Skip Navigation
Report

Social Media Monitoring

Summary: Personal information gleaned from social media posts has been used to target dissent and subject religious and ethnic minorities to enhanced vetting and surveillance.

Published: May 22, 2019

Introduction

The Department of Homeland Security (DHS) is rapidly expanding its collection of social media information and using it to evaluate the security risks posed by foreign and American travelers. This year marks a major expansion. The visa applications vetted by DHS will include social media handles that the State Department is set to collect from some 15 million travelers per year. 1U.S. Department of State, “60-Day Notice of Proposed Information Collection: Application for Nonimmigrant Visa,” 83 Fed. Reg. 13807, 13808 (March 30, 2018), https://www.regulations.gov/document?D=DOS-2018-0002-0001; Department of State, “60-Day Notice of Proposed Information Collection: Application for Immigrant Visa and Alien Registration,” 83 Fed. Reg. 13806, 13807 (March 30, 2018), https://www.regulations.gov/document?D=DOS-2018-0003-0001; this proposed collection was approved on April 11, 2019. OMB, Notice of Office of Management and Budget Action, “Online Application for Nonimmigrant Visa,” April 11, 2019, https://www.reginfo.gov/public/do/DownloadNOA?requestID=292517; OMB, Notice of Office of Management and Budget Action, “Electronic Application for Immigrant Visa and Alien Registration,” April 11, 2019, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201808-1405-004. See also Brennan Center for Justice et al., Comments to Department of State, “Re: DS-160 and DS-156, Application for Nonimmigrant Visa, OMB Control No. 1405-0182; DS-260, Electronic Application for Immigrant Visa and Alien Registration, OMB Control No. 1405-185,” May 29, 2018, https://www.scribd.com/document/380580064/Brennan-Center-Urges-State-Department-to-Abandon-the-Collection-of-Social-Media-and-Other-Data-from-Visa-Applicants. Department of State visa applications are vetted using DHS’s Automated Targeting System (ATS). DHS, Privacy Impact Assessment Update for the Automated Targeting System, DHS/CBP/PIA-006(e), January 13, 2017 (hereinafter ATS 2017 PIA), 8-9, 35, 59-60, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp006-ats-december2018.pdf. The social media identifiers that the State Department collects via visa applications will be stored in the department’s Consolidated Consular Database, which is ingested into ATS and becomes available to DHS personnel. ATS 2017 PIA, 3, 8-9, 12. For more on DHS involvement in State Department visa vetting, see infra text accompanying notes 118-131. Social media can provide a vast trove of information about individuals, including their personal preferences, political and religious views, physical and mental health, and the identity of their friends and family. But it is susceptible to misinterpretation, and wholesale monitoring of social media creates serious risks to privacy and free speech. Moreover, despite the rush to implement these programs, there is scant evidence that they actually meet the goals for which they are deployed.

While officials regularly testify before Congress to highlight some of the ways in which DHS is using social media, they rarely give a full picture or discuss either the effectiveness of such programs or their risks. The extent to which DHS exploits social media information is buried in jargon-filled notices about changes to document storage systems that impart only the vaguest outlines of the underlying activities.

To fill this gap, this report seeks to map out the department’s collection, use, and sharing of social media information by piecing together press reports, information obtained through Freedom of Information Act requests, Privacy Impact Assessments, 2Section 208 of the E-Government Act of 2002 requires privacy impact assessments (PIAs) for all information technology that uses, maintains, or disseminates personally identifiable information or when initiating a new collection of personally identifiable information from 10 or more individuals in the public. E-Government Act of 2002, PL 107–347, December 17, 2002, 116 Stat 2899, https://www.govinfo.gov/content/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf; DHS, “Privacy Compliance,” accessed April 25, 2019, https://www.dhs.gov/compliance. DHS is required to publish or update existing privacy impact assessments when developing or procuring any new program or system that will handle or collect personally identifiable information; for budget submissions to the Office of Management and Budget that affect personally identifiable information; with pilot tests that affect personally identifiable information; when developing program or system revisions that affect personally identifiable information; or when issuing a new or updated rulemaking that involves the collection, use, and maintenance of personally identifiable information. Because revisions that affect personally identifiable information are common, DHS often issues multiple, updated privacy impact assessments for a single program or system. System of Records Notices (SORNs), 3A System of Records Notice (SORN) is required whenever the department has a “system of records” — a group of records from which information is retrieved by a personal identifier, such as one’s name. SORNs, formal notices to the public published in the Federal Register, identify the purpose for which personally identifiable information is collected, what type of information is collected and from whom, how personally identifiable information is shared externally (routine uses), and how to access and correct any personally identifiable information maintained by DHS. DHS, “Privacy Compliance.” departmental handbooks, government contracts, and other publicly available documents.

In light of DHS’s expanding use of social media monitoring programs, understanding the ways in which the department exploits social media is critical. Personal information gleaned from social media posts has been used to target dissent and subject religious and ethnic minorities to enhanced vetting and surveillance. Some DHS programs are targeted at travelers, both Americans and those from other countries. And while the department’s immigration vetting programs ostensibly target foreigners, they also sweep up information about American friends, family members, and business associates, either deliberately or as a consequence of their broad scope.

Muslims are particularly vulnerable to targeting. According to a 2011 Pew survey (which was followed by a similar survey in 2017), more than a third of Muslim Americans who traveled by air reported that they had been singled out by airport security for their faith, suggesting a connection between being a devout Muslim and engaging in terrorism that has long been debunked. 4Pew Research Center, Muslim Americans: No Signs of Growth in Alienation or Support for Extremism, August 30, 2011, 108, http://www.pewresearch.org/wp-content/uploads/sites/4/legacy-pdf/Muslim-American-Report-10-02-12-fix.pdf (41 percent of American Muslims surveyed said they had not taken a flight in the past year, and 21 percent of those surveyed had been singled out by airport security, meaning that almost 36 percent of those surveyed who had taken a flight were singled out at security); Pew Research Center, U.S. Muslims Concerned About Their Place in Society, but Continue to Believe in the American Dream, July 26, 2017, 13, https://www.pewforum.org/wp-content/uploads/sites/7/2017/07/U.S.-MUSLIMS-FULL-REPORT-with-population-update-v2.pdf (reporting that 18 percent of American Muslims were singled out at airport security in the previous year, but not indicating the percentage of American Muslims who did not travel by air in the previous year); Faiza Patel, Rethinking Radicalization, Brennan Center for Justice, March 2011, https://www.brennancenter.org/sites/default/files/legacy/RethinkingRadicalization.pdf; Marc Sageman, Misunderstanding Terrorism (Philadelphia: University of Pennsylvania Press, 2016); Jamie Bartless, Jonathan Birdwell, and Michael King, The Edge of Violence, Demos, December 2010, https://www.demos.co.uk/files/Edge_of_Violence_-_full_-_web.pdf?1291806916. A legal challenge to this practice is pending. 5Cherri v. Mueller, 951 F. Supp. 2d 918 (E.D. Mich. 2013). According to government documents, one of the plaintiffs, Hassan Shibly, executive director of the Florida chapter of the Council on American-Islamic Relations, was pulled aside for secondary screening at the border at least 20 times from 2004 to 2011. 6Kari Huus, “Muslim Travelers Say They’re Still Saddled With 9/11 Baggage,” NBC News, September 9, 2011, http://www.nbcnews.com/id/44334738/ns/us_news-9_11_ten_years_later/t/muslim-travelers-say-theyre-still-saddled-baggage/#.XH61NcBKhpg. He says he was asked questions like “Are you part of any Islamic tribes?” and “Do you attend a particular mosque?” 7ACLU and Muslim Advocates to DHS Inspector General Richard L. Skinner, December 16, 2010, https://www.aclu.org/letter/aclu-and-muslim-advocates-letter-department-homeland-security-inspector-general-richard. Shibly’s story is hardly unique. 8See Amanda Holpuch and Ashifa Kassam, “Canadian Muslim Grilled About Her Faith and View on Trump at U.S. Border Stop,” Guardian, February 10, 2017, https://www.theguardian.com/us-news/2017/feb/10/canadian-muslim-us-border-questioning; Emma Graham-Harrison, “US Border Agents Ask Muhammad Ali’s Son, ‘Are You a Muslim?’ ” Guardian, February 25, 2017, https://www.theguardian.com/us-news/2017/feb/25/muhammad-ali-son-detained-questioned-us-border-control; ACLU and Muslim Advocates to Skinner (highlighting the experiences of four other Muslim Americans who faced persistent religious questioning by CBP). See also Pew Research Center, Muslim Americans, 2.

Concerns about such screenings are even more urgent under the Trump administration, which has made excluding Muslims a centerpiece of its immigration agenda through policies such as the Muslim ban and implementation of “extreme vetting” for refugee and visa applicants, primarily those from the Muslim world. 9See Faiza Patel and Harsha Panduranga, “Trump’s Latest Half-Baked Muslim Ban,” Daily Beast, June 12, 2017, https://www.thedailybeast.com/trumps-latest-half-baked-muslim-ban (noting that the administration’s “extreme vetting” rules are aimed at the same pool of people as the Muslim ban); Harsha Panduranga, Faiza Patel, and Michael W. Price, Extreme Vetting and the Muslim Ban, Brennan Center for Justice, 2017, 2, 16, https://www.brennancenter.org/sites/default/files/publications/extreme_vetting_full_10.2_0.pdf. Brennan Center for Justice et al., Comments to Department of State, “Re: DS-160 and DS-156, Application for Nonimmigrant Visa, OMB Control No. 1405-0182; DS-260, Electronic Application for Immigrant Visa and Alien Registration, OMB Control No. 1405-185,” 7-8 (noting that the State Department’s proposed collection of social media information from visa applicants would disproportionately burden Muslims). See infra note 120 and text accompanying notes 118-131. A leaked DHS draft report from 2018 suggests that the administration is considering tagging young Muslim men as “at-risk persons” who should be subjected to intensive screening and ongoing monitoring. 10DHS, “Demographic Profile of Perpetrators of Terrorist Attacks in the United States Since September 2001 Attacks Reveals Screening and Vetting Implications,” 2018, https://assets.documentcloud.org/documents/4366754/Text-of-CPB-Report.pdf. The draft report, published by Foreign Policy, was produced at the request of the commissioner of U.S. Customs and Border Protection (CBP) to “inform United States foreign visitor screening, immigrant vetting and on-going evaluations of United States-based individuals who might have a higher risk of becoming radicalized and conducting a violent attack.” It examined 29 individuals who, according to CBP, carried out terrorist incidents in the United States “driven by radical Sunni Islamist militancy.” Given the data set the report focused on, it unsurprisingly found that this cohort of people were mostly young, Muslim, and male. Ignoring the fact that hundreds of thousands of people who meet this description travel to the United States each year, CBP concluded that these characteristics provided a “baseline to identify at-risk persons.” In fact, CBP even suggested that in addition to initial screenings, this enormous group of people should be “continuously evaluate[d],” for example when they applied for visa renewals or immigration benefits. Ibid., 4. If implemented, such a policy would affect hundreds of thousands of people. 11The Department of State issued more than 900,000 immigrant and nonimmigrant visas to individuals from Muslim-majority countries in FY 2018, which likely included hundreds of thousands of young Muslim men. See Department of State, Report of the Visa Office 2018, Table III and Table XVIII, https://travel.state.gov/content/travel/en/legal/visa-law0/visa-statistics/annual-reports/report-of-the-visa-office-2018.html. DHS’s social media monitoring pilot programs seem to have focused in large part on Muslims: at least two targeted Syrian refugees, one targeted both Syrian and Iraqi refugees, and the analytical tool used in at least two pilots was tailored to Arabic speakers. 12See infra text accompanying note 428.

More generally, social media monitoring — like other forms of surveillance — will impact what people say online, leading to self-censorship of people applying for visas as well as their family members and friends. The deleterious effect of surveillance on free speech has been well documented in empirical research; one recent study found that awareness or fear of government surveillance of the internet had a substantial chilling effect among both U.S. Muslims and broader U.S. samples of internet users. 13Elizabeth Stoycheff et al., “Privacy and the Panopticon: Online Mass Surveillance’s Deterrence and Chilling Effects,” New Media & Society 21, no. 3 (2018): 1-18, https://journals.sagepub.com/doi/abs/10.1177/1461444818801317. See also Dawinder S. Sidhu, “The Chilling Effect of Government Surveillance Programs on the Use of the Internet by Muslim-Americans,” University of Maryland Law Journal of Race, Religion, Gender and Class 7, no. 2 (2007), https://core.ac.uk/download/pdf/56358880.pdf. Even people who said they had nothing to hide were highly likely to self-censor online when they knew the government was watching. 14Elizabeth Stoycheff, “Under Surveillance: Examining Facebook’s Spiral of Silence Effects in the Wake of NSA Internet Monitoring,” Journalism & Mass Communication Quarterly 93, no. 2 (2016): 296–311, https://journals.sagepub.com/doi/pdf/10.1177/1077699016630255. Similarly, in a survey of a representative sample of U.S. internet users, 62 percent reported that they would be much less or somewhat less likely to touch on certain topics if the government was watching, with 78 percent of respondents agreeing that they would be more cautious about what they said online. J. W. Penney, “Internet Surveillance, Regulation, and Chilling Effects Online: A Comparative Case Study,” Internet Policy Review 6, no. 2 (2017), https://policyreview.info/articles/analysis/internet-surveillance-regulation-and-chilling-effects-online-comparative-case. Another study measured how internet users in 11 countries reacted when they found out that DHS was keeping track of searches of terms that it regarded as suspicious, such as “state of emergency” and “drug war.” Users were less likely to search using terms that they believed might get them in trouble with the U.S. government. Alex Marthews and Catherine Tucker, “Government Surveillance and Internet Search Behavior,” February 17, 2017, https://ssrn.com/abstract=2412564. The study analyzed the search prevalence of select keywords compiled by the Media Monitoring Capability section of the National Operations Center of DHS. The list of keywords was publicized in 2012 as “suspicious” selectors that might lead to a particular user being flagged for analysis by the National Security Agency (NSA). See DHS, National Operations Center Media Monitoring Capability, “Analyst’s Desktop Binder,” 20, https://epic.org/foia/epic-v-dhs-media-monitoring/Analyst-Desktop-Binder-REDACTED.pdf. The authors later expanded their study to 41 countries and found that, for terms that users believed might get them in trouble with the U.S. government, the search prevalence fell by about 4 percent across the countries studied. Alex Marthews and Catherine Tucker, “The Impact of Online Surveillance on Behavior” in The Cambridge Handbook of Surveillance Law, ed. David Gray and Stephen E. Henderson (Cambridge: Cambridge University Press, 2017), 446. See also Human Rights Watch, With Liberty to Monitor All: How Large-Scale U.S. Surveillance Is Harming Journalism, Law, and American Democracy, July 28, 2014, https://www.hrw.org/report/2014/07/28/liberty-monitor-all/how-large-scale-us-surveillance-harming-journalism-law-and; PEN America Center, Chilling Effects: NSA Surveillance Drives U.S. Writers to Self-Censor, November 12, 2013, https://pen.org/sites/default/files/2014-08-01_Full%20Report_Chilling%20Effects%20w%20Color%20cover-UPDATED.pdf (finding that 28 percent of writers reported “curtailed social media activities” in response to the Snowden revelations, 24 percent reported that they “deliberately avoided certain topics in phone or email conversations,” and 16 percent reported that they “avoided writing or speaking about a particular topic”). As Justice Sonia Sotomayor warned in a 2012 Supreme Court case challenging the warrantless use of GPS tracking technology, “[a]wareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveals private aspects of identity is susceptible to abuse.” 15United States v. Jones, 565 U.S. 400 (2012) (Sotomayor, J., concurring).

DHS’s pilot programs for monitoring social media have been notably unsuccessful in identifying threats to national security. 16U.S. Citizenship and Immigration Services, “Social Media,” in U.S. Citizenship and Immigration Services Briefing Book, (hereinafter USCIS Briefing Book) 181, https://www.dhs.gov/sites/default/files/publications/USCIS%20Presidential%20Transition%20Records.pdf. In 2016, DHS piloted several social media monitoring programs, one run by ICE and five by United States Customs and Immigration Services (USCIS). 17Office of Inspector General, DHS’ Pilots for Social Media Screening Need Increased Rigor to Ensure Scalability and Long-term Success (Redacted), February 27, 2017, https://www.oig.dhs.gov/sites/default/files/assets/2017/OIG-17-40-Feb17.pdf. A February 2017 DHS inspector general audit of these pilot programs found that the department had not measured their effectiveness, rendering them an inadequate basis on which to build broader initiatives. 18Ibid. In a letter to the inspector general sent in response to the investigation, which was included in the publicly available report, DHS personnel noted that CBP also conducted a pilot program, with another soon to be initiated as of December 2016, but there is no publicly available information about either. Ibid., 7.

Even more damning are USCIS’s own evaluations of the programs, which showed them to be largely ineffective. According to a brief prepared by DHS for the incoming administration at the end of 2016, for three out of the four programs used to vet refugees, “the information in the accounts did not yield clear, articulable links to national security concerns, even for those applicants who were found to pose a potential national security threat based on other security screening results.” 19USCIS Briefing Book, 181. The brief does show that USCIS complied with its own rules, which prohibit denying benefits solely on the basis of public-source information — such as that derived from social media — due to “its inherent lack of data integrity.” 20Ibid., 183; DHS, Privacy Impact Assessment for the Fraud Detection and National Security Directorate, DHS/USCIS/PIA-013-01, December 16, 2014 (hereinafter FDNS 2014 PIA), 14, https://www.dhs.gov/sites/default/files/publications/privacy-pia-uscis-fdns-november2016_0.pdf. The department reviewed 1,500 immigration benefits cases and found that none were denied “solely or primarily because of information uncovered through social media vetting.” 21USCIS Briefing Book, 183. But this information provided scant insights in any event: out of the 12,000 refugee applicants and 1,500 immigration benefit applicants screened, USCIS found social media information helpful only in “a small number of cases,” where it “had a limited impact on the processing of those cases — specifically in developing additional lines of inquiry.” 22Ibid., 183.

In fact, a key takeaway from the pilot programs was that they were unable to reliably match social media accounts to the individual being vetted, and even where the correct accounts were found, it was hard to determine “with any level of certainty” the “authenticity, veracity, [or] social context” of the data, as well as whether there were “indicators of fraud, public safety, or national security concern.” 23Ibid., 183. Additional problems identified were the fact that refugee applicants had only a “minimal presence” on social media platforms accessible through social media monitoring programs and that the content was often not in English. Ibid., 181, 184. The brief explicitly questioned the overall value of the programs, noting that dedicating personnel “to mass social media screening diverts them away from conducting the more targeted enhanced vetting they are well trained and equipped to do.” 24Ibid., 184.

The difficulties faced by DHS personnel are hardly surprising; attempts to make judgments based on social media are inevitably plagued by problems of interpretation. 25See Alexandra Olteanu et al., “Social Data: Biases, Methodological Pitfalls, and Ethical Boundaries,” December 20, 2016, http://kiciman.org/wp-content/uploads/2017/08/SSRN-id2886526.pdf; Brennan Center for Justice et al., Comments to Department of State Regarding “Notice of Information Collection Under OMB Emergency Review: Supplemental Questions for Visa Applicants,” May 18, 2017, https://www.brennancenter.org/sites/default/files/analysis/State%20Dept%20Information%20Collection%20Comments%20-%2051817_3.pdf. In 2012, for example, a British national was denied entry at a Los Angeles airport when DHS agents misinterpreted his posting on Twitter that he was going to “destroy America” — slang for partying — and “dig up Marilyn Monroe’s grave” — a joking reference to a television show. 26See J. David Goodman, “Travelers Say They Were Denied Entry to U.S. for Twitter Jokes,” New York Times, January 30, 2012, https://thelede.blogs.nytimes.com/2012/01/30/travelers-say-they-were-denied-entry-to-u-s-for-twitter-jokes/. FBI agents and even courts have erroneously interpreted tweets of rap lyrics as threatening messages. See, for example, Natasha Lennard, “The Way Dzhokhar Tsarnaev’s Tweets Are Being Used in the Boston Bombing Trial Is Very Dangerous,” Fusion, March 12, 2015, http://fusion.net/story/102297/the-use-of-dzhokhar-tsarnaevs-tweets-inthe-bostonbombing-trial-is-very-dangerous/; a Pennsylvania man was even sentenced to more than three years in prison for rap-style lyrics he posted to Facebook. The Supreme Court reversed the conviction in 2015. United States v. Elonis, 2011 WL 5024284 (E.D. Pa. Oct. 20, 2011), aff’d, 730 F.3d 321 (3d Cir. 2013), rev’d and remanded, 135 S. Ct. 2001 (2015), and aff’d, 841 F.3d 589 (3d Cir. 2016). As the USCIS pilot programs demonstrate, interpretation is even harder when the language used is not English and the cultural context is unfamiliar. If the State Department’s current plans to undertake social media screening for 15 million travelers are implemented, government agencies will have to be able to understand the languages (more than 7,000) and cultural norms of 193 countries. 27The total number of world languages is disputed. One widely cited estimate is that there are about 7,111 living languages, of which 3,995 have a developed writing system. These numbers are based on the definition of language (as opposed to dialect) as a speech variety that is not mutually intelligible with other speech varieties. See David M. Eberhard, Gary F. Simons, and Charles D. Fennig (eds.), Ethnologue: Languages of the World, 22nd ed. (Dallas, Texas: SIL International, 2019), https://www.ethnologue.com/enterprise-faq/how-many-languages-world-are-unwritten-0. The Department of State issues nonimmigrant visas to individuals from every country in the world annually. See Department of State, Report of the Visa Office 2018, Table XVIII: “Nonimmigrant Visas Issued by Nationality (Including Border Crossing Cards) Fiscal Year 2009–2018,” https://travel.state.gov/content/dam/visas/Statistics/AnnualReports/FY2018AnnualReport/FY18AnnualReport%20-%20TableXVIII.pdf.

Nonverbal communications on social media pose yet another set of challenges. As the Brennan Center and 34 other civil rights and civil liberties organizations pointed out in a May 2017 letter to the State Department:

If a Facebook user posts an article about the FBI persuading young, isolated Muslims to make statements in support of ISIS, and another user “loves” the article, is he sending appreciation that the article was posted, signaling support for the FBI’s practices, or sending love to a friend whose family has been affected? 28Brennan Center for Justice et al., Comments to Department of State Regarding “Notice of Information Collection Under OMB Emergency Review,” 4-5.

All of these difficulties, already substantial, are compounded when the process of reviewing posts is automated. Obviously, using simple keyword searches in an effort to identify threats would be useless because they would return an overwhelming number of results, many of them irrelevant. One American police department learned this lesson the hard way when efforts to unearth bomb threats online instead turned up references to “bomb” (i.e., excellent) pizza. 29Ben Conarck, “Sheriff’s Office’s Social Media Tool Regularly Yielded False Alarms,” Jacksonville, May 30, 2017, https://www.jacksonville.com/news/public-safety/metro/2017-05-30/sheriff-s-office-s-social-media-tool-regularly-yielded-false. Natural language processing, the tool used to judge the meaning of text, is not nearly accurate enough to do the job either. Studies show that the highest accuracy rate achieved by these tools is around 80 percent, with top-rated tools generally achieving 70–75 percent accuracy. 30Natasha Duarte, Emma Llanso, and Anna Loup, "Mixed Messages? The Limits of Automated Social Media Content Analysis", Center for Democracy and Technology, 2017, 5, https://cdt.org/files/2017/11/Mixed-Messages-Paper.pdf; Shervin Malmasi and Marcos Zampieri, “Challenges in Discriminating Profanity From Hate Speech,” Journal of Experimental & Theoretical Artificial Intelligence 30, no. 2 (2018): 1-16, https://arxiv.org/pdf/1803.05495.pdf (reporting an 80 percent accuracy rate in distinguishing general profanity from hate speech in social media). Irene Kwok and Yuzhou Wang, “Locate the Hate: Detecting Tweets Against Blacks,” Proceedings of the 27th AAAI Conference on Artificial Intelligence (2013), https://pdfs.semanticscholar.org/db55/11e90b2f4d650067ebf934294617eff81eca.pdf (finding an average 76 percent accuracy rate classifying hate speech on Twitter); Bo Han, “Improving the Utility of Social Media With Natural Language Processing” (PhD dissertation, University of Melbourne, February 2014), https://pdfs.semanticscholar.org/fd66/afb9d50c4770a529e7d125809053586b28dd.pdf (showing that natural language processing tools used to normalize “out-of-vocabulary” words, such as slang and abbreviations common on social media, into standard English achieved a 71.2 percent accuracy rate). In fact, accuracy itself is a somewhat slippery concept in these studies — it measures whether the tool came to the same conclusion that a human would have, but it does not take into account the possibility of human error or subjectivity. Duarte, Llanso, and Loup, Mixed Messages? 5, 17-18. This means that 20–30 percent of posts analyzed through natural language processing would be misinterpreted.

Algorithmic tone and sentiment analysis, which senior DHS officials have suggested is being used to analyze social media, is even less accurate. 31See Aaron Cantú and George Joseph, “Trump’s Border Security May Search Your Social Media by ‘Tone,’ ” The Nation, August 23, 2017, https://www.thenation.com/article/trumps-border-security-may-search-your-social-media-by-tone/ (noting that a senior DHS official touted the department’s capacity to search its data sets, including social media data, “by tone”). Ahmed Abbasi, Ammar Hassan, and Milan Dhar, “Benchmarking Twitter Sentiment Analysis Tools,” Proceedings of the Ninth Language Resources and Evaluation Conference (2014), https://www.researchgate.net/profile/Ammar_Hassan6/publication/273000042_Benchmarking_Twitter_Sentiment_Analysis_Tools/links/54f484d70cf2ba6150634593.pdf (finding that the best-performing sentiment analysis tools attain overall accuracies between 65 percent and 71 percent on average, while many low-performing tools yield accuracies below 50 percent); Mark Cieliebak et al., “A Twitter Corpus and Benchmark Resources for German Sentiment Analysis,” Proceedings of the Fifth International Workshop on Natural Language Processing for Social Media (2017): 49, https://pdfs.semanticscholar.org/a050/90ea0393284e83e961f199ea6cd03d13354f.pdf (finding that state-of-the-art systems for sentiment analysis in German achieve only around 60 percent accuracy in most cases, even when a system is trained and tested on the same corpus). A recent study concluded that it could make accurate predictions of political ideology based on users’ Twitter posts only 27 percent of the time, observing that the predictive exercise was “harder and more nuanced than previously reported.” 32Daniel Preotiuc-Pietro, Ye Liu, Daniel J. Hopkins, Lyle Ungar, “Beyond Binary Labels: Political Ideology Prediction of Twitter Users,” Proceedings of the 55th Annual Meeting of the Association for Computational Linguistics (2017), https://www.aclweb.org/anthology/P17-1068. Accuracy plummets even further when the speech being analyzed is not standard English. 33Diana Maynard, Kalina Bontcheva, and Dominic Rout, “Challenges in Developing Opinion Mining Tools for Social Media,” Proceedings of @NLP can u tag #user_generated_content?! (2012), http://www.lrec-conf.org/proceedings/lrec2012/workshops/21.LREC2012%20NLP4UGC%20Proceedings.pdf#page=20 (showing that the accuracy of language and sentiment identification decreases when tools are used to analyze tweets because tweets tend to have greater language variation, tend to be less grammatical than longer posts, contain unorthodox capitalizations, and make frequent use of emoticons, abbreviations, and hashtags); Joan Codina and Jordi Atserias, “What Is the Text of a Tweet?” Proceedings of @NLP can u tag #user_generated_content?! (2012), http://www.lrec-conf.org/proceedings/lrec2012/workshops/21.LREC2012%20NLP4UGC%20Proceedings.pdf (arguing that the use of nonstandard language, emoticons, spelling errors, letter casing, unusual punctuation, and more makes applying natural language processing tools to user-generated social media content an unresolved issue); Dirk Von Grunigen et al., “Potential Limitations of Cross-Domain Sentiment Classification,” Proceedings of the Fifth International Workshop on Natural Language Processing for Social Media (2017), http://www.aclweb.org/anthology/W17-1103 (finding that sentiment analysis tools trained for one domain performed poorly in other domains). See generally Will Knight, “AI’s Language Problem,” MIT Technology Review, August 9, 2016, https://www.technologyreview.com/s/602094/ais-language-problem/. Indeed, even English speakers using nonstandard dialects or lingo may be misidentified by automated tools as speaking in a different language. One tool flagged posts in English by black and Hispanic users — like “Bored af den my phone finna die!!!!” (which can be loosely translated as “I’m bored as f*** and then my phone is going to die”) — as Danish with 99.9 percent confidence. 34Su Lin Blodgett and Brendan O’Connor, “Racial Disparity in Natural Language Processing: A Case Study of Social Media African-American English,” Proceedings of the Fairness, Accountability, and Transparency in Machine Learning Conference (2017): 2, https://arxiv.org/pdf/1707.00061.pdf.

Crucially — as the USCIS pilot programs discussed above demonstrated — algorithms are generally incapable of making the types of subjective evaluations that are required in many DHS immigration programs, such as whether someone poses a threat to public safety or national security or whether certain information is “derogatory.” Moreover, because these types of threats are difficult to define and measure, makers of algorithms will turn to “proxies” that are more easily observed. But there is a risk that the proxies will bear little or no relationship to the task and that they will instead reflect stereotypes and assumptions. The questioning of Muslim travelers about their religious practice as a means of judging the threat they pose shows that unfounded and biased assumptions are already entrenched at DHS. It would be easy enough to embed them in an algorithm.

Despite these serious shortcomings in terms of effectiveness and critics’ well-founded concerns about the potential for targeting certain political views and faiths, DHS is proceeding with programs for monitoring social media. 35DHS, “DHS Transition Issue Paper: Screening and Vetting,” 1, in Strategic Issue Paper Summaries: Presidential Transition 2016–2017, https://www.dhs.gov/sites/default/files/publications/TSA%20Presidential%20Transition%20Records.pdf#page=205 (“DHS is working to expand its current uses of social media to enhance existing vetting processes . . . [and] established a Social Media Task Force in December 2015 to examine current and potential uses of social media and how DHS could best expand its use”). The department’s attitude is perhaps best summed up by an ICE official who acknowledged that while they had not yet found anything on social media, “you never know, the day may come when social media will actually find someone that wasn’t in the government systems we check.” 36George Joseph, “Extreme Digital Vetting of Visitors to the U.S. Moves Forward Under a New Name,” ProPublica, November 22, 2017, https://www.propublica.org/article/extreme-digital-vetting-of-visitors-to-the-u-s-moves-forward-under-a-new-name/a>.

The consequences of allowing these types of programs to continue unchecked are too grave to ignore. In addition to responding to particular cases of abuse, Congress needs to fully address the risks of social media monitoring in immigration decisions. This requires understanding the overall system by which DHS collects this type of information, how it is used, how it is shared with other agencies, and how it is retained – often for decades – in government databases. Accordingly, this paper maps social media exploitation by the four parts of DHS that are most central to immigration: Customs and Border Protection (CBP), the Transportation Security Administration (TSA), Immigration and Customs Enforcement (ICE), and United States Citizenship and Immigration Services (USCIS). It also examines DHS’s cooperation with the Department of State, which plays a key role in immigration vetting.


Case Studies: Using Social Media to Target First Amendment– Protected Activity

End Notes

Key Findings

While the ways in which these DHS units use social media vary, our review identified eight common threads.

1. Social media information is collected from travelers, including Americans, even when they are not suspected of any connection to illegal activity.

People planning to travel to the United States are increasingly being asked to provide social media identifiers, such as their Twitter or Instagram handles, enabling the creation of a registry of their online postings. In December 2016, DHS began asking the travelers who come to the United States from countries covered by the Visa Waiver Program — some 23.6 million annually, primarily from Western Europe — to voluntarily provide their social media identifiers. 1Through the Visa Waiver Program, citizens of 38 mainly western European countries can apply to travel to the United States for business or tourism without obtaining a visa. For the full list of eligible countries, See CBP, “Frequently Asked Questions About the Visa Waiver Program (VWP) and the Electronic System for Travel Authorization (ESTA),” February 23, 2017, https://www.cbp.gov/travel/international-visitors/frequently-asked-questions-about-visa-waiver-program-vwp-and-electronic-system-travel. The Office of Management and Budget (OMB) approved CBP’s proposal to collect the social media identifiers of visitors from Visa Waiver Countries on December 19, 2016. See OMB, Notice of Office of Management and Budget Action, “Arrival and Departure Record,” December 19, 2016, https://www.reginfo.gov/public/do/DownloadNOA?requestID=275860; See also DHS Privacy Office, Notice of Privacy Act System of Records, CBP-009 Electronic System for Travel Authorization System of Records, 81 Fed. Reg. 60713 (September 2, 2016) (hereinafter ESTA SORN), https://www.gpo.gov/fdsys/pkg/FR-2016-09-02/pdf/2016-21210.pdf. DHS Office of Immigration Statistics, Table 28, “Nonimmigrant Admissions (I-94 Only) by Selected Category of Admission and Region and Country of Citizenship: Fiscal Year 2017,” in 2017 Yearbook of Immigration Statistics, https://www.dhs.gov/immigration-statistics/yearbook/2017/table28 (noting that the total number of travelers admitted to the United States through the Visa Waiver Program in fiscal year 2017 was 23,637,046). In May 2017, the State Department, as part of implementing the Muslim ban executive order, began requiring some categories of visa applicants — estimated at 65,000 applicants annually — to provide a list of the identifiers they had used on social media platforms within the previous five years. 2See also Department of State, “Notice of Information Collection Under OMB Emergency Review: Supplemental Questions for Visa Applicants,” 82 Fed. Reg. 20,956 (May 4, 2017), https://www.federalregister.gov/d/2017-08975; Department of State, “60-Day Notice of Proposed Information Collection: Supplemental Questions for Visa Applicants,” 82 Fed. Reg. 36,180 (August 3, 2017), https://www.gpo.gov/fdsys/pkg/FR-2017-08-03/pdf/2017-16343.pdf. In March 2018, the State Department started to ramp up its efforts, proposing a new rule that would collect social media identifiers from every visa applicant — i.e., the 15 million people who apply for visas each year. 3Department of State, “60-Day Notice of Proposed Information Collection: Application for Immigrant Visa and Alien Registration”; Department of State, “60-Day Notice of Proposed Information Collection: Application for Nonimmigrant Visa.” See also Brennan Center for Justice et al., Comments to Department of State, “Re: DS-160 and DS-156, Application for Nonimmigrant Visa, OMB Control No. 1405-0182; DS-260, Electronic Application for Immigrant Visa and Alien Registration, OMB Control No. 1405-185.” The proposal was approved in April 2017, with minor privacy-related changes. 4OMB, Notice of Office of Management and Budget Action, “Online Application for Nonimmigrant Visa”; OMB, Notice of Office of Management and Budget Action, “Electronic Application for Immigrant Visa and Alien Registration.”

Social media data can also be collected via searches of electronic devices, which DHS carries out — without suspicion of criminal activity — on both American and foreign travelers. The department claims the authority to undertake warrantless searches of these devices not just at points of entry but also in areas in the broad vicinity of the border. 5Beyond the “physical border,” CBP also claims the authority to conduct electronic device searches at the “functional equivalent of the border” (such as an international airport within the United States) or the “extended border” (as when agents stop a person or vehicle that has recently crossed the border and is in the same state as when the border was crossed, and there is reasonable suspicion of criminal activity). Yule Kim, Protecting the U.S. Perimeter: Border Searches Under the Fourth Amendment, Congressional Research Service, June 29, 2009, 7-8, https://fas.org/sgp/crs/homesec/RL31826.pdf. These searches are conducted primarily by CBP and ICE. While ICE does not report statistics on these searches, CBP does. Its searches of travelers’ electronic devices at ports of entry have been steadily increasing over the past several years. In fiscal year 2015, CBP searched the devices of 8,503 travelers. 6CBP, “CBP Releases Statistics on Electronic Device Searches,” press release, April 11, 2017, https://www.cbp.gov/newsroom/national-media-release/cbp-releases-statistics-electronic-device-searches-0. The fiscal year begins on October 1 of the prior year. So, for example, fiscal year 2017 ran from October 1, 2016, to September 30, 2017. By fiscal year 2017, this number had gone up to 30,200 — an increase of over three and a half times. 7CBP, “CBP Releases Updated Border Search of Electronic Device Directive and FY17 Statistics,” press release, January 5, 2018, https://www.cbp.gov/newsroom/national-media-release/cbp-releases-updated-border-search-electronic-device-directive-and/a>. According to ABC News, 20 percent of these searches are carried out on American travelers. 8Geneva Sands, “Searches of Travelers’ Electronic Devices Up Nearly 60 Percent,” ABC News, January 5, 2018, https://abcnews.go.com/US/searches-travelers-electronic-devices-60-percent/story?id=52171977.

Finally, through contracts with various private companies, DHS acquires massive commercial databases of online information, including social media data. 9See infra text accompanying notes 243-256, 321-331, 415-417, 458. Unlike the direct collection of social media handles by DHS and the State Department, there is no assurance that an individual will be accurately connected to a social media profile. The difficulty of matching people to profiles was a major shortcoming of automated monitoring tested by the pilot programs discussed above. 10See supra text accompanying notes 19-24.

2. Social media checks extend to travelers’ family, friends, business associates, and social media contacts.

When DHS checks the social media of someone trying to obtain permission to come to the United States or someone already at or near the border, it inevitably picks up information about people with whom they interact. For example, ICE agents searching a traveler’s smartphone at or near the border can download the entirety of her Facebook and Twitter accounts and go through them later. 11See infra text accompanying notes 369-382. See also ICE, Directive No. 7-6.1, “Border Searches of Electronic Devices,” August 18, 2009 (hereinafter ICE 2009 Directive, Border Searches of Electronic Devices), 2, https://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdf.

In addition, CBP agents conducting social media checks for people applying for visa waivers (available to the citizens of 38 countries) can examine not only the applicant’s posts but those of the people who interacted with her on social media (even if uninvited), and may retain information so long as the agent believes it is “relevant” to the waiver decision. 12See infra text accompanying notes 102-104. See also DHS, Privacy Impact Assessment Update for the Electronic System for Travel Authorization (ESTA), DHS/CBP/PIA-007(g), September 1, 2016 (hereinafter ESTA 2016 PIA), 4, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp-esta-september2016.pdf. The program also allows agents to proactively

identify an applicant’s secondary and tertiary contacts who might “pose a potential risk to the homeland” or “demonstrate a nefarious affiliation on the part of the applicant.” 13ESTA 2016 PIA, 5. Examining contacts and networks may make sense when pursuing someone who is suspected of wrongdoing. But applying this technique to people who are simply seeking to travel opens the door to fishing expeditions for information that can easily be misinterpreted.

Automated analytical tools used by DHS combine social media with other types of information to identify and map possible associations among people and organizations. ICE and CBP both use data systems developed by the data mining 14Data mining, including social media data mining, is defined as conducting pattern-based queries, searches, or other analyses of one or more electronic databases to discover predictive patterns or anomalies. Federal Agency Data Mining Reporting Act of 2007, 42 U.S.C. § 2000ee-3(b)(1). See also DHS Privacy Office, 2017 Data Mining Report to Congress, October 2018, 7, https://www.dhs.gov/sites/default/files/publications/2017-dataminingreport_0.pdf; DHS Management Directorate, Instruction Manual 262-12-001-01, “DHS Lexicon Terms and Definitions,” October 16, 2017, 144-5, https://www.dhs.gov/sites/default/files/publications/18_0116_MGMT_DHS-Lexicon.pdf (defining data mining as the “application of database technology and techniques to uncover hidden patterns, anomalies, and subtle relationships in data and to infer rules that allow for the prediction of future results”). company Palantir Technologies, Inc., that are equipped with tools to analyze social networks. 15Palantir developed CBP’s Analytical Framework for Intelligence (AFI) and ICE’s FALCON-Search and Analysis (FALCON-SA). For more on AFI’s and FALCON-SA’s analytical capabilities, See infra text accompanying notes 238-255 and 395-417, respectively. See also Spencer Woodman, “Palantir Provides the Engine for Donald Trump’s Deportation Machine,” Intercept, March 2, 2017, https://theintercept.com/2017/03/02/palantir-provides-the-engine-for-donald-trumps-deportation-machine/. However, the reliability of the information ingested by these systems is not verified; DHS has exempted them from the relevant requirements of the Privacy Act, and there are functionally no mechanisms for the individuals whose information is included to challenge the accuracy of the data. 16See DHS Privacy Office, Final Rule, CBP — 017 Analytical Framework for Intelligence (AFI) System of Records, 77 Fed. Reg. 47767, 47768 (August 10, 2012) (hereinafter AFI Final Rule), https://www.govinfo.gov/content/pkg/FR-2012-08-10/html/2012-19336.htm. The privacy impact assessment for ICE’s FALCON-SA states that individuals seeking to correct any record contained in the system may submit a request, but it is unlikely that anyone would know that correction was needed, given that FALCON-SA is exempt from access requirements. Moreover, the privacy impact assessment clarifies that “all or some of the requested information may be exempt from correction pursuant to the Privacy Act.” DHS, Privacy Impact Assessment Update for the FALCON Search & Analysis System, DHS/ICE/PIA-032(b) FALCON-SA, October 11, 2016 (hereinafter FALCON-SA 2016 PIA), 25-26, https://www.dhs.gov/sites/default/files/publications/privacy-pia-ice-032-falcons-b-october2016.pdf. According to reports from watchdog groups and the press, these systems are being used by ICE to identify individuals for deportation. 17See, for example, Erin Corbett, “Tech Companies Are Profiting Off ICE Deportations, Report Shows,” Fortune, October 23, 2018, http://fortune.com/2018/10/23/tech-companies-surveillance-ice-immigrants/.

These data sets are also used by DHS to undertake broader trend, pattern, and predictive analyses, through a number of systems that are described in this paper. 18DHS defines pattern analysis as “identifying trends in activities or behaviors using prior actions and activities.” DHS Management Directorate, “DHS Lexicon Terms and Definitions,” 473. See also Joel B. Predd et al., Using Pattern Analysis and Systematic Randomness to Allocate U.S. Border Security Resources, RAND Corporation (2012), 1, https://apps.dtic.mil/dtic/tr/fulltext/u2/a558883.pdf (stating, in the context of border security, that “pattern and trend analysis refers to predictive methods that can identify regularities in the times, places, or tactics that interdicted border crossers have historically employed. For example, methods or tools of pattern and trend analysis may identify ‘hot spots’ — i.e., border zones or times of high or increased border activity — to ascertain where more resources could increase interdiction rates”). While the privacy impact assessments for these systems often identify the sources of information used in these analyses, there is almost no publicly available information regarding what types of trends or patterns DHS is seeking to identify or how social media information fits into these types of analyses.

3. DHS frequently uses social media information for vague and open-ended evaluations that can be used to target unpopular views or populations.

Our review showed that in many instances — including the Visa Waiver Program and warrantless searches at the border by CBP and ICE — DHS personnel are charged with examining social media to identify information relating to undefined “national security” risks or concerns. 19See ESTA 2016 PIA, 2; CBP, “Border Search of Electronic Devices,” CBP Directive No. 3340-049A, January 4, 2018 (hereinafter CBP 2018 Directive), 5, https://www.cbp.gov/sites/default/files/assets/documents/2018-Jan/CBP-Directive-3340-049A-Border-Search-of-Electronic-Media-Compliant.pdf. Publicly available documents do not indicate what type of information might be regarded as indicative of a national security risk, and it has been reported that at least some agents are uncertain about what type of information would be considered to be suggestive of a national security risk. 20USCIS, “USCIS Social Media & Vetting: Overview and Efforts to Date,” March 2, 2017, 3, https://assets.documentcloud.org/documents/4341532/COW2017000400-FOIA-Response.pdf#page=56. This document is part of a series of internal reviews obtained by the Daily Beast via FOIA request that offer some information on these pilot programs and more broadly on USCIS’s use of social media monitoring in its vetting efforts. See Aliya Sternstein, “Obama Team Did Some ‘Extreme Vetting’ of Muslims Before Trump, New Documents Show,” Daily Beast, January 2, 2018, https://www.thedailybeast.com/obama-team-did-some-extreme-vetting-of-muslims-before-trump-new-documents-show. While agents obviously must have some flexibility to make judgments, the breadth of discretion combined with weak safeguards opens the door for discrimination based on political or religious views.

Social media information forms part of the data set that DHS uses to assign risk assessments to individual travelers through CBP’s Automated Targeting System (ATS). These assessments are highly consequential because they determine who is allowed to enter the country and what level of questioning they are required to undergo. 21ATS 2017 PIA, 4. But there is no publicly available information about the accuracy, effectiveness, or empirical basis of risk assessments. 22CBP, the DHS Privacy Office, the DHS Office for Civil Rights and Civil Liberties, and the DHS Office of the General Counsel are supposed to conduct joint quarterly reviews of the risk-based rules used in ATS to ensure that the rules are appropriate, relevant, and effective and to assess whether privacy and civil liberties protections are adequate and consistently implemented. DHS Privacy Office, 2017 Data Mining Report to Congress, 22. There is no publicly available information about these quarterly reviews, including whether they occur. In fact, the information that goes into one’s risk assessment need not be “accurate, relevant, timely, [or] complete,” as DHS exempted ATS from these Privacy Act requirements. 23DHS Privacy Office, Final Rule, CBP — 006 Automated Targeting System of Records, 75 Fed. Reg. 5487 (February 3, 2010) (hereinafter ATS Final Rule), https://www.govinfo.gov/content/pkg/FR-2010-02-03/html/2010-2201.htm. This is particularly troubling because in other settings, such as the criminal justice system, risk assessments have been shown to disproportionately impact minorities. 24See Hayley Tsukayama and Jamie Williams, “If a Pre-Trial Risk Assessment Tool Does Not Satisfy These Criteria, It Needs to Stay Out of the Courtroom,” Electronic Frontier Foundation, November 6, 2018, https://www.eff.org/deeplinks/2018/11/if-pre-trial-risk-assessment-tool-does-not-satisfy-these-criteria-it-needs-stay; Jesse Jannetta et al., Examining Racial and Ethnic Disparities in Probation Revocation: Summary Findings and Implications From a Multisite Study, Urban Institute, April 2014, https://www.urban.org/sites/default/files/publication/22746/413174-Examining-Racial-and-Ethnic-Disparities-in-Probation-Revocation.PDF; Lori D. Moore and Irene Padavic, “Risk Assessment Tools and Racial⁄Ethnic Disparities in the Juvenile Justice System,” Sociology Compass 5, no. 10 (2011): 850-858, https://coss.fsu.edu/subdomains/claudepeppercenter.fsu.edu_wp/wp-content/uploads/2015/04/Risk_Assessment_Juvies.pdf.

For example, as of at least 2017, DHS compares refugee and asylum applicant information from social media and other sources against the information provided by an applicant to identify any inconsistencies. Such social media checks are, however, performed only on select populations of asylum seekers and refugees. With the exception of Iraqis and Syrians, these applicant populations have not been publicly identified. 25See Hearing on “Refugee Admissions FY 2018,” Before the Subcommittee on Immigration and Border Security House Committee on the Judiciary, October 26, 2017 (written testimony of L. Francis Cissna, director, U.S. Citizenship and Immigration Services, DHS) (hereinafter Hearing on Refugee Admissions: Cissna Testimony), 5, https://www.uscis.gov/tools/resources/hearing-refugee-admissions-fy-2018-subcommittee-immigration-and-border-security-house-committee-judiciary-october-26-2017-uscis-director-l-francis-cissna; USCIS Briefing Book, 181. However, one prominent refugee organization reported in 2018 that these measures are applied to refugee applicants from the Muslim countries of Egypt, Iran, Iraq, Libya, Mali, Somalia, South Sudan, Sudan, Syria, and Yemen, as well as North Korea. 26Laura Koran and Tal Kopan, “US Increases Vetting and Resumes Processing of Refugees From ‘High-Risk’ Countries,” CNN, January 29, 2018, https://www.cnn.com/2018/01/29/politics/us-refugee-vetting-measures/index.html. All of the countries covered by the Trump Muslim ban are on this list.

4. DHS is continuously monitoring some people inside the United States and plans to expand these efforts.

DHS is increasingly implementing programs to continuously monitor people inside the United States, where freedom of speech, association, and religion are constitutionally protected. For example, using social media and other sources, ICE monitors students who enter the United States planning to study a “nonsensitive” topic and later change to one the State Department categorizes as “sensitive” (e.g., nuclear physics, biomedical engineering, or robotics). 27For more on the monitoring of students who change their course of study to “sensitive” fields, See infra text accompanying notes 342-344. ICE’s Overstay Lifecyle Program targets visitors from a number of unidentified countries to uncover derogatory information for ongoing monitoring, including through social media. And ICE’s planned Visa Lifecycle Vetting Initiative would keep tabs on 10,000 foreign visitors flagged as “high risk” by monitoring their social media activity. 28For more on ICE’s social media pilot programs, See infra text accompanying notes 342-359. Drew Harwell and Nick Miroff, “ICE Just Abandoned Its Dream of ‘Extreme Vetting’ Software That Could Predict Whether a Foreign Visitor Would Become a Terrorist,” Washington Post, May 17, 2018, https://www.washingtonpost.com/news/the-switch/wp/2018/05/17/ice-just-abandoned-its-dream-of-extreme-vetting-software-that-could-predict-whether-a-foreign-visitor-would-become-a-terrorist/. As noted earlier, a draft CBP report recommended continuously monitoring young Muslim men while they were in the United States. If implemented, this discriminatory policy would affect hundreds of thousands of people. 29See supra text accompanying notes 10-11.

5. DHS is increasingly seeking and using automated tools to analyze social media.

While the full scope of DHS’s efforts to use algorithms is not known, our research shows that at least three branches of DHS — CBP, ICE, and USCIS — now use automated tools to analyze social media information, either alongside other data or by itself. For instance, CBP’s Analytical Framework for Intelligence has automated analytic capabilities, developed by Palantir, to identify “non-obvious” links among data points, people, and organizations. 30DHS Privacy Office, 2017 Data Mining Report to Congress, 26. Similarly, ICE has contracted with the data mining firm Giant Oak to continuously monitor, aggregate, and analyze social media data to provide ICE with prioritized rankings of leads for its overstay enforcement initiatives. 31“Statement of Work,” ICE Contract #HSCEMD-14-C-00002 P00007, 31, https://www.brennancenter.org/sites/default/files/analysis/ICE%20FOIA%20Social%20Media%20Pilot%20Programs%20-%20BCJ.pdf. The push toward automation raises concerns given the poor track record of automated systems trying to make complicated judgments and the ambiguity of many social media posts, as amply demonstrated by the USCIS pilot programs. 32See supra text accompanying notes 16-24.

6. Social media information collected for one purpose is used by DHS in a range of other contexts, increasing the likelihood of misinterpretation.

The difficulty of interpreting Facebook posts and offhand tweets likely only worsens as they are captured in numerous databases and systems and used for a range of analyses. Empirical research shows that as data becomes further and further removed from the context and aim of its original collection, it is less likely to be useful for secondary analysis. 33See, for example, Rob Kitchin, The Data Revolution: Big Data, Open Data, Data Infrastructures and Their Consequences (London: SAGE Publications, 2014), 178; Victoria Sheriff, “Evaluating Preexisting Qualitative Research Data for Secondary Analysis,” Forum: Qualitative Social Research 19, no. 2 (May 2018), http://www.qualitative-research.net/index.php/fqs/article/view/2821/4212.

The DHS data architecture is a vast, ambiguous, and highly interconnected system in which social media is available for several types of secondary analyses. For example, when someone applies for a visa waiver to visit the United States, that person is asked to provide his or her social media identifiers, such as a Twitter handle. 34CBP officers may use this information to vet the applicant and may also use it when travelers do not provide such information. See ESTA 2016 PIA, 2. The CBP officer who evaluates the applicant’s tweets conducts an individualized assessment and has available a range of biographical information that provides context for what the applicant has said on social media. We know from DHS’s own pilot programs discussed above that this type of analysis is mostly unproductive. These problems are exacerbated when the information is used for secondary analyses. The social media identifiers as well as information obtained from CBP border searches also make their way into the Automated Targeting System, where the information can be used to generate “risk assessments” for other individuals altogether. 35ESTA 2016 PIA, 5; DHS, Privacy Impact Assessment Update for CBP Border Searches of Electronic Devices, DHS/CBP/PIA-008(a), January 4, 2018 (hereinafter CBP Electronic Border Searches 2018 PIA), 10, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp008-bordersearcheselectronicdevices-january2018.pdf. Information in ATS obtained from border searches does not include information from searches pursuant to warrant, consent, or abandonment. See infra text accompanying notes 178-194. The information in ATS also feeds into numerous other data systems and is used, for example, by TSA to prescreen travelers and to vet visa applicants and people applying for immigration benefits. 36ATS 2017 PIA, 22-27, 35-37, 46-47, 58-60. For more on ATS and its interconnections with various DHS programs, See infra text accompanying notes 198-256, 258-297, 317, 336, 402-410, 466-471. When already difficult-to-interpret information is taken out of context, the risks of misunderstandings only increase.

7. Social media information collected by DHS is shared with other law enforcement and security agencies under broad standards.

The past two decades have seen a proliferation in information-sharing arrangements among various government agencies and even with foreign governments. With stringent standards and controls, such arrangements can serve valid purposes. But sharing information about people’s political and religious views, especially when gleaned from the ambiguous realms of social media, only expands the possibility of abuse and inappropriate targeting. For example, the CBP program to track and interrogate journalists and activists at the southern border, discussed earlier, was apparently carried out in cooperation with Mexican authorities. 37 See supra notes iii-v acccompanying sidebar “Case Studies: Using Social Media to Target First Amendment–Protected Activity.” The document listing targets displayed both U.S. and Mexican flags, as well as a seal for the International Liaison Unit, which coordinates intelligence between the two countries. Tom Jones, Mari Payton, and Bill Feather, “Source: Leaked Documents Show the U.S. Government Tracking Journalists and Immigration Advocates,” NBC San Diego, March 6, 2019, https://www.nbcsandiego.com/news/local/Source-Leaked-Documents-Show-the-US-Government-Tracking-Journalists-and-Advocates-Through-a-Secret-Database-506783231.html. The target list showed that Mexican authorities had deported seven people and arrested three others, including nationals of the United States, Honduras, and Spain. 38Ibid. These actions by Mexico, which raise serious concerns about the targeting of political speech and organizing, could well have been the result of the sharing of information by CBP. Reporting also indicates that agents from the San Diego office of the Federal Bureau of Investigation (FBI) were involved in the operation, raising concerns about whether CBP intended that the FBI target the Americans on the list for surveillance. 39Ibid.

Unfortunately, DHS programs generally have low standards for sharing highly personal information, such as that found on social media, and the standards do not differentiate between Americans’ information and that of people from other countries. This information can easily be shared with entities ranging from the Department of State, the FBI, and congressional offices to foreign governments and Interpol. For example, data obtained from CBP searches of travelers’ electronic devices at the border, which can include the full contents of these devices, can be shared with federal, state, tribal, local, or foreign governmental agencies or multilateral government organizations when CBP believes the information could assist enforcement of civil or criminal laws. 40ATS 2017 PIA, 44. ICE, too, can disseminate any device information “relating to national security” to law enforcement and intelligence agencies. 41Memorandum from director, ICE Office of Investigations, to assistant directors, all deputy assistant directors, and all special agents in charge, “Field Guidance on Handling Detained or Seized Electronic Media From Persons of National Security Interest at Ports of Entry,” March 5, 2007, 2, http://www.aclu.org/files/pdfs/natsec/laptopsearch/dhs_20100816_DHS000691-DHS000692.pdf. Information from ICE’s LeadTrac system, which is used to vet and manage leads of suspected overstayers and status violators and includes social media information, can be shared with any law enforcement authorities engaged in collecting law enforcement intelligence “whether civil or criminal.” 42DHS Privacy Office, Notice of Privacy Act System of Records, ICE–015 LeadTrac System of Records, 81 Fed. Reg. 52700 (August 9, 2016) (hereinafter LeadTrac SORN), https://www.regulations.gov/document?D=DHS-2016-0053-0001.

Information shared with agencies can proliferate even further because DHS frequently does not place limits on re-dissemination. USCIS’s Alien Files system, for example, stores social media information on people applying for immigration benefits (such as a change of status from one type of visa to another, or naturalization) but does not seem to limit re-dissemination. 43The Alien File, or A-File, is the official file for all immigration records. DHS Privacy Office, Notice of Modified Privacy Act System of Records, Alien File, Index, and National File Tracking System of Records, 82 Fed. Reg. 43556 (October 18, 2017) (hereinafter A-Files SORN), https://www.gpo.gov/fdsys/pkg/FR-2017-09-18/pdf/2017-19365.pdf. In addition, sometimes databases ingested by DHS do not adequately reflect the dissemination restrictions of the original system. For example, the Department of State databases for visa applications include some modest sharing restrictions, but it does not appear that these restrictions are honored when the State Department information is ingested into CBP’s systems. 44 See infra text accompanying notes 118-131. Justice Department documents from April 2019 describing the expansion of social media identifier collection state that “information obtained from applicants . . . is considered confidential” though it “may be made available to a court or provided to a foreign government.” However, the document does not mention the extensive sharing arrangement with ATS. Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Electronic Application for Immigrant Visa and Alien Registration,” OMB Number 1405-0185, DS-260, April 11, 2019, 18, https://www.reginfo.gov/public/do/DownloadDocument?objectID=85760502. Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Application for Nonimmigrant Visa,” OMB Number 1405-0182, DS-160 and DS-156, April 11, 2019, 19-20, https://www.reginfo.gov/public/do/DownloadDocument?objectID=85743802; ATS 2017 PIA 8-9.

8. DHS systems retain information for long periods, sometimes in violation of the department’s own rules.

While databases are part of how DHS carries out its functions, its extended retention of large pools of personal information untethered to any suspicion of criminal activity raises serious concerns about privacy risks and misuse of data. 45See generally Rachel Levinson-Waldman, What the Government Does With Americans’ Data, Brennan Center for Justice, October 8, 2013, https://www.brennancenter.org/sites/default/files/publications/Data%20Retention%20-%20FINAL.pdf. In 1974, the Church Committee’s report on surveillance abuses by U.S. intelligence agencies warned: “The massive centralization of . . . information creates a temptation to use it for improper purposes, threatens to ‘chill’ the exercise of First Amendment rights, and is inimical to the privacy of citizens.” 46Select Committee to Study Government Operations With Respect to Intelligence Activities, Final Report, S. Rep. No. 94-755, pt. 3, 778 (1976), https://www.intelligence.senate.gov/sites/default/files/94755_III.pdf/a>. The accumulation of data intrudes on people’s privacy by allowing government authorities to know the details of their personal lives. These risks have only become greater because data — including what we say on social media — can be so readily combined and searched.

To manage these types of risks, as well as to ensure that inaccurate and out-of-date information is weeded out, DHS’s data systems incorporate rules that limit the retention of information beyond a specified time frame. Unfortunately, these retention limits are often not carried over from one DHS database to another, so that once social media information is shared (often automatically), it is kept in the receiving database for longer than intended.

For example, CBP’s ATS stores a range of data from various sources, and as DHS admits, it fails to “consistently follow source system retention periods,” instead retaining most information for 15 years by default. 47ATS 2017 PIA, 14. This means that information stored in ATS, such as Visa Waiver Program applications that include applicants’ social media identifiers and are supposed to be kept for no more than three years, may be retained for five times that long. 48ESTA 2016 PIA, 6 (noting that, after being retained for up to three years, ESTA application data must then enter archive status). However, it does not appear that ATS adheres to this rule. ATS 2017 PIA, 77.

The lack of respect for retention rules is not limited to particular programs either. Since 2015, data from ATS has been copied in bulk to go into the consolidated DHS-wide Data Framework, a new system that is expected to play an enormous role in the agency’s operations. 49DHS, Privacy Impact Assessment for the DHS Data Framework — Interim Process to Address an Emergent Threat, DHS/ALL/PIA-051, April 15, 2015 (hereinafter Data Framework — Interim Process PIA), 8, https://www.dhs.gov/sites/default/files/publications/privacy-pia-dhswide-dataframework-april2015.pdf. See infra text accompanying notes 218-231. Because ATS does not abide by source restrictions, the Data Framework likely does not comply with such restrictions either, and will instead rely on data that may be outdated, incorrect, or already deleted from the source system. 50The Data Framework operates under an interim process in which data is not tagged with the relevant retention restrictions. Ibid., 8-9. See infra text accompanying note 225.

Moreover, some systems have long retention periods by design. USCIS’s Alien Files — which contain the official record of an individual’s visa and immigration history and may include social media information — are stored for 100 years after the individual’s date of birth. 51A-Files SORN, 43564. Long retention periods for social media information further exacerbate the risk of misinterpretation. A social media post from 2007 may take on a whole new meaning by 2022, and even more so decades later.

The appendix at the end of this report contains further details on the retention of information in DHS systems.


As the findings above show, DHS incorporates social media into almost all aspects of its immigration operations, from visa vetting to searches of travelers to identifying targets for deportation. Hundreds of thousands or even millions of people, including Americans, are caught up in this net. While some of what the department is doing may well be justified, the scope of its monitoring activities is hidden behind jargon-filled notices and only rarely evaluated. Policymakers and the public need to know the when, why, what, and how behind DHS social media monitoring so that they can make informed judgments about the risk, efficacy, and impact of these initiatives.

End Notes

Customs and Border Protection

Customs and Border Protection (CBP) is the arm of DHS charged primarily with securing the nation’s borders. CBP uses social media information as part of its review of applications to enter the United States. Social media information is also part of CBP’s preflight risk assessments and watch list screening and is used to develop broader intelligence analysis products. 1CBP screens travelers before they board a flight on a U.S.-registered airline anywhere in the world, regardless of whether or not the flight touches down in the United States or flies in U.S. airspace. DHS, Privacy Impact Assessment Update for the Automated Targeting System — TSA/CBP Common Operating Picture, Phase II, DHS/CBP/PIA-006(d), September 16, 2014 (hereinafter ATS-TSA PIA, Common Operating Picture, Phase II), 3, https://www.dhs.gov/sites/default/files/publications/privacy_pia_cbp_tsacop_09162014.pdf. CBP and TSA cooperate closely in conducting screenings. See infra text accompanying notes 277-297 for more on CBP’s preflight screening and watch listing. CBP’s reliance on social media to perform these critically important functions is misplaced. DHS’s own pilot programs show that social media information is rarely a reliable basis for making judgments. And the vague standards used to assess social media invite discrimination against certain individuals, such as those involved in protest and activism and Muslim travelers. Unreliable social media information is easily shared within and beyond DHS, exposing personal information to a range of actors and increasing the risk that the data will be used out of context.

1. Visa Vetting

A. Visa Waivers (ESTA Program)

DHS, in consultation with the State Department, administers the Visa Waiver Program, through which citizens of 38 mainly Western European countries can travel to the United States for business or tourism without obtaining a visa. 2ESTA, U.S. Travel Authorization Application, “Visa Waiver Countries,” "http://www.esta.us/visa_waiver_countries.html. However, if an individual traveled to Iran, Iraq, Sudan, Syria, Libya, Somalia, or Yemen on or after March 1, 2011, he or she is ineligible for the program. CBP, “Visa Waiver Program Improvement and Terrorist Travel Prevention Act, Frequently Asked Questions,” https://www.cbp.gov/travel/international-visitors/visa-waiver-program/visa-waiver-program-improvement-and-terrorist-travel-prevention-act-faq. In fiscal year 2017, more than 23 million travelers came to the United States through the program. 3See DHS Office of Immigration Statistics, Table 28, “Nonimmigrant Admissions (I-94 Only).” Travelers from these countries who wish to obtain a visa waiver must complete a mandatory online application on the Electronic System for Travel Authorization (ESTA). 4Visa waiver applicants who do not submit the online ESTA form must complete an I-94W form when they arrive at the border, but they may be denied boarding, experience delayed processing, or be denied admission. CBP, “Frequently Asked Questions About the Visa Waiver Program (VWP) and the Electronic System for Travel Authorization (ESTA),” 2016. The information provided through ESTA is vetted against security and law enforcement databases to determine whether applicants are eligible to travel under the program and to ensure they do not pose a law enforcement or security risk. 5ESTA 2016 PIA, 5. If an applicant does not qualify for the Visa Waiver Program, he or she must go through the nonimmigrant visa application process. CBP, “ESTA Application Denied,” June 14, 2017, https://help.cbp.gov/app/answers/detail/a_id/1074/~/esta-application-denied. These travelers are also continually screened in real time. 6DHS, “National Targeting Center: Passenger Operations,” in CBP Presidential Transition Records, 5, https://www.dhs.gov/sites/default/files/publications/CBP%20Presidential%20Transition%20Records.pdf.

Social media information is increasingly being used in this process to vet for national security concerns, although only one American was killed in a terrorist attack by a traveler on the Visa Waiver Program between 1975 and 2017, according to a study by the Cato Institute. 7The attack by a VWP traveler killing one American resident occurred in 1990. Alex Nowrasteh, “Terrorists by Immigration Status and Nationality: A Risk Analysis, 1975-2017,” Policy Analysis no. 866, May 7, 2019, https://www.cato.org/publications/policy-analysis/terrorists-immigration-status-nationality-risk-analysis-1975-2017. While social media checks were previously used by CBP, the agency added a new question to the forms in December 2016, asking all applicants to voluntarily provide their social media identifiers, such as any usernames and platforms used. 8ESTA 2016 PIA, 2. OMB, Notice of Office of Management and Budget Action, “Arrival and Departure Record” (noting that the social media identifier collection was approved on December 19, 2016). ESTA privacy documents note that providing social media information is “optional” for visa waiver applicants and omission will not affect their eligibility determination. ESTA SORN; DHS Privacy Office, Notice of Privacy Act System of Records, CBP — 009 Electronic System for Travel Authorization System of Records Notice, 81 Fed. Reg. 39680 (June 17, 2016), https://www.gpo.gov/fdsys/pkg/FR-2016-06-17/pdf/2016-14422.pdf. Regardless, applicants will likely feel pressure to comply. The ESTA form requires applicants to affirm that the information they have supplied is “true and correct.” If they provide their username for one social media account but not for another, they may worry that their submission will be perceived as untruthful. See Brennan Center for Justice, Comments to CBP, August 22, 2016, https://www.brennancenter.org/sites/default/files/321910883-Brennan-Center-Submits-Comments-on-DHS-Plan-to-Collect-Social-Media-Information.pdf. If applicants choose to provide identifying information, officers may use it to locate their profiles and accounts when the initial screening indicates “possible information of concern” or “a need to further validate information.” 9ESTA 2016 PIA, 2. CBP, Frequently Asked Questions, “How will CBP use my social media information collected through the additional question that was added to the ESTA application in December 2016?” https://esta.cbp.dhs.gov/esta/application.html?execution=e2s1/a>.

Regardless of whether ESTA applicants have chosen to provide their social media identifiers, CBP officers may still choose to manually check their accounts; it does not appear that the officer must first make a finding of “possible information of concern” or “a need to further validate information” in order to do so. 10ESTA 2016 PIA, 2. In such instances, in addition to the interpretive issues identified above, it is unclear how CBP officials confirm that they have correctly connected the applicant to the right social media accounts. This was a recurring problem in the pilot programs discussed previously. 11See supra text accompanying notes 16-24.

Publicly available documents do not indicate what types of postings on social media would be considered by CBP to be indicative of a national security threat. 12The information is also used for “law enforcement vetting purposes,” which could mean ensuring that there are no criminal charges against an ESTA applicant but could also be construed more broadly, and for “eligibility determinations,” which presumably would reflect the legal parameters of immigration law. ESTA 2016 PIA, 2. But the vagueness of the standards creates the risk that innocuous social media activity will be used as a means of excluding people of certain political or religious beliefs. In a nod to this risk, CBP documents state that information from social media “will not” be the sole basis upon which CBP denies someone entry to the United States. 13ESTA 2016 PIA, 4. But this restriction may not be particularly effective because CBP could combine one questionable or weak social media “find” with virtually any other information to deny a visa waiver. For example, CBP and other arms of DHS are not permitted to use ethnicity as the sole basis for suspecting an individual is undocumented, but ethnicity combined with other factors — such as appearing nervous — has been used to stop people on suspicion of undocumented status. 14See, for example, Kavitha Surana, “How Racial Profiling Goes Unchecked in Immigration Enforcement,” ProPublica, June 8, 2018, https://www.propublica.org/article/racial-profiling-ice-immigration-enforcement-pennsylvania. According to a former ICE agent, officers use observations about people’s demeanor to evaluate whether they might be undocumented, such as “when people speak only Spanish” or “appear nervous when encountered by an immigration officer.” Ibid.

The social media check can also extend to associates who posted on or interacted with an applicant on their social media profile, which could include Americans and other contacts living in the United States if “relevant to making an ESTA determination.” 15ESTA 2016 PIA, 4. In addition, CBP uses “link analysis” to proactively identify contacts of applicants (e.g., friends, followers, or “likes”), as well as the applicant’s secondary and tertiary contacts who might “pose a potential risk to the homeland” or “demonstrate a nefarious affiliation on the part of the applicant.” 16Ibid., 5. CBP has no qualms about drawing adverse conclusions from things that third parties have posted — rather, it “presumes” that at least some of the information posted on the applicant’s site, including from third parties, is accurate because “individuals generally have some degree of control over what is posted on their sites.” 17Ibid., 3-4.

Thus, even if nothing posted by the applicant suggests he or she poses a risk, CBP could still potentially deny a visa waiver based in part on concerns related to a tweet posted by a “friend” or follower, who could easily be someone the applicant does not even know. Unfortunately, unlike some other DHS programs, there is no opportunity for the applicant to address or explain the inferences that CBP draws from their social media.

DHS rules require officers to collect only the minimum personally identifiable information “necessary for the proper performance of their authorized duties.” 18DHS, Directive 110-01, “Privacy Policy for Operational Use of Social Media,” June 8, 2012, 8, https://www.dhs.gov/sites/default/files/publications/Instruction_110-01-001_Privacy_Policy_for_Operational_Use_of_Social_Media.pdf. But according to the 2017 privacy audit of ESTA, DHS’s Privacy Office could not verify whether CBP was adhering to this requirement. 19CBP, Privacy Compliance Review of the U.S. Customs and Border Protection Electronic System for Travel Authorization, October 27, 2017, 8, https://www.dhs.gov/sites/default/files/publications/CBP-ESTA%20PCR%20final%20report%2020171027.pdf. Other significant controls — that DHS officers are limited to reviewing publicly available information and must use official DHS accounts to conduct such checks — can be circumvented using a technique called “masked monitoring.” 20ESTA 2016 PIA, 4-5. But the circumstances triggering such monitoring and the applicable rules are not publicly available. 21The detailed CBP rules implementing the directive, which were obtained by the Brennan Center via FOIA, confirm that its officers can undertake masked monitoring, but the triggers and rules for utilizing this technique are redacted. DHS, “DHS Operational Use of Social Media,” July 24, 2012, 5, https://www.brennancenter.org/sites/default/files/analysis/FOIA-CBP%20Social%20Media%20Use%20Template.pdf.

All social media information about those applying for visa waivers (and potentially about their friends and contacts), as well as other data from ESTA applications and related paperwork, is stored in CBP’s Automated Targeting System (ATS). 22ESTA 2016 PIA, 5. CBP agents use the information in ATS to assign risk assessments to travelers, which can impact their vetting and questioning at the border. ATS risk assessments and other analyses also feed into a number of watch lists, such as the FBI’s Terrorist Screening Database and TSA Watch Lists, as well as analytical products on trends and threats. 23ATS 2017 PIA, 25. The role of ATS in preflight and watch list screening is described in more detail in the TSA section; See infra text accompanying notes 258-297. Various records from ATS are shared with CBP’s Analytical Framework for Intelligence (AFI), which is used to create various analytical products. See DHS, Privacy Impact Assessment Update for the Analytical Framework for Intelligence (AFI), DHS/CBP/PIA-010(a), September 1, 2016 (hereinafter AFI 2016 PIA), 1, 3, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp-010-a-afi-2016.pdf; See infra text accompanying notes 236-255. In other words, what a person says on social media, which is often context-specific and ambiguous to outsiders, feeds into every aspect of CBP’s work and that of DHS more broadly.

ESTA information — about applicants and their friends and families — is also disseminated widely to a broad range of entities, including the Departments of Justice and State. 24ESTA SORN, 60717. As of December 2018, the National Vetting Center (NVC), a presidentially created clearinghouse and coordination center for vetting information, has been involved in ESTA’s work. 25See National Security Presidential Memorandum (NSPM-9), “Optimizing the Use of Federal Government Information in Support of the National Vetting Enterprise,” February 6, 2018, https://www.whitehouse.gov/presidential-actions/presidential-memorandum-optimizing-use-federal-government-information-support-national-vetting-enterprise/; DHS, “Plan to Implement the Presidential Memorandum on Optimizing the Use of Federal Government Information in Support of the National Vetting Enterprise,” August 5, 2018, https://www.dhs.gov/sites/default/files/publications/NSPM-9%20Implementation%20Plan.pdf; DHS, Privacy Impact Assessment for the National Vetting Center (NVC), DHS/ALL/PIA-072, December 11, 2018, https://www.dhs.gov/sites/default/files/publications/privacy-pia-dhsall072-nvc-december2018.pdf. CBP is required to regularly share ESTA application data with a number of agencies involved in the NVC, including the CIA and the Department of Defense, to be compared against the holdings of those agencies. 26DHS, “Plan to Implement the Presidential Memorandum,” 13. Beyond the bulk sharing with the NVC, ESTA information sharing with other agencies is not confined to situations in which there is an indication that the traveler has violated the law. Rather, it can take place simply when DHS determines that the information “would assist in the enforcement of civil or criminal matters.” 27Information may be shared with any “appropriate federal, state, tribal, local, international, or foreign law enforcement agency or other appropriate authority charged with investigating or prosecuting a violation or enforcing or implementing a law, rule, regulation, or order.” ESTA SORN, 60717. In addition, DHS and the National

Counterterrorism Center (NCTC), which is charged with collecting counterterrorism intelligence, have entered into a memorandum of understanding allowing DHS to disclose the entire ESTA data set to the NCTC. 28For more on the NCTC, See National Counterterrorism Center, Today’s NTC, August 2017, 3, https://www.dni.gov/files/NCTC/documents/features_documents/NCTC-Primer_FINAL.pdf; Sari Horwitz and Ellen Nakashima, “New Counterterrorism Guidelines Permit Data on U.S. Citizens to Be Held Longer,” Washington Post, March 22, 2012, https://www.washingtonpost.com/world/national-security/new-counterterrorism-guidelines-would-permit-data-on-us-citizens-to-be-held-longer/2012/03/21/gIQAFLm7TS_story.html. DHS, Privacy Impact Assessment Update for the Electronic System for Travel Authorization, DHS/CBP/PIA-007(c), June 5, 2013 (hereinafter ESTA 2013 PIA), 3-4, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp-esta-update-20130606_0.pdf. The memorandum of understanding was updated in 2013. Ibid., 5. See also Rachel Levinson-Waldman, What the Government Does With Americans’ Data, 20 (noting that NCTC has access to data related to international travel and immigration benefits, as well as financial data, none of which is related to terrorism). This data set would go far beyond information about individuals suspected of any connection to terrorism and would include information gathered during routine interactions with the public (e.g., screening travelers, reviewing immigration benefit applications, issuing immigration benefits). 29ESTA 2013 PIA, 2-4, n8.

In sum, the ESTA program demonstrates that CBP collects highly personal information available on social media about those applying for visa waivers and the people in their networks. CBP uses this information, which is highly contextual and subject to interpretation, to decide whether an individual poses an undefined “security risk.” All of this information is stored in DHS databases for years and potentially used for a range of purposes, often far removed from the purpose of the initial collection. 30See supra text accompanying notes 109-110. The information is shared in bulk with the NCTC, and with other law enforcement agencies as long as it could be of “assistance” to them, creating risks to privacy and freedom of speech and association.

B. Visa Applications

The State Department has ramped up its collection of social media information from people applying for visas, which it shares with DHS to be vetted using ATS. 31Visa application data from two Department of State sources, the Consular Consolidated Database and the Consular Electronic Application Center, are compared with existing information in CBP’s ATS for vetting purposes. ATS 2017 PIA, 8-9, 59-60. The Consular Consolidated Database contains records of all visa applications, beginning from the mid-1990s — a total of more than 140 million records. Ruth Ellen Wasem, Immigration: Visa Security Policies, Congressional Research Service, R43589, 2015, 6, https://fas.org/sgp/crs/homesec/R43589.pdf. The Consular Consolidated Database receives information from ATS indicating whether or not DHS identified derogatory information about the visa applicant. If ATS identifies derogatory information relating to an application, that application is referred for manual review. If, following manual review, an applicant is determined to be eligible for a visa, an updated response is sent to the Consular Consolidated Database. ATS 2017 PIA, 34. In May 2017, the State Department began requiring some categories of visa applicants — estimated at 65,000 per year — to provide the identifiers they used on all social media platforms within the previous five years. 32Department of State, “Notice of Information Collection Under OMB Emergency Review.” It seems likely that this move was aimed primarily at travelers from the Muslim ban countries; the Federal Register notice announcing the rule change indicated that it was being implemented as part of the Muslim ban, and the notice’s estimate of the number of travelers who would be affected by the change approximately matched those affected by the overall ban. 33Ibid. The estimate in the Federal Register notice that about 65,000 people will be subject to “increased scrutiny” closely tracks the roughly 68,000 nonimmigrant visas issued in 2016 to nationals of the seven countries included in the first travel ban. See Department of State, Bureau of Consular Affairs, Table XVIII: “Nonimmigrant Visas Issued by Nationality (Including Border Crossing Cards), Fiscal Year, 2007–2016,” https://travel.state.gov/content/dam/visas/Statistics/AnnualReports/FY2016AnnualReport/FY16AnnualReport-TableXVIII.pdf. Additionally, the State Department’s first attempt at implementing the new rule requiring some categories of visa applicants to provide their social media identifiers — which was halted due to litigation — directed consular officials to implement these measures for all nationals of the initial Muslim ban countries. Department of State, “Implementing Immediate Heightened Screening and Vetting of Visa Applications,” 17 STATE 24324, ¶ 9-14, http://live.reuters.com/Event/Live_US_Politics/791246151. See also Alex Nowrasteh, “New Trump Executive Order Fails Cost-Benefit Test,” Cato at Liberty (blog), Cato Institute, September 25, 2017, https://www.cato.org/blog/new-trump-executive-order-fails-cost-benefit-test (noting that, had the third iteration of the Muslim ban — Presidential Proclamation 9645 — been in effect in 2016, “it would have halted the travel, migration and immigration of roughly 66,000 people”); Patel and Panduranga, “Trump’s Latest Half-Baked Muslim Ban.”

In March 2018, the State Department sought to vastly expand the collection of social media identifiers to the approximately 15 million people who apply for visas each year. 34Department of State, “60-Day Notice of Proposed Information Collection: Application for Immigrant Visa and Alien Registration”; Department of State, “60-Day Notice of Proposed Information Collection: Application for Nonimmigrant Visa.” The social media identifiers will be collected via the visa application forms DS-156, 160, and 260, all three of which are stored in the Consular Consolidated Database. Department of State, Bureau of Consular Affairs Visa Services, “Records Disposition Schedule,” https://www.archives.gov/files/records-mgmt/rcs/schedules/departments/department-of-state/rg-0084/n1-084-09-002_sf115.pdf. See also Brennan Center for Justice et al., Comments to Department of State, “Re: DS-160 and DS-156, Application for Nonimmigrant Visa, OMB Control No. 1405-0182; DS-260, Electronic Application for Immigrant Visa and Alien Registration, OMB Control No. 1405-185.” The Office of Management and Budget (OMB) approved the proposal in April 2019, which means the State Department will begin collecting from nearly all visa applicants their social media identifiers associated with any of 20 listed social media platforms, more than half of which are based in the United States (Facebook, Flickr, Google+, Instagram, LinkedIn, Myspace, Pinterest, Reddit, Tumblr, Twitter, Vine, and YouTube). 35OMB, Notice of Office of Management and Budget Action, “Online Application for Nonimmigrant Visa”; OMB, Notice of Office of Management and Budget Action, “Electronic Application for Immigrant Visa and Alien Registration.” See Department of State, Consolidated Nonimmigrant Visa Application, DS-0156, 2, https://www.regulations.gov/contentStreamer?documentId=DOS-2018-0002-0001&attachmentNumber=2&contentType=pdf; Department of State, Online Immigrant Visa and Alien Registration Application, OMB Submission, DS-260, 13, https://www.reginfo.gov/public/do/DownloadDocument?objectID=85760401. The other platforms are based in China (Douban, QQ, Sina Weibo, Tencent Weibo, and Youku), Russia (Vkontakte), Belgium (Twoo), and Latvia (Ask.fm). 36See Department of State, Consolidated Nonimmigrant Visa Application, DS-0156, 2; Department of State, Online Immigrant Visa and Alien Registration Application, DS-260, 13. Applicants will also have the option of providing identifiers for platforms not included on the list. 37Department of State, Consolidated Nonimmigrant Visa Application, DS-0156, 2; Department of State, Online Immigrant Visa and Alien Registration Application, DS-260, 13; Department of State, “60-Day Notice of Proposed Information Collection: Application for Immigrant Visa and Alien Registration”; Department of State, “60-Day Notice of Proposed Information Collection: Application for Nonimmigrant Visa.”

As with the DHS social media collection programs described throughout this paper, there is limited information on what the State Department’s review of applicants’ social media activity will entail. We only know that it is meant to enable consular officers to confirm applicants’ identity and adjudicate their eligibility for a visa under the Immigration and Nationality Act. 38Under applicable U.S. law, an applicant may be ineligible for a visa on grounds, among others, related to health, crime, labor, terrorism, and prior immigration violations. See8 U.S.C. § 1182(a); 8 U.S.C. § 1184(b); 8 U.S.C. § 1158(d)(6). Section 1202(a) provides that an applicant for an immigrant visa must “state his full and true name, and any other name which he has used or by which he has been known; age and sex; the date and place of his birth; and such additional information necessary to the identification of the applicant and the enforcement of the immigration and nationality laws as may be [required] by regulations prescribed.” 8 U.S.C.A. § 1202(a). Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Electronic Application for Immigrant Visa and Alien Registration,” 10-11; Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Application for Nonimmigrant Visa,” 11. While the notice does state that “the collection of social media platforms and identifiers will not be used to deny visas based on applicants’ race, religion, ethnicity, national origin, political views, gender, or sexual orientation,” this restriction is easily circumvented: a social media post revealing an applicant’s religious or political affiliation may not alone justify denial, but other information in his or her file could easily be used as a pretext, particularly given the broad discretion exercised by consular officials. 39Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Application for Nonimmigrant Visa,” 20; Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Electronic Application for Immigrant Visa and Alien Registration,” 18-19. According to the statement supporting the notice, consular officers will also be directed not to request passwords, violate the applicant’s privacy settings or the platforms’ terms of service, or engage with the applicant on social media; to comply with State Department guidance limiting the use of social media; and to avoid collecting third-party information. 40Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Application for Nonimmigrant Visa,” 8-9, 20; Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Electronic Application for Immigrant Visa and Alien Registration,” 8, 19.

The State Department’s expected trove of information will likely be used for a variety of purposes beyond visa vetting. Social media identifiers collected by the State Department will be stored in the Consolidated Consular Database, which is ingested into ATS and becomes available to DHS personnel. 41ATS 2017 PIA, 3, 35-37. The Justice Department’s supporting statement describing the expansion of social media identifier collection states that “information obtained from applicants . . . is considered confidential” though it “may be made available to a court or provided to a foreign government.” See Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Electronic Application for Immigrant Visa and Alien Registration,” 18. All Consular Consolidated Database (CCD) visa record reports are subject to confidentiality requirements and cannot be shared without the permission of the Department of State. Department of State, Privacy Impact Assessment (PIA), Consular Consolidated Database (CCD), Version 04.00.00, July 17, 2015 (hereinafter CCD 2015 PIA), 8, https://www.state.gov/documents/organization/242316.pdf. However, the supporting statement does not mention the extensive sharing arrangement with ATS, and it remains unclear how far social media identifiers and other CCD information may spread within DHS and to external agencies after being ingested into ATS. The CCD PIA from 2015, which predates the social media identifier collection, lists CBP as an external organization with which CCD may share information but does not address privacy concerns related to the extensive sharing of personally identifiable information with CBP. CCD 2015 PIA, 11. See also ATS 2017 PIA, 8, 11. In 2016, the CCD was found to have glaring security vulnerabilities. Mike Levine and Justin Fishel, “Exclusive: Security Gaps Found in Massive Visa Database,” ABC News, March 31, 2016, https://abcnews.go.com/US/exclusive-security-gaps-found-massive-visa-database/story?id=38041051. Further, that information will be used in coordination with other department officials and partner U.S. government agencies. 42Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Application for Nonimmigrant Visa,” 2; Department of State, “Supporting Statement for Paperwork Reduction Act Submission: Electronic Application for Immigrant Visa and Alien Registration,” 2. Indeed, numerous other agencies have access to the visa records system in which applicants’ social media information will be stored, and — along with foreign governments — can obtain information from the system. 43Department of State, Notice of a Modified System of Records, Visa Records, State-39, 83 Fed. Reg. 28062 (June 15, 2018) (hereinafter Visa SORN), https://www.govinfo.gov/content/pkg/FR-2018-06-15/pdf/2018-12871.pdf. Agencies such as the CIA and the Department of Defense may soon have access to State Department visa information through the National Vetting Center (NVC), and the State Department is likely to share the visa data it collects with DHS through the NVC as well. See supra text accompanying notes 111-114; “Plan to Implement the Presidential Memorandum,” 8. See National Security Presidential Memorandum, “Optimizing the Use of Federal Government Information in Support of the National Vetting Enterprise.”

In sum, the State Department’s collection of social media information, which already includes 65,000 visa applicants (likely those targeted by Trump’s Muslim ban), is on track to begin creating a registry that will include 15 million people after the first year alone. Not only will this information be used by the State Department in undefined ways to make visa determinations, but it will be yet another source of personal information that is funneled into DHS’s many interconnected and far-reaching systems. 44See infra text accompanying notes 198-256.

2. Warrantless Border Searches

CBP conducts warrantless searches at the border on a wide variety of electronic devices, such as phones, laptops, computers, and tablets, many of which are likely to result in the collection of social media information. According to CBP, these searches are meant to help uncover evidence concerning terrorism and other national security matters, criminal activity like child pornography and smuggling, and information about financial and commercial crimes. 45CBP 2018 Directive, 1. However, CBP documents also describe these searches as “integral” to determining an individual’s “intentions upon entry” and to providing other information regarding admissibility. 46Ibid.

While some of these searches are conducted manually, CBP also has technical tools for extracting information from these devices, potentially including information stored remotely. 47The relevant CBP directive is somewhat confusing in regard to information stored remotely. On one hand, it states that officers “may not intentionally use the device to access information that is solely stored remotely” for CBP basic or advanced searches. CBP 2018 Directive, 4; CBP Electronic Border Searches 2018 PIA, 8. But the same directive notes that “an advanced search is any search in which an Officer connects external equipment, through a wired or wireless connection, to an electronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.” CBP 2018 Directive, 5. It has purchased powerful handheld Universal Forensic Extraction Devices (UFEDs), developed by the Israeli company Cellebrite, which can be plugged into phones and laptops to extract in a matter of seconds the entirety of a device’s memory, including all data from social media applications both on the device and from cloud-based accounts like Facebook, Gmail, iCloud, and WhatsApp. 48The website USASpending lists CBP contracts for UFEDs totaling $1,594,366. CBP contract with Cellebrite, May 12, 2009–September 25, 2018, USASpending, https://www.usaspending.gov/#/search/134309b58a47879206e3a328a4e47ec5. See Jose Pagliery, “Cellebrite Is the FBI’s Go-To Phone Hacker,” CNN, April 1, 2016, https://money.cnn.com/2016/03/31/technology/cellebrite-fbi-phone/index.html; “The Feds Can Now (Probably) Unlock Every iPhone Model in Existence,” Forbes, February 26, 2018,https://www.forbes.com/sites/thomasbrewster/2018/02/26/government-can-access-any-apple-iphone-cellebrite/#70d4f042667a; Cellebrite, “UFED Cloud Analyzer,” https://www.cellebrite.com/en/products/ufed-cloud-analyzer/.

Searches by CBP of travelers’ electronic devices at ports of entry have increased dramatically over the past several years. In fiscal year 2015, 8,503 people had their devices searched. 49CBP, “CBP Releases Statistics on Electronic Device Searches.” By fiscal year 2017, the number had reached 30,200 — an increase of over three and a half times. 50CBP, “CBP Releases Updated Border Search of Electronic Device Directive and FY17 Statistics.” According to CBP, these searches do not require a warrant, due to “a reduced expectation of privacy associated with international travel.” 51CBP 2018 Directive, 3. Both American and foreign travelers are subjected to these warrantless searches. 52While DHS itself does not provide a breakdown, ABC News reports that about 80 percent of searches are of noncitizens, which would mean that in fiscal year 2017, CBP conducted more than 6,000 searches of devices belonging to U.S. citizens. Sands, “Searches of Travelers’ Electronic Devices Up Nearly 60 Percent.” In 2017,

10 U.S. citizens and one green card holder filed suit challenging warrantless searches of electronic devices at the border. 53Amended Complaint, Alasaad v. Nielsen, 2017 WL 4037436 (D.Mass. Sept. 13, 2017), https://www.eff.org/files/2017/09/13/7._amended_complaint.pdf. The complaint highlights the intrusiveness of these searches, both for the person being searched and for the traveler’s family, friends, and acquaintances, given the many contact lists, email messages, texts, social media postings, and voicemails that cellphones and laptops often contain. 54Ibid.

Under a January 2018 directive, CBP is permitted to conduct two types of searches: “basic” and “advanced,” both of which would allow collection of information from social media. 55CBP 2018 Directive, 4-5. The 2018 directive changed CBP’s previous, more permissive rule, likely as a partial and belated response to a 2013 federal court decision, United States v. Cotterman. In that case, a federal court of appeals held that the fact that a device was seized at a border did “not justify unfettered crime-fighting searches or an unregulated assault on citizens’ private information,” and required that officers have reasonable suspicion of criminal activity to conduct forensic searches of electronic devices. 56United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013). ICE continues to operate under the older regime, however, and CBP is permitted to refer travelers to ICE at any stage of the inspection process, at which point ICE’s more permissive policy would apply. 57DHS, Privacy Impact Assessment for CBP and ICE Border Searches of Electronic Devices, August 25, 2009 (hereinafter ICE/CBP Electronic Device Searches 2009 PIA), 4, https://www.dhs.gov/sites/default/files/publications/privacy_pia_cbp_laptop.pdf; ICE 2009 Directive, Border Searches of Electronic Devices, 2.

Under CBP’s new rules, a basic search permits an agent to view information that “would ordinarily be visible by scrolling through the phone manually.” 58CBP Electronic Border Searches 2018 PIA, 6. No suspicion of criminal wrongdoing or national security risk is required for basic searches. For either type of search, agents are prohibited from “intentionally” accessing data that is “solely stored remotely”; only information that is “resident on the device and accessible through the device’s operating system or through other software, tools, or applications” may be viewed. 59CBP 2018 Directive, 4. This restriction was absent from CBP’s original electronic border search directive (2009). In response to questions posed by Senator Ron Wyden, CBP clarified that its agents do not access information found on remote servers during electronic device searches, but it did not state how agents were to ensure this in practice (e.g., disabling connectivity via airplane mode). CBP, “Due Diligence Questions for Kevin McAleenan, Nominee for Commissioner of U.S. Customs and Border Protection (CBP),” June 20, 2017, 3, https://www.washingtonpost.com/blogs/the-switch/files/2017/07/cbp-wyden.pdf. CBP officers are supposed to disable network connectivity or request that the traveler do so (e.g., by switching to airplane mode) prior to the search; they are also supposed to conduct the search in the presence of the traveler in most circumstances, though the individual will not always observe the actual search. 60The officer may disconnect the device herself or conduct the search without the individual present if there are national security, law enforcement, officer safety, or other operational considerations. CBP 2018 Directive, 5, 6.

Despite these new guidelines, CBP agents will probably still be able to access social media information during a search. If a traveler has social media data downloaded onto his or her device or cached in some way, it is likely accessible even if connectivity is turned off. 148 For example, if a traveler was scrolling through a Twitter or Facebook feed prior to being selected for a search, any loaded data, such as his or her newsfeed, would be accessible on the user’s phone or laptop.

The officer may also request that the traveler provide any passcodes needed to access the contents of a device. 61Esha Bhandari, staff attorney, American Civil Liberties Union, email message to authors, August 13, 2018. Although a traveler can refuse to provide a code, CBP may then keep the device in order to try to access its contents by other means. 62Ibid. U.S. citizens must be admitted to the country even if they do not provide passcodes, though their phones may still be held for five days or longer. 63Unless unspecified “extenuating circumstances” exist, CBP policy states that devices should not be detained for longer than five days . CBP 2018 Directive, 7 . Noncitizens, however, including visa holders and tourists from visa waiver countries, may be denied entry entirely. 64See Seth Schoen, Marcia Hofmann, and Rowan Reynolds, “Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices,” Electronic Frontier Foundation, December 2011, 5, https://www.eff.org/files/eff-border-search_2.pdf. There are a variety of reasons why a noncitizen may be denied entry. See Immigration and Nationality Act § 212(a), 8 U.S.C. § 1182 (2010). See also Daniel Victor, “What Are Your Rights if Border Agents Want to Search Your Phone?” New York Times, February 14, 2017, https://www.nytimes.com/2017/02/14/business/border-enforcement-airport-phones.html.

An advanced search occurs when an officer connects an electronic device to external equipment, via a wired or wireless connection, to review, copy, or analyze its contents. 65CBP 2018 Directive, 5. In 2007, CBP began using external equipment for advanced searches at four ports of entry. As of July 2017, such use had expanded to 67 ports of entry. Office of Inspector General, DHS, CBP’s Searches of Electronic Devices at Ports of Entry, December 3, 2018 (hereinafter OIG 2018 Electronic Device Report), 9, https://www.oig.dhs.gov/sites/default/files/assets/2018-12/OIG-19-10-Nov18.pdf. Advanced searches are highly intrusive, and the tools that CBP has purchased allow it to capture all files and information on the device, including password-protected or encrypted data. 66See supra text accompanying notes 134-135.

Officers are authorized to perform advanced searches if there is reasonable suspicion that one of the laws enforced or administered by CBP has been violated or if there is a “national security concern.” 67CBP 2018 Directive, 5. In creating an exception for “national security concerns,” DHS policy departs from the Cotterman decision, which required reasonable suspicion for all forensic searches. While DHS does not define what constitutes a national security concern, national security is an expansive term that could easily swallow up the requirement of suspicion for these highly intrusive searches. The examples listed in the 2018 privacy impact assessment suggest that national security searches will be based on watch lists. However, this category includes not just lists kept by the government — primarily the FBI and DHS — but other lists as well, such as unspecified “government-vetted” watch lists and a “national security-related lookout in combination with other articulable factors as appropriate.” 68Ibid. And, of course, these examples are not exhaustive, leaving open the possibility that agents will use the cover of national security to undertake forensic searches even when there is no relevant watch list.

Following both basic and advanced searches, the officer enters notes about the interaction, including “a record of any electronic devices searched,” into TECS, CBP’s primary law enforcement system. 69CBP Electronic Border Searches 2018 PIA, 3, 6 This typically includes device details, the type of search performed (basic or advanced), and the “officer’s remarks of the inspection.” 70OIG 2018 Electronic Device Report, 4. CBP may detain a device, or copies of the information it contains, for up to five days, although it can keep a device longer when there are unspecified “extenuating circumstances.” 71CBP 2018 Directive, 7 . If there is no probable cause to seize and retain a device or the information it contains, the device must be returned to the traveler and any copies destroyed. 72Ibid. However, CBP may retain without probable cause any information “relating to immigration, customs, and other enforcement matters,” which seems to allow it to essentially circumvent the probable cause requirement. 73Ibid., 9-10. CBP can retain such information so long as “the retention is consistent with the applicable system of records notice.” Ibid. For instance, information that could be considered useful for determining whether an individual may be permitted to travel to the United States could be stored in the individual’s Alien File, 100 years after their date of birth. 74Ibid., 10; A-Files SORN, 43564

Any information that is copied directly from an electronic device during an advanced search (presumably based on probable cause) is stored in ATS, which allows agents to further analyze information collected by comparing it against various pools of data and applying ATS’s analytic and machine learning tools to recognize trends and patterns. 75CBP Electronic Border Searches 2018 PIA, 10. DHS Privacy Office, 2017 Data Mining Report to Congress, 16; ATS 2017 PIA, 1. CBP may disclose information from electronic device searches to other agencies, both within and outside DHS, if it is evidence of violation of a law or rule that those agencies are charged with enforcing. 76CBP Electronic Border Searches 2018 PIA, 15. CBP may also share the device or information from the device with third parties to receive technical assistance in accessing the device’s contents. In general, such assisting agencies are permitted to retain the information only as long as necessary to provide such assistance, unless the devices are seized on the basis of probable cause or if an assisting federal agency elects to retain it under its own independent legal authority. CBP 2018 Directive, 11.

Notably, a December 2018 DHS inspector general report concluded that CBP had not been following its own standard operating procedures prior to the implementation of the new rules. 77OIG 2018 Electronic Device Report, 1. CBP’s original policy from 2009 was in effect at the time of this review. Ibid., 5. The report, which was based on a review of CBP’s electronic device searches at ports of entry from April 2016 to July 2017, found that officers frequently did not document searches properly, that they consistently failed to disable network connection prior to search (specifically for cell phones), and that the systems used and data collected during searches were in many cases not adequately managed and secured. 78Ibid., 1. For instance, officers often failed to delete travelers’ information stored on the thumb drives used to transfer data to ATS during advanced searches. 79Ibid., 8. The report also found that CBP had no performance measures in place to assess the effectiveness of its forensic searches of electronic devices. 80Ibid., 9. The report describes CBP’s forensic electronic device searches as a “pilot program,” which was rolled out in 2009, but it is clear given the January 2018 privacy impact assessment update that forensic searches are now a permanent part of CBP’s border searches.

The 2018 directive instructed CBP to develop and periodically administer an auditing mechanism to ensure that border searches of electronic devices were complying with its requirements. 81CBP 2018 Directive, 12. However, the agency has published neither the requirements nor the results of the audits. In February 2019, the Electronic Privacy Information Center (EPIC) sued for the release of this information. 82Complaint for Injunction Relief, Electronic Privacy Information Center v. U.S. Customs and Border Protection, No. 1:19-cv-00279 (D.D.C. Feb. 1, 2019), https://epic.org/foia/cbp/border-device-search-audits/Complaint.pdf.

Even if the rules are operating as intended, they may also be applied discriminatorily. For instance, Muslim travelers have long been singled out for additional scrutiny because of their faith, 83See, for example, Holpuch and Kassam, “Canadian Muslim Grilled About Her Faith”; Sedria Renee, “Muhammad Ali Jr. on Airport Detainment: ‘I’m Not American?’ ” NBC News, February 27, 2017, https://www.nbcnews.com/news/us-news/muhammad-ali-jr-airport-detainment-i-m-not-american-n726246. See also Complaint for Injunctive and Declaratory Relief and Damages, El Ali et al. v. Sessions et al., No. 8:18-cv-02415-PX (D. Md. Aug. 8, 2018), https://papersplease.org/wp/wp-content/uploads/2018/08/watchlist-complaint-8AUG2018.pdf; American Civil Liberties Union et al. v. TSA, No. 1:15-cv-02061-JPO (S.D.N.Y. 2015), https://www.aclu.org/legal-document/aclu-v-tsa-complaint; Michael S. Schmidt and Eric Lichtblau, “Racial Profiling Rife at Airport, U.S. Officers Say,” New York Times, August 11, 2012, http://nyti.ms/lGsuvBV. which President Trump and his administration have repeatedly and inaccurately connected with “terrorism.” 84See, for example, Theodore Schleifer, “Donald Trump: ‘I Think Islam Hates Us,’ ” CNN, March 10, 2016, https://www.cnn.com/2016/03/09/politics/donald-trump-islam-hates-us/index.html; Philip Bump and Aaron Blake, “Donald Trump’s Dark Speech to the Republican National Convention, Annotated,” Washington Post, July 21, 2016, https://www.washingtonpost.com/news/the-fix/wp/2016/07/21/full-text-donald-trumps-prepared-remarks-accepting-the-republican-nomination/?utm_term=.3d7121332501; Meet the Press, July 24, 2016, NBC News, https://www.nbcnews.com/meet-the-press/meet-press-july-24-2016-n615706. Just months after the new policy was issued, the Council on American-Islamic Relations (CAIR) sued CBP on behalf of a Muslim American woman whose iPhone was seized and its contents imaged when she came home from Zurich. 85Cyrus Farivar, “Woman: My iPhone Was Seized at Border, Then Imaged — Feds Must Now Delete Data,” Ars Technica, August 23, 2018, https://arstechnica.com/tech-policy/2018/08/woman-my-iphone-was-seized-at-border-then-imaged-feds-now-must-delete-data/. She was also questioned about her travel history and whether she had ever been a refugee. 86Brief of Petitioner, Lazoja v. Nielsen, No. 18-cv-13113 (D.N.J. Aug. 23, 2018), https://assets.documentcloud.org/documents/4781285/Document.pdf. The lawsuit asked CBP to explain what suspicion warranted the forensic search and demanded deletion of the information seized. 87Ibid., 15. The government quickly settled, agreeing to delete the data it had seized. 88Cyrus Farivar, “Feds Took Woman’s Iphone at Border, She Sued, Now They Agree to Delete Data,” Ars Technica, October 31, 2018, https://arstechnica.com/tech-policy/2018/10/feds-agree-to-delete-data-seized-off-womans-iphone-during-border-search/.

In sum, CBP is increasingly deploying its claimed warrantless border search authority to search the electronic devices of both visitors and American travelers. Basic searches conducted without any suspicion of wrongdoing can result in the scrutiny of travelers’ social media information. Advanced searches will result in the collection of huge amounts of personal information, including from social media, about both the person whose device is being searched and that person’s contacts. CBP has stated that it has this broad authority in order to help uncover information related to terrorism and criminal activity and to determine admissibility. But there is little indication in public documents as to what type of content officers should be looking for, especially in deciding whether a traveler can enter the country, allowing for unfocused fishing expeditions. And these searches are not subject to even minimal safeguards—such as an instruction to avoid making decisions based solely on social media or a prohibition on profiling. And the search is just the start. CBP is permitted to retain information relating to immigration, customs, or other enforcement matters it finds useful, including a copy of the contents of phones and laptops; as discussed further below, the agency may also further analyze the information using unknown tools and algorithms. 89See infra text accompanying notes 195-256.

3. Searches Pursuant to Warrant, Consent, or Abandonment

CBP also collects information from electronic devices in three other situations:

  • When it has a warrant authorized by a judge or magistrate based on probable cause; 90DHS, Privacy Impact Assessment for U.S. Border Patrol Digital Forensics Programs, April 6, 2018 (hereinafter CBP 2018 Digital Forensics PIA), 2, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp053-digitalforensics-april2018.pdf.
  • When an officer finds an abandoned device that he or she suspects “might be associated with a criminal act” or was found in “unusual circumstances” (such as between points of entry in the “border zone,” 91Ibid., 2. the area within 100 miles of any U.S. boundary in which Border Patrol claims authority to conduct immigration checks 92Catherine E. Shoichet, “The U.S. Border Is Bigger Than You Think,” CNN, May 24, 2018, https://www.cnn.com/2018/05/23/us/border-zone-immigration-checks/index.html. CBP officials claim authority to board and search “any railway car, aircraft, conveyance, or vehicle” anywhere within a reasonable distance from any external boundary of the United States.” 8 U.S.C. § 1357(a)(3). Reasonable distance is defined as “100 air miles from any external boundary of the United States . . .” 8 C.F.R. § 287.1(a)(1). ); and
  • When the owner has consented. 93CBP 2018 Digital Forensics PIA, 2.

According to CBP, once the information is determined to be “accurate and reliable,” it is used to support the agency’s border enforcement operations and criminal investigations. 94CBP does not define accurate or reliable. Ibid., 10. DHS materials note that such information is “typically” used only to corroborate evidence already in the agency’s possession. 95Ibid. There is an exception for cases where the evidence itself indicates a violation of law — for instance, child pornography — in which case action presumably could be taken solely on the basis of information retrieved from the device. Ibid.

Agents are explicitly allowed to collect information stored in the cloud when spelled out in a warrant or when the owner consents, but it is not clear whether cloud data can be accessed from abandoned devices. 96Ibid., 8. A CBP officer or agent can submit devices found in one of the aforementioned scenarios for digital forensic analysis, which is usually undertaken by a team of agents at the intelligence unit for the relevant Border Patrol sector. 97Ibid., 3.

If the CBP agent determines after conducting one of these examinations that an electronic device holds information that is “relevant” to the agency’s law enforcement authorities, the agent may load all information into a standalone information technology system for analysis. 98In the case of searches authorized by a warrant, information must be within the scope of the warrant. Ibid., 4. This is the rare database that “may not be connected to a CBP or DHS network.” 99Ibid ., 4. (Emphasis theirs.) The tools built into these stand-alone systems allow CBP to perform various analyses on the collected information. 100Ibid., 4-5. These tools include “timeframe analysis, which can help in determining when data were entered, modified, or deleted from a device”; “detection recovery of concealed data”; “correlation of files to installed applications, examination of drive file structure, and review of metadata”; and “reviews to help to identify individuals who created, modified, or accessed a file.” Ibid., 4-5. If the analytical results produced by a system “develop leads, identify trends associated with illicit activity, and further law enforcement actions,” they will be included in an enforcement case file or law enforcement intelligence product, such as a field intelligence report, “for dissemination.” Ibid., 11. One system, ADACS4, is used to analyze data from electronic devices in order to discover “connections, patterns, and trends” relating to “terrorism” and the smuggling of people and drugs, as well as other activities that threaten border security. 101Ibid., 4. While the privacy impact assessment does not specify that ADACS4 includes social media data, it seems likely given that such information is typically found on electronic devices.

CBP retains information associated with arrests, detentions, and removals, including data obtained from electronic devices, for up to 75 years. Even information that does not lead to the arrest, detention, or removal of an individual and that may be completely irrelevant to DHS’s duties — may be stored for 20 years “after the matter is closed.” 102Ibid., 7. In the special case of information obtained through a search warrant that is subsequently found to be outside the scope of that warrant, it will be deleted from the system once the case or trial is complete. Ibid., 5.

The information collected by CBP from electronic devices is frequently disseminated within DHS and to other federal agencies or state and local law enforcement agencies with a need to know, and less frequently to foreign law enforcement partners. 103Ibid., 14. In addition to sharing with agencies investigating or prosecuting a violation of law, CBP may also share information for unspecified counterterrorism and intelligence reasons. 104Ibid., 14. If a recipient wants to re-disseminate information, it must obtain permission from CBP, though permission is sometimes granted when CBP information is first shared. Ibid., 14.

The CBP search authorities detailed above allow the collection of social media information. While the warrant and consent authorities seem reasonably cabined, the authority to search abandoned devices is quite expansive, especially if it is read to apply to all devices found within 100 miles of U.S. land or coastal borders, where two-thirds of Americans live. 105Carmen Sesin, “Two-Thirds of Americans Live in a Border Zone; What Are Their Rights?” NBC News, January 26, 2018, https://www.nbcnews.com/news/latino/two-thirds-americans-live-border-zone-what-are-their-rights-n841141. It is not clear why the information from these categories of devices is held in a separate database, unconnected to other DHS systems. As with other collection programs, CBP uses the social media information it collects to conduct trend or pattern analyses and shares it with other agencies, raising concerns about how potential misinterpretations and out-of-context information are deployed. 106See supra text accompanying notes 186-192.

4. Analytical Tools and Databases

After CBP personnel collect social media information including from ESTA and visa applications, from electronic devices searched under their claimed border search authority, and from numerous other sources 107ATS 2017 PIA, 2-3, 82-83. — the data is provided to analysts who conduct one or more of three main types of analyses:

A. Assigning individual risk assessments: comparing an individual’s personally identifiable information against DHS-held sources to assess his or her level of risk, such as whether the individual or her associates may present a security threat, in order to determine what level of inspection she is required to undergo and whether to allow her to enter the country;

B. Trend, pattern, and predictive analysis: identifying patterns, anomalies, and subtle relationships in data to guide operational strategy or predict future outcomes; 108DHS Management Directorate, “DHS Lexicon Terms and Definitions,” 473. and

C. Link and network analysis: identifying possible associations among data points, people, groups, entities, events, and investigations. 109See DHS, Privacy Impact Assessment for the Analytical Framework for Intelligence (AFI), June 1, 2012 (hereinafter AFI 2012 PIA), 4, https://www.dhs.gov/sites/default/files/publications/privacy_pia_cbp_afi_june_2012_0.pdf.

These analytical capabilities are interrelated and interdependent and serve as the backbone of CBP intelligence work. Because the ways in which CBP conducts these analyses and draws conclusions from data depend heavily on interactions among the agency’s various data systems, this section will provide an overview of the key systems and their analytical functions. It shows that the social media information in each of these databases is amassed on the basis of overbroad criteria and without accuracy requirements, shared widely with few or no restrictions, analyzed using opaque algorithms and tools, and often retained longer than the approved retention schedules.

A. Assigning Individual Risk Assessments

The primary system CBP uses for combining and analyzing data, including for assigning risk assessments, is the Automated Targeting System (ATS). There is scant publicly available information regarding the foundation, accuracy, or relevance of these risk assessments; nor do we know whether the factors used in assessments are non-discriminatory. 110While the rules underlying risk assessments are subject to quarterly reviews to assess whether privacy and civil liberties protections are adequate and consistently implemented, there is no publicly available information about these quarterly reviews, including whether they occur. DHS Privacy Office, 2017 Data Mining Report to Congress, 22. Moreover, as risk assessments themselves have no accepted empirical basis, it is unlikely that these reviews could adequately address the core issues of the assessments’ foundation or the validity of the factors used in the assessments. Additionally, risk assessments have been shown to disproportionately impact minorities in other settings, such as the criminal justice system. See supra text accompanying notes 57-60. We do know, however, that social media is likely a common source in formulating risk assessments. ATS contains copies of numerous databases and data sets that include social media information, such as CBP’s ESTA, the FBI’s Terrorist Screening Database (TSDB), and data from electronic devices collected during CBP border searches. 111ATS also ingests and stores data from the Department of State’s Consular Consolidated Database and Consular Electronic Application Center, TSA’s Secure Flight Passenger Data, the FBI’s Terrorist Screening Database, devices searched at the border, ICE’s Student Exchange and Visitor Information System (SEVIS), and Passenger Name Records (PNR), among other sources. ATS 2017 PIA, 2-3, 39-41; PNR data can include name, ticket information, contact information, travel itinerary, billing information, and all historical changes to one’s PNR. DHS, Privacy Impact Assessment for the Automated Targeting System, DHS/CBP/PIA-006(b), June 1, 2012 (hereinafter ATS 2012 PIA), 35, https://www.dhs.gov/sites/default/files/publications/privacy_pia_cbp_ats006b_0.pdf. For more on ATS’s role in electronic device border searches, See supra text accompanying notes 163-168; See also CBP Electronic Border Searches 2018 PIA, 10. ATS also appears to ingest social media information directly from commercial vendors. 112According to an October 3, 2018, addendum to the 2017 ATS PIA, CBP entered into a contract with a private database vendor to test and assess whether “ingestion of commercially available social media information” into ATS would aid CBP’s work. CBP’s stated goal, according to the privacy impact assessment, is to use social media information to better identify potential connections to known terrorist propaganda channels and actors. Where there are matches or potential matches between social media handles and information already in ATS, CBP analysts conduct manual, directed queries and upload additional data into ATS, which may include social media information, in order to substantiate information linking an individual to terrorism or other suspicious activity. Once CBP incorporates the social media handles into a record in TECS, ATS, or AFI, it will be viewable to other users both internal and external to CBP. It is not clear what standards are used to identify matches and in what circumstances this information collection is occurring; in one instance, it is referred to as a “pilot.” ATS 2017 PIA, “Addendum 3.3, ATS IntelCenter,” 76-9. While the contracted vendor is not named in the addendum, ICE awarded a contract worth more than $800,000 to the data analytics company Giant Oak, Inc., on September 24, 2018, for “Open Source/Social Media Data Analytics for CBP.” See ICE contracts with Giant Oak, Inc., September 24, 2018–September 24, 2019, USASpending, https://www.usaspending.gov/#/award/68790969. More information on Giant Oak and its DHS contracts can be found in the ICE section, infra text accompanying notes 353-359. CBP agents use secret analytic tools to combine the information gathered from these various sources, including from social media, to assign risk assessments to travelers, including Americans flying domestically. 113ATS applies its risk-based rules to domestic passengers as part of the joint CBP-TSA flight screening operation. See DHS Privacy Office, 2017 Data Mining Report to Congress, 10; ATS 2017 PIA, 23; ATS-TSA PIA, Common Operating Picture, Phase II, 3-5. See also Electronic Privacy Information Center, “EPIC v. CBP (Analytical Framework for Intelligence),” https://epic.org/foia/dhs/cbp/afi/. These assessments may get a person placed on a watch list like the TSDB, 114CBP uses ATS to nominate additional individuals for inclusion in the TSDB. ATS 2017 PIA, 25. The role of ATS in preflight and watch list screening is described in more detail in the TSA section; See infra text accompanying notes 258-297. and determine whether the person gets a boarding pass or if additional screening is necessary. 115DHS Privacy Office, 2017 Data Mining Report to Congress, 16; ATS 2017 PIA, 23; ATS-TSA PIA, Common Operating Picture, Phase II, 2-3. These assessments are also used to decide who gets permission to engage in trade across U.S. borders and, at the border, to decide who is allowed to enter the country and what level of questioning they must undergo. ATS 2017 PIA, 4.

To be clear, the individuals who are subjected to these measures are not necessarily suspected of a crime or a link to criminal activity. 116CBP uses ATS risk assessments to determine whether further inspection of a person, shipment, or conveyance may be warranted, “even though an individual may not have been previously associated with a law enforcement action or otherwise be noted as a person of concern.” ATS 2017 PIA, 4; ATS 2012 PIA, 19. Rather, an individual’s risk level is determined by a profile, which can be influenced by social media information contained in ATS or other databases, as well as ad hoc queries of information on the internet, including queries of social media platforms. 117In assigning risk assessments, ATS incorporates information from many sources, including private contractors, the FBI’s Terrorist Screening Database, and other government agencies. ATS 2017 PIA, 1, 10, 76. Notably, DHS exempted ATS from accuracy requirements under the Privacy Act, so the information that goes into one’s risk assessment need not be correct, relevant, or complete. 118ATS Final Rule, 5491.

ATS’s individual risk assessment capabilities are also leveraged by ICE in its enforcement activities against people who have overstayed their visas. ATS receives the names of potential overstays from CBP’s arrivals and departures management system, and ATS automatically vets each name against its records to create a prioritized list based on individuals’ “associated risk patterns.” 119ATS 2017 PIA, 8; Hearing on “Visa Overstays: A Gap in the Nation’s Border Security” before the Subcommittee on Border and Maritime Security of the Committee on Homeland Security, House of Representatives, 115th Congress, May 23, 2017, No. 115-17 (hereinafter Congressional Hearing on Visa Overstays), 10, https://www.govinfo.gov/content/pkg/CHRG-115hhrg27610/pdf/CHRG-115hhrg27610.pdf. The prioritized list is then sent to ICE’s lead management system, LeadTrac (discussed further in the ICE Visa Overstay Enforcement section below). 120ATS 2017 PIA, 8

It is not clear what standard is used in determining “risk” in these profiles or how exactly social media information is weighted. But it seems likely that ATS’s data mining toolkit, which includes “social network analysis” capabilities that may rely on social media information, is an important part of formulating risk assessments. 121These analytical and data mining tools are provided by a facet of ATS, the Automated Targeting Initiative. DHS Privacy Office, 2017 Data Mining Report to Congress, 16.

Risk assessments and other records in ATS are retained for 15 years, unless the information is “linked to active law enforcement lookout records . . . or other defined sets of circumstances,” in which case the information is retained for “the life of the law enforcement matter.” 122ATS 2017 PIA, 14, 43; DHS Privacy Office, Notice of Privacy Act System of Records, CBP–006 Automated Targeting System, System of Records, 77 Fed. Reg. 30297 (May 22, 2012), https://www.govinfo.gov/content/pkg/FR-2012-05-22/pdf/2012-12396.pdf. Notably, the most recent ATS privacy impact assessment admits that the system fails to “consistently follow source system retention periods, but instead relies on the ATS-specific retention period of 15 years,” often retaining data for a period that exceeds the data retention requirements of the system from which it originated (for instance, three years for sources from ESTA). 123ATS 2017 PIA, 14; ESTA 2016 PIA, 6. Therefore, ATS passes information to partners long after it has been corrected or deleted from other databases.

ATS information, including personally identifiable information, is disseminated broadly within DHS and to other federal agencies, and many DHS officers have direct access to ATS. 124For example, ICE, U.S. Coast Guard, and TSA personnel have direct access to ATS. ATS 2017 PIA, 5, 8. Personally identifiable information held in ATS can be shared outside DHS as long as personnel prepare a DHS-191 form to note the sharing of information. ATS 2012 PIA, 28. As an example of such dissemination of personal information, CBP passes photographs and certain personally identifiable information via ATS to the DHS Automated Biometric Identification System (IDENT), which is then forwarded to the FBI’s Next Generation Identification (NGI) for comparison. ATS 2017 PIA, 17-19. It is unclear, however, whether risk assessments and the underlying social media data on which they are based may be disseminated beyond ATS.

B. Trend, Pattern, and Predictive Analysis

Essential to the process of assigning risk assessments are the CBP-formulated “rules,” or “patterns” identified as “requiring additional scrutiny,” that CBP personnel use to vet information in ATS in order to evaluate an individual’s risk level. 125ATS 2017 PIA, 1. These patterns are based on trend analyses of suspicious activity and raw intelligence, as well as CBP officer experience and law enforcement cases. 126Ibid. In addition to assigning risk assessments, ATS is used as a vetting tool by both USCIS (for refugees and applicants for certain immigration benefits) and the Department of State (for visa applicants) and to analyze device data obtained at the border. 127Ibid., 35-37, 39-41, 46-47, 58-60. For each of these functions, CBP agents use ATS to compare incoming information against ATS holdings and apply ATS’s analytic and machine learning tools to recognize trends and patterns. 128DHS Privacy Office, 2017 Data Mining Report to Congress, 16; ATS 2017 PIA, 1.

CBP agents also use ATS for preflight screenings (which will be discussed in more detail in the TSA section) to identify individuals who, though not on any watch list, “exhibit high risk indicators or travel patterns.” 129ATS 2017 PIA, 23. See infra text accompanying notes 277-297. ATS’s analytic capabilities likely underpin its determinations of “high risk” patterns.

ATS is also central to a DHS-wide “big data” effort, the DHS Data Framework. Similar to ATS in structure and purpose but wider in scope, the Data Framework is an information technology system with various analytic capabilities, including tools to create maps and time lines and analyze trends and patterns. 130These tools also include statistical, geospatial, and temporal analysis capabilities. DHS, Privacy Impact Assessment for the DHS Data Framework, DHS/ALL/PIA-046, November 6, 2013 (hereinafter DHS Data Framework 2013 PIA), 13, https://www.dhs.gov/sites/default/files/publications/privacy-pia-dhs-wide-dhsdataframework-11062013.pdf.

The Data Framework ingests and analyzes huge amounts of data from across the department and from other agencies. 131As of February 2018, data sets from at least 16 programs had been ingested into the DHS Data Framework, including CBP’s ATS, ESTA, and border crossing information; ICE’s SEVIS; TSA’s Secure Flight; USCIS’s index of A-Files relating to individuals who were victims of abuse or human trafficking; and USCIS and NPPD’s Automated Biometric Identification System (IDENT). DHS, Privacy Impact Assessment for the DHS Data Framework, Appendix A, Approved Data Sets, DHS/ALL/PIA-046(b), February 14, 2018, 44, https://www.dhs.gov/sites/default/files/publications/privacy-pia-dhswide-dhsdataframeworkappendixa-february2018.pdf Originally the Data Framework was meant to import data sets directly from dozens of source systems and categorize the data in order to abide by retention limits, access restriction policies, and ensure that only particular data sets are subject to certain analytical processes. 132DHS, Privacy Impact Assessment for the DHS Data Framework, DHS/ALL/PIA-046(b), February 27, 2015, 3, https://www.dhs.gov/sites/default/files/publications/privacy-pia-046b-dhs-data-framework-20150227.pdf. The Data Framework includes two central repositories for data: Neptune and Cerberus. The previous practice was for the Data Framework to ingest unclassified information from DHS data systems into Neptune, which Neptune then stored and tagged. Once tagged, the unclassified data from Neptune was transferred to Cerberus, the classified “data lake” that DHS uses to perform classified searches of the unclassified data. Neptune tags data based on the type of data involved, the system from which the data originated, and when it was ingested into the Framework. DHS, Privacy Impact Assessment for the DHS Data Framework, DHS/ALL/PIA-046(a), August 29, 2014, 3, https://www.dhs.gov/sites/default/files/publications/privacy-pia-update-dhs-all-pia-046-a-dhs-data-framework-08292014.pdf. Cerberus is part of the “Top Secret/Sensitive Compartmented Information” domain. DHS, Privacy Impact Assessment Update for Neptune, DHS/ALL/PIA-046-1(b), February 27, 2015, 2, https://www.dhs.gov/sites/default/files/publications/privacy-pia-046-1-b-neptune-20150227.pdf. However, as of April 2015, data sets started being pulled straight from ATS instead of from the source systems, and the Data Framework stopped tagging and categorizing data before running analytics. 133Data Framework — Interim Process PIA, 8. DHS said this change was merely an “interim process” of mass data transfer in order to expedite its ability to identify individuals “supporting the terrorist activities” in the Middle East. 134Specifically, the interim process was meant to expedite the identification of individuals “supporting the terrorist activities” of the Islamic State of Iraq and the Levant, al-Qa’ida in the Arabian Peninsula, the al-Nusrah Front, affiliated offshoots of these groups, or individuals seeking to join the Syria-Iraq conflict. Ibid., 1. The interim process was originally established to last for 180 days, with the possibility of extensions in 90-day increments. 135Ibid., 7. However, the interim period continued for at least three and a half years (April 2015–October 2018), and it is unclear whether it is still ongoing. 136DHS Privacy Office, 2017 Data Mining Report to Congress, 46. See also DHS Privacy Office, 2016 Data Mining Report to Congress, April 2017, 57, https://www.dhs.gov/sites/default/files/publications/2016%20Data%20Mining%20Report%20FINAL.pdf.

The Data Framework’s interim process and its extraction of data directly from ATS are troubling in part because ATS does not comply with the retention schedules of different source systems but rather tends to rely on its own 15-year retention period. 137ATS 2017 PIA, 14. By bypassing source systems and extracting information directly from ATS, the interim process creates a risk that outdated or incorrect information, or information that was deleted from its source system many years earlier, will be input into the Data Framework’s classified repository. Hence, information collected from an individual for one purpose — such as screening for the Visa Waiver Program — not only is retained longer than it should be, but is channeled into larger and larger analytical systems for unknown and unrelated purposes.

According to DHS senior leadership, the Data Framework also incorporates “tone” analysis. 138Cantú and Joseph, “Trump’s Border Security May Search Your Social Media by ‘Tone.’” Purveyors of tone analysis software have made dubious claims about its ability to predict emotional states and aspects of people’s personality on the basis of social media data. 139For instance, the Defense Department uses a tone analysis system developed by IBM that purports to be able to interpret and visualize emotional styles and moods from Twitter time lines. Ibid. See also Jian Zhao et al., “PEARL: An Interactive Visual Analytic Tool for Understanding Personal Emotion Style Derived From Social Media,” Proceedings of the IEEE Symposium on Visual Analytics Science and Technology (2014): 203-212, https://ieeexplore.ieee.org/document/7042496. These claims, however, have been thoroughly debunked by empirical studies. 140See, for instance, Ahmed Abbasi, Ammar Hassan, and Milan Dhar, “Benchmarking Twitter Sentiment Analysis Tools” (finding that the best-performing sentiment analysis tools attain overall accuracy levels between 65 percent and 71 percent, with many low-performing tools yielding accuracies below 50 percent); Asaf Beasley, Winter Mason, and Eliot Smith, “Inferring Emotions and Self-Relevant Domains in Social Media: Challenges and Future Directions,” Translational Issues in Psychological Science 2, no. 3 (2016): 238-247, https://psycnet.apa.org/record/2016-47442-004 (noting that social media posts containing sentiment only weakly predict users’ self-reported measure of emotion); Asaf Beasley and Winter Mason, “Emotional States vs. Emotional Words in Social Media,” Proceedings of the Association for Computing Machinery Web Science Conference (2015), https://dl.acm.org/citation.cfm?id=278647 (noting that sentiment analysis tools are not sufficient to infer how users feel). The unreliability of such software increases dramatically for non-English content, especially when people use slang or shorthand, which is often the case with social media interactions. 141Siaw Ling Lo et al., “Multilingual Sentiment Analysis: From Formal to Informal and Scarce Resource Languages,” Artificial Intelligence Review 48, no. 4 (2017): 515, 518 https://sentic.net/multilingual-sentiment-analysis.pdf (noting that most of the sentiment analysis studies to date have utilized lexicons and corpora in “proper English”). See also Duarte,Llanso, and Loup, 14-15.

The Data Framework and its analytical results are used extensively throughout DHS, including by CBP, DHS’s Office of Intelligence and Analysis, TSA’s Office of Intelligence and Analysis, and the DHS Counterintelligence Mission Center. 142DHS, Privacy Impact Assessment for DHS Data Framework, Appendix C — Approved Users, DHS/ALL/PIA-046(b), September 2018, 2, https://www.dhs.gov/sites/default/files/publications/privacy-pia-dhswide-dhsdataframeworkappendixc-september2018.pdf. DHS uses the Data Framework’s classified data repository to disseminate information externally, including “bulk information sharing” with U.S. government partners. 143DHS, Privacy Impact Assessment Update for the DHS Data Framework — External Sharing, DHS/ALL/PIA-046(c), March 30, 2016, 1, https://www.dhs.gov/sites/default/files/publications/privacy-pia-dhs-data%20framework-march2016%20%28003%29.pdf.

C. Link and Network Analysis

A central element of CBP network analysis capabilities is the collection of information on a huge number of individuals in order to draw connections among people, organizations, and data. For this purpose, CBP agents use the CBP Intelligence Records System (CIRS) to gather information about a wide variety of individuals, including many who are not suspected of any criminal activity or seeking any type of immigration benefit, such as people who report suspicious activities; individuals appearing in U.S. visa, border, immigration, and naturalization benefit data who could be associates of people seeking visas or naturalization, including Americans; and individuals identified in public news reports. 144DHS Privacy Office, Notice of New Privacy Act System of Records, CBP–024 Intelligence Records System (CIRS) System of Records, 82 Fed. Reg. 44198 (September 21, 2017) (hereinafter CIRS SORN), https://www.federalregister.gov/d/2017-19718. The system stores a broad range of information, including raw intelligence collected by CBP’s Office of Intelligence, data collected by CBP pursuant to its immigration and customs authorities (e.g., processing foreign nationals and cargo at U.S. ports of entry), commercial data, and information from public sources such as social media, news media outlets, and the internet. 145Ibid., 44201. Social media information collected by CBP for “situational awareness” activities is also likely stored in CIRS. DHS, Privacy Impact Assessment for the Publicly Available Social Media Monitoring and Situational Awareness Initiative, DHS/CBP/PIA-058, March 25, 2019, 6, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp58-socialmedia-march2019.pdf. Notably, the system is exempt from a number of requirements of the Privacy Act that aim to ensure the accuracy of records. 146DHS, Final Rule, CBP–024 CBP Intelligence Records System (CIRS) System of Records, 83 Fed. Reg. 66557 (December 27, 2018) https://www.govinfo.gov/content/pkg/FR-2018-12-27/pdf/2018-27944.pdf. Accordingly, it appears that information in CIRS may be ingested, stored, and shared regardless of whether it is accurate, complete, relevant, or necessary for an investigation. There is no public guidance on quality controls for information eligible for inclusion in CIRS. 147Ibid.

Huge swaths of data from CIRS, ATS, and other systems, including social media information, are then ingested by another database, the Analytical Framework for Intelligence (AFI). 148CIRS SORN, 44199. In addition to ATS and CIRS, AFI also ingests CBP’s ESTA and ICE’s Student and Exchange Visitor System. AFI 2016 PIA, 3-4. It is unclear how specifically information from CIRS is transmitted to AFI — whether CIRS data is routinely uploaded into AFI or specific CIRS data sets are copied ad hoc for analysis in AFI. AFI provides a range of analytical tools that allow DHS to conduct network analysis, such as identifying links or “non-obvious relationships” between individuals or entities based on addresses, travel-related information, Social Security numbers, or other information, including social media data. 149AFI 2016 PIA, 1; AFI 2012 PIA, 1, 4; CBP, Performance and Accountability Report Fiscal Year 2014, 26, https://www.cbp.gov/sites/default/files/documents/CBP_DHS_2014%20PAR_508C.PDF. Other AFI analytic capabilities include creating an index of data in existing DHS systems, carrying out geospatial and temporal analysis, and performing federated queries against external data sources including the Department of State, the FBI, and commercial data aggregators. Federated or universal queries allow users to search data across many different databases and systems to provide a consolidated view of data about a person or entity. ATS 2017 PIA, 1. AFI also includes capabilities for detecting trends, patterns, and emerging threats, but little is known about the underlying data AFI users have access to in conducting those types of analyses. DHS Privacy Office, 2017 Data Mining Report to Congress, 26.

It is possible that ATS risk assessments are among the unspecified data transferred from ATS to AFI. 150See Electronic Privacy Information Center v. U.S. Customs and Border Protection, 2015 WL 12434257 (D.D.C.), https://epic.org/foia/dhs/cbp/afi/20.1-EPIC-MSJ-MPA.pdf. In addition, AFI users may upload internet sources and other public and commercial data, such as social media, on an ad hoc basis. 239 The data need only be relevant, a fairly low standard, and the rules allow data of “unclear” accuracy to be uploaded. 151The only criterion that AFI users must meet to upload internet sources is that they believe the information is relevant to a project. AFI 2012 PIA, 9; AFI 2016 PIA, 4n19; DHS Privacy Office, Notice of Privacy Act System of Records, DHS/CBP–017 Analytical Framework for Intelligence (AFI) System of Records, 77 Fed. Reg. 33753 (June 7, 2012) (hereinafter AFI SORN), https://www.govinfo.gov/content/pkg/FR-2012-06-07/html/2012-13813.htm. CBP agents use AFI to search and analyze databases from various sources, including Department of State and FBI databases and commercial data aggregators. 152Information in AFI can include “information from any source including public and commercial sources, which may be relevant.” AFI SORN. Publicly available sources are stored even if “the accuracy of information obtained or introduced occasionally may be unclear.” AFI Final Rule, 47768. Social media information in AFI can be used in ongoing projects and finished intelligence products, which can be disseminated broadly within DHS and to external partners. 153For the full list of data sources available through AFI, See AFI 2016 PIA, Appendix B, updated November 30, 2018, 23-29. Starting in September 2016, AFI began copying the volumes of information it accesses into its own servers. AFI 2016 PIA, 2-3. AFI now uses an open-source platform designed by Palantir that requires AFI to store multiple copies of data within the platform. This platform provides for shared storage and analysis by replicating the underlying data sources and storing the replicated data in multiple places. This open-source platform model, DHS acknowledged, “presents privacy challenges as its functionality relies on continuous replication of data.” Ibid.

The data mining firm Palantir — a longtime government contracting partner that helped facilitate one of the National Security Agency’s most sweeping surveillance programs 154Sam Biddle, “How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World,” Intercept, February 22, 2017, https://theintercept.com/2017/02/22/how-peter-thiels-palantir-helped-the-nsa-spy-on-the-whole-world/. — is intimately involved in AFI’s operation. 155Spencer Woodman, “Palantir Provides the Engine for Donald Trump’s Deportation Machine”; Spencer Woodman, “Documents Suggest Palantir Could Help Power Trump’s ‘Extreme Vetting’ of Immigrants,” Verge, December 21, 2016, https://www.theverge.com/2016/12/21/14012534/palantir-peter-thiel-trump-immigrant-extreme-vetting. Documents obtained by the Electronic Privacy Information Center (EPIC) through a Freedom of Information Act (FOIA) request refer to joint “AFI and Palantir data” and state that “data from AFI and Palantir can be shared with other stakeholder[s] and agencies” in compliance with AFI rules. 156CBP, “Analytical Framework for Intelligence Operational Status & Security,” https://epic.org/foia/dhs/cbp/afi/14-04-08-CBP-FOIA-20150205-Production-p4.pdf#page=8. “Palantir data” may refer to personal information about people that Palantir ingests from disparate sourcessuch as airline reservations, cell phone records, financial documents, and social media — and combines into a colorful graphic that purports to show software-generated linkages between crimes and people. 157Sam Biddle, “How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World.”

According to an investigation by Bloomberg News, law enforcement agencies may use this “digital dragnet” to identify people who are only very tangentially related to criminal activity: “People and objects pop up on the Palantir screen inside boxes connected to other boxes by radiating lines labeled with the relationship: ‘Colleague of,’ ‘Lives with,’ ‘Operator of [cell number],’ ‘Owner of [vehicle],’ ‘Sibling of,’ even ‘Lover of.’” 158Peter Waldman, Lizette Chapman, and Jordan Robertson, “Palantir Knows Everything About You,” Bloomberg BusinessWeek, April 19, 2018,https://www.bloomberg.com/features/2018-palantir-peter-thiel/. The value of discovering such linkages in investigations, while much hyped, is open to debate. 159Ibid. (noting that after the departure of several JP Morgan executives who had taken advantage of Palantir’s capabilities, the bank “drastically curtailed its Palantir use, in part because ‘it never lived up to its promised potential’”). And as the volume of information grows, so does the risk of error. Given that the information in AFI is not required to be accurate, it is likely that the data from Palantir is similarly unverified. 160AFI Final Rule, 66558. Palantir also supplies AFI’s analytical platform and works extensively with ICE, as discussed later. 161CBP, “AFI Analyst Training,” https://epic.org/foia/dhs/cbp/afi/14-04-08-CBP-FOIA-20150205-Production-p4.pdf#page=219. See infra text accompanying notes 414-417.

Data Transfer From CIRS & ATS to AFI

Since 2015, CBP has awarded contracts worth about $3.2 million to Babel Street, an open-source and social media intelligence company, for software licenses and maintenance for the CBP unit that manages AFI, the Targeting and Analysis Systems Program Directorate. 162DHS contract with Thundercat Technology, LLC, September 21, 2017–September 20, 2018, USASpending, https://www.usaspending.gov/#/award/23784019; DHS contract with Panamerica Computers, Inc., for Babel Software Licenses, September 21, 2018–September 20, 2019, USASpending, https://www.usaspending.gov/#/award/68617237; CBP contract with Thundercat Technology, LLC, September 21, 2016–September 20, 2017, USASpending, https://www.usaspending.gov/#/award/23781451; CBP contract with Thundercat Technology, LLC, September 21, 2015–September 20, 2016, USASpending, https://www.usaspending.gov/#/award/23779146; Office of Inspector General, DHS, Enhancements to Technical Controls Can Improve the Security of CBP’s Analytical Framework for Intelligence, September 2, 2015, 2, https://www.oig.dhs.gov/assets/Mgmt/2015/OIG-15-137-Sep15.pdf (noting that the Targeting and Analysis Systems Program Directorate administers and manages AFI). According to the company’s website, Babel Street technologies provide access to millions of data sources in more than 200 languages; a number of analytic capabilities, including sentiment analysis in 18 languages; and link analysis. 163Babel Street, “How It’s Done,” https://www.babelstreet.com/#about. Users can also export data to integrate with Palantir analytic software. 164Curtis Waltman, “Meet Babel Street, the Powerful Social Media Surveillance Used by Police, Secret Service, and Sports Stadiums,” Motherboard, April 17, 2017, https://motherboard.vice.com/en_us/article/gv7g3m/meet-babel-street-the-powerful-social-media-surveillance-used-by-police-secret-service-and-sports-stadiums. CBP likely uses Babel Street’s web-based application, Babel X, which is a multilingual text-analytics platform that has access to more than 25 social media sites, including Facebook, Instagram, and Twitter. 165Ibid.; Babel Street, “Babel X,” https://www.babelstreet.com/. While the Washington Post reported in 2017 that Babel Street does not access individuals’ Facebook profiles, it is not clear whether that is still the case and what kinds of Facebook information Babel Street technologies currently collect. Aaron Gregg, “For This Company, Online Surveillance Leads to Profit in Washington’s Suburbs,” Washington Post, September 10, 2017, https://www.washingtonpost.com/business/economy/for-this-company-online-surveillance-leads-to-profit-in-washingtons-suburbs/2017/09/08/6067c924-9409-11e7-89fa-bb822a46da5b_story.html?utm_term=.4f7b99fd5135. There are few details about how Babel Street software is used by CBP and what sorts of social media data it may provide for AFI.

Additionally, ATS and the DHS Data Framework both have their own link and “social network” analysis capabilities, though little is known about how those capabilities function. 166DHS Privacy Office, 2017 Data Mining Report to Congress, 16; DHS Data Framework 2013 PIA, 13.

In sum, while we know that CBP undertakes extensive analyses of social media information, from assessing risk level to predictive and trend analysis to “social network analysis,” we know almost nothing about the validity of these techniques or whether they are using discriminatory proxies. Partnerships with data mining companies such as Palantir raise additional concerns about the incorporation of large pools of unverified data into DHS systems, as well as privacy concerns about allowing a private company access to sensitive personal data. 167See, for example, Waldman, Chapman, and Robertson, “Palantir Knows Everything About You”; Angel Diaz and Rachel Levinson-Waldman, “Hold Private Police Partners Accountable, Too: For-Profit Companies Are Making Millions With Special Access to NYPD Information,” Daily News, October 26, 2018, http://www.nydailynews.com/opinion/ny-oped-hold-private-police-partners-accountable-too-20181025-story.html. The increasing consolidation of data into CBP’s expansive intelligence-gathering databases, as well as into the DHS Data Framework, further compounds the issues created by DHS’s vague, overbroad, and opaque standards for collection of social media data and its tendency to recycle that data for unknown and potentially discriminatory ends.

End Notes

Transportation Security Administration

The Transportation Security Administration (TSA) is in charge of security for all modes of transportation — aviation, maritime, mass transit, highway and motor carrier, freight rail, and pipeline — into, out of, and within the United States. 1Aviation and Transportation Security Act, 49 U.S.C. § 114(d). Although most visible at airports, TSA also works behind the scenes via its Secure Flight program, which runs passenger records against a variety of watch lists and information held in CBP’s Automated Targeting System (ATS). 2ATS 2017 PIA, 22-23. As with ATS’s risk assessments, very little is publicly known about the scientific foundation and validity of TSA’s security determinations. We do know that many of the lists that TSA uses to vet passengers rely on social media information, with the attendant risks of misinterpretation, and have been widely criticized for being inaccurate. 3See, for example, Center for Constitutional Rights, “Leaked Guidelines for Placement on No-Fly List Show System Ripe for Abuse,” July 24, 2014, https://ccrjustice.org/home/press-center/press-releases/leaked-guidelines-placement-no-fly-list-show-system-ripe-abuse; El Ali et al., No. 8:18-cv-02415-PX; David Smith, “ ‘The Illusion of Security’: No-Fly List Draws Scrutiny From Left and Right,” The Guardian, December 9, 2015, https://www.theguardian.com/us-news/2015/dec/09/no-fly-list-errors-gun-control-obama.

Concerns about TSA’s use of social media information are compounded by the lack of transparency surrounding how individuals are designated as security risks.

TSA’s Secure Flight program collects passenger records from airlines and works in conjunction with CBP’s ATS to flag passengers for enhanced screening or denial of boarding. 4DHS, “DHS Transition Issue Paper: Enhancing International Aviation Security,” in Strategic Issue Paper Summaries, 28. Secure Flight checks roughly two million passenger records daily against a variety of watch lists. 5Hearing on “Secure Flight: Additional Actions Needed to Determine Program Effectiveness and Strengthen Privacy Oversight Mechanisms” before the Subcommittee on Transportation Security, House Committee on Homeland Security, House of Representatives, 113th Congress, September 18, 2014 (statement of Jennifer Grover, acting director, Homeland Security and Justice), 1, https://www.gao.gov/assets/670/665884.pdf. Its automated matching system assigns a percentage score to each record, indicating the confidence level of a match between the passenger and a watch list entry. 6Office of Inspector General, DHS, Implementation and Coordination of TSA’s Secure Flight Program, OIG-12-94, July 2012, 23, https://www.oig.dhs.gov/assets/Mgmt/2012/OIGr_12-94_Jul12.pdf. Scores must meet a minimum threshold to be considered a potential match, but it is not clear what that threshold is, raising concerns about whether the system is sufficiently rigorous. Ibid. Those whose scores meet the minimum threshold are identified and subjected to enhanced security screening by on-the-ground TSA personnel. 7DHS, Privacy Impact Assessment Update for Secure Flight, DHS/TSA/PIA-018(f), September 4, 2013, 5, https://www.dhs.gov/sites/default/files/publications/privacy-pia-tsa-secure-flight-update-09042013.pdf. Secure Flight also identifies a (potentially overlapping) category of travelers and their companions called “Inhibited Passengers,” which includes individuals who are confirmed or possible matches to watch lists, as well as individuals about whom DHS possesses “certain derogatory holdings that warrant enhanced scrutiny” or who have “a high probability of being denied boarding.” Both of the latter categories remain undefined. 8ATS-TSA PIA, Common Operating Picture, Phase II, 3.

The watch lists used to designate individuals as security risks include the No Fly and Selectee components of the Terrorist Screening Database (TSDB), TSA Watch Lists, and watch lists derived from ATS’s prescreening of international flights. 9DHS, Privacy Impact Assessment for Secure Flight, DHS/TSA/PIA-018(h), July 12, 2017 (hereinafter Secure Flight 2017 PIA), 1-2, https://www.dhs.gov/sites/default/files/publications/pia_tsa_secureflight_18%28h%29_july2017.pdf. CBP also uses the Centers for Disease Control and Prevention’s Do Not Board List for Secure Flight. Ibid., 2n4. Social media forms part of the basis for placing individuals on these watch lists, which are described below. 10See National Counterterrorism Center, “Watchlisting Guidance,” March 2013, 10, https://www.eff.org/files/2014/07/24/2013-watchlist-guidance_1.pdf; Jeremy Scahill and Ryan Devereaux, “The Secret Government Rulebook for Labeling You a Terrorist,” Intercept, July 23, 2014, https://theintercept.com/2014/07/23/blacklisted/; Center for Constitutional Rights, “Leaked Guidelines for Placement on No-Fly List.”

1. Watch Lists

A. Terrorist Screening Database

Maintained by the FBI’s Terrorist Screening Center and commonly known as the “terrorist watch list,” the TSDB is the database of individuals whom the government categorizes as being “known” or “suspected” of having ties to terrorism. 11DHS, Privacy Impact Assessment Update for the Watchlist Service, DHS/ALL-027(e), May 5, 2016, 1, https://www.dhs.gov/sites/default/files/publications/privacy-pia-027-E-uscis-wlsfdnsds-may2016.pdf. See also Jerome P. Bjelopera, Bart Elias, and Alison Siskin, The Terrorist Screening Database and Preventing Terrorist Travel, Congressional Research Service, 7-5700, November 7, 2016, 1, https://fas.org/sgp/crs/terror/R44678.pdf. DHS receives information from the TSDB through the DHS Watchlist Service, which maintains a synchronized copy of the database and disseminates records from it to parts of DHS. 12DHS, Use of the Terrorist Screening Database System of Records, 81 Fed. Reg. 3811 (January 22, 2016) (hereinafter Use of TSDB SORN), https://www.gpo.gov/fdsys/pkg/FR-2016-01-22/pdf/2016-01167.pdf. The FBI and other federal agencies submitting nominations for the TSDB are encouraged to include social media information as a source for suspicion, even if the information is uncorroborated. 13National Counterterrorism Center, “Watchlisting Guidance,” 10. This guidance also specifies that a posting on a social media site “should not automatically be discounted merely because of the manner in which it was received. Instead, the nominating agency should evaluate the credibility of the source, as well as the nature and specificity of the information, and nominate even if that source is uncorroborated.” Ibid., 34. CBP is one such agency that submits watch list nominations. ATS 2017 PIA, 25. In fiscal year 2016, CBP nominated more than 3,400 individuals to the Terrorist Screening Database. DHS, “DHS Transition Issue Paper: Travel Security and Facilitation,” in Strategic Issue Paper Summaries, 216. A nomination is accepted to the TSDB if the Terrorist Screening Center determines that the information meets a reasonable-suspicion standard and there is sufficient identifying information. Bjelopera, Elias, and Siskin, The Terrorist Screening Database and Preventing Terrorist Travel, 5. The watch list has long been criticized for being bloated and error prone; as of 2016 it included one million names, including those of about 5,000 Americans. 14Office of Senator Dianne Feinstein, “Findings From Joint Response From the National Counterterrorism Center (NCTC) and the Federal Bureau of Investigation (FBI) to Congressional Questions Regarding the Terrorist Identities Datamart Environment (TIDE) and the Terrorist Screening Database (TSDB),” 2016, https://www.feinstein.senate.gov/public/_cache/files/f/b/fb745343-1dbb-4802-a866-cfdfa300a5ad/BCD664419E5B375C638A0F250B37DCB2.nctc-tsc-numbers-to-congress-06172016-nctc-tsc-final.pdf. See also Jeremy Scahill and Ryan Devereaux, “Watch Commander: Barack Obama’s Secret Terrorist-Tracking System, by the Numbers,” Intercept, August 5, 2014, https://theintercept.com/2014/08/05/watch-commander/ (noting that, as of 2013, 680,000 names were in the TSDB, including those of 5,000 Americans). The standards for categorizing individuals as “suspected” of ties to terrorism are so broad that even people three degrees removed from a “suspicious” person could be included on the list. 15See, for example, El Ali et al., No. 8:18-cv-02415-PX; Latif v. Holder, 28 F. Supp. 3d 1134 (D. Or. 2014); Tarhuni v. Sessions, No. 3:13-CV-00001-BR, 2018 WL 3614192 (D. Or. July 27, 2018); National Counterterrorism Center, “Watchlisting Guidance,” 37-42. In 2016, DHS revised the Watchlist Service System of Records Notice (SORN) to further expand the categories of individuals covered by the system. The revised SORN explicitly includes those who “do not otherwise satisfy the requirements for inclusion in the TSDB” but (1) are relatives, associates, or others closely connected with a known or suspected terrorist, (2) “were officially detained during military operations, but not as enemy prisoners of war, and who have been identified as possibly posing a threat to national security,” or (3) are known or suspected to be or have been engaged in conduct constituting, in aid of, or related to transnational organized crime. Use of TSDB SORN; DHS, Privacy Impact Assessment for ICE Investigative Case Management, DHS/ICE/PIA-045, June 16, 2016 (hereinafter ICM 2016 PIA), 18, https://www.dhs.gov/sites/default/files/publications/privacy-pia-ice-icm-june2016.pdf.

TSA’s Secure Flight

The TSDB is the source of the No Fly List and the Selectee List, both of which also rely on broad standards that could allow, for example, the inclusion of individuals who have engaged in civil disobedience. 16The No Fly List includes those who are not allowed to board a commercial aircraft flying into, out of, over, or within U.S. airspace, or point-to-point international flights operated by U.S. carriers. The Selectee List includes those who must undergo extra screening before boarding a commercial aircraft. Office of Inspector General, Implementation and Coordination of TSA’s Secure Flight Program, 2. For a discussion of the overbroad standards of these lists, See Center for Constitutional Rights, “Leaked Guidelines for Placement on No-Fly List”; Scahill and Devereaux, “The Secret Government Rulebook for Labeling You a Terrorist.” The No Fly List has been the subject of extensive litigation, in which federal courts have criticized the government’s failure to ensure adequate procedures to allow individuals to contest their inclusion on the list. 17In the case of Rahinah Ibrahim, a Malaysian national working toward her Ph.D. at Stanford, it took nine years of litigation before her name was cleared. A January 2019 ruling in the Ninth Circuit found that even after the government determined that Ibrahim did not pose a threat to national security, the government engaged in years of “scorched earth litigation,” refusing to allow Ibrahim to return to the United States. Ibrahim v. U.S. Department of Homeland Security, No. 14-16161, 2019 WL 73988, at 17 (9th Cir., Jan. 2, 2019). The en banc Ninth Circuit found that there was considerable evidence indicating that the Justice Department attorneys had acted in “bad faith” and that Ibrahim was entitled to full attorneys’ fees under the Equal Access to Justice Act. See also “The FBI Checked the Wrong Box and a Woman Ended Up on the Terrorism Watch List for Years,” ProPublica, December 15, 2015, https://www.propublica.org/article/fbi-checked-wrong-box-rahinah-ibrahim-terrorism-watch-list. See also Latif v. Holder, 28 F. Supp. 3d 1134; Tanvir v. Lynch, 128 F. Supp. 3d 756 (S.D.N.Y. 2015) (noting that DHS lacks “a meaningful mechanism for travelers who have been denied boarding to correct erroneous information in the government’s terrorism databases”).

B. TSA Watch Lists

The watch lists created and managed by TSA’s Office of Intelligence and Analysis are also likely to incorporate social media information in at least some cases. 18Nominations to a TSA Watch List may come from within TSA, from other DHS components, or from other government agencies, and those nominations may be informed by social media. Secure Flight 2017 PIA, 3-4. See, for example, Susan Hasman, director of security operations coordination to federal security directors, “400.5 — ROUTINE — OD-400-19-12 — TSA Watch List (Security Notification),” March 19, 2018, https://www.justsecurity.org/wp-content/uploads/2018/05/watch-list_scan.pdf (noting that individuals who are “publicly notorious” can be nominated to the TSA Watch List). These lists are based on information in TSA Intelligence Service Operations Files, which are compiled from TSA security incidents, intelligence provided by other agencies, and broadly from commercial sources and publicly available data; they are used to flag people who are not on another relevant watch list to receive additional scrutiny during travel. 19Secure Flight 2017 PIA, 6. The TSA Watch List explicitly includes those “who are not on a TSDB watch list but who nonetheless present a threat to transportation or national security.” Ibid., 4. TSA retains the master files of the lists for 30 years. Ibid., 9. One such list, the “95 list,” created in February 2018, includes individuals who make physical contact with a TSA employee or dog, loiter near screening checkpoints, are the subject of a credible threat of violence, or are “publicly notorious.” 20Hasman, “400.5 — ROUTINE — OD-400-19-12 — TSA Watch List (Security Notification).” See Faiza Patel, “Does TSA Really Need a Watch List for ‘Unruly’ Travelers?” Just Security, May 23, 2018, https://www.justsecurity.org/56631/tsa-explain-unruly-passengers-watch-list/. While some of this information likely comes from agents, it seems that public notoriety and perhaps even the threat of violence are factors that TSA gleans from social media.

C. ATS-Generated Watch Lists

TSA’s Secure Flight also screens passenger records against watch lists derived from ATS’s prescreening of international flights. 21These international flights include incoming international flights, flights that fly over the United States but do not touch down, and flights on U.S. carriers that fly from one international point to another international point (point-to-point flights); it is not clear whether outgoing international flights are also prescreened by ATS. ATS 2017 PIA, 23. The ATS prescreening is informed by TSA-crafted rules or “threat-based intelligence scenarios,” which ATS then compares against both passenger records and its plethora of other sources, including social media. ATS identifies individuals for enhanced TSA screening based on “matches” to information found in ATS. 22ATS 2017 PIA, 23; Secure Flight 2017 PIA, 2. CBP also receives information from TSA about possible and confirmed watch list matches for individuals on international flights of covered U.S. aircraft operators, which it also compares against ATS records. DHS, Privacy Impact Assessment Update for the ATS-TSA/CBP Common Operating Picture Program, DHS/CBP/PIA-006(c), January 31, 2014, 5, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp-atsupdate-01312014_0.pdf. Such matches could be based on a profiling rule or based on a passenger’s identifiers, which may include names, phone numbers, or social media handles. 23DHS Privacy Office, 2017 Data Mining Report to Congress, 18. When an individual matches with information or rules in ATS, the match leads either to further inspection action or to a recommendation to carriers not to allow such persons to board. Ibid., 19. ATS compiles its list of matches to share with Secure Flight, including individuals who, though not on any other watch list, “exhibit high risk indicators or travel patterns.” 24ATS 2017 PIA, 23. There are no public criteria for what constitutes a high risk indicator or travel pattern that could trigger a flag on ATS.

According to a privacy impact assessment published in April 2019, TSA uses ATS to generate watch lists for TSA’s “Silent Partner” and “Quiet Skies” programs. 25DHS, Privacy Impact Assessment Update for Secure Flight Silent Partner and Quiet Skies, DHS/TSA/PIA-018(i), April 19, 2019 (hereinafter Silent Partner and Quiet Skies 2019 PIA), 2, https://www.dhs.gov/sites/default/files/publications/pia-tsa-spqs018i-april2019_1.pdf. Little is known about Silent Partner, but according to internal TSA documents, Quiet Skies originally involved undercover federal air marshals shadowing thousands of travelers on flights and through airports, documenting whether travelers use a phone, go to the bathroom, fidget, or have a “cold penetrating stare,” among other behaviors. 26Jana Winter, “Welcome to the Quiet Skies,” Boston Globe, July 28, 2018, http://apps.bostonglobe.com/news/nation/graphics/2018/07/tsa-quiet-skies/?p1=HP_SpecialTSA. Following a series of reports by the Boston Globe, TSA announced that it curtailed the Quiet Skies program in December 2018 and will no longer require agents to compile reports on travelers who exhibit routine passenger behaviors. 27Jana Winter and Jenn Abelson, “TSA says it no longer tracks regular travelers as if they may be terrorists,” Boston Globe, December 15, 2018, https://www2.bostonglobe.com/news/nation/2018/12/15/curtails-quiet-skies-passenger-surveillance/2lRAv2AwjGpUcgq08mHaPM/story.html. However, TSA now uses ATS, with its numerous social media sources, to create a list of travelers for Quiet Skies. TSA formulates rules for CBP personnel to check against ATS holdings on passengers on outbound international flights and domestic flights subsequent to international flights to create a Quiet Skies List of individuals designated for enhanced screening. 28Silent Partner and Quiet Skies 2019 PIA, 2. A similar Silent Partner List is created for passengers on in-bound international flights. 29Ibid. The rules TSA shares with ATS to designate individuals for the Quiet Skies List “must pertain to a specific potential threat to aviation security within the Homeland, as assessed by TSA.” Ibid., 3 n7. In contrast, the Silent Partner rules are broader and “must pertain to a specific potential threat to aviation security or the Homeland” (emphasis added). Ibid., 3n7. In addition to being designated for enhanced screening, individuals on the Quiet Skies and Silent Partner Lists may be subject to “observation by the TSA Federal Air Marshal Service (FAMS) while the individual is onboard the flight or in the airport.” 30Ibid., 3.

International Flight Data Transfer

The privacy impact assessment notes that individuals “will remain on the Quiet Skies List for a period of time,” though the period is unspecified. 31Ibid., 2. Names of individuals who are flagged in ATS based on matches to TSA’s rules are retained in ATS for seven years, while names of international travelers whose activities do not match the risk patterns are retained for seven days “to conduct additional analysis.” 32Ibid., 11-12; ATS 2017 PIA, 27. For “Inhibited Passengers” identified by TSA and shared with ATS, ATS screens those records against its holdings and against lists like the TSDB. ATS identifies “possible watchlist matches who are subsequently cleared,” which are then retained in ATS for seven years. Confirmed matches to a watch list record are retained in ATS for 15 years, and in Secure Flight for 99 years. Secure Flight information that is linked to a border security, national security, significant health risk, or counterterrorism matter is retained in ATS for the life of the matter. Ibid., 27. This information can be used for future risk assessments and watch lists. 33Individuals who are flagged in ATS as “high risk” are not provided notice of their flagging as ATS does not collect information from individuals directly and DHS has exempted many parts of ATS from the notification, access, amendment, and certain accounting provisions of the Privacy Act of 1974. See ATS Final Rule. The ATS privacy impact assessments state that those who would like to contest or correct any information in ATS can contact the CBP Information Center or DHS Traveler Redress Inquiry Program. For instance, travelers may obtain access to their Passenger Name Record (PNR) data in ATS, but not to the results of any ATS rules or analyses applied to their PNR data. ATS 2012 PIA, 29-30.

Social media also plays a role in TSA screenings of passengers on domestic flights. 34TSA and CBP have a broad arrangement through which they share information, which may include social media information, about watch-listed travelers and their traveling companions. All information on TSA-identified and CBP-identified “Inhibited Passengers” is easily accessible to both TSA and CBP via a shared dashboard display. ATS-TSA PIA, Common Operating Picture, Phase II, 3. For domestic flights, Secure Flight screens airline records using watch lists and unspecified “rules” and then shares the names of watch list matches and other “Inhibited Passengers” with ATS. 35Ibid., 4-5. ATS users then perform comparisons, apply “risk-based rules,” and conduct federated queries to identify pertinent CBP-held information on those travelers, which could include social media information. At the same time, ATS users create a separate list of CBP-identified “Inhibited Passengers” based on analyses of ATS sources, including social media. 36Ibid., 8. CBP sends the results of the ATS screening back to Secure Flight, and TSA and CBP personnel compare the Secure Flight and ATS-generated lists of “Inhibited Passengers” via a common dashboard display. 37The shared dashboard display is viewable at CBP’s National Targeting Center and TSA’s Operations Center. Ibid., 2-3. CBP also displays visa denials and revocations, information on lost or stolen passports, and ESTA denial data on the common dashboard. Ibid., 5. TSA agents then make final decisions on enhanced screening and boarding denial, which could be informed by the ATS-held social media records. 38Ibid., 8.

Additionally, TSA agents use an ATS “decision-support” tool called ATS-Passenger (ATS-P), available on mobile devices through an ATS mobile application, to view information in ATS and create a prioritized list of “potentially high-risk passengers.” 39ATS 2017 PIA, 8, 9n7. Other DHS components, including ICE and Border Patrol, also use ATS-P and the mobile app for “decision-support.” Ibid., 8. According to the most recent privacy impact assessment, TSA personnel can search and filter ATS information by creating “user-defined rules” based on “operational, tactical, intelligence, or local enforcement efforts.” 40Ibid., 8. DHS personnel use ATS-P to “focus efforts on potentially high-risk passengers by eliminating labor-intensive manual reviews of traveler information.” Ibid. It is not clear what these “uniform and user-defined rules” are or how DHS ensures that they are valid and free from bias. For ATS’s “risk-based rules” in general, CBP, the DHS Privacy Office, the DHS Office for Civil Rights and Civil Liberties, and the DHS Office of the General Counsel are supposed to conduct joint quarterly reviews of the rules. DHS Privacy Office, 2017 Data Mining Report to Congress, 22. The ability of each user to define his or her own rules — a process about which there is little information publicly available — creates opportunities for discriminatory application. ATS-P also allows users to query other available federal government systems and publicly available information, including social media data. 41ATS 2017 PIA, 8-9. ATS-P received a technology refresh, UPAX, to more succinctly display query results across multiple source systems, as well as “integrat[e] risk assessment and case management functionality with the presentation of query results.” Ibid., 10. This may suggest that users, including non-CBP users, would be able to view travelers’ risk assessments through ATS-P and the mobile application. The fact that this system is applied to domestic flights raises the possibility that it could be used to target American travelers on the basis of their political and religious views. 

Domestic Flight Data Transfer

2. TSA PreCheck

TSA also uses Secure Flight to identify low-risk passengers for TSA PreCheck, a fee-based program that allows travelers expedited transit through airports. 42Privacy Impact Assessment for the TSA PreCheck Application Program, DHS/TSA/PIA-041, September 4, 2013 (hereinafter PreCheck 2013 PIA), 1, https://www.dhs.gov/sites/default/files/publications/privacy_pia_041_tsa%20precheck%20application%20program_september%202013_0.pdf. Secure Flight screens PreCheck applicants against its own information as well as several lists of preapproved low-risk travelers from other agencies and other parts of DHS, including CBP’s Trusted Traveler programs. 43Government Accountability Office, Report to Congressional Requesters, Secure Flight: TSA Should Take Additional Steps to Determine Program Effectiveness, September 2014, 15-16, https://www.gao.gov/assets/670/665676.pdf. Since these lists rely on databases that include social media information, it is likely that what people say on social media influences PreCheck designations. 44See “CBP Trusted Traveler and Trusted Worker Populations,” ATS 2017 PIA, 30.

Indeed, TSA has sought to highlight social media in its PreCheck screening efforts. In December 2014, the agency announced that it was planning to expand PreCheck by hiring contractors to screen applicants using “risk scoring algorithms using commercial data, including social media and purchase information.” 45Agreement Relating to TSA PreCheck Application Expansion, HSTS02-15-H-OIA037X, https://s3.amazonaws.com/s3.documentcloud.org/documents/1508090/ota-articles-for-pre-check-application-expansion.pdf. In response to criticism from civil society about the use of social media data and the reliance on private companies to determine security risks, 46See, for example, Joe Sharkey, “PreCheck Expansion Plan Raises Privacy Concerns,” New York Times, March 9, 2015, https://www.nytimes.com/2015/03/10/business/precheck-expansion-plan-raises-privacy-concerns.html; Amber Corrin, “TSA Pulls Back on Big-Data PreCheck Expansion,” Federal Times, February 16, 2015, https://www.federaltimes.com/management/2015/02/16/tsa-pulls-back-on-big-data-precheck-expansion/. TSA backtracked, issuing a revised proposal that barred bidders from using any available social media for prescreening efforts. 47“Special Notice Posting for the PreCheck Application Expansion,” Solicitation HSTS02-15-R-OIA037, Federal Business Opportunities, February 7, 2015, https://www.fbo.gov/utils/view?id=d883f342353397d6ee9b5630d418c973. The TSA’s PreCheck privacy impact assessment from January 2016 reaffirms its interest in having private-sector entities “perform identity assurance and criminal history assessments” using commercial and publicly available data, though the document does not indicate that social media data will be used. DHS, Privacy Impact Assessment Update for the TSA PreCheck Application Program, DHS/TSA/PIA-041(a), January 22, 2016 (hereinafter PreCheck 2016 PIA), 1, https://www.dhs.gov/sites/default/files/publications/privacy-pia-041-a-tsa%20precheck%20application%20program-february2016.pdf. In September 2017, TSA awarded an ongoing contract worth more than $22 million to Idemia, a big-data biometrics company, for Universal Enrollment Services,

which includes PreCheck enrollment. 48DHS Universal Enrollment Services Contract with Idemia Identity & Security USA LLC, USASpending, September 1, 2017–September 4, 2019, https://www.usaspending.gov/#/award/24290264. Idemia captures and submits enrollment data, including biographic, biometric, identity, and citizenship documentation, to the government for vetting and case management purposes. 49TSA, “Justification for Other Than Full and Open Competition,” J&A Universal Enrollment Services (UES) Bridge Contract Modification, Solicitation Number 70T02018R9NOIA248, Federal Business Opportunities, September 18, 2018, 2, https://www.fbo.gov/utils/view?id=7654f14c5beec3837347c03cfccee72c; See also TSA Office of Contracting and Procurement, Universal Enrollment Services (UES) Request for Proposals, Federal Business Opportunities, March 7, 2018, 112, https://www.fbo.gov/utils/view?id=7631ca3cab726e4097c2dd5fa8e17668; Universal Enrollment Services (UES) Notice of Intent to Sole Source, GovTribe, May 1, 2018, https://govtribe.com/opportunity/federal-contract-opportunity/universal-enrollment-services-ues-notice-of-intent-to-sole-source-70t02018r9noia248. While the contract documents do not indicate that Idemia will use social media information to conduct “security threat assessments” and “identity assurances” for PreCheck, Idemia’s website describes the company’s data mining mission in general as including “geolocations, audit trails and social media conversations.” 50TSA, “Justification for Other Than Full and Open Competition”; “Big Data,” Idemia, accessed December 28, 2018, https://www.morpho.com/en/big-data. Idemia “has been building and managing databases of entire populations for governments, law enforcement agencies and other government bodies around the world, whether for national ID, health cards, bank cards or even driver license programs.” Ibid. Idemia, formerly MorphoTrust, LLC, was alleged to have embedded Russian-made code purchased from a Kremlin-connected firm into software that it sold to the FBI for its fingerprint-recognition technology, raising concerns that Russian hackers could compromise law enforcement computer systems. Chris Hamby, “FBI Software for Analyzing Fingerprints Contains Russian-Made Code, Whistleblowers Say,” Buzzfeed News, December 26, 2017, https://www.buzzfeednews.com/article/chrishamby/fbi-software-contains-russian-made-code-that-could-open-a.

In sum, TSA’s Secure Flight uses a range of watch lists that rely at least in part on social media information in its preflight screening and decision making, about which very little is known. TSA and CBP also have an extensive information-sharing arrangement in which TSA relies on ATS holdings, which include social media data, to screen “Inhibited Passengers” and to aid in “decision-support” via the ATS mobile application. TSA’s PreCheck also may include the collection and analysis of social media information to designate certain individuals as “low risk.” The use of context-dependent and easily misinterpreted social media in secret analyses raises concerns about the use of discriminatory criteria to target travelers, both domestic and international, as well as the impact on free speech.

End Notes

U.S. Immigration and Customs Enforcement

Immigration and Customs Enforcement (ICE) investigates cross-border crime and immigration violations. 1ICE, “Who We Are,” https://www.ice.gov/about. The secretary of DHS delegated ICE’s investigative authority, pursuant to the Homeland Security Act of 2002, to ICE in DHS, “Delegation of Authority to the Assistant Secretary for U.S. Immigration and Customs Enforcement,” Delegation Number 7030.2, November 13, 2004, https://www.hsdl.org/?abstract&did=234774. Its activities range from combating child pornography and human trafficking to conducting raids at workplaces and targeting people, including activists, for immigration violations outside courthouses and schools. 2See, for example, Sarah Ruiz-Grossman, “ICE Dramatically Increased Workplace Arrests of Undocumented Immigrants in 2018,” Huffington Post, December 12, 2018, https://www.huffingtonpost.com/entry/ice-immigration-arrests-work-undocumented-immigrants_us_5c105b3fe4b0ac537179c247; Maria Sacchetti and David Weigel, “ICE Has Detained or Deported Prominent Immigration Activists,” Washington Post, January 19, 2018, https://www.washingtonpost.com/powerpost/ice-has-detained-or-deported-foreigners-who-are-also-immigration-activists/2018/01/19/377af23a-fc95-11e7-a46b-a3614530bd87_story.html?utm_term=.ed71c0e7a6e1; Alanna Durkin Richer, “Ex-judges to ICE: End Immigration Arrests at Courthouses,” Associated Press, December 12, 2018, https://www.apnews.com/e401e85400ee44ab9dd51ace042be399. ICE relies on social media data, which is often unreliable, to support its extremely broad investigative authorities; the agency has also explored expanding its collection of social media data to make dubious and likely discriminatory judgments about whether individuals should be permitted to enter or remain in the country.

ICE has two main branches: Homeland Security Investigations (HSI), which conducts both criminal and civil investigations, and Enforcement and Removal Operations (ERO), which is primarily responsible for detention and deportation. 3ICE, “HSI Special Agent Brochure,” February 2011, https://www.ice.gov/doclib/careers/pdf/investigator-brochure.pdf; ICE, “Enforcement and Removal Operations,” https://www.ice.gov/ero. Most of the activities described below are conducted by HSI — the second-largest investigative arm in the federal government 4DOJ Offices of the United States Attorneys, Federal Investigative Agencies, https://www.justice.gov/usao-mdpa/federal-investigative-agencies. — which extracts, consults, and analyzes social media data during its investigations, including vetting and investigating overstay leads and conducting warrantless border searches, as well as in its intelligence-gathering and analysis initiatives. In turn, these investigations inform ERO’s removal operations.

1. Investigations

HSI often relies on social media in conducting an investigation. 5See, for example, ICM 2016 PIA, 18. First, ICE agents may manually collect data from publicly available and commercial sources, including social media, whenever they determine that the information is “relevant for developing a viable case” and “supports the investigative process.” 6Ibid., 22. According to privacy impact assessments, such information is meant to be used to verify information that is already in the agency’s possession, such as a target’s current and former places of residence and cohabitants, and to identify other personal property. 7Ibid., 18. However, it may also be used “to enhance existing case information” by providing identifying details like date of birth, criminal history, and business registration records. 8Ibid. ICE limits collection of publicly available information to “credible, industry-wide sources” but offers no information about those sources or how they are chosen. Ibid., 21-22.

Social media information is also gathered during undercover operations related to criminal investigations, during which agents are permitted to “friend” individuals on social media sites and collect any information they come across as a result. 9Undercover agents may also be granted access to a restricted site in certain circumstances. Ibid., 18. There are no publicly available criteria or standards for when ICE can initiate an undercover operation. However, a leaked handbook outlines some factors that managers should take into consideration when assessing the need for an undercover operation, such as “risk of civil liability or other loss to the U.S. Government.” See ICE Office of Investigations, Undercover Operations Handbook, OI HB 08-04, April 14, 2008, 39, https://www.unicornriot.ninja/wp-content/uploads/2018/06/ice-undercover-operations.pdf#page=50. In addition, HSI agents gain access to social media information through other investigatory activities — namely vetting and overstay enforcement initiatives and extractions of data from electronic devices obtained during border searches and investigations — which are discussed in the next sections.

The Investigative Case Management (ICM) system is the primary database that stores information collected by ICE during criminal and civil investigations. 10ICM 2016 PIA, 2. Before entering any new information, agents and support personnel are trained to compare it with information already in the system and external investigative case files, and subject records and case documents must be reviewed and approved by a supervisor before they can become “available for use” in an investigation. Audit logs capture all user activity, but it is not known how, or whether, these logs are reviewed. Ibid., 5, 21. ICE agents can use ICM to automatically query a plethora of internal and external systems, as well as to manually search various pools of data and copy and upload the results; the information ICE can query includes results from CBP’s Automated Targeting System (ATS), which contains social media information from a number of sources. 11Ibid., 6. From ICM, users can query CBP’s ATS and manually copy data into ICM. Ibid., 17. ICM data is disseminated within DHS and shared broadly with outside agencies. 12Ibid., 29-30. In addition to wide authority to share information through formal channels with state, local, and federal law enforcement agencies, ICE agents are known to share information informally with individual state or local law enforcement officers. 13See National Immigration Law Center, Untangling the Immigration Enforcement Web, September 2017, 3, https://www.nilc.org/wp-content/uploads/2017/09/Untangling-Immigration-Enforcement-Web-2017-09.pdf. In addition, ICM records that pertain to individuals, or “subject records,” are shared via the Law Enforcement Information Sharing (LEIS) Service, a web-based data exchange platform that allows partner law enforcement agencies to access DHS systems, including but not limited to ICM and TECS, CBP’s primary law enforcement system. 14ICM 2016 PIA, 30; ICE, “Law Enforcement Information Sharing Initiative,” https://www.ice.gov/le-information-sharing. For more on “subject records,” See DHS, Privacy Impact Assessment for the TECS System: CBP Primary and Secondary Processing, December 22, 2010, 2-3, https://www.dhs.gov/sites/default/files/publications/privacy-pia-cbp-tecs-december2010_0.pdf.

ICM was developed by the private data mining company Palantir. 15Woodman, “Palantir Provides the Engine for Donald Trump’s Deportation Machine.” Electronic Privacy Information Center, FOIA Request Letter to Catrina Pavlik-Keenan, FOIA officer, ICE, August 14, 2017, 1-2, https://epic.org/foia/palantir/EPIC-17-08-10-ICE-20170810-Request.pdf. According to contract notices, Palantir currently has a contract for work relating to ICM that has so far totaled $51.6 million. 16ICE contract with Palantir USG, Inc., September 26, 2014–September 25, 2019, USASpending, https://www.usaspending.gov/#/award/68924715. Though Palantir’s 2014 proposal for ICM described the system as intended for use by ICE’s investigative branch, HSI, in 2016 DHS disclosed that it is also used by ICE’s deportation branch, ERO, to obtain information “to support its civil immigration enforcement cases.” 17Contract Award Notice, ICE Investigative Case Management System, Solicitation Number HSCETC-14-R-00002, Federal Business Opportunities, https://www.fbo.gov/spg/DHS/INS/ICE-OAQ-TC/HSCETC-14-R-00002/listing.html. See also ICM 2016 PIA, 23-24.

ICE has also invested in other software systems to enable it to analyze information from social media. For example, in June 2018, it was reported that ICE had signed a $2.4 million contract with Pen-Link, 18Chantal Da Silva, “ICE Just Launched a $2.4M Contract With a Secretive Data Surveillance Company That Tracks You in Real Time,” Newsweek, June 7, 2018, https://www.newsweek.com/ice-just-signed-24m-contract-secretive-data-surveillance-company-can-track-you-962493. a company offering software to law enforcement that can collect and analyze “massive amounts of social media and internet communications data.” 19Ibid. One of the services included in the Pen-Link contract with ICE is Pen-Link X-Net, 20DHS, “Justification and Approval for Other Than Full and Open Competition.” which collects and analyzes large quantities of internet-based communications data, from an “extensive, ever-growing list of providers,” including social media platforms. 21PenLink, “XNET: Investigating Beyond Phone Calls,” https://www.penlink.com/xnet/. Such sweeping collection and analysis is likely to scoop up swaths of irrelevant and unreliable information and risks misinterpreting innocuous connections and patterns as illicit activity.

Finally, West Publishing, a subsidiary of Thomson Reuters, provides HSI with access to the company’s Consolidated Lead Evaluation and Reporting (CLEAR) system, through a 2017 contract worth $20 million. 22ICE/HSI contract with West Publishing Corporation, January 19, 2017–October 31, 2021, Federal Procurement Data System — Next Generation, https://assets.documentcloud.org/documents/4546854/TR-Attachment-1.pdf. CLEAR combines a wide array of public and proprietary records, including data from social networks and chat rooms, to create “customizable reports, Web Analytics, mapping, and link charts.” 23Thomson Reuters, CLEAR Brochure, “The Smarter Way to Get Your Investigative Facts Straight,” 2, 6, https://www.thomsonreuters.com/content/dam/openweb/documents/pdf/legal/fact-sheet/clear-brochure.pdf. According to other contract documents, CLEAR provides essential support to ICE’s ability to investigate criminals and to uphold and enforce customs and immigration law “at and beyond our nation’s borders.” 24ICE Office of Acquisition Management, Investigations & Operations Support Dallas, “Limited Source Justification — Consolidated Lead Evaluation and Reporting (CLEAR),” 2, https://www.mediafire.com/file/y2e3vk65z6v3k6x/LSJ_Final.pdf. CLEAR also interfaces with information from Palantir as well as with ICE’s main analytical system, FALCON. 25Ibid.; FALCON-SA 2016 PIA, 35. See also Homeland Security Investigations Mission Support, “FALCON Operations & Maintenance Support & System Enhancement, Performance Work Statement,” May 11, 2015, 16, https://www.ice.gov/doclib/foia/contracts/palantirTechHSCETC15C00001.pdf.

2. Visa Overstay Enforcement

ICE has identified visa overstays as a serious threat to national security and over the past several years has ramped up its enforcement, tracking travelers who have allegedly remained in the United States beyond the time originally permitted; its efforts have included social media monitoring. 26See, for example, Congressional Hearing on Visa Overstays, 2, 13; Office of Inspector General, DHS, DHS Tracking of Visa Overstays Is Hindered by Insufficient Technology, OIG-17-56, May 1, 2017 (hereinafter OIG May 2017 Visa Overstay Tracking Report), 1, ttps://www.oig.dhs.gov/sites/default/files/assets/2017/OIG-17-56-May17_0.pdf. While two of the 9/11 hijackers had overstayed their

visas, 27OIG May 2017 Visa Overstay Tracking Report, 1. there is little evidence that overstays pose a significant ongoing threat to national security. Research from the Cato Institute shows that the chance of being killed in an attack by a foreign-born terrorist is 1 in 4.1 million for an attacker on a tourist visa and 1 in 73 million for an attacker on a student visa, the two most common overstay categories. 28Alex Nowrasteh, “Terrorists by Immigration Status and Nationality: A Risk Analysis, 1975-2017.” Given that the overstay rate in 2017 was 2.06 percent for tourist visas and 4.15 percent for student visas, the chance of being killed by someone overstaying a visa is infinitesimal. 29DHS, Fiscal Year 2017 Entry/Exit Overstay Report, 11, 18, https://www.dhs.gov/sites/default/files/publications/18_1009_S1_Entry-Exit-Overstay_Report.pdf.

At a May 2017 congressional hearing, DHS described the basic process used to vet overstay leads: CBP’s arrivals and departures management system sends potential leads — identified by matching entry and exit records to ATS, which automatically screens, prioritizes, and sends them over to ICE’s lead management system, LeadTrac. 30Congressional Hearing on Visa Overstays, 10; ATS 2017 PIA, 8. ICE’s LeadTrac system stores the information, including from social media, collected by the programs and initiatives described in this section. According to the LeadTrac privacy impact assessment, information from social media can be copied and pasted or summarized in a LeadTrac subject record. DHS, Privacy Impact Assessment for LeadTrac System, DHS/ICE/PIA-044, July 22, 2016 (hereinafter LeadTrac 2016 PIA), 11, https://www.dhs.gov/sites/default/files/publications/privacy-pia-ice-leadtrac-july2016.pdf. According to the LeadTrac SORN, the system contains information not only on the target individual, but also on his or her associates (e.g., family members and employers of suspected status violators) who may be legal permanent residents or U.S. citizens. LeadTrac SORN, supra note 78, 52700. Analysts then vet these leads — against government databases, public indices, and unnamed commercial databases that provide aggregated information from social media and other public sites, as well as through internet searches on social media platforms — to determine whether there is a potential violation that could require a field investigation. 31LeadTrac 2016 PIA, 1, 9-10. According to DHS documents prepared for the incoming administration at the end of 2016, ICE personnel target individuals for overstay enforcement who exhibit “specific risk factors,” which are based in part on “analysis of dynamic social networks.” 32 These analyses of social networks may be informed by the data gathered from social media sites. According to the DHS inspector general, ICE agents do not have policies and guidance on “appropriate system use” of the roughly 17 information technology systems upon which analysts rely for overstay work. 33OIG May 2017 Visa Overstay Tracking Report, 8, 16.

In 2014 ICE set up a special unit called the Open-Source Team, which uses a broad range of publicly available information, including social media, to help “locate specific targeted individuals, identify trends and patterns, and identify subtle relationships.” 34Congressional Hearing on Visa Overstays, 13. According to the December 2016 issue of SEVP Spotlight, the Student Exchange and Visitor Program newsletter, this team also helps identify students or schools suspected of violation. HSI, SEVP Spotlight 6, no. 4 (December 2016): 3, https://studyinthestates.dhs.gov/assets/sevp_spotlight_december_2016_final.pdf. A document obtained by the Brennan Center via FOIA request highlights three Open-Source Team “success stories,” all of which involve individuals from Muslim-majority countries. 35The three “success stories” listed are “HSI Los Angeles Arrest of a Jordanian National in November 2014”; “HSI New York AWOL Case of a Yemen National in January 2015”; and “HSI San Diego Request for Open-Source Intelligence Report of Saudi Arabia National in May 2015.” The descriptions for each are entirely redacted. DHS, “CTCEU Open Source Team Success Stories,” https://www.brennancenter.org/sites/default/files/analysis/ICE%20FOIA%20Social%20Media%20Pilot%20Programs%20-%20BCJ.pdf#page=8.

In August 2016, ICE launched a series of pilot programs that aim to use social media to bolster vetting, lead investigation, and enforcement. 36See Congressional Hearing on Visa Overstays, 13. One of these programs, the “Domestic Mantis Initiative,” vets leads pulled from the Student and Exchange Visitor System (SEVIS) on students who enter the United States planning to study a “nonsensitive” field of study and later change to one the State Department categorizes as “sensitive” because of its potential connection to national security–related technology (e.g., nuclear physics, biomedical engineering, and robotics). 37A “sensitive” field is one “related to a sensitive technology on the DOS Technology Alert List.” DHS, “Visa Overstay Enforcement Investigations Expenditure Plan,” Fiscal Year 2016 Report to Congress, August 1, 2016, 4, https://www.dhs.gov/sites/default/files/publications/Immigration%20and%20Customs%20Enforcement%20-%20Visa%20Overstay%20Enforcement%20Investigations%20Expenditure%20Plan.pdf; Department of State, “Using the Technology Alert List (Update),” August 1, 2002, https://www.nafsa.org/uploadedFiles/dos_cable_provides_update.pdf?n=1034. Using social media and other sources, ICE continuously monitors these students during their time in the United States, although it is not known what would constitute suspicious activity that would cause immigration authorities to take action. 38DHS, “Visa Overstay Enforcement Investigations Expenditure Plan,” 5-6.

Also in August 2016, ICE launched another pilot program, most often referred to as the Overstay Lifecycle program. 39The program is unnamed in the Inspector General report but referred to in several reports and testimonies as the “Overstay Lifecycle pilot.” In documents obtained by the Brennan Center via FOIA it is sometimes referred to as the “Visa Security Social Media Pilot Program.” It is possible that this discrepancy is due to the fact that two different parts of HSI implement this program — the Visa Security Program (which vets visas at certain State Department posts) and the Counterterrorism and Criminal Exploitations Unit (which investigates overstay leads). See HSI, National Security Investigations Division, “Visa Security Social Media Pilot Program,” https://www.brennancenter.org/sites/default/files/analysis/ICE%20FOIA%20Social%20Media%20Pilot%20Programs%20-%20BCJ.pdf. According to a report by the DHS inspector general, the program screens the social media activity of a category of nonimmigrant visa applicants from certain countries to help uncover “potential derogatory information not found in Government databases”; both the category of applicants and the specific countries involved were redacted from the publicly available report. 40Office of Inspector General, DHS’ Pilots for Social Media Screening Need Increased Rigor to Ensure Scalability and Long-term Success, 3-4. The report noted that the pilot was to screen social media activity at the time of visa application and to “continue social media monitoring” (during a time frame or process that was redacted from the report, but could extend to the time that subjects were in the United States) using a “web search tool” that analyzes social media data to develop so-called “actionable information.” 41Ibid., 3. As with other uses of social media by DHS, it is unclear what types of information would raise flags about visa applicants.

ICE’s Overstay Lifecycle program was designed to supplement PATRIOT, an existing program that screened applicants at 28 visa security posts but did not monitor people who were granted visas and traveled to the United States. 42DHS, “Visa Overstay Enforcement Investigations Expenditure Plan,” 3-4. The newer program aims to close this gap in enforcement by conducting continuous vetting and monitoring of some visa applicants, from the time they file a visa application to the time they depart from the country or violate their terms of admission, to uncover any “derogatory information.” 43Ibid.

The visa applicants subject to continuous monitoring would be those who have applied through one of “at least two” specific State Department posts abroad, though the posts are not publicly identified. 44Ibid., 3. According to the 2016 DHS report to Congress, these posts would be selected “to complement existing HSI screening efforts and in response to recent global acts of terrorism perpetrated in those countries.” 45Ibid. According to the same report, DHS also planned to incorporate social media vetting tools into both PATRIOT and LeadTrac, and modify LeadTrac to ingest information from visa applicants upon entry. 46The report noted that enabling this capability “will require enhancements to PATRIOT through third-party systems/program modifications.” Ibid., 4. Part of the $5.295 million identified for “Information Technology, Social Media Exploitation, & Enhancements” in the expenditure plan for the report was allocated to “creating connectivity to bridge the PATRIOT database to private vendor social media software for real-time vetting during the pre-entry adjudication process and procuring associated equipment and services to execute the mission.” Ibid., 6. It is not clear whether this system change has occurred.

It is clear, however, that ICE has relied heavily on the data mining firm Giant Oak, Inc., to support these programs and will continue to do so in the future. According to publicly available contract notices, in August and September of 2018, both ICE’s Visa Security Program and its Counterterrorism and Criminal Exploitation Unit (CTCEU) contracted with Giant Oak for “open source/social media data analytics.” 47ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analytics — VSP,” August 21, 2018–August 20, 2019, USASpending, https://www.usaspending.gov/#/award/67807277; ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analytics — CTCEU,” June 13, 2018–August 31, 2019, USASpending, https://www.usaspending.gov/#/award/66685141. These contracts are in addition to previous social media data analytics contracts between ICE and Giant Oak. 48ICE contracts with Giant Oak, Inc., September 4, 2014 — September 24, 2018, “Spending by Prime Award,” USASpending, https://www.usaspending.gov/#/search/f2b8f8d69d8696753510a172f52d46ad. In September 2018, ICE contracted yet again with Giant Oak for $806,836, but the description specifies “open-source/social media data analytics for CBP.” It is not clear why ICE would designate its spending this way, rather than CBP contracting with the company itself. ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analytics for CBP,” September 24, 2018–September 24, 2019, USASpending, https://www.usaspending.gov/#/award/68790969. One of ICE’s contracts with Giant Oak extends to August 31, 2022. ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analytics,” September 25, 2017–August 31, 2022, USASpending, https://www.usaspending.gov/#/award/23831407. A contract recently obtained by the Brennan Center via FOIA request shows that CTCEU utilizes Giant Oak’s Search Technology tool (GOST) to aid in proactive investigation of national security leads that have incomplete address information or were returned from field investigations unresolved. 49“Statement of Work,” ICE Contract #HSCEMD-14-C-00002 P00007, 31. This tool is used for bulk screening and prioritization of individuals based on “threat level” and continuously monitors and evaluates changes in patterns of behavior over time. According to the CEO of Giant Oak, the tool lets the government know when overall patterns change—for example, when a group of individuals becomes “more . . . prone to violence.” 50Thomas Brewster, “Trump’s Immigration Cops Just Spent $3 Million on These Ex-DARPA Social Media Data Miners,” Forbes, September 27, 2017, https://www.forbes.com/sites/thomasbrewster/2017/09/27/trump-immigration-social-media-surveillance-giant-oak-penlink-palantir/#7a77a4933e3b.

According to the contract, Giant Oak continuously monitors social media and other online sources and returns to CTCEU any information that identifies an individual’s possible location (including location of affiliated organizations), contact information, and employers. 51“Statement of Work,” ICE Contract #HSCEMD-14-C-00002 P00007, 33. The contract outlines various restrictions relating to obtaining information from social media sources. The contractor is only to use publicly accessible, unrestricted online sources; may not circumvent restrictions placed on system users; may not interact with individuals who posted the information; may not appropriate online identities; and must abide by safeguards for personally identifiable information outlined in DHS policy. Ibid., 34. Upon “exhaustion” of that so-called tier 1 information, ICE can request a follow-up search for information about the person’s associates (e.g., friends, family members, coworkers) that could help locate an individual. 52Ibid., 33. The documents also note that the contract grants a Giant Oak “Social Scientist” access to classified information; he/she “tweaks the algorithms” behind GOST to better serve CTCEU’s needs, and works to further specialize the transliteration and name matching tools for “certain ethnic groups, non-Roman languages and alphabets, or countries of origin.” 53Ibid., 35. There is no publicly available information on the scope of ICE’s other contracts with Giant Oak.

3. Extreme Vetting

As detailed below, after sustained opposition from many stakeholders, ICE announced in May 2018 that it had shelved its search for an automated tool for its Extreme Vetting Initiative (now rebranded as the Visa Lifecycle Vetting Initiative). 54See sidebar “Automatic Extreme Vetting,” accompanying notes i-vii. Instead, it has opted to spend $100 million to hire “roughly 180 people to monitor the social media posts of those 10,000 foreign visitors flagged as high-risk, generating new leads as they keep tabs on their social media use.” 55Harwell and Miroff, “ICE Just Abandoned Its Dream of ‘Extreme Vetting’ Software.” Monitoring will continue while these individuals are in the United States, although ICE has stated that it would stop if a visitor was granted legal residency. 56Ibid. There is no public information on the types of social media posts that ICE considers indicative of risk, but if ICE endeavors to undertake predictive tasks based on the criteria outlined in the first version of this program, there is a high risk that the program can be used in discriminatory ways.

ICE awarded this reimagined, human-centered monitoring contract to SRA International (now CSRA Inc., owned by General Dynamics) in June 2018; several vendors filed challenges, which were ultimately denied by the U.S. Government Accountability Office (GAO). 57The award of the contract to CRSA was protested by ManTech, another big data analytics company. The Government Accountability Office issued a recommendation in November 2018 that ICE reevaluate the price quotations submitted by SRA and ManTech and make a new selection decision. Government Accountability Office, “Matter of ManTech Advanced Systems International, Inc.” file B-416734, November 27, 2018, https://www.gao.gov/assets/700/695802.pdf. On February 1, 2019, another protest was filed, by a company called Amyx. See G2Xchange, “Update: Protest of $113M DHS ICE Visa Lifecycle Vetting Operations Support BPA denied,” April 15, 2019, https://etc.g2xchange.com/statics/gao-sides-with-protester-on-113m-dhs-ice-visa-lifecycle-vetting-operations-support-bpa/. On April 9, 2019, Amyx’s protest was denied. Government Accountability Office, “Matter of Amyx, Inc.,” file B-416734.2, April 9, 2019, https://www.gao.gov/assets/700/698548.pdf. As of the publication of this report, no funds had yet been awarded to SRA to carry out the contract. 58DHS Contract with SRA International, August 19, 2018—August 19, 2023, USASpending, https://www.usaspending.gov/#/award/68975297.

As the above discussion makes clear, ICE relies heavily on social media to vet certain categories of individuals at the time of application. It is likely that these are predominantly individuals who are the focus of the Trump administration’s anti-Muslim extreme vetting initiatives. Moreover, the agency is moving toward using social media to monitor and track visa holders and students throughout their stay in the United States, where they would be covered by the First Amendment. It is also evident that the agency intends to rely more and more on software and other automated technologies, which the USCIS pilot programs, discussed earlier, determined were of limited usefulness. 59See supra text accompanying notes 18-24 and infra text accompanying notes 438-441.

Finally, it is worth highlighting that many of the ICE programs described above have been rolled out as pilots. While pilot programs are a useful way to assess new tools, ICE does not seem to systematically measure their effectiveness. It also does not issue privacy impact assessments for most of these activities, which would at least provide a bare minimum of information to illuminate the impacts of ICE programs. Last, public information provided by ICE does not clearly indicate which pilots are still active and how they relate to newer initiatives, leaving the public in the dark about the agency’s activities.


Automated extreme vetting

4. Electronic Device Searches

ICE also collects, extracts, and analyzes information, including social media data, from electronic devices (e.g., cell phones, laptops, tablets, thumb drives) obtained during warrantless border searches and investigations pursuant to search warrant, subpoena, or summons, or provided voluntarily. 60DHS, Privacy Impact Assessment for the Immigration and Customs Enforcement Forensic Analysis of Electronic Media, DHS/ICE/PIA-042, May 11, 2015 (hereinafter ICE Forensic Analysis of Electronic Media 2015 PIA), 1, https://www.dhs.gov/sites/default/files/publications/privacy-pia-forensicanalysisofelectronicmedia-may2015.pdf. For the past decade, ICE, like CBP, has invested in Cellebrite Universal Forensic Extraction Devices (UFEDs), hand-held tools that can instantly extract the full contents of any device, including phones, laptops, and hard drives. 61Thomas Brewster, “US Immigration Splurged $2.2 Million on Phone Hacking Tech Just After Trump’s Travel Ban,” Forbes, April 13, 2018, https://www.forbes.com/sites/thomasbrewster/2017/04/13/post-trump-order-us-immigration-goes-on-mobile-hacking-spending-spree/#16764176a1fc. In recent years ICE has ramped up its purchasing of UFEDs, spending an additional $3.7 million on the tools (which cost between $5,000 and $15,000 each) and licensing since March 2017. 62The total ICE has spent on UFEDs since 2009 is at least $4,289,048. ICE contracts with Cellebrite, February 2, 2009–April 25, 2018, “Spending by Prime Award,” USASpending, https://www.usaspending.gov/#/search/15e82c94e158f05fd85038b24821b92f. According to a forensics community source interviewed by Forbes, one UFED unit sells for between $5,000 and $15,000. Thomas Brewster, “US Immigration Splurged $2.2 Million on Phone Hacking Tech Just After Trump’s Travel Ban.” Not all of the money is spent on actual physical devices, however; some of the funds go to “annual license renewals.” See ICE contract with Cellebrite, April 25, 2018–August 15, 2018, USASpending, https://www.usaspending.gov/#/award/65728721. Though it is not known precisely in what circumstances and for what purposes ICE personnel use these devices, it is clear that ICE has the capability to easily extract swaths of data, including social media information, from electronic devices. While the searches of devices obtained during investigations are limited by the scope of the relevant search warrant, subpoena, or summons, ICE claims virtually unchecked authority to search and extract data from devices seized at the border, including social media data and other personal information.

A. Warrantless Border Searches

ICE, like CBP, collects information obtained from electronic devices at the border, which it justifies as necessary to supplement its investigations and enforcement of immigration laws. 63ICE/CBP Electronic Device Searches 2009 PIA, 18. Whereas CBP recently issued a revised policy on its border searches, ICE operates under policy guidance issued nearly a decade ago. This guidance includes neither the stricter rules for forensic searches nor the restrictions on accessing data stored in the cloud or remote networks that CBP added to its guidance seemingly in response to a federal court case. 64See supra text accompanying notes 142-148. Instead, it allows agents to “search, detain, seize, retain, and share” electronic devices and any information they contain without individualized suspicion. 65ICE 2009 Directive, Border Searches of Electronic Devices, 2. In other words, ICE appears to claim a right of access to the full gamut of information on travelers’ phones and in their social media accounts, even where there is no suspicion of wrongdoing. 66Documents note that searches should “to the extent practicable” be conducted in the presence of or with knowledge of the traveler. As with CBP, this is sometimes not practicable due to law enforcement, national security, or other concerns. Ibid.

ICE claims its authority to search electronic devices at the border derives from statutes passed by the First Congress, such as the Act of August 4, 1790, which grants customs inspection authority over “goods, wares, or merchandise” entering the country. 67ICE/CBP Electronic Device Searches 2009 PIA, 3; Act of August 4, 1790, 1 Stat. 164. Though the 2009 privacy impact assessment asserts that “travelers’ electronic devices are equally subject to search” as the “merchandise” described in 1790, the amount of sensitive information contained in electronic devices like cell phones is hardly comparable. 68ICE claims that electronic devices are equally subject to search because “the information contained in them may be relevant to DHS’s customs and immigration inspection processes and decisions.” ICE/CBP Electronic Device Searches 2009 PIA, 3. Indeed, as the Supreme Court noted critically in a recent case, treating cell phones as functionally identical to other physical items of similar size “is like saying a ride on horseback is materially indistinguishable from a flight to the moon.” 69Riley v. California, 134 S. Ct. 2473, 2488 (2014).

According to the relevant directive, detained devices are typically held for no more than 30 days, unless “circumstances exist that warrant more time.” 70ICE 2009 Directive, Border Searches of Electronic Devices, 5. If detained longer, they require supervisory approval every 15 days thereafter. Ibid. Copies of the content obtained from devices are stored on either an ICE external hard drive or a computer system, neither of which is connected to a shared or remote network. 71ICE/CBP Electronic Device Searches 2009 PIA, 8. However, notes from any stage of the search process, typically relating to information that is “relevant” to immigration, customs, or other laws enforced by DHS, 72The sole example given is that of a traveler who appears to be permitted legal entry as a visitor, but whose laptop contains a file revealing evidence of his “true intent to secure employment” in the United States, “making him inadmissible.” Ibid., 5. can be stored by ICE in “any of their recordkeeping systems,” such as the Intelligence Records System. 73Ibid., 5. Notes from the search process can be kept for as long as allowed by the retention schedule of the system the notes are stored in. Ibid., 19. See also DHS Privacy Office, Notice of Privacy Act System of Records, ICE– 006 Intelligence Records System of Records, 75 Fed. Reg. 9233, 9235 (March 1, 2010) (hereinafter IIRS SORN), https://www.federalregister.gov/d/2010-4102/p-3. The standard for relevance is left undefined, leaving ample room to collect a range of innocuous and often personal electronic content.

ICE can disseminate copies of information from an electronic device to federal, state, local, and foreign law enforcement agencies. 74ICE 2009 Directive, Border Searches of Electronic Devices, 7. CBP and ICE have 76 Customs Mutual Assistance Agreements to share information with foreign customs partners in support of specific cases. CBP, “DHS Transition Issue Paper: International Information Sharing,” in CBP Presidential Transition Records, 2. While ICE must have reasonable suspicion that the information on a device is evidence of a crime in order to share device information with other federal agencies for subject matter assistance, no suspicion is required to ask for technical assistance, which can encompass translation and decryption services. 75ICE/CBP Electronic Device Searches 2009 PIA, 9. According to the ICE directive, information shared with assisting agencies is retained only for the amount of time necessary to provide assistance and is generally returned or destroyed upon completion. However, an assisting federal agency may retain a copy if it has the independent legal authority to do so (e.g., when the information has “national security or intelligence value”). ICE 2009 Directive, Border Searches of Electronic Devices, 8. Further, ICE is specifically authorized to disseminate any device information “relating to national security” to law enforcement and intelligence agencies. 76Memorandum from director, ICE Office of Investigations, to assistant directors et al., “Field Guidance on Handling Detained or Seized Electronic Media,” 2. There are few details available about ICE’s auditing mechanisms for its border searches; we know only that the agency conducts regular “self-assessments” to “verify compliance with its responsibilities.” ICE/CBP Electronic Device Searches 2009 PIA, 25. While ICE is meant to develop and “periodically administer” an auditing mechanism to assess whether border searches of electronic devices are being conducted in line with its directive, it is not known whether the agency has done so. See ICE 2009 Directive, Border Searches of Electronic Devices, 10.

In short, ICE can access information stored on devices and from social media with no suspicion of criminal activity. It uses this information to support investigations and make admissibility determinations, but also as a broader means of information collection. There are few restrictions on how information obtained from electronic devices is used and disseminated. And the information, including social media identifiers and other personal data, can be stored in any number of ICE’s databases, to which countless people have access, and shared with law enforcement as long as it is considered to “relate” to national security.

B. Extraction and Analysis of Electronic Media

Once ICE has obtained access to electronic devices through a warrantless border search or obtained access to “electronic media” (a slightly broader category that also includes thumb drives, hard drives, other storage devices, etc.) via subpoena 77ICE has legal authority to issue subpoenas, summonses, and Form I-9 notices through 50 U.S.C. App. § 2411(a) for the Export Subpoena, 21 U.S.C. § 967 for the Controlled Substance Enforcement Subpoena, 19 U.S.C. § 1509 for the Customs Summons, Immigration and Nationality Act (INA) § 235(d)(4)(A) for the Immigration Subpoena, and INA § 274A(e)(2)(C) for the Form I-9 notice. DHS, Privacy Impact Assessment for the ICE Subpoena System, March 29, 2011, https://www.dhs.gov/sites/default/files/publications/privacy_pia_27_ice_iss.pdf. For example, ICE can subpoena witness testimony before immigration officers and the production of books, papers, and documents “relating to the privilege of any person to enter, reenter, reside in, or pass through the United States or concerning any matter which is material and relevant to the enforcement of this Act and the administration of the Service.” INA § 235(d)(4)(A). or warrant, it can extract and analyze information if the data could be “pertinent” to an investigation or enforcement activity. 78ICE Forensic Analysis of Electronic Media 2015 PIA, 5, 6. Agents use a variety of electronic tools to collect and comb through electronic media and extract “relevant evidentiary material.” For example, certain tools make digital images of the media, create a mirror copy to use as the working copy, and index and extract files and other data points. Some require an agent to create index terms for search purposes, whereas others have terms that are predetermined “based on the common type of data found in electronic media.” Ibid., 2. The 2015 privacy impact assessment does not list any tools by name, noting only that multiple tools may be used on a single device. Ibid., 6. However, given that ICE has purchased UFEDs, which are designed for these types of functions, it is likely that they are used throughout HSI operations involving electronic media, during investigations as well as border searches. See supra text accompanying notes 134-135 and 367-368.

According to the 2015 Privacy Impact Assessment for the Forensic Analysis of Electronic Media, which encompasses electronic devices obtained during both border searches and investigations, the data extracted and analyzed by ICE could pertain to numerous individuals beyond the person in possession of the device, including witnesses, informants, members of the public, and victims of crimes. 79Ibid., 5. Extracted data may also include sensitive personally identifiable information such as medical and financial information, records containing communications such as text messages and emails, and records of internet activity. 80Ibid., 2. These records could reveal a host of sensitive data, including medical conditions, political and religious affiliations, and internet browsing preferences.

Information extracted from devices that are obtained during investigations is retained according to a proposed schedule that varies depending on the nature and outcome of the investigation. 81For cases that do not result in prosecution, the original digital evidence is retained until the case is closed, unless the evidence is required for follow-up investigation, in which case it is retained for 16 years. For open cases where there is no statute of limitations for the crime, the original digital evidence is considered a permanent record and preserved indefinitely. Ibid., 8. There is extremely wide authority to disclose information to other agencies — including federal, state, local, and foreign law enforcement counterparts. 82Ibid., 9. There also seems to be broad authority for re-dissemination by law enforcement partners. 83According to the privacy impact assessment, “the information may be further disseminated by recipients on a need-to-know basis in order to ensure proper investigation and prosecution of criminal violations. If evidence of a potential law violation is extracted from digital media, it may be used as necessary by the recipient to carry out its law enforcement functions, including prosecution of the violation. This could involve re-dissemination to others whose input is needed.” Ibid., 9-10.

ICE uses a variety of unspecified electronic tools to analyze the media it extracts from devices via its border search authority or obtains during investigations. 84Ibid., 1. The 2015 privacy impact assessment lists four types of analyses that agents can conduct using these tools: time frame analyses (to help determine when various activities occurred on a device), data hiding (to find and recover concealed data), application and file analyses (to correlate files to installed applications, examine a drive’s file structure, or review metadata), and ownership and possession reviews (to identify individuals who created, modified, or accessed a given file). 85Ibid., 2. Some of the tools are “government off-the-shelf applications,” whereas others are developed specifically for and purchased by ICE. Ibid. The tools also can be used to “highlight anomalies” in the data. 86Ibid., 7.

Social media information and other data extracted from electronic devices during investigations and border searches are stored in ICE’s Intelligence Records System. 87IIRS SORN, 9235. That data is then ingested into FALCON-SA, which has a number of analytical capabilities including “social network analysis,” and will be discussed in the Analytical Tools and Databases section below. 88FALCON-SA 2016 PIA, 32; ICE, “Social Network Analysis: Advanced Reference Guide,” 1, https://epic.org/foia/dhs/ice/palantir-databases/FALCON-Social-Network-Analysis-Reference-Guide.pdf.

Thus, based on a low threshold of “pertinence,” ICE uses sophisticated tools to extract social media data from electronic devices that it obtains during border searches and investigations. The extracted data is then subject to a variety of analyses (about which we know little), while notes about the information may be shared widely within and beyond DHS and potentially channeled into other systems for additional analyses. ICE’s extraction of social media data from electronic media is yet another example of how the extensive DHS information-sharing apparatus enables data to be collected for one purpose under a malleable standard and then stored, shared, and reused for secondary purposes.

5. Analytical Tools and Databases

The numerous sources of information gathered by ICE operations and investigations are consolidated into several large databases. The main ICE database for compiling and analyzing social media information is the FALCON Search & Analysis System (FALCON-SA). 89FALCON-SA contains information on various categories of individuals, such as those who are the subject of investigations or border encounters with DHS or individuals associated with tips concerning criminal or suspicious activity. FALCON-SA 2016 PIA, 4. FALCON-SA records may include some or all of the following types of personally identifiable information: identifying and biographic data, citizenship and immigration data, customs import-export history, criminal history, contact information, criminal associations, family relationships, employment, military service, education, and other background information. Ibid. ICE personnel use FALCON-SA to conduct two kinds of analyses using social media data: trend analysis, or identifying patterns, anomalies, and shifts in data to guide operational strategy or predict future outcomes; 90DHS Management Directorate, “DHS Lexicon Terms and Definitions,” 473 (defining pattern analysis). and link and network analysis, or identifying connections among individuals, groups, incidents, or activities. 91FALCON-SA 2016 PIA, 2-3. This section will describe how FALCON-SA and its source systems enable these processes by gathering and storing information from numerous sources about a wide variety of individuals, disseminating information broadly, and applying unknown analytical tools to draw conclusions that impact ICE operations.

Although FALCON-SA does not itself extract data directly from social media, users can add social media information from other systems to FALCON-SA without restriction, and FALCON-SA automatically ingests data from several other databases that store social media information. 92Users can add social media information to FALCON-SA either to “verify or update information already in the system” or “to add other information about an individual that is not available in FALCON-SA” already. DHS, Privacy Impact Assessment Update for the FALCON Search & Analysis System, DHS/ICE/PIA-032(a), January 16, 2014, 10, https://www.dhs.gov/sites/default/files/publications/privacy_pia_ice_falconsa_january2014.pdf. “Open-source data,” which includes social media information, is listed as a category of data that can be uploaded into FALCON-SA on an ad hoc basis. FALCON-SA 2016 PIA, 35. For instance, every day, FALCON-SA ingests information from ICE’s Investigative Case Management (ICM) system relating to current or previous law enforcement investigations, as well as ICE and CBP lookout records, 93Lookout records are based on law enforcement, anti-terrorism, travel document fraud, or other interests based on previous violations of law or suspicion of violations. CBP officers use lookout records at primary and secondary inspection processing at the ports of entry. See DHS, Privacy Impact Assessment for the TECS System: Platform, DHS/CBP/PIA-021, August 12, 2016, 12, https://www.dhs.gov/sites/default/files/publications/DHS-PIA-ALL-021%20TECS%20System%20Platform.pdf. which can include records of electronic devices searched at the border, including details gleaned from inspections of social media applications. 94CBP and ICE both use TECS for lookout records, and TECS stores records of electronic device searches, which may be included in lookout records. OIG 2018 Electronic Device Report, 4. ICM also transfers to FALCON-SA telecommunications information about subjects of ICE criminal investigations, potential targets, associates of targets, or any individuals or entities who call or receive calls from these individuals. 95FALCON-SA 2016 PIA, 32-33. On an ad hoc basis, ATS border crossing data and inbound/outbound shipment records are also uploaded into FALCON-SA. 96Other data sources in FALCON-SA include ad hoc uploads of criminal history information and warrant or other lookout records from domestic and foreign law enforcement sources, including the FBI’s National Crime Information Center (NCIC); finished intelligence reports generated by DHS and other law enforcement or intelligence agencies; and information or reports supplied by foreign governments and multinational organizations. FALCON-SA 2016 PIA, 35-6. Passenger Name Record (PNR) data obtained from ATS may not be uploaded or entered into FALCON-SA. Ibid., 35. While ICM’s telecommunications data and ATS’s border crossing and shipment data likely do not include social media information, once all these elements are combined with the other sources in FALCON-SA, the aggregation of information may collectively reveal a wealth of details about an individual’s travels, family, religious affiliations, and more. 97For instance, telecommunications records could be helpful in providing additional information about one’s “social network.” According to 2013 DHS funding documents that the Intercept obtained via FOIA request, FALCON-SA allows users “to follow target telephone activity and GPS movement on a map in real time.” DHS, “FALCON New Requirements for Outline,” 2013, 5, https://www.documentcloud.org/documents/3517286-FALCON-New-Requirements-Outline.html#document/p1. See also Spencer Woodman, “Palantir Enables Immigration Agents to Access Information From the CIA,” Intercept, March 17, 2017, https://theintercept.com/2017/03/17/palantir-enables-immigration-agents-to-access-information-from-the-cia/.

FALCON-SA users are able to combine these various forms of information and apply the system’s built-in trend analysis tools in order to highlight patterns, shifts in criminal tactics, emerging threats, and strategic goals and objectives. 98FALCON-SA 2016 PIA, 2. These findings are then shared with DHS and ICE leadership, agents, officers, and other employees in the form of law enforcement intelligence products or reports. To produce these reports, FALCON-SA retains “all information that may aid in establishing patterns of unlawful activity,” even if that information may not be strictly relevant or necessary for an investigation, and even if the accuracy of the information is unclear. 99DHS Privacy Office, Notice of Proposed Rulemaking, ICE–016 FALCON Search and Analysis System of Record, 82 Fed. Reg. 20844, 20846 (May 4, 2017), https://www.regulations.gov/document?D=DHS_FRDOC_0001-1573.

To support its network analytics functions, FALCON-SA, like CBP’s Analytical Framework for Intelligence, regularly ingests large amounts of information about individuals from another database, the ICE Intelligence Records System (IIRS). 100The following types of information from IIRS are ingested by FALCON-SA: “law enforcement, intelligence, crime, and incident reports, and reports of suspicious activities, threats, or other incidents generated by ICE and other agencies.” FALCON-SA 2016 PIA, 32. ICE’s Office of Intelligence manages IIRS. IIRS SORN, 9233. IIRS, like the CBP Intelligence Records System, contains information on a wide variety of individuals, including people who are not suspected of any criminal activity or seeking any type of immigration benefit, such as associates of people seeking visas or naturalization, including Americans; people identified in public news reports; and people who have reported suspicious activities or incidents. 101IIRS SORN, 9235. IIRS also contains electronic data and other information collected during ICE investigations and border searches, likely including social media data extracted from devices. 102Ibid. The ICE Intelligence Records System maintains records to produce intelligence reports that provide actionable information to ICE personnel and other government agencies. Ibid. Sources for the system also include records from commercial vendors and publicly available data, such as social media information, which are not required to be relevant or necessary. 103All information that may help establish patterns of unlawful activity is retained, whether relevant or necessary to an investigation. DHS Privacy Office, Final Rule, ICE–006 Intelligence Records System, 75 Fed. Reg. 12437, 12438 (March 16, 2010), http://www.gpo.gov/fdsys/pkg/FR-2010-03-16/pdf/2010-5618.pdf. Other records in the system include terrorist watch list information; records pertaining to known or suspected terrorists, terrorist incidents, activities, groups, and threats; intelligence reporting from other groups or agencies; and suspicious activity and threat reports from ICE and outside entities. IIRS SORN 9235, 9237.

Information from IIRS, ICM, and ATS is transferred to FALCON-SA, where it informs FALCON-SA’s network analysis, highlighting associations between individuals and data elements. 104FALCON-SA 2016 PIA, 2, 32-3. Users can then identify possible connections among existing ICE investigations and create visualizations (e.g., maps, charts, tables) that display connections and relationships among people and enterprises. 105Ibid., 2-3. According to documents obtained by the Electronic Privacy Information Center via FOIA, FALCON has “social network analysis” capabilities that seem to rely on social media data. 106ICE, “Social Network Analysis: Advanced Reference Guide,” 1, https://epic.org/foia/dhs/ice/palantir-databases/FALCON-Social-Network-Analysis-Reference-Guide.pdf. ICE has not made clear whether ERO agents can directly access FALCON-SA to track down undocumented immigrants, although they can get such information from HSI. 107Potential ERO access to the system is not addressed in FALCON-SA privacy impact assessments or system of records notices. FALCON-SA 2016 PIA; DHS, System of Records Notice, FALCON-Search and Analysis System of Records, 82 Fed. Reg. 20905 (May 4, 2017), https://www.regulations.gov/contentStreamer?documentId=DHS-2017-0001-0001&contentType=pdf. However, HSI can share information from FALCON-SA with ERO on a need-to-know basis. Ibid., 20906. See also Woodman, “Palantir Provides the Engine for Donald Trump’s Deportation Machine” (noting that ICE did not respond to questions about whether FALCON is made available to ERO agents).

Schedule of Data Transfer to FALCON-SA

Notably, the operations of FALCON-SA, which is one of three ICE FALCON modules, 108Other FALCON modules include FALCON Data Analysis and Research for Trade Transparency (DARTTS) and the FALCON Roadrunner System. FALCON-SA 2016 PIA, 34; DHS, Privacy Impact Assessment for the FALCON-Roadrunner DHS/ICE/PIA-040, November 12, 2014, https://www.dhs.gov/sites/default/files/publications/privacy-pia-ice-falconroadrunner-november2014.pdf. are intimately connected with ICE’s contracts with the technology company Palantir. 109Electronic Privacy Information Center, FOIA Request Letter to Pavlik-Keenan, 1-2; See alsoWoodman, “Palantir Enables Immigration Agents to Access Information From the CIA.” According to the Palantir Licensing Terms and Conditions for FALCON, released in response to a FOIA request, FALCON is based on Palantir’s Gotham platform, a software system unique to ICE that allows the agency to analyze complex data sets containing detailed personal information about individuals. 110Homeland Security Investigations Mission Support, “FALCON Operations & Maintenance Support & System Enhancement, Performance Work Statement,” 16. Publicly available contract notices reveal that in November 2018, Palantir began a new one-year, $42.3 million contract with ICE for “FALCON

Operations & Maintenance,” which brings the total for such contracts for FALCON to about $94 million. 111ICE contract with Palantir Technologies Inc., “FALCON Operations and Maintenance (O&M) Support Services and Optional Enhancements,” November 28, 2018–November 27, 2019, USASpending, https://www.usaspending.gov/#/award/75332582. In May 2018, Palantir concluded a three-year contract for work on FALCON worth $39 million. ICE contract with Palantir Technologies Inc., “FALCON Operations and Maintenance (O&M), System Enhancement Support Services for Palantir Government,” May 28, 2015–May 27, 2018, USASpending, https://www.usaspending.gov/#/award/23844369. See also earlier contract for FALCON work, ICE contract with Palantir Technologies Inc., “FALCON Operations and Maintenance (O&M) Support Services,” June 14, 2013–May 27, 2015, USASpending, https://www.usaspending.gov/#/award/23843927. Between June 7 and 18, 2018, Palantir completed a $250,000 contract with ICE for “Palantir Gotham Software,” likely for FALCON software upgrades. ICE contract with Palantir Technologies Inc., “Palantir Gotham Software,” June 7–18, 2018, USASpending, https://www.usaspending.gov/#/award/66572630. Many aspects of Palantir’s work with ICE — described in further detail in the Investigations section, above — remain undisclosed, such as the privacy protections for personal information, including social media data, that resides in FALCON-SA.

In sum, ICE’s analytical tools aim to fully exploit the broad array of sensitive information, including social media data, collected by ICE agents and other DHS components. FALCON-SA houses social media data, for which there are no accuracy requirements, from numerous sources. This information is subjected to unspecified trend and network analyses, the efficacy of which is not publicly understood. While people seeking immigration benefits bear the brunt of this scrutiny, their American friends, relatives, and business associates are sucked into these repositories of information as well.

End Notes

U.S. Citizenship and Immigration Services

U.S. Citizenship and Immigration Services (USCIS) processes and adjudicates applications and petitions for a variety of immigration benefits, including adjustment of status (for instance, from a student visa to a green card), naturalization, and asylum and refugee status. 1FDNS 2014 PIA, 1-2. USCIS’s Fraud Detection and National Security Directorate (FDNS) performs background checks, processes immigration applications, investigates immigration benefit fraud, and functions as the link between USCIS and law enforcement and intelligence agencies. 2Ibid., 1. Other USCIS directorates, such as the Field Operations Directorate, are also “exploring” social media as an added vetting tool. Citizenship and Immigration Services Ombudsman, Annual Report 2018, June 28, 2018 (hereinafter USCIS 2018 Annual Report), 34, https://www.dhs.gov/sites/default/files/publications/DHS%20Annual%20Report%202018.pdf. The ambiguous nature of social media information collected by USCIS raises concerns about how it will be interpreted, especially for Muslims who are the targets of many of these programs. Indeed, while USCIS is expanding these programs, an inspector general report shows that the agency has not evaluated much less demonstrated — their effectiveness.

1. Vetting

FDNS uses social media in a few contexts relating to its vetting initiatives, primarily to aid in determining an individual’s admissibility or eligibility. 3USCIS 2018 Annual Report, 34. In 2014, FDNS started a pilot Social Media Division, which was made permanent in 2016. It was later expanded under an initiative known as FDNS “Enhanced Review.” 4Hearing on Refugee Admissions: Cissna Testimony, 5; USCIS 2018 Annual Report, 34.

In 2015 and 2016, USCIS undertook five pilot programs to test the use of social media for screening and vetting. Four programs targeted refugees, and one focused on K-1 (fiancé[e]) visa applicants for adjustment of status. 5Office of Inspector General, DHS’ Pilots for Social Media Screening Need Increased Rigor to Ensure Scalability and Long-term Success, 8; USCIS Briefing Book, 180. While it is unclear which pilots have continued or been made permanent, public documents show that examining social media has become a key part of vetting refugees and asylum seekers in particular.

A. Vetting for Refugees and Asylum Seekers

According to DHS documents, the Social Media Division of FDNS performs social media vetting on “certain” asylum applications and screens refugee applicant data for “select populations” against publicly available information. 6USCIS 2018 Annual Report, 34. In October 2017, the director of USCIS told Congress that the “select populations” included Syrians, and that USCIS was working to refine and expand its use of social media to target additional categories of refugee and asylum applicants. 7Hearing on Refugee Admissions: Cissna Testimony, 5. This statement came shortly after the Trump administration announced new “enhanced vetting capabilities” for refugees from 11 countries identified as posing a “higher risk.” 8Rex W. Tillerson, Elaine Duke, and Daniel Coats, Memorandum to the President, “Resuming the United States Refugee Admissions Program With Enhanced Vetting Capabilities,” October 23, 2017, 2, https://www.dhs.gov/sites/default/files/publications/17_1023_S1_Refugee-Admissions-Program.pdf. The countries were not publicly identified by the administration, but it seems likely that this additional screening is targeted primarily at Muslims: the FDNS “Enhanced Review” was triggered by the Muslim ban executive order. 9Exec. Order No. 13,780, 82 Fed. Reg. 13209 (March 6, 2017), https://www.gpo.gov/fdsys/pkg/FR-2017-03-09/pdf/2017-04837.pdf. Refugee Council USA, a coalition of organizations focused on refugee protection and resettlement, told CNN that as of January 2018 the list of countries subject to enhanced review included Egypt, Iran, Iraq, Libya, Mali, North Korea, Somalia, South Sudan, Sudan, Syria, and Yemen. 10Laura Koran and Tal Kopan, “US Increases Vetting and Resumes Processing of Refugees From ‘High-Risk’ Countries” Of the earlier social media pilots undertaken by USCIS, at least two focused solely on refugee applicants from Syria, one focused solely on refugee applicants from Syria and Iraq, and at least two used automated tools that were capable only of translating social media posts from Arabic. 11See USCIS, Review of the Defense Advanced Research Projects Agency 2.0 Social Media Pilot, June 2, 2016, 9, https://www.documentcloud.org/documents/4341532-COW2017000400-FOIA-Response.html#document/p1; USCIS Briefing Book, 181.

All refugee applicants, as well as those who gain status through an applicant (e.g., a spouse or child), undergo a variety of checks. 12DHS, Privacy Impact Assessment for the Refugee Case Processing and Security Vetting, DHS/USCIS/PIA-068, July 21, 2017 (hereinafter USCIS 2017 Refugee Vetting PIA), 5, https://www.dhs.gov/sites/default/files/publications/privacy-pia-uscis-refugee-july2017.pdf. The U.S. Refugee Admissions Program is the program charged with vetting the entry of and resettling eligible refugees to the United States. Although the Department of State is the overall manager, the program is jointly run with USCIS. Ibid., 1. FDNS is responsible for conducting social media checks on refugee applicants. Ibid., 7. “Select applicant populations” are subject to social media checks, during which an FDNS officer looks at social media for information relating to their claim for refugee status or indication of potential fraud, criminal activity, or national security concerns. 13Ibid., 7. During such checks, officers initially collect information using a government-affiliated account and username and do not interact with applicants through social media; this process is defined as overt research. When USCIS deems that an application presents a national security or public safety concern and overt research could “compromise the integrity” of an investigation, officers are permitted to use identities that do not identify their DHS or government affiliation in a process known as masked monitoring. 14Ibid. The prohibition on interacting with applicants, however, still applies during masked monitoring. Ibid., 8.

A 2015 FDNS memorandum on the use of social media for refugee processing notes that officers will limit collection of information related to First Amendment–protected activities to information that is “reasonably related to adjudicative, investigative, or incident response matters.” 15León Rodriguez, USCIS director, to Sarah M. Kendall, associate director, Fraud Detection and National Security, and Joseph E. Langlois, associate director, Refugee, Asylum and International Operations, “Fraud Detection and National Security Use of Social Media for Refugee Processing,” April 7, 2015, https://www.dhs.gov/sites/default/files/publications/USCIS%20Presidential%20Transition%20Records.pdf#page=1442. The privacy impact assessment for refugee vetting notes that officers may provide the refuge seeker a chance to view and explain a social media posting found during vetting, and that the decision on a refugee’s resettlement or employment eligibility cannot be made solely on the basis of information obtained from social media. 16USCIS 2017 Refugee Vetting PIA, 18.

As of November 2016, DHS reported that no immigration benefit had been denied “solely or primarily” as a result of information found on social media. 17USCIS Briefing Book, 183. In fact, DHS concluded that information found during screening had merely a “limited” impact in “a small number of cases” in which the data was used for developing additional avenues of inquiry, and that social media information had little to no impact in the vast majority of cases. 18Ibid. This low “hit” rate raises questions about the value of focusing resources on collecting and analyzing this type of data.

For asylum seekers, DHS officers compare information from social media and other public and commercial sources against the information that applicants provide regarding when they entered the United States, how long they have been in the country, and even when they “encountered harm outside the United States.” 19DHS, Privacy Impact Assessment for the USCIS Asylum Division, DHS/USCIS/PIA-027(C), July 21, 2017 (hereinafter USCIS 2017 Asylum Division PIA), 20, https://www.dhs.gov/sites/default/files/publications/privacy-pia-uscis-asylum-july2017_0.pdf. Asylum officers are trained to compare public and commercial data with “applicant-reported information”; if they find an inconsistency, they “must confront the applicant with that information” and provide an opportunity to explain it. 20USCIS 2017 Asylum Division PIA, 20-21.

Although FDNS has tested automated tools to vet the social media of individuals seeking refuge, the extent to which such tools are currently used is not known. In pilot programs related to refugee applications, officers identified serious problems with the tools tested. Some of these were practical problems, such as language limitations (most tools are English-focused) and efforts by social media companies to prevent their platforms from being used as surveillance tools by blocking access to big data feeds. 21USCIS Briefing Book, 183. Further, when automated tools were used, officers had to manually review the results just to decipher whether the applicant had been correctly matched to the social media account identified. 22USCIS, “USCIS Social Media & Vetting: Overview and Efforts to Date,” 3.

In reviewing flagged items, FDNS officers are required to check for “national security indicators,” but there seems to be a lack of clarity about what this means. In 2017, two years after the pilot programs were launched, DHS personnel reportedly expressed a need for a definition of what constitutes a “national security indicator in the context of social media.” 23Ibid. The DHS inspector general noted a similar problem: his office was unable to evaluate specific policies and procedures for the pilot programs — because none existed. 24Office of Inspector General, DHS’ Pilots for Social Media Screening Need Increased Rigor, 1, 6. Even more troubling, the inspector general found that DHS had simply failed to measure the effectiveness of the pilot programs, making them unsuitable as models for future initiatives.

According to the refugee program privacy impact assessment, five separate systems retain information for refugee processing, but none are described as containing social media data collected by DHS. 25USCIS 2017 Refugee Vetting PIA, 2. For example, the results of background checks, which may be informed by social media information, are stored in the State Department’s refugee case management system, the Worldwide Refugee Admissions Processing System (WRAPS), but only in the form of a check’s outcome (“clear” or “not clear”). 26The “clear” and “not clear” designations are applied to the date of the background check, whether the check found any derogatory results, whether the results were resolved, and the expiration date of the results. USCIS 2017 Refugee Vetting PIA, 9.

However, social media information is kept in a far-reaching system known as the Alien Files (A-Files), which covers every immigrant and some visitors to the United States. 27A-Files SORN, 43556 . USCIS is the main custodian of the system, with ICE and CBP regularly contributing to and using the data contained in it. 28Ibid., 43557. An individual’s A-File is considered the official record of his or her immigration history and is used by a wide array of agency personnel for legal, fiscal, and administrative needs, such as naturalization and deportation proceedings. 29Ibid. A September 2017 notice in the Federal Register made clear that DHS collects and keeps social media information (handles, aliases, associated identifiable information, and search results) relating to immigrants, including legal permanent residents and naturalized citizens. In an email to the news site Gizmodo, DHS stated that “the notice does not authorize USCIS to search the social media accounts of naturalized citizens,” which begs the question of whether other authorities are used to undertake such searches and leaves unaddressed the implications for people who have legal permanent resident status. 30Matt Novak, “US Homeland Security Says Tracking Social Media of Immigrants Is Nothing New,” Gizmodo, September 28, 2017, https://gizmodo.com/us-homeland-security-says-tracking-social-media-of-immi-1818875395. Regardless of whether new collection occurs, the 100-year A-File retention period means that DHS and other agencies can access and potentially use information gathered from social media long after an immigrant has completed the naturalization process. Despite questions from the press, DHS has not publicly clarified if and how this information could be used in the future.

To summarize, social media is used by USCIS in vetting people who apply for immigration benefits (such as students who become employed and change their visa status, or green card holders who become naturalized), and this information is retained in their A-Files. As discussed above, USCIS itself found that social media monitoring was not particularly helpful when it tested social media vetting for five programs. It has nonetheless proceeded with expanding its use of social media in several contexts, especially the vetting of refugee applicants and asylum seekers. It appears that such uses are focused on checking information provided by applicants, which may be justified for situations in which people seeking such status do not have documentation. But the ambiguous nature of social media raises concerns, as does the apparent targeting of certain — likely Muslim — applicants for such additional screening. Finally, as the inspector general’s evaluation of these programs clearly indicates, DHS has made no effort to evaluate their effectiveness.

B. Vetting for the Controlled Application Review and Resolution Program

Social media reviews are also used in the Controlled Application Review and Resolution Program (CARRP), a secretive FDNS program instituted in 2008 for flagging and processing cases that present “national security concerns.” 31USCIS, Review of the Defense Advanced Research Projects Agency 2.0 Social Media Pilot, 57; Jonathan R. Scharfen, deputy director, USCIS, to field leadership, “Policy for Vetting and Adjudicating Cases With National Security Concerns,” 1, April 11, 2008, (hereinafter CARRP Policy for Vetting and Adjudicating Cases With National Security Concerns), https://www.uscis.gov/sites/default/files/USCIS/About%20Us/Electronic%20Reading%20Room/Policies_and_Manuals/CARRP_Guidance.pdf. An individual who is placed on the CARRP track is essentially blacklisted. 32See, for example, Jennie Pasquarella, Muslims Need Not Apply: How USCIS Secretly Mandates Discriminatory Delays and Denials of Citizenship and Immigration Benefits to Aspiring Americans, ACLU of Southern California, August 2013, 1, https://www.aclusocal.org/sites/default/files/carrp-muslims-need-not-apply-aclu-socal-report.pdf. The CARRP policy applies to “all applications and petitions that convey immigrant and nonimmigrant status.” CARRP Policy for Vetting and Adjudicating Cases With National Security Concerns, 1. The ACLU of Southern California has further clarified that this includes individuals applying for asylum, visas, green cards, and naturalization. Pasquarella, Muslims Need Not Apply, 9. According to a study by the American Civil Liberties Union (ACLU), CARRP uses vague, overly broad, and discriminatory criteria and disproportionately targets Muslims and individuals from Muslim-majority countries. 33Pasquarella, Muslims Need Not Apply, 2-3. The program has been challenged in court as “extra-statutory, unlawful, and unconstitutional.” 34Wagafe v. Trump, No. C17-0094-RAJ, 2017 WL 2671254, at *1 (W.D. Wash. June 21, 2017). A USCIS briefing book indicates that in July 2016, officers began screening social media accounts for Syrian and Iraqi CARRP cases specifically, though other documents suggest that social media is used to vet other populations as well. 35USCIS Briefing Book, 182.

Applicants can be referred to CARRP in a variety of ways. Individuals who are flagged as known or suspected terrorists (including anyone in the FBI’s overbroad Terrorist Screening Database, discussed above 36National Counterterrorism Center, “Watchlisting Guidance,” 10. For more information on this watch list and the privacy and civil liberties issues associated with it, see supra text accompanying notes 267-273. ) are automatically flagged as a national security concern and put on the CARRP track. 37Pasquarella, Muslims Need Not Apply, 17. People can also be referred to CARRP at any stage of the screening and adjudicative process (e.g., when applying for citizenship or a green card) if they might present a “national security concern.” 38Ibid. According to CARRP officer guidance, officers may utilize open-source research, including searching social media information, to identify an indicator of a national security concern. 39According to the CARRP definition, a national security concern arises when “an individual or organization has been determined to have an articulable link to prior, current, or planned involvement in, or association with, an activity, individual or organization described in [the security and terrorism sections] of the Immigration and Nationality Act.” CARRP Policy for Vetting and Adjudicating Cases With National Security Concerns, 1n1. However, the looseness of terms used in the definition — e.g., “articulable link,” which can be attenuated or unsubstantiated, and “association,” which can be distant or marginal — means that the government has extensive leeway to place someone on the CARRP list. Amended Complaint for Declaratory and Injunctive Relief, Wagafe v. Trump (W.D. Wash. Feb. 1, 2017), https://www.aclu.org/legal-document/wagafe-v-uscis-amended-complaint. See also Katie Traverso and Jennie Pasquarella, “Practice Advisory: USCIS’s Controlled Application Review and Resolution Program,” 3, https://www.nationalimmigrationproject.org/PDFs/practitioners/our_lit/impact_litigation/2017_03Jan-ACLU-CARRP-advisory.pdf. The training handbook lists three broad categories of “non-statutory indicators” officers can consider to be indicative of a national security concern: “employment, training, or government affiliations” (e.g., foreign language expertise); “other suspicious activities” (e.g., unusual travel patterns); and “family members or close associates” (e.g., a roommate, coworker, or affiliate) who have been identified as national security concerns. 40A guidance states that in “Family Member or Close Associate” cases, officers must determine “if the [national security] concern relates to the individual, and if so, if it gives rise to a [national security] concern for the individual.” USCIS, “CARRP Officer Training,” April 2009, 5, https://www.aclusocal.org/sites/default/files/wp-content/uploads/2013/01/Guiance-for-Identifying-NS-Concerns-USCIS-CARRP-Training-Mar.-2009.pdf.

While these factors could be relevant to national security, they also give USCIS officers great discretion and present serious due process and free speech concerns, particularly in the case of individuals who are in the United States and seeking adjustment of status.

C. Immigration Benefits Determinations

FDNS officers consult social media websites and commercial data sources, including Thomson Reuters’s CLEAR database (discussed in the ICE section, above), during the screening of immigration benefit request forms, applications, or petitions. 41DHS, Privacy Impact Assessment for the Fraud Detection and National Security Data System (FDNS-DS), DHS/USCIS/PIA-013(a) May 18, 2016 (hereinafter FDNS-DS 2016 PIA), 14, https://www.dhs.gov/sites/default/files/publications/privacy-pia-uscis-fdnsds-november2017.pdf. Commercial and public sources may be used to verify information provided by the individual, support or refute signs of fraud, and identify public safety or national security concerns. Ibid. According to information provided by FDNS to the DHS Privacy Office, data collected from social media during the benefit determination process is stored in the applicant’s A-File, whether or not it was found to be derogatory, but applicants are given the opportunity to explain or refute any “adverse information” found through social media. 42“DHS Operational Use of Social Media,” 8, in USCIS Briefing Book, 141; Ibid., 137. However, USCIS has not complied with the Privacy Office’s 2012 recommendation to update the privacy impact assessments for several programs, including Deferred Action for Childhood Arrivals (DACA), to reflect that social media is used as a source of information and to address the privacy risks posed by such collection and how they would be mitigated. 43“DHS Operational Use of Social Media,” 8, in USCIS Briefing Book, 141. The other USCIS programs that require updated privacy impact assessments to reflect the use of social media include Computer Linked Application Information Management System (CLAIMS) 3; CLAIMS 4; and Refugees, Asylum, and Parole System and the Asylum Pre-Screening System (RAPS/APSS). CLAIMS 3 manages the adjudication process for most domestically filed, paper-based immigration benefit filings with the exception of naturalization; intercountry adoption; and certain requests for asylum and refugee status. DHS, Privacy Impact Assessment Update for the Computer Linked Application Information Management System (CLAIMS 3) and Associated Systems, DHS/USCIS/PIA-016(a), March 25, 2016, 1, https://www.dhs.gov/sites/default/files/publications/privacy-pia-uscis-claims3appendixaupdate-may2018.pdf. CLAIMS 4 tracks and processes naturalization applications. DHS, Privacy Impact Assessment Update for the Computer Linked Application Information Management System 4 (CLAIMS 4), DHS/USCIS/PIA-015(b), November 5, 2013, 2, https://www.dhs.gov/sites/default/files/publications/privacy-pia-update-uscis-claims4-november2013.pdf.

When someone applies for an immigration benefit (such as naturalization), the applicant’s information is screened against data contained in USCIS, ICE, and other law enforcement databases for eligibility, fraud, and national security concerns. 44Privacy Impact Assessment for the Continuous Immigration Vetting, DHS/USCIS/PIA-076, February 14, 2019 (hereinafter USCIS CIV 2019 PIA), 2, https://www.dhs.gov/sites/default/files/publications/pia-uscis-fdnsciv-february2019_0.pdf. In line with other DHS programs, USCIS is increasingly looking to automate many of the checks that it had previously performed manually. Since June 2017, USCIS and CBP have been working to gradually implement an interagency effort called “continuous immigration vetting.” 45Ibid., 6. Through this program, applicants applying for green cards or naturalization will have the biographical and biometric information they provide, as well as any information received by USCIS thereafter, automatically checked against CBP holdings. These checks will continue until the time of naturalization. 46Ibid., 7. This new program is currently intended to uncover “potential national security concerns,” 47Like CARRP, the Continuous Immigration Vetting privacy impact assessment considers a “national security concern” to arise when “an individual or organization has been determined to have an articulable link to prior, current, or planned involvement in, or association with, an activity, individual or organization described in [the security and terrorism sections] of the Immigration and Nationality Act.” Ibid. although the recently published privacy impact assessment notes that the agency hopes to expand the process to vet for public safety concerns and fraud as well. 48Ibid., 8.

Continuous immigration vetting relies on a connection between an existing USCIS screening tool called ATLAS 49ATLAS is built into the USCIS system FDNS-DS, which is the main database that FDNS officers use to manage the background check process related to immigration applications and petitions, and information related to applicants with suspected or confirmed fraud, criminal activity, public safety or national security concerns, and cases randomly selected for benefit fraud assessments. FDNS 2014 PIA, 6. and CBP’s ATS, which ingests and analyzes social media and other data from a plethora of sources. When someone applies for a benefit or information about an individual (such as an address) is updated, ATLAS automatically scans for potential matches to derogatory information in other government databases. 50FDNS-DS 2016 PIA, 3. ATLAS itself analyzes information to detect patterns and trends; for example, it visually displays relationships among individuals on the theory that they could reveal potential ties to criminal or terrorist activity. 51Ibid., 5-6. As of May 2016, USCIS was incorporating new capabilities into ATLAS, including predictive analytics, link and forensic analysis, and other analytic functions. Ibid., 6.

With continuous immigration vetting, ATLAS also automatically sends any new information it receives over to ATS. ATS checks CBP holdings for matches to information about any individuals who have been flagged as a potential national security threat. 52USCIS CIV 2019 PIA, 7. But ATS also stores the applicant or benefit holder’s information for future use. Whenever derogatory information associated with an individual is added to a government database, ATS automatically checks for a “match and/or association” to the USCIS information and sends results back to ATLAS. 53Ibid. It is not clear that this new system will rely on social media. The privacy impact assessment notes that although ATS connects with multiple data sets, USCIS and CBP have tailored the initiative so that only “relevant” data sets are checked, although these are not identified. 54Ibid., 18.

2. Administrative Investigations

FDNS conducts administrative investigations in order to procure additional information that can help determine an individual’s eligibility for an immigration benefit. Administrative investigations seek to verify relationships that are the basis for an individual to receive an immigration benefit, identify violations of the Immigration and Nationality Act, and identify other grounds of admissibility or removability. 55FDNS 2014 PIA, 38.

An officer can decide that an investigation is warranted on the basis of the results of a “manual review,” which can be triggered by three mechanisms: a notification generated by ATLAS (when there is a match to one of its predefined rules), a fraud tip referral from the public or government officials, or a manual referral submitted by USCIS adjudications staff. 56Ibid., 4. In order to officially open an administrative investigation after a manual review, the officer must determine that the tip is “actionable.” 57FDNS-DS 2016 PIA, 4. There are no publicly available criteria for this determination. The relevant privacy impact assessment notes only that investigations are performed due to suspected or confirmed fraud, criminal activity, or public safety or national security concern, or simply when a case is randomly selected for assessments to determine whether benefits have been obtained by fraud. 58FDNS 2014 PIA, 6. The broadness of these criteria suggests that the bar for opening an investigation is low and largely left to the officer’s discretion.

As is the case with the screening of immigration benefits, FDNS may collect information from public sources, including social media, to serve as an additional check for other information collected during these investigations, support or refute any indication of fraudulent behavior, and identify threats to public safety or national security. 59FDNS-DS 2016 PIA, 14. The privacy impact assessment also states that information found in open sources may be provided by FDNS to USCIS adjudications personnel to formulate a request for additional evidence when an immigration application or a petitioner lacks required documentation, to draft a notice when an individual is found ineligible for asylum, or to use during an interview with a petitioner or beneficiary in order to discuss any derogatory information that may have been found. FDNS 2014 PIA, 6. See USCIS, Adjudicator’s Field Manual, Chapter 10.5, “Requesting Additional Information,” https://www.uscis.gov/ilink/docView/AFM/HTML/AFM/0-0-0-1/0-0-0-1067/0-0-0-1318.html; USCIS, “Types of Asylum Decisions,” accessed March 26, 2019, https://www.uscis.gov/humanitarian/refugees-asylum/asylum/types-asylum-decisions. By way of example, FDNS is known to check an applicant’s social media to help uncover “sham marriages.” 60According to a 2008 internal FDNS memo, “social networking gives FDNS an opportunity to reveal fraud by browsing these sites to see if petitioners and beneficiaries are in a valid relationship or are attempting to deceive CIS about their relationship.” USCIS, “Social Networking Sites and Their Importance to DHS,” May 2008, 1, https://www.eff.org/files/filenode/social_network/dhs_customsimmigration_socialnetworking.pdf. That said, FDNS materials specify that an officer may not deny an immigration benefit, investigate benefit fraud, or identify public safety and national security concerns based solely on public source information. 61FDNS 2014 PIA, 6. Rather, such information may only be used to identify possible inconsistencies and must be corroborated with authoritative information on file with USCIS prior to taking action. 62FDNS-DS 2016 PIA, 15. Any information found on a social media site and used during an investigation will be stored in both the applicant’s hard-copy file and in the Fraud Detection and National Security Data System (FDNS-DS), regardless of whether it was found to be derogatory. If the information collected is found to be derogatory, the individual must be given the chance to explain or refute it, as is the FDNS standard with all derogatory information found from publicly available sources. 63FDNS 2014 PIA, 5

As the above discussion shows, USCIS/FDNS has taken significant steps to incorporate social media into its various vetting and screening activities, including making admissibility and eligibility determinations for certain refugees and asylum seekers and for those placed on the CARRP track. There are questions about whether this vetting disproportionately targets Muslims and those from Muslim-majority countries. In refugee and asylum cases, social media could serve as a source of information for people who don’t have many documents, but it could also serve as a way to weed out people due to ideological, racial, or religious prejudices or on the basis of misinterpretations. Administrative investigations too can use social media, although its use in that context is restricted to verification, and those affected have the opportunity to refute derogatory information. In line with other programs, USCIS is relying more and more on automation to support certain checks and screening processes.

End Notes

Conclusion

Social media provides a huge trove of information about individuals their likes and dislikes, their political and religious views, the identity of their friends and family, their health and mental state — that has proved irresistible for security and law enforcement agencies to collect and mine in the name of national security and public safety. Increasingly, DHS is vacuuming up social media information from a variety of sources, ranging from travelers’ electronic devices to commercial databases, and using it to make decisions about who gets to come to the United States and the level of screening to which travelers are subjected. But there are serious questions about these programs: the evidence shows they are not effective in identifying risk, and they open the door to discrimination and the suppression of speech, association, and religious belief. Congress must fulfill its oversight responsibilities and require DHS both to come clean about the full extent of its social media surveillance and ensure that these programs are based on empirical evidence of effectiveness, safeguard against discrimination, and include robust privacy protections.

Appendix

DHS databases generally have a records retention schedule approved by the National Archives and Records Administration. The following appendix contains details on the retention schedules for the DHS systems that likely store social media data and other sensitive information.

Endnotes for Sidebars