search queries so as to expedite discovery and reduce the costs of litigation to the parties.

(e) First-Level Review:  The expert will run keyword or other searches on all of the extracted files and file fragments.  After performing searches, the expert will export to CDs or DVDs a copy of the native files and file fragments which were hit by such searches, and will deliver such media to defendant’s counsel to conduct a privilege review.  An exact copy of the media delivered to defendant’s counsel will be contemporaneously delivered by the expert to the referee.

(f) Second-Level Review:  Within twenty days after delivery of the media containing the extracted files and file fragments, defendant’s counsel will deliver to plaintiff’s counsel all non-privileged documents and information included in the extracted files and file fragments, together with a privilege log which identifies each document for which defendant claims privilege and describes the nature of the documents withheld, so as to enable plaintiff to assess the applicability of privilege.

(g) Discovery Disputes:  The referee will resolve any disputes concerning relevancy and privilege.

(h) Cost Sharing:  All costs for the expert will be borne by plaintiff, subject to any possible reallocation of costs at the conclusion of this action.

(i) Discovery Deadline:  The parties should agree to a fast-track discovery schedule.

(j) Retention of Clone:  The discovery referee will keep the clone until the action is concluded.

Yep – that’s quite a lot of detail. Certainly more than the “let’s clone hubby’s hard drive and take a look” that the plaintiff originally suggested (probably after watching CSI on TV). There’s a lot more to this e-discovery business than most people including, apparently, some lawyers think.
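To make steps (d) and (e) of the court’s list concrete, here is an added sketch (my own illustration, not anything from the court’s opinion or a forensic product) of a keyword search restricted to a modification-time window, with the hits exported in native form and hashed so the copy sent to defendant’s counsel and the copy sent to the referee can be shown to be identical. It assumes the expert has already extracted files into an ordinary directory; all file names, keywords and dates are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file's bytes so later copies can be compared against it."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def first_level_review(extracted_dir, keywords, start, end, out_dir):
    """Export native copies of files that hit a keyword inside the time window.

    Returns a manifest (relative path, SHA-256, keywords hit) for the export.
    """
    extracted_dir, out_dir = Path(extracted_dir), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for path in sorted(p for p in extracted_dir.rglob("*") if p.is_file()):
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if not (start <= mtime <= end):
            continue  # outside the time frame the plaintiff proposed
        lowered = path.read_bytes().lower()
        hits = sorted(k for k in keywords if k.lower().encode() in lowered)
        if not hits:
            continue
        rel = path.relative_to(extracted_dir)
        dest = out_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # native file, timestamps preserved
        manifest.append({"file": rel.as_posix(),
                         "sha256": sha256_file(dest),
                         "keywords": hits})
    return manifest


def copies_match(manifest, *delivery_dirs):
    """True only if every delivered copy of every hit matches the manifest."""
    return all(sha256_file(Path(d) / entry["file"]) == entry["sha256"]
               for entry in manifest for d in delivery_dirs)


def run_demo():
    """Build a constructed 'extracted files' tree and run the review on it."""
    utc = timezone.utc
    samples = {  # constructed sample data: path -> (content, modified time)
        "ledger.txt": (b"Offshore account transfer, March",
                       datetime(2010, 3, 1, tzinfo=utc)),
        "notes/old.txt": (b"offshore fishing trip",
                          datetime(2005, 1, 1, tzinfo=utc)),
        "recipe.txt": (b"pancakes", datetime(2010, 4, 1, tzinfo=utc)),
    }
    with tempfile.TemporaryDirectory() as base:
        extracted = Path(base) / "extracted"
        for rel, (content, when) in samples.items():
            target = extracted / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
            os.utime(target, (when.timestamp(), when.timestamp()))
        counsel, referee = Path(base) / "counsel", Path(base) / "referee"
        manifest = first_level_review(
            extracted, ["offshore", "transfer"],
            datetime(2010, 1, 1, tzinfo=utc),
            datetime(2010, 12, 31, tzinfo=utc), counsel)
        shutil.copytree(counsel, referee)  # the referee's "exact copy"
        identical = copies_match(manifest, counsel, referee)
        (referee / "ledger.txt").write_bytes(b"edited after delivery")
        after_edit = copies_match(manifest, counsel, referee)
    return manifest, identical, after_edit


if __name__ == "__main__":
    print(run_demo())
```

The manifest is what lets the referee settle a later dispute about whether both sides were looking at the same files.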

The next article comes from the e-discovery 2.0 blog and is entitled Courts Undecided on How to Handle Email Threads in Electronic Discovery. We’re all familiar with email threads, but just in case you’re not familiar with the “thread” terminology the article has a really good description.

Email allows us to communicate in a way that helps us associate context to our discussions, namely in its ability to be chained into a sequential thread when email users reply to or forward emails they previously received. This accomplishes two important tasks: 1) it allows the person sending the reply or forward to get an understanding of the issues so he/she can craft a meaningful response, and 2) it allows the person receiving the response to understand that response in the context of other on-going discussions. Email programs help by automatically including content from prior emails, thus producing a long chain of reference.

So see, you really knew what they were all along. Anyway, as you can imagine email threads are quite valuable as evidence in litigation. Quite a bit more so, in fact, than the individual messages on their own would be. But unfortunately for courts, even something as straightforward as email threads isn’t really that simple. Once again the idea of privilege rears its ugly (or beautiful depending on whether you get it or not) head.

The area of greatest confusion and uncertainty has been the determination of privilege when emails are exchanged with in-house counsel and attorneys and whether such emails are protected by attorney-client privilege or not. A central issue is the composition of privilege logs under these circumstances.

There are several legal opinions on the matter of intermingling privileged and non-privileged communications in an email chain. These opinions have left the matter with little clarity, especially regarding whether the entire email thread is privileged or whether individual emails must be separated out and classified as privileged, with a privilege log listing them. Typically, the most recent email in a thread contains all other emails in that thread. Separating out individual emails (i.e., the contained emails) from the containing email would allow for treatment of just the portions of the email thread that may have privilege. When such separation is permitted, some contained emails may be assessed as privileged while others may not. However, it is entirely possible that the contained email is also present as an independent email under possession of the same custodian or another custodian. When it is present, one could argue that the contained email can just be ignored, and if the corresponding email is responsive, one can ignore the contained email. But rarely does a collection include a complete set of custodians, so the question of whether the privilege log should include the contained item in question still remains. In terms of management of review, and for constructing a privilege log, treating the most recent email and all its contained emails as a single entity is less expensive and cleaner than separating and determining privilege status of each contained email.

Another complicating factor is simply a determination of privilege. Does the mere fact that an attorney was listed as a courtesy CC recipient make the entire email privileged? And, when such emails are then forwarded only to an attorney involved in the case, with a legal strategy discussed in the containing email, is only the new content added to the containing email privileged, or does the privilege determination extend to the other contained emails?

Wowzers! That makes my brain hurt. Confusing indeed. After some great legal references, the second article unfortunately devolves into a flack piece for the Clearwell E-Discovery Platform which you can read about if you are so inclined. Actually I’m being a bit harsh, since the author is simply stating the problem and presenting a product that helps solve the problem. I’m just not in the market.
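For the technically inclined, the thread problem quoted above can be shown in a few lines. This is an added sketch of my own (not code from either blog or from any e-discovery product): it groups constructed messages into threads using the standard Message-ID and References headers, then builds the privilege log both ways, per thread and per message, and lists messages that exist only as contained text because their custodian was never collected. The counsel address list and all sample mail are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: the review team supplies the addresses that count as counsel.
COUNSEL = {"counsel@example.com"}

# Constructed sample collection (not real mail). <b1@example.com> is referenced
# but was never collected: it survives only as quoted text inside <b2>.
RAW_MESSAGES = [
    "Message-ID: <a1@example.com>\nFrom: cfo@example.com\n"
    "To: ops@example.com\nSubject: Q3 numbers\n\nDraft attached.\n",
    "Message-ID: <a2@example.com>\nReferences: <a1@example.com>\n"
    "From: ops@example.com\nTo: cfo@example.com\nCc: counsel@example.com\n"
    "Subject: Re: Q3 numbers\n\nLooping in legal as a courtesy.\n",
    "Message-ID: <a3@example.com>\n"
    "References: <a1@example.com> <a2@example.com>\n"
    "From: cfo@example.com\nTo: counsel@example.com\n"
    "Subject: Fwd: Q3 numbers\n\nHow should we respond to the subpoena?\n",
    "Message-ID: <b2@example.com>\nReferences: <b1@example.com>\n"
    "From: hr@example.com\nTo: ops@example.com\n"
    "Subject: Re: Holiday rota\n\nFine by me.\n",
]


def parse(raw):
    """Reduce one raw message to the fields the privilege log needs."""
    msg = message_from_string(raw)
    people = getaddresses(msg.get_all("From", []) + msg.get_all("To", [])
                          + msg.get_all("Cc", []))
    return {"id": msg["Message-ID"].strip(),
            "refs": msg.get("References", "").split(),
            "participants": {addr.lower() for _, addr in people}}


def thread_root(m):
    # Simplification: the first References entry is treated as the thread root.
    return m["refs"][0] if m["refs"] else m["id"]


def build_threads(msgs):
    """Map each thread root to the collected message ids in that thread."""
    threads = {}
    for m in msgs:
        threads.setdefault(thread_root(m), []).append(m["id"])
    return threads


def involves_counsel(m):
    # Flags candidates for review only; whether privilege applies is a legal call.
    return bool(m["participants"] & COUNSEL)


def message_level_log(msgs):
    """One log entry per individual message that involves counsel."""
    return [m["id"] for m in msgs if involves_counsel(m)]


def thread_level_log(msgs):
    """One log entry per thread: the whole chain is treated as a single entity."""
    flagged = {thread_root(m) for m in msgs if involves_counsel(m)}
    return [{"thread": root, "withheld": ids}
            for root, ids in build_threads(msgs).items() if root in flagged]


def contained_only(msgs):
    """Referenced messages absent from the collection (custodian gap)."""
    collected = {m["id"] for m in msgs}
    referenced = {ref for m in msgs for ref in m["refs"]}
    return sorted(referenced - collected)


MESSAGES = [parse(raw) for raw in RAW_MESSAGES]

if __name__ == "__main__":
    print("per message:", message_level_log(MESSAGES))
    print("per thread: ", thread_level_log(MESSAGES))
    print("contained only:", contained_only(MESSAGES))
```

Note how the per-thread log sweeps in the first message, which never went near an attorney, while the per-message log leaves it producible.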

So the common thread between these two articles is that admissible electronic evidence is not an easy, cheap or sometimes even well defined proposition. Which is why e-discovery and forensic specialists get paid the big bucks [Okay you e-discovery guys and gals can stop laughing now]. The points you can take from this are several including:

  1. If you are thinking of enrolling on one of those “become a CSI” courses, read this post and these articles over and over until you understand what they really mean. Then go to Vegas instead.
  2. If you are involved in litigation and your attorney suggests that you “snag the computer and take a look” for some evidence, point him/her to this blog entry as a handy reference on what “snag the computer and take a look” really involves. Then fire the fool and get an attorney with a clue.

Nasty attempt to destroy evidence

Eat it, eat it, eat it, eat it
If it’s gettin’ cold, reheat it
Have a big dinner, have a light snack
If you don’t like it, you can’t send it back
Just eat it, eat it, eat it, eat it
From Eat It by Weird Al Yankovic

And in news of the weird, we have this article from The Smoking Gun entitled Giga-Biter In Obstruction Charge that begs an entire post filled with genuine potty humor.

In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents.

Yowza! I would have loved to hear the e-discovery motions by the prosecution on this one. [The following scenario is entirely fictional and occurred only in the mind of the author].

Prosecutor: Your honor, in order to access the evidence acquired through the legal search warrant we will require a court order to administer laxatives and/or enema to the defendant.
Judge: WTF! Is that some new encryption protocol?

But sadly they were able to avoid any hilarious legal maneuvering the old fashioned way. Through collusion with friendly medical professionals.

When [the suspect] was unable to pass the item after about four days, doctors – concerned that the drive was not compatible with the suspect’s GI tract – concluded he “would be injured if they allowed the flash drive to remain inside of him”. [The suspect] eventually agreed to allow doctors at New York Downtown Hospital to remove the item, according to a source familiar with the incident.

I must concur that a flash drive is probably not compatible with your GI tract. Although passing it would definitely be a pain in the… Well, you get it. So, presumably after cleaning up the evidence, [this adds a whole new meaning to “sanitizing data”] there was still the question of whether the data was damaged by the tour of the suspect’s digestive system.

A Kingston executive said it was unclear if stomach acid could damage a flash drive. “As you might imagine, we have no actual experience with someone swallowing a USB device”.

Since the case is still pending, we have no idea of the ultimate disposition or disposal of the evidence. Or of the state of the suspect’s GI tract.

Left naked in the rain by social networking

I must have been out cold
But the way the story’s told
They found me lying naked in the rain
From Bible Black by Heaven and Hell

Any number of times in the past I’ve warned about the inherent lack of privacy with social networking in posts like this, this, this and even this. But this week Sharon Nelson of the {ride the lightning} Electronic Evidence blog had a very interesting post wherein she points out that employees who engage in social networking at work expose their employers as well as themselves.

So you have a policy against social networking on work computers? Who cares? Probably not your Millennial generation employees. 45% of them use social networking at work whether or not their employers have imposed policy restraints. Of course, you can use technology to block them from visiting these sites on their computers. And then they reach for their cell phones chanting the Millennial mantra, “There’s an app for that.”

That’s right Mr. CIO, that pretty much leaves you naked in the rain. But it’s not all bad though: e-discovery folks like Sharon love these miscreants for the bounty they allow them to harvest. Well okay, maybe it is all bad for you. The post references this report from Accenture titled Jumping the Boundaries of Corporate IT which examines the Millennials’ use of technology. Some of the highlights include:

29% of those surveyed say that they don’t know if their company has a social networking policy.
17% say a policy has never been published.
11% say that what the company has published is too complex to understand.
11% say – in essence – screw the policy, I’ll do as I see fit.

If these little tidbits don’t have your IT security folks hyperventilating then you’re not paying attention. I’m thinking that it might be a really good idea to check out that Accenture report and try to understand how Millennials think and their proclivity for defying company policy and look for things that policy tells you shouldn’t exist. It’s not much but it’s better than being completely naked in the rain.

Web 2.0 Miranda

don’t say a word or we’ll surely expose
that it’s you who are wicked and vile
anything you say will be used against you
and now it is you here on trial
from Don’t Say a Word by Cici Porter

For a long time now I’ve tried to get folks to realize that there is nothing private or protected about social networking. To wit, these posts here and here. In case you think I’m overreacting you should check out this post by Sharon Nelson in the {ride the lightning} blog.

Recently, Facebook spokesman Andrew Noyes said that the company has created a team led by a former FBI employee to manage requests for information in criminal cases. According to Noyes, a big part of the job is explaining the applicable laws and the limitations on access to Facebook user information. He said that Facebook strives to respect the balance between law enforcement’s need for information and the privacy rights of citizens.

To be fair to Sharon’s point in the post, judges are increasingly ruling on the side of individual privacy in cases with requests to make social network content discoverable or admissible. But the fact that the number of such cases has increased to the point that Facebook needs a team to “manage requests for information in criminal cases” is my concern. It almost seems like this has progressed to the point that every social networking site should display your Miranda rights prominently. In actual fact Facebook does display, albeit not terribly prominently, something like that in their Privacy Policy.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Twitter has a similar statement in their privacy policy.

We may disclose your information if we believe that it is reasonably necessary to comply with a law, regulation or legal request; to protect the safety of any person; to address fraud, security or technical issues; or to protect Twitter’s rights or property.

So what’s the big deal? These Web 2.0 sites have to comply with the law just like everybody else. Exactly. So think about that the next time you want to post a photo of that truly epic party. You know, the one with the funny pictures of you and your peeps totally hammered and passing the bong. Or maybe that post where you really let everyone know how you feel about your sleazy ex. Just remember that you have been “Mirandized”. Sort of. And to the extent you have any rights you didn’t waive by using the social network.