When a 14-year-old Johannesburg schoolgirl’s Facebook account was “broken into” and abusive messages and material sent to friends and family, she was deeply traumatised. But at least, she imagined, Facebook would assist in tracking down the perpetrators. It was not to be.
Facebook is easily able to fend off spurious complaints about wasting productive time, but issues of privacy threaten to topple it from its social-networking throne. Much has been written and debated about the extent to which the site can be used for data mining — both internally in order for Facebook to sell data and externally in order for outsiders to extract data for commercial and other purposes.
Some attention has also been focused on users’ ability to manage their existence on Facebook: only since the end of February this year has Facebook allowed users to delete their own accounts — but only by contacting Facebook and requesting this. People who find fake accounts purported to have been set up by themselves have an even more difficult process to follow, but at least there is a procedure.
For all the genius of its developers, however, Facebook has been unable to figure out how to respond to users when their own accounts are compromised.
This poses a serious risk to both users and Facebook itself, as the latter runs the risk of being an accessory to abusive behaviour. However, Facebook, which makes a big deal of acceptable use in creating profiles or groups, has no equivalent appreciation of the severity of users’ own rights being violated.
Right now, a Johannesburg family is dealing with the trauma of their teenage daughter’s Facebook account being accessed maliciously and used to spread pornography and abuse to this girl’s friends and associates. Aside from appalling damage to her reputation, the child herself is deeply traumatised, and the family shares in her trauma.
It is easy to blame the child for not protecting her log-in information adequately. But this happens regularly and easily in a world of teenage users. When they set up a web-based email account through Hotmail or Gmail, and use that account to sign on to Facebook, they are often not savvy enough to protect their email account details adequately, and that opens them up to malicious acts — often from their own school “friends”.
The easy way to track down the perpetrators would be to obtain the IP addresses of those who had logged into her account, and then submit those to the relevant ISP to whom the IP addresses are assigned, in order to identify the user through the ISP’s log files.
Or not so easy. Facebook requires a court order to release the information. The ISP will require a court order. This, one would say, is a reasonable approach to take when members of the public call for internal data of this nature. The owner of this data has a duty to protect the privacy of its users, not so?
However, when there is a clear violation of one user’s rights, surely the balance of rights tilts away from the perpetrator and towards the victim? If someone vandalises your car in a mall parking lot, is the mall owner obliged to refuse access to video footage from the security cameras because it wants to protect the privacy of the vandals?
In the South African case, the father wrote to Facebook from his own email address, explaining the situation and demanding action. Facebook responded first with an automatic response, referring the father to its Privacy and Security Help page, and then with a personal response, advising that: “Unfortunately we cannot discuss this account over this email address for security and privacy reasons. We will await a correspondence from the log-in email address or a secondary email address owned by the account holder.”
Then, using his daughter’s secondary account, which was linked to her Facebook account after the original email address had been compromised, the father once again explained the situation, providing times and details of the offence.
All this time this 14-yearold girl was engaging in a massive damage-control exercise, having to convince friends and family that she had not been responsible for abusive messages and material sent to them.
As explained to Facebook, “not only were pornographic messages and images posted in her name, but she was added to racist and sexist groups while being removed from groups that she had voluntarily joined at other times”.
He argued in his letter that the culprits needed to be brought to justice, “not only for the sake of our daughter’s good name, but to act as a deterrent to other malicious people who might be similarly inclined to impersonate and abuse the identity of innocent people”.
Not entirely unreasonable, you may think. But then a Facebook representatitive responded with this amazing comment: “Your daughter needs to write to me from this email address so I can correspond with her concerning her account. Please have her do so. The account in question has been removed from the site in the interim.”
While that is not the equivalent of some South African courts requiring victims of child abuse to face their violators in court, it smacks of the same kind of insensitivity.
It is not enough that the child has given her parents access to her account to make contact with Facebook. Now this 14-year-old, utterly confused and feeling emotionally violated, is required to step up to the witness box before Facebook will take any further steps. Okay, so you may argue that Facebook is entitled to a direct comment from the victim — who incidentally did not want her Facebook profile removed; she merely wanted to avoid it being violated again in the future.
But the big question for the family was, what is Facebook going to do with her testimony?
In that same response they had said:
“Unfortunately, we cannot release the information you requested regarding IP addresses unless we receive a valid subpoena or court order. Additionally, please be aware that there are situations where we may be unable to retrieve the information that you have requested due to technical limitations. You should contact a lawyer or your local law-enforcement agency and discuss this issue with them. If you decide to pursue legal action, have the lawyer or officer contact us at [email protected], and we’ll communicate with them regarding the issue.”
The implication was that, if their daughter would step up to the plate with her own story, they would take it more seriously. With this end in mind, the daughter then agreed to write in her personal capacity to Facebook representative.
She explained the situation and added, among other things: “I can’t tell you how this has affected me … For the first day or two I was scared to go out or even to switch on my computer because of what these people did to me … I’m so worried that if we don’t find out who they are and stop them legally, they might do something even worse.
“When I went on to Facebook, I trusted the site enough that I thought that now that something bad has happened to me on the site, you would care a little bit about what might happen next. I’m worried that people who can do such things could easily think up something even worse if they aren’t stopped.”
And this was Facebook’s helpful, caring, cooperative response:
“I would suggest contacting the authorities, because unfortunately we cannot release the information you requested unless we receive a valid subpoena or court order. Additionally, please be aware that there are situations where we may be unable to retrieve the information that you have requested due to technical limitations. You should contact a lawyer or your local law enforcement agency and discuss this issue with them. If you decide to pursue legal action, have the lawyer or officer contact us at [email protected], and we’ll communicate with them regarding the issue.”
You guessed it: a form letter!
There are many arguments for not releasing IP addresses, but when there is such clear and present violation, it simply intensifies the abuse when the family is required to go to court to enable it to get action from Facebook. The latter is lightning fast off the mark in responding to minor infractions of its commercial rules, but intensely bureaucratic when it comes to responding to violation of its users’ rights. It needs to find a way to cross this gap, or it will lose both trust and credibility — the true currency of the internet.