What started as a story about the latest Facebook privacy problem – revealed in an arguably unethical demo at an IT security conference in Australia – has blossomed into a much bigger story of press freedom, personal data storage and the ambiguity of cybercrime laws.
There’s a lot to go through, so here are the bullet points [all via the Sydney Morning Herald]:
1. At the AusCERT security conference in Gold Coast earlier this week, security researcher Christian Heinrich gives a presentation demonstrating a flaw in Facebook’s privacy settings that allows you to view privacy-protected Facebook photos even if the people in the photos haven’t friended you.
2. Heinrich repeats the demo and presentation for Fairfax journalist Ben Grubb. Grubb reports for the Sydney Morning Herald that, in the course of the demo, Heinrich accessed the photos of the wife of HackLabs director Chris Gatford without asking either of them for permission first, raising questions about how the ethical nature of the demo (not least because of an apparent ongoing feud between Heinrich and Gatford).
3. Later that day, Grubb is questioned by Queensland police over the demo, and later informed he is under arrest for allegedly “receiving unlawfully obtained property” – namely, one of the Facebook photos used in the demo.
4. Grubb – who had the sense to not only record the meeting with police but also tweet news of his arrest – is released without charge an hour later, but the police keep his iPad in order to make a copy of everything on it.
5. The Queensland police justify all this by claiming that, legally, there’s no difference between knowingly possessing a photo obtained via hacking and knowingly possessing a stolen television set. Experts tell the SMH that actually, no, there’s a huge difference.
Obviously there are a number of ongoing stories in play here, the biggest ones being the Facebook privacy flaw uncovered by Heinrich, and the arrest of a journalist who covered the story. (And of course, as a technology journalist who covers security topics from time to time, I confess to not being all that impartial on the latter point. It's also only fair to add that I don't know any additional details about the case beyond what the SMH has reported as of Thursday afternoon.)
But an even bigger detail worth emphasizing is the decision by Queensland police to confiscate Grubb’s iPad and copy its contents.
In an age where personal devices carry tons of personal data about their owners (location data, for example), this raises serious legal questions: do the police need a warrant to copy files from a smartphone or tablet? Should they need one?
This is already a topic of debate in the US regarding the legal ability of law enforcement agents to search and seize laptops and cellphones (and, in the case of state police in Michigan, copying the contents of smartphones with data-extraction devices, allegedly).
The Queensland case is another version of that debate, and it’s one we’re likely to hear more of in other markets as smartphones, tablets and laptops store more and more data about us, and as governments start making decisions about how and to what extent that personal data should be protected.
EDITED TO ADD [May 20, 13:41 HKT]: The police have returned Grubb's iPad, the SMH reports today. No word on whether they copied its contents. The debate, however, is far from over.