The next time someone tries to "friend" you on Facebook, it may turn out to be an undercover fed looking to examine your private messages and photos, or surveil your friends and family. The Electronic Frontier Foundation has obtained an internal Justice Department document that describes what law enforcement is doing on social networking sites.

The 33-page document shows that law enforcement agents from local police to the FBI and Secret Service have been logging on to MySpace and other sites undercover to communicate with suspects, read private postings and view photos and videos that are restricted to a user's friends.

The document also describes techniques for verifying alibis – such as checking messages posted by a suspect on Twitter disclosing his whereabouts at the time a crime was committed – and uncovering information that might point to illegal activity, such as photos depicting a suspect with expensive jewelry, a new car or even a weapon.

The document says evidence from social networking sites can:

Reveal personal communications Establish motives and personal relationships Provide location information Prove and disprove alibis Establish crime or criminal enterprise The investigative techniques were part of a slide presentation titled "Obtaining and Using Evidence from Social Networking Sites" (.pdf) given last year by John Lynch, deputy chief of the Justice Department's Computer Crime and Intellectual Property division to describe how valuable social networking sites can be to give law enforcement access to non-public information. The cops can also map social relationships and networks, among other things. The document does not include guidance or cautionary notes on how to conduct an investigation responsibly using these services, though it acknowledges the problematic nature of using an assumed identity to open an account with a social networking site.

"Can failure to follow [terms of service] render access unauthorized?" the document asks. "If agents violate terms of service, is that 'otherwise illegal activity'?"

Agents who create fake accounts to communicate with suspects under an assumed identity could create a conundrum for the Justice Department, which prosecuted Lori Drew in 2008 for essentially doing the same thing. Drew was charged with computer fraud and abuse for violating MySpace's terms of service when she conspired with two others to create a fake MySpace account under the identity of a teenage boy in order to communicate with a teenage girl named Megan Meyer.

The account was used to bully Meyer, who then committed suicide. Drew was found guilty of three misdemeanors by a Los Angeles jury, but the judge eventually overturned the convictions on grounds that the federal law was constitutionally vague.

Facebook's terms of service prohibit users from providing false personal information to the site, as does MySpace.

In the offline world, agents involved in an investigation can't impersonate a suspect's spouse, child, parent or best friend, the Associated Press notes. But online they can.

"This new situation presents a need for careful oversight so that law enforcement does not use social networking to intrude on some of our most personal relationships," said Marc Zwillinger, a former federal prosecutor told the news outlet.

The document also discusses the value to prosecutors of using social networking sites to obtain information on the background of defense witnesses, though it cautions that the same sites could be "potential pitfalls" in that defense attorneys could also use them to background prosecution witnesses.

Another document obtained by EFF is a syllabus for a training course for employees of the Internal Revenue Service describing the use of social networking sites and Google Street View to investigate taxpayers. (.pdf) The syllabus notes, however, that IRS employees are prohibited from using deception or fake online accounts to obtain information about taxpayers and generally limits employees to using publicly available information.

"In civil matters, employees cannot misrepresent their identities, even on the Internet," the document states. "You cannot obtain information from websites by registering using fictitious identities."