pinit_fg_en_rect_red_20 GEN - DEEP DIVE: CBPs Social Media Surveillance Poses Risks to Free Speech and Privacy Rights

The U.S. Department of Homeland Security (DHS) and one of its component agencies, U.S. Customs and Border Protection (CBP), released a Privacy Impact Assessment [.pdf] on CBPs practice of monitoring social

media to enhance the agencys situational awareness. As weve argued in relation to other government social media surveillance programs, this practice endangers the free speech and privacy rights of Americans.

Situational Awareness

The Privacy Impact Assessment (PIA) states that CBP searches public social media posts to bolster the agencys situational awarenesswhich includes identifying natural disasters, threats of violence, and other harmful events and activities that may threaten the safety of CBP personnel or facilities, including ports of entry.

The PIA aims to inform the public of privacy and related free speech risks associated with CBPs collection of personally identifiable information (PII) when monitoring social media. CBP claims it only collects PII associated with social mediaincluding a persons name, social media username, address or approximate location, and publicly available phone number, email address, or other contact informationwhen there is an imminent threat of loss of life, serious bodily harm, or credible threats to facilities or systems.

Why Now?

It is unclear why DHS and CBP released this PIA now, especially since both agencies have been engaging in social media surveillance, including for situational awareness, for several years.

The PIA cites authorizing policies DHS Directive No. 110-01 (June 8, 2012) [.pdf] and DHS Instruction 110-01-001 (June 8, 2012) [.pdf] as governing the use of social media by DHS and its component agencies (including CBP) for various operational uses, including situational awareness. The PIA also cites CBP Directive 5410-003, Operational Use of Social Media (Jan. 2, 2015), which does not appear to be public. EFF asked for the release of this document in a coalition letter sent to the DHS acting secretary in May.

Federal law requires government agencies to publish certain documents to facilitate public transparency and accountability related to the governments collection and use of personal information. The E-Government Act of 2002 requires a PIA before initiating a new collection of information that will be collected, maintained, or disseminated using information technology and when the information is in an identifiable form. Additionally, the Privacy Act of 1974 requires federal agencies to publish Systems of Records Notices (SORNs) in the Federal Register when they seek create new systems of records to collect and store personal information, allowing for the public to comment.

This appears to be the first PIA that CBP has written related to social media monitoring. The PIA claims that the related SORN on social media monitoring for situational awareness is DHS/CBP-024 Intelligence Records System (CIRS) System of Records, 82 Fed. Reg. 44198 (Sept. 21, 2017). Given that DHS issued directives in 2012 and CBP issued a directive in 2015 around social media monitoring, this PIA comes seven years late. Moreover, there is no explanation as to why the SORN was published two years after CBPs 2015 directive, nor why the present PIA was published two years after the SORN.

In March, CBP came under scrutiny for engaging in surveillance of activists, journalists, attorneys, and others at the U.S.-Mexico border, with evidence suggesting that their social media profiles had been reviewed by the government. DHS and CBP released this PIA only three weeks after that scandal broke.

Chilling Effect on Free Speech

CBPs social media surveillance poses a risk to the free expression rights of social media users. The PIA claims that CBP is only monitoring public social media posts, and thus [i]ndividuals retain the right and ability to refrain from making information public or, in most cases, to remove previously posted information from their respective social media accounts.

While social media users retain control of their privacy settings, CBPs policy chills free speech by causing people to self-censorincluding curbing their public expression on the Internet for fear that CBP could collect their PII for discussing a topic of interest to CBP. Additionally, people running anonymous social media accounts might be afraid that PII collected could lead to their true identities being unmasked, despite that the Supreme Court has long held that anonymous speech is protected by the First Amendment.

This chilling effect is exacerbated by the fact that CBP does not notify users when their PII is collected. CBP also may share information with other law enforcement agencies, which could result in immigration consequences or being added to a government watchlist. Finally, CBPs definition of situational awareness is broad, and includes information gathered from a variety of sources that, when communicated to emergency managers and decision makers, can form the basis for incident management decision making.

We have seen this chilling effect play out in real life. Only three weeks before DHS and CBP released this PIA, NBC7 San Diego broke the story that CBP, along with other DHS agencies, created a secret database of 59 activists, journalists, and attorneys whom the government flagged for additional screening at the U.S. border because they were allegedly associated with the migrant caravan. Dossiers on certain individuals included pictures from social media and notations of designations such as administrator of a Facebook group providing support to the caravan, indicating that the government had surveilled their social media profiles.

As one lawyer stated, It has a real chilling effect on people who might go down [to the border]. A journalist who was on the list of 59 individuals said the increased scrutiny by border officials could have a chilling effect on freelance journalists covering the border.

EFF joined a coalition letter to the DHS acting secretary about CBPs secret dossiers. Several senators wrote a follow-up letter [.pdf]. In mid-May, CBP finally admitted to targeting journalists and others at the border, but justified its actions by claiming, without evidence, that journalists had some level of participation in the violent incursion events.

CBPs Practices Dont Mitigate Risks to Free Speech

The PIA claims that any negative impacts on free speech of social media surveillance are mitigated by both CBP policy and the Privacy Acts prohibition on maintaining records of First Amendment activity. Yet, these supposed safeguards ultimately provide little protection.

First Amendment

The PIA emphasizes that CBP personnel are trained to use a balancing test to determine whether social media information presents a credible threatas opposed to First Amendment-protected speechand thus may be collected. According to the PIA, the balancing test involves gauging the weight of a First Amendment claim, the severity of the threat, and the credibility of the threat. However, this balancing test has no basis in constitutional law.

The Supreme Court has a long line of decisions that have established when speech rises to the level of a true threat or incitement to violence and is thus unprotected by the First Amendment.

In Watts v. United States (1969), the Supreme Court held that under the First Amendment only true threats may be punishable. The Court stated that alleged threats must be viewed in context, and noted that in the political arena in particular, language is often vituperative, abusive, and inexact. Thus, the Court further held that political hyperbole is not a true threat. In Elonis v. United States (2015), the Supreme Court held that an individual may not be criminally prosecuted for making a true threat based only on an objective test of negligence, i.e., whether a reasonable person would have understood the communication as a threat. Rather, the defendants subjective state of mind must be considered, including whether he intended to make a threat or knew that his statement would be viewed as a threat. (The Court left open whether a recklessness standard would also be sufficient for the speech to fall out of First Amendment protections.)

Additionally, in Brandenburg v. Ohio (1969), the Supreme Court held that the constitutional guarantees of free speech and free press do not permit a State to forbid or proscribe advocacy of the use of force or of law violation except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action. There, the Court struck down an Ohio law that penalized individuals who advocated for violence to accomplish political reform, holding that the abstract advocacy of violence is not the same as preparing a group for violent action and steeling it to such action. In Hess v. Indiana (1973), the Court further clarified that speech that is mere advocacy of illegal action at some indefinite future time, is not directed to any person or group of persons, and is unsupported by evidence or rational inference that the speakers words were intended to produce, and likely to produce, imminent disorder, remains protected by the First Amendment. Similarly, the Court in NAACP v. Claiborne Hardware Co. (1982), held that [a]n advocate must be free to stimulate his audience with spontaneous and emotional appeals for unity and action in a common cause. When such appeals do not incite lawless action, they must be regarded as protected speech.

While the PIA states that CBP considers threatening posts to be those that infer an intent, or incite others, to do physical harm or cause damage, injury, or destruction, the PIA does not fully embrace the nuances of the Supreme Courts jurisprudenceand CBPs balancing test fails to comport with constitutional law. A seemingly threatening social media post may, in fact, be protected by the First Amendment if it is political hyperbole or other contextual facts suggest that the speaker did not intend to make a threat or did not believe that readers would view the post as a threat. Furthermore, a social media post that advocates for violence against CBP facilities or personnel may nevertheless be protected by the First Amendment if it is not directed at any particular person or group, and evidence does not reasonably indicate that the speaker intended to incite imminent violence or illegal action, or that imminent violence or illegal action is likely to result from the speech.

Thus, CBP may be collecting social media information and related PII even when the speech is protected by the First Amendmentcontrary to its own policyand further contributing to the chilling effect of CBPs social media surveillance program.

Privacy Act

The PIA also mentions the Privacy Act, a federal law that establishes rules about what type of information the government can collect and keep about U.S. persons. In particular, the PIA points to 5 U.S.C. 552a(e)(7), the prohibition against federal agencies maintaining records describing how any individual exercises rights guaranteed by the First Amendment.

Unfortunately, this prohibition is followed by an exception that effectively swallows the rulethat information about First Amendment activity may be collected if it is pertinent to and within the scope of an authorized law enforcement activity.

In Raimondo v. FBI, a Privacy Act case currently before the Ninth Circuit, the FBI kept surveillance files for threat assessments on two individuals who ran an antiwar website. EFF argued in an amicus brief against an expansive interpretation of the Privacy Acts law enforcement activity exception in light of modern technologyspecifically, given the ease with which law enforcement can collect, store, and share information about First Amendment activity on the internet, such information should not be stored in government files in perpetuity when the record is not relevant to an active investigation. We reminded the Ninth Circuit that in MacPherson v. I.R.S. (1986), the court recognized that even incidental surveillance and recording of innocent people exercising their First Amendment rights may have a chilling effect on those rights that (e)(7) [of the Privacy Act] was intended to prohibit.

Raimondo demonstrates the seemingly limitless nature of the law enforcement activity exception, including allowing for the indefinite retention of records of online activism and journalism, activity that is clearly protected by the First Amendment.

Similarly, under this PIA, because CBP follows a credible threat assessment not rooted in the First Amendment and the Privacy Acts law enforcement activity exception can be interpreted broadly, CBP could very well collect and retain information that is protected by the First Amendment.

Unidentified Government Social Media Profiles Pose Risk to User Privacy

The PIA inspires little confidence not only in DHS and CBPs interpretation of the law related to protected speech, but also in CBP personnels ability to follow the agencies own policies related to respecting social media users privacy.

The PIA states that CBP personnel may conceal their identity when viewing social media for operational security purposes, effectively allowing CBP agents to create fake accounts. However, this provision conflicts with DHSs 2012 directive, which requires employees to [u]se online screen names or identities that indicate an official DHS affiliation and use DHS email addresses to open accounts used when engaging in social media in the performance of their duties.

Moreover, if, as according to the PIA, CBP personnel do not engage with other social media users and may only monitor publicly available, open source social media, it begs the question: why would a CBP agent need to create a fake account? Public posts or information are equally available to all social media users on a platform. Why would CBP personnel need to conceal their identity before viewing a publicly available post if they are not attempting to engage with a user?

This concern is backed by past practices where DHS agencies used fake profiles and interacted with users during the course of monitoring their social media activity. Earlier this year, journalists revealed that U.S. Immigration and Customs Enforcement (ICE) officers created fake Facebook and LinkedIn profiles to lend legitimacy to a sham university intended to identify individuals allegedly engaged in immigration fraud. There, ICE officers friended other users and exchanged emails with students, thereby potentially bypassing social media privacy settings and gaining access to information intended to remain private.

Such practices not only violate DHS existing policies, but also allow law enforcement to obtain access to content that would otherwise require a probable cause warrant. Furthermore, fake profiles violate the policies of several social media platforms. Facebook has publicly stated that law enforcement impersonator profiles violate the companys terms of service.

Fighting Back

The CBP PIA is just one sliver of a broad federal government campaign to engage in social media surveillance. DHS, through its National Operations Center, has been monitoringsocialmedia for situational awareness since at least 2010. DHS also has been monitoring social media for intelligence gathering purposes. More recently, DHS and the State Department have greatly expanded social media surveillance to vet visitors and immigrants to the U.S., which EFF and other civil society groups have consistently opposed.

Severalcongressionalcommitteeshave the responsibility and the opportunity to review CBPs budget and provide oversight of the agencys operations, including its social media surveillance. At a minimum, EFF urges these committees to ensure that CBP is following DHS own policies and is reporting, both to Congress and the public, how often officers are engaging in social media monitoring to understand the prevalence and scale of this program. Fundamentally, Congress should be asking why social media surveillance programs are necessary for public safety. Additionally, Congress has the responsibility to ensure that CBP and DHS are abiding by settled case law respecting the free speech and privacy rights of Americans and foreign travelers.

Were also pushing social media companies to do more when they identify law enforcement impersonator profiles at the local, state, and federal level. Earlier this year, Facebooks legal staff demanded that the Memphis Police Department cease all activities on Facebook that involve the use of fake accounts or impersonation of others. Additionally, Facebook updated its Information for Law Enforcement Authorities page to highlight how itsmisrepresentationpolicyalso applies to police. While EFF applauds these steps, we are skeptical that warnings or policy changes alone will deter the activity. Facebook says it will delete accounts brought to its attention, but too often these accounts only become publicly knownthrough a lawsuit or a media reportlong after the damage has been done. Instead, EFF is calling on Facebook to take specific steps to provide transparency into these law enforcement impersonator accounts by notifying users who have interacted with these accounts, following the Santa Clara Principles when removing the law enforcement accounts, and adding notifications to agencies Facebook pages to inform the public when the agencies policies permit impersonator accounts in violation of Facebooks policy.

Please contact your members of Congress and urge them to hold CBP accountable. Congress depends on hearing from their constituents to know where to focus, and public pressure can ensure that social media surveillance wont get overlooked.