In June 2020, a group of men in military-style camouflage, armed with assault rifles, confronted protesters who wanted to topple a statue of a Spanish conquistador in Albuquerque, N.M. Shots rang out, and a protester was wounded.
Though the alleged shooter apparently wasn't a member of the armed group, which calls itself the New Mexico Civil Guard, prosecutors accused the organization of fomenting the violence and sought a civil injunction to bar it from acting as a paramilitary organization at future public demonstrations.
That case hit an unexpected snag, however: Facebook's own crackdown on extremist groups.
Prosecutors are demanding that Facebook hand over data that would confirm the identity of group members and page administrators - but Facebook says those records no longer exist, because it deleted them after it banned the organization as part of an August 2020 content moderation sweep.
In an era when extremist groups commonly organize online, the legal showdown highlights a tension between the pressure digital platforms face to remove problematic accounts and content on the one hand and authorities' interest in accessing that information for real-world prosecutions on the other. And it raises questions about what privacy protections, if any, those platforms - from Facebook to Twitter to YouTube and others - owe to people and organizations they've banned.
The dispute echoes another ongoing legal battle, in which the African nation of Gambia is pressing Facebook to release deleted account records as part of an international human rights claim against the organizers of Myanmar's ethnic cleansing campaign against Rohingya Muslims. In September, a federal magistrate in D.C. ordered Facebook to comply, ruling that federal privacy laws don't apply to social media accounts once platforms have suspended or banned them.
Legal scholars and online privacy experts say these cases and others expose the shortcomings of federal privacy laws written at a time when email was the hot new digital communication technology and point to a need for legislation that addresses the retention of user records in the social media age.
On Monday, the district attorney of Bernalillo County, where Albuquerque is located, took the unusual step of asking a court in Facebook's home state of California to force Facebook to comply with its subpoena for basic account information related to the New Mexico Civil Guard group and its members. The move comes after talks between District Attorney Raul Torrez's team and Facebook hit a stalemate, with Facebook insisting it doesn't have the records but declining to offer a sworn affidavit that it is incapable of retrieving them.
The New Mexico Civil Guard organized, recruited, taught paramilitary tactics and guided members' actions via Facebook, Torrez said at a news conference Monday. If Facebook really deletes all traces of such groups when it takes down their pages and accounts, that calls into question how serious Facebook is about preventing them from resurfacing on the platform, let alone aiding real-world investigations into such groups, he added.
"We find it hard to believe that a trillion-dollar company would be in a position where they would have deleted this information and have no way to retrieve it," Torrez said.
Facebook pointed out that it does offer a clear process by which authorities can request that the company preserve data that might be relevant to investigations, as long as they do so in a timely manner.
"We preserve account information in response to a request from law enforcement and will provide it, in accordance with applicable law and our terms, when we receive valid legal process," Andy Stone, Facebook's policy communications director, said in an emailed statement. "When we preserve data, we do so for a period of time, which can be extended at the request of law enforcement."
Aiding New Mexico prosecutors in the case is Georgetown University's Institute for Constitutional Advocacy and Protection, which also aided in a Virginia case for an injunction against several of the groups that participated in the deadly 2017 "Unite the Right" rally in Charlottesville. Mary McCord, the institute's executive director, said Facebook's response is insufficient.
Facebook should know that records related to organizations and people it deems dangerous under its "real-world harm" policies are, almost by definition, likely to be of interest to authorities and should preserve them accordingly, McCord argued. Authorities can't always know at the beginning of an investigation exactly which records they'll need, or who all the suspects are, she noted.
Some advocates caution, however, that asking social networks to permanently store data on deleted accounts would amount to surveillance overreach.
"I wouldn't want to live in a world where everything that Facebook takes down it just keeps in a big database," said Dia Kayyali, associate director of advocacy at Mnemonic, a nonprofit that works on documenting human rights violations. "We've seen through the Facebook Oversight Board how many false positives Facebook has in its content moderation, particularly around its 'dangerous individuals and organizations' policy."
The privacy rights of people whose communications are stored online are defined federally by the Stored Communications Act, part of the Electronic Communications Privacy Act of 1986. But that act was designed around email providers that acted as conduits of information, not social networks that actively police their platforms. It's silent on the status of accounts or posts that have been removed for policy violations.
McCord noted, however, that the information prosecutors are seeking in this case is not the actual content of users' posts, as in the Gambia case, but metadata about their accounts, which have fewer privacy protections under the law.
"It's tough," said Orin Kerr, a constitutional law professor at the University of California at Berkeley. "People want the providers to moderate. And then they want the information to be available when they want it to be available."
"Exactly what should be kept and what should be available is a relatively new question" in the law, Kerr added, "and there's uncertainty as to what the rules should be."
Facebook said last month it would support modernizing the Stored Communications Act to allow "a broader range of disclosures for significant investigations ... while avoiding a precedent that risks the privacy and human rights of billions of people."
Heidi Beirich, co-founder of the nonprofit Global Project Against Hate and Extremism, said she believes there should be federal legislation to give companies clear guidelines on when to save or delete user data.
"I don't think Facebook, Twitter or whoever should be deciding what to do with the data. That's the real problem," Beirich said. "At the end of the day, there should be rules."
Privacy laws aside, prosecutors are hoping the California court will help them get to the bottom of whether Facebook really deleted all of its data on the New Mexico Civil Guard accounts. Their petition also calls on the court to compel Facebook to disclose internal communications around its decision-making to retain or delete the records in question. If granted, that could offer new insight into how Facebook itself weighs the trade-offs around data retention and disclosure.
The civil case against the New Mexico Civil Guard is separate from an ongoing criminal case against the suspected shooter, Steven Ray Baca. An attorney for the New Mexico Civil Guard members named in the case did not respond to a request for comment.