The following originally appeared in Just Security
U.S. Customs and Border Protection (CBP) released a required Privacy Impact Assessment (PIA) on March 27 for the social media monitoring it carries out as part of its new Situational Awareness Initiative. The release of the assessment may have come in response to a March 6 report from NBC7 in San Diego revealing that the U.S. government created a surveillance target list of “Suspected Organizers, Coordinators, Instigators and Media.” The list featured journalists, activists, social media influencers, and lawyers working on immigration issues, and was the subject of a recent article for Just Security on the immense growth in the Department of Homeland Security’s (DHS’s) intelligence gathering programs.
The list included names and photos of each individual – including 40 Americans and 19 others – as well as information on whether they had alerts placed on their passports and their connection to the migrant caravans traveling from Central America to the United States. Social media was clearly a source of information in curating the list – some of the photos were copied from social media profiles, and three people were described as “administrator on caravan support Facebook page.”
According to the PIA, as part of the initiative, CBP continuously monitors social media sites using web-based platforms and other tools in order to provide awareness of breaking news, “natural disasters, threats of violence, and other harmful events.” The surveillance target list seems to have been part of these “situational awareness” efforts, though given the lack of transparency surrounding the department’s various surveillance programs, we cannot know for certain.
Collecting information in emergency situations and to ensure public safety undoubtedly are important, but CBP collects vast amounts of irrelevant information – far beyond what would be required for emergency awareness – by amassing all social media posts that include matches to designated keywords. While CBP’s list of keywords is not publicly available, earlier DHS situational awareness programs used broad terms such as “attack,” “border,” “Mexico,” and “cops.” According to the PIA, CBP may also collect all posts that reference the names of individuals who “have been involved in events that could lead to credible threats,” which could extend to mere bystanders.
The standards for storing and using social media information – including information irrelevant to any emergency – are so broad that it is no wonder the curation of a surveillance list of journalists and activists seems to be fair game. While the PIA clarifies that CBP personnel will not store more personally identifiable information from social media than necessary, nor “store or disseminate information related to First Amendment protected speech or activities,” there are significant exceptions. For instance, CBP can store online information related to First Amendment-protected speech when “pertinent to and within the scope of an authorized law enforcement activity.” But that restriction is hardly limiting when CBP’s authorized activities include a huge range of operations, from monitoring border crossings, to “city patrols,” to assigning “risk assessments” to travelers, including Americans flying domestically.
‘Dangerous or Threatening’ Activities
CBP can also store and disseminate social media information relating to First Amendment-protected activities when those activities become “dangerous or threatening.” The history of DHS situational awareness programs demonstrates that political protests often are categorized as “dangerous or threatening.”
For example, DHS’s Office of Operations Coordination and the Federal Emergency Management Agency (FEMA), the part of DHS responsible for disaster relief, have situational awareness programs geared towards emergencies and natural disasters. But, according to hundreds of documents obtained by the Intercept, those programs used social media to monitor Black Lives Matter activists beginning in the summer of 2014, when anti-police protests erupted in Ferguson, Missouri. Given the lack of meaningful standards or oversight, CBP’s current Situational Awareness Initiative appears primed for similar abuse, as the leaked surveillance list already suggests.
CBP’s use of automated tools further muddles what gets categorized as “dangerous or threatening.” As numerous empirical studies have proven, automated tools have trouble correctly interpreting social media posts due to the context-dependent nature of social media and the frequent use of humor, sarcasm, and non-standard language. Tools with the highest accuracy rates for English-language processing still misinterpret content 20 percent to 30 percent of the time. So, innocuous posts scooped up because they contain keywords like “immigration,” “terrorism,” or “border” may easily be misinterpreted and flagged as a threat.
Situational awareness social media information containing all sorts of personal information may be stored in various DHS databases, though details are scant. The PIA only specifies that online posts containing “credible threats” against particular CBP agents are stored in a system that mainly holds employee misconduct and disciplinary records. Considering that “credible threats” are likely only a small subset of situational awareness data, the lack of discussion of where the rest of the data is stored is a glaring omission.
However, in September 2017, DHS reported the creation of a new database, the CBP Intelligence Records System (CIRS), to store information for “situational awareness for the CBP enterprise” (in addition to general law enforcement and immigration records). It may be that CIRS stores Situational Awareness Initiative information. Since December 2018, CIRS has been exempt from many requirements of the Privacy Act of 1974 that aim to ensure accuracy of records. CBP personnel, therefore, can store social media information in CIRS that is inaccurate, incomplete, and irrelevant to CBP operations.
Link Analysis
Additionally, CBP agents may use “situational awareness” information for “link analysis,” that is, identifying possible associations among data points, people, groups, events, and investigations. For link analysis, CBP agents first use CIRS to amass information about a huge number of individuals from social media and other public and governmental sources. Then, the analytical tools in another system, CBP’s Analytic Framework for Intelligence (AFI), are used to conduct link analysis on CIRS data to identify “non-obvious relationships” between individuals or entities.
AFI’s link analysis capabilities are intimately intertwined with private data analytics firms, including Palantir, which helped facilitate one of the National Security Agency’s notorious surveillance programs, and Babel Street, which provides access to more than 25 social media sites. Law enforcement agencies have used Palantir’s link analysiscapabilities to map social networks and identify people only tangentially related to investigations, categorizing some as “Colleague of,” “Lives with,” “Operator of [cell number],” “Owner of [vehicle],” and even “Lover of.” While that kind of analysis could be useful for uncovering criminal networks, in the hands of an agency that categorizes protests and immigration advocacy as dangerous, it may be used to track activist groups and political protesters.
DHS has previously couched its situational awareness efforts in terms that appear uncontroversial – as “nothing more than the standard practice of monitoring current events in the media,” according to DHS Press Secretary Tyler Houlton. But giving DHS’s ever-expanding intelligence apparatus carte blanche to monitor constitutionally-protected online activities that are either “pertinent” to broadly-defined law enforcement priorities or appear “threatening or dangerous” should never be “standard practice.” CBP’s efforts to map out the networks and activities of Americans through link analysis and social media monitoring pose a serious threat to the rights of free speech and association.