Skip Navigation

CBP’s New Social Media Surveillance: A Threat to Free Speech and Privacy

Customs and Border Protection’s new social media monitoring program poses a serious threat to the rights of free speech and association.

April 26, 2019

The follow­ing origin­ally appeared in Just Secur­ity

U.S. Customs and Border Protec­tion (CBP) released a required Privacy Impact Assess­ment (PIA) on March 27 for the social media monit­or­ing it carries out as part of its new Situ­ational Aware­ness Initi­at­ive. The release of the assess­ment may have come in response to a March 6 report from NBC7 in San Diego reveal­ing that the U.S. govern­ment created a surveil­lance target list of “Suspec­ted Organ­izers, Coordin­at­ors, Instig­at­ors and Media.” The list featured journ­al­ists, activ­ists, social media influ­en­cers, and lawyers work­ing on immig­ra­tion issues, and was the subject of a recent article for Just Secur­ity on the immense growth in the Depart­ment of Home­land Secur­ity’s (DHS’s) intel­li­gence gath­er­ing programs.

The list included names and photos of each indi­vidual – includ­ing 40 Amer­ic­ans and 19 others – as well as inform­a­tion on whether they had alerts placed on their pass­ports and their connec­tion to the migrant cara­vans trav­el­ing from Cent­ral Amer­ica to the United States. Social media was clearly a source of inform­a­tion in curat­ing the list – some of the photos were copied from social media profiles, and three people were described as “admin­is­trator on cara­van support Face­book page.”

Accord­ing to the PIA, as part of the initi­at­ive, CBP continu­ously monit­ors social media sites using web-based plat­forms and other tools in order to provide aware­ness of break­ing news, “natural disasters, threats of viol­ence, and other harm­ful events.” The surveil­lance target list seems to have been part of these “situ­ational aware­ness” efforts, though given the lack of trans­par­ency surround­ing the depart­ment’s vari­ous surveil­lance programs, we cannot know for certain.

Collect­ing inform­a­tion in emer­gency situ­ations and to ensure public safety undoubtedly are import­ant, but CBP collects vast amounts of irrel­ev­ant inform­a­tion – far beyond what would be required for emer­gency aware­ness – by amass­ing all social media posts that include matches to desig­nated keywords. While CBP’s list of keywords is not publicly avail­able, earlier DHS situ­ational aware­ness programs used broad terms such as “attack,” “border,” “Mexico,” and “cops.” Accord­ing to the PIA, CBP may also collect all posts that refer­ence the names of indi­vidu­als who “have been involved in events that could lead to cred­ible threats,” which could extend to mere bystand­ers.

The stand­ards for stor­ing and using social media inform­a­tion – includ­ing inform­a­tion irrel­ev­ant to any emer­gency – are so broad that it is no wonder the cura­tion of a surveil­lance list of journ­al­ists and activ­ists seems to be fair game. While the PIA clari­fies that CBP person­nel will not store more person­ally iden­ti­fi­able inform­a­tion from social media than neces­sary, nor “store or dissem­in­ate inform­a­tion related to First Amend­ment protec­ted speech or activ­it­ies,” there are signi­fic­ant excep­tions. For instance, CBP can store online inform­a­tion related to First Amend­ment-protec­ted speech when “pertin­ent to and within the scope of an author­ized law enforce­ment activ­ity.” But that restric­tion is hardly limit­ing when CBP’s author­ized activ­it­ies include a huge range of oper­a­tions, from monit­or­ing border cross­ings, to “city patrols,” to assign­ing “risk assess­ments” to trav­el­ers, includ­ing Amer­ic­ans flying domest­ic­ally.

‘Dan­ger­ous or Threat­en­ing’ Activ­it­ies

CBP can also store and dissem­in­ate social media inform­a­tion relat­ing to First Amend­ment-protec­ted activ­it­ies when those activ­it­ies become “danger­ous or threat­en­ing.” The history of DHS situ­ational aware­ness programs demon­strates that polit­ical protests often are categor­ized as “danger­ous or threat­en­ing.”

For example, DHS’s Office of Oper­a­tions Coordin­a­tion and the Federal Emer­gency Manage­ment Agency (FEMA), the part of DHS respons­ible for disaster relief, have situ­ational aware­ness programs geared towards emer­gen­cies and natural disasters. But, accord­ing to hundreds of docu­ments obtained by the Inter­cept, those programs used social media to monitor Black Lives Matter activ­ists begin­ning in the summer of 2014, when anti-police protests erup­ted in Ferguson, Missouri. Given the lack of mean­ing­ful stand­ards or over­sight, CBP’s current Situ­ational Aware­ness Initi­at­ive appears primed for similar abuse, as the leaked surveil­lance list already suggests.

CBP’s use of auto­mated tools further muddles what gets categor­ized as “danger­ous or threat­en­ing.” As numer­ous empir­ical stud­ies have proven, auto­mated tools have trouble correctly inter­pret­ing social media posts due to the context-depend­ent nature of social media and the frequent use of humor, sarcasm, and non-stand­ard language. Tools with the highest accur­acy rates for English-language processing still misin­ter­pret content 20 percent to 30 percent of the time. So, innoc­u­ous posts scooped up because they contain keywords like “immig­ra­tion,” “terror­ism,” or “border” may easily be misin­ter­preted and flagged as a threat.

Situ­ational aware­ness social media inform­a­tion contain­ing all sorts of personal inform­a­tion may be stored in vari­ous DHS data­bases, though details are scant. The PIA only specifies that online posts contain­ing “cred­ible threats” against partic­u­lar CBP agents are stored in a system that mainly holds employee miscon­duct and discip­lin­ary records. Consid­er­ing that “cred­ible threats” are likely only a small subset of situ­ational aware­ness data, the lack of discus­sion of where the rest of the data is stored is a glar­ing omis­sion.

However, in Septem­ber 2017, DHS repor­ted the creation of a new data­base, the CBP Intel­li­gence Records System (CIRS), to store inform­a­tion for “situ­ational aware­ness for the CBP enter­prise” (in addi­tion to general law enforce­ment and immig­ra­tion records). It may be that CIRS stores Situ­ational Aware­ness Initi­at­ive inform­a­tion. Since Decem­ber 2018, CIRS has been exempt from many require­ments of the Privacy Act of 1974 that aim to ensure accur­acy of records. CBP person­nel, there­fore, can store social media inform­a­tion in CIRS that is inac­cur­ate, incom­plete, and irrel­ev­ant to CBP oper­a­tions.

Link Analysis

Addi­tion­ally, CBP agents may use “situ­ational aware­ness” inform­a­tion for “link analysis,” that is, identi­fy­ing possible asso­ci­ations among data points, people, groups, events, and invest­ig­a­tions. For link analysis, CBP agents first use CIRS to amass inform­a­tion about a huge number of indi­vidu­als from social media and other public and govern­mental sources. Then, the analyt­ical tools in another system, CBP’s Analytic Frame­work for Intel­li­gence (AFI), are used to conduct link analysis on CIRS data to identify “non-obvi­ous rela­tion­ships” between indi­vidu­als or entit­ies.

AFI’s link analysis capab­il­it­ies are intim­ately inter­twined with private data analyt­ics firms, includ­ing Palantir, which helped facil­it­ate one of the National Secur­ity Agency’s notori­ous surveil­lance programs, and Babel Street, which provides access to more than 25 social media sites. Law enforce­ment agen­cies have used Palantir’s link analysiscapab­il­it­ies to map social networks and identify people only tangen­tially related to invest­ig­a­tions, categor­iz­ing some as “Colleague of,” “Lives with,” “Oper­ator of [cell number],” “Owner of [vehicle],” and even “Lover of.” While that kind of analysis could be useful for uncov­er­ing crim­inal networks, in the hands of an agency that categor­izes protests and immig­ra­tion advocacy as danger­ous, it may be used to track activ­ist groups and polit­ical protest­ers.

DHS has previ­ously couched its situ­ational aware­ness efforts in terms that appear uncon­tro­ver­sial – as “noth­ing more than the stand­ard prac­tice of monit­or­ing current events in the media,” accord­ing to DHS Press Secret­ary Tyler Houlton. But giving DHS’s ever-expand­ing intel­li­gence appar­atus carte blanche to monitor consti­tu­tion­ally-protec­ted online activ­it­ies that are either “pertin­ent” to broadly-defined law enforce­ment prior­it­ies or appear “threat­en­ing or danger­ous” should never be “stand­ard prac­tice.” CBP’s efforts to map out the networks and activ­it­ies of Amer­ic­ans through link analysis and social media monit­or­ing pose a seri­ous threat to the rights of free speech and asso­ci­ation.