The Unfriendly Friend Request

There was a great article on Naked Security that described how a man was charged with possessing a firearm and ammunition after an undercover police officer befriended him on Facebook and discovered photographs of a handgun, a large amount of cash and keys to a Mercedes.

The officer was then able to obtain a search warrant, and sure enough they found all of the incriminating physical evidence that was shown in the photograph on Facebook.

I found this case fascinating, as there were a lot of moving pieces, including an undercover operation, online monitoring and some evidence capture issues, that I found warranted a deeper look.

The court’s analysis on whether the Facebook evidence should be allowed or not can be read here.

Disclaimer: I have said it before and I’ll say it again, I am not a lawyer, nor a member of law enforcement and this is not a critique of either the defense or the prosecution. Or really anyone else.


Now let’s dig into some of the particulars that are available in the decision.

Archiving All Activity is Essential

The first thing that caught my eye was this sentence:

Based on the record before us, it is unclear what information from Everett’s Facebook page was available to Detective Landis before “friending” Everett and what information was available only after the two became “friends.”

Yep. This is a perfect use case for Hunchly, and it describes one of the biggest issues I see with online investigations. We don’t possess a crystal ball, so what we see while investigating today may not be what we see tomorrow. Additionally, sometimes we see materials today that only become relevant much later.

Say you are observing an account of interest today, and they are posting mundane items or nothing of particular interest. You then send a friend request, which can potentially change the content that you are able to see. You may now have to speak to the facts regarding what you saw in the past, and how it changed after the friend request. That is tough to do if you haven’t captured all of the content.

We have no idea which parts of our investigations will end up in disclosure to the court or be subject to cross-examination. It is always best to be prepared to show your work.

There was also an interesting footnote to that paragraph:

When considering Everett’s motion, the trial judge questioned both parties about Everett’s Facebook privacy settings. Everett’s counsel stated that he did not know whether the photos in evidence were “Friend-only protected” or whether they were viewable on Everett’s public profile. Trial Transcript (Feb. 15, 2017), at A095. The State noted that it appeared that, “at some point, maybe in 2016,” Everett changed his Facebook profile to a “private page, which does restrict some access.” Id. But, the State also argued that, “at some point, there is evidence to suggest that it was, in fact, a public page that anyone could go on and look at.” Id.

Pretty interesting that the judge is asking about privacy settings. I think we are going to see more and more of this when the courts are contemplating online evidence submissions. Again, with some archiving they could have easily explained what they saw from a third-party perspective, but only the account holder (or production from Facebook) could give you a fully accurate picture of what the privacy settings were.

Physical Evidence Corroborating Online Evidence

I always find it humorous when people say that they can “solve entire cases with OSINT alone”. I think a more accurate way that cases play out is shown below:

The search warrant, which was both authorized and executed on November 5, 2015, allowed police to conduct a daytime search of Everett’s residence to collect DNA samples and/or a deadly weapon. During the search of Everett’s home, police recovered a loaded nine-millimeter Smith & Wesson handgun; the handgun’s original box with a serial number matching the Smith & Wesson handgun; clothing, including the black T-shirt and the red necklace that Everett was wearing in the Photo and other Facebook photos; and Everett’s pay stubs.

Yep! The photos gave them grounds to get the search warrant; they then seized the physical evidence and compared it to the online evidence. The two complement each other, which is how things tend to go more often than not.

Fruit of the Poisonous Tree

This is a common saying when talking about evidence that has potentially been collected illegally. The saying means that if the source of the evidence is contaminated, then anything stemming from that evidence is also contaminated and may not be included as evidence. In this case the defendant is arguing that the Facebook monitoring was a “warrantless search” and as such would negate the search warrant and anything seized because of it:

Everett’s claim is somewhat convoluted, but his central argument is that Detective Landis’s monitoring of his Facebook page constituted an unlawful, warrantless “search” and, thus, any information seized pursuant to it must be suppressed as the fruit of the poisonous tree in violation of the Fourth Amendment of the United States Constitution and Article I, Section 6 of the Delaware Constitution.

This is a really interesting argument and something I believe we are going to see more of in case law.

Now there is a bit more verbiage below this statement that is interesting:

Everett also argues that Detective Landis presented no evidence that the privacy settings of his Facebook page were “set to anything other than ‘private.’” And, given that Detective Landis had “friended” Everett, Everett argues that it is reasonable to assume that his settings were “private” and, as such, the Photo itself was only viewable to his friends and, thus, he had a “legitimate expectation of privacy.” Finally, he asserts that, even assuming arguendo that his acceptance of Detective Landis’s “friend” request amounted to consent, Detective Landis’s use of deception rendered that consent involuntary because the detective lacked the reasonable suspicion to monitor him.

Again the issue of privacy settings is raised.

There is a takeaway here: if you are monitoring or investigating a Facebook account, it is worth doing some archival and analysis of the account to determine (as best you can) the privacy settings for that account. Lawyers, judges and others may start to question this more and more frequently.

The rest of the court document discusses a number of other cases that contemplate similar themes, friend requests among them, and that are really interesting to review. I encourage you to review the document in its entirety.

Key Takeaways

There are a number of things that looked really interesting to me:

  1. Be prepared to discuss your monitoring activities going back to the first day you ever landed on a target’s account. This goes for criminal and civil cases.
  2. Take note of any observable privacy settings for your target. This can be tricky sometimes, but if you befriend your target, be sure to note any changes in their Facebook/Instagram/Twitter timelines after you have befriended them.
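
One way to keep the kind of record both takeaways call for, as an added example (not from the original post and not Hunchly's own code): an append-only, hash-chained capture log that records the viewer's access level at each capture, so you can later show what was visible before and after a friend request. The URLs, timestamps, field names and the `public`/`friend` labels are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash used by the first entry

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_capture(log, url, content, access, when):
    """Record one observation; access is the viewer's relationship at capture time."""
    entry = {
        "seq": len(log),
        "captured_utc": when.astimezone(timezone.utc).isoformat(),
        "url": url,
        "access": access,  # assumed labels: "public" or "friend"
        "content_sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify_chain(log):
    """Detects edited, reordered or mid-chain-deleted entries (not tail truncation)."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_hash"] != prev or e["entry_hash"] != _digest(e):
            return False
        prev = e["entry_hash"]
    return True

def visibility_report(log):
    """URLs seen without friend access, and URLs seen only with it."""
    public = {e["url"] for e in log if e["access"] == "public"}
    friend_only = {e["url"] for e in log if e["access"] == "friend"} - public
    return sorted(public), sorted(friend_only)

def build_sample_log():
    """Constructed sample: two captures before a friend request, two after."""
    base, log = "https://social.example/profile/subject", []
    append_capture(log, base, b"<html>bio</html>", "public", datetime(2024, 3, 1, 14, 0, tzinfo=timezone.utc))
    append_capture(log, base + "/photo/1", b"photo-1-bytes", "public", datetime(2024, 3, 1, 14, 2, tzinfo=timezone.utc))
    append_capture(log, base + "/photo/1", b"photo-1-bytes", "friend", datetime(2024, 3, 9, 9, 30, tzinfo=timezone.utc))
    append_capture(log, base + "/photo/2", b"photo-2-bytes", "friend", datetime(2024, 3, 9, 9, 31, tzinfo=timezone.utc))
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(verify_chain(log), visibility_report(log))
```

The log only vouches for the integrity of what was recorded; the captured pages themselves still need to be stored alongside it so each `content_sha256` can be re-checked.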

As always, if you have any questions or comments shoot me an email at justin@hunch.ly. I am always on the prowl for interesting court cases so please send them my way if you are aware of any!

Happy hunting!

Justin