Skip Navigation

Social Media Monitoring

Summary: Personal information gleaned from social media posts has been used to target dissent and subject religious and ethnic minorities to enhanced vetting and surveillance.

Last Updated: March 11, 2020
Published: May 22, 2019


This report was updated in March 2020 to reflect Immig­ra­tion and Customs Enforce­ment’s new policy concern­ing border searches of elec­tronic devices.

The Depart­ment of Home­land Secur­ity (DHS) is rapidly expand­ing its collec­tion of social media inform­a­tion and using it to eval­u­ate the secur­ity risks posed by foreign and Amer­ican trav­el­ers. This year marks a major expan­sion. The visa applic­a­tions vetted by DHS will include social media handles that the State Depart­ment is set to collect from some 15 million trav­el­ers per year. foot­note1_22pbhpj 1 U.S. Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Nonim­mig­rant Visa,” 83 Fed. Reg. 13807, 13808 (March 30, 2018), https://www.regu­la­­ment?D=DOS-2018–0002–0001; Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” 83 Fed. Reg. 13806, 13807 (March 30, 2018), https://www.regu­la­­ment?D=DOS-2018–0003–0001; this proposed collec­tion was approved on April 11, 2019. OMB, Notice of Office of Manage­ment and Budget Action, “Online Applic­a­tion for Nonim­mig­rant Visa,” April 11, 2019,­load­NOA?requestID=292517; OMB, Notice of Office of Manage­ment and Budget Action, “Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” April 11, 2019,–1405–004. See also Bren­nan Center for Justice et al., Comments to Depart­ment of State, “Re: DS-160 and DS-156, Applic­a­tion for Nonim­mig­rant Visa, OMB Control No. 1405–0182; DS-260, Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion, OMB Control No. 1405–185,” May 29, 2018,­ment/380580064/Bren­nan-Center-Urges-State-Depart­ment-to-Aban­don-the-Collec­tion-of-Social-Media-and-Other-Data-from-Visa-Applic­ants. Depart­ment of State visa applic­a­tions are vetted using DHS’s Auto­mated Target­ing System (ATS). DHS, Privacy Impact Assess­ment Update for the Auto­mated Target­ing System, DHS/CBP/PIA-006(e), Janu­ary 13, 2017 (here­in­after ATS 2017 PIA), 8–9, 35, 59–60,­a­tions/privacy-pia-cbp006-ats-decem­ber­2018.pdf. The social media iden­ti­fi­ers that the State Depart­ment collects via visa applic­a­tions will be stored in the depart­ment’s Consol­id­ated Consu­lar Data­base, which is inges­ted into ATS and becomes avail­able to DHS person­nel. ATS 2017 PIA, 3, 8–9, 12. For more on DHS involve­ment in State Depart­ment visa vetting, see infra text accom­pa­ny­ing notes 118–131. Social media can provide a vast trove of inform­a­tion about indi­vidu­als, includ­ing their personal pref­er­ences, polit­ical and reli­gious views, phys­ical and mental health, and the iden­tity of their friends and family. But it is suscept­ible to misin­ter­pret­a­tion, and whole­sale monit­or­ing of social media creates seri­ous risks to privacy and free speech. Moreover, despite the rush to imple­ment these programs, there is scant evid­ence that they actu­ally meet the goals for which they are deployed.

While offi­cials regu­larly testify before Congress to high­light some of the ways in which DHS is using social media, they rarely give a full picture or discuss either the effect­ive­ness of such programs or their risks. The extent to which DHS exploits social media inform­a­tion is buried in jargon-filled notices about changes to docu­ment stor­age systems that impart only the vaguest outlines of the under­ly­ing activ­it­ies.

To fill this gap, this report seeks to map out the depart­ment’s collec­tion, use, and shar­ing of social media inform­a­tion by piecing together press reports, inform­a­tion obtained through Free­dom of Inform­a­tion Act requests, Privacy Impact Assess­ments, foot­note2_7x3wpln 2 Section 208 of the E-Govern­ment Act of 2002 requires privacy impact assess­ments (PIAs) for all inform­a­tion tech­no­logy that uses, main­tains, or dissem­in­ates person­ally iden­ti­fi­able inform­a­tion or when initi­at­ing a new collec­tion of person­ally iden­ti­fi­able inform­a­tion from 10 or more indi­vidu­als in the public. E-Govern­ment Act of 2002, PL 107–347, Decem­ber 17, 2002, 116 Stat 2899,­l347/pdf/PLAW-107pub­l347.pdf; DHS, “Privacy Compli­ance,” accessed April 25, 2019,­ance. DHS is required to publish or update exist­ing privacy impact assess­ments when devel­op­ing or procur­ing any new program or system that will handle or collect person­ally iden­ti­fi­able inform­a­tion; for budget submis­sions to the Office of Manage­ment and Budget that affect person­ally iden­ti­fi­able inform­a­tion; with pilot tests that affect person­ally iden­ti­fi­able inform­a­tion; when devel­op­ing program or system revi­sions that affect person­ally iden­ti­fi­able inform­a­tion; or when issu­ing a new or updated rule­mak­ing that involves the collec­tion, use, and main­ten­ance of person­ally iden­ti­fi­able inform­a­tion. Because revi­sions that affect person­ally iden­ti­fi­able inform­a­tion are common, DHS often issues multiple, updated privacy impact assess­ments for a single program or system. System of Records Notices (SORNs), foot­note3_j35atgl 3 A System of Records Notice (SORN) is required whenever the depart­ment has a “system of records” — a group of records from which inform­a­tion is retrieved by a personal iden­ti­fier, such as one’s name. SORNs, formal notices to the public published in the Federal Register, identify the purpose for which person­ally iden­ti­fi­able inform­a­tion is collec­ted, what type of inform­a­tion is collec­ted and from whom, how person­ally iden­ti­fi­able inform­a­tion is shared extern­ally (routine uses), and how to access and correct any person­ally iden­ti­fi­able inform­a­tion main­tained by DHS. DHS, “Privacy Compli­ance.” depart­mental hand­books, govern­ment contracts, and other publicly avail­able docu­ments.

In light of DHS’s expand­ing use of social media monit­or­ing programs, under­stand­ing the ways in which the depart­ment exploits social media is crit­ical. Personal inform­a­tion gleaned from social media posts has been used to target dissent and subject reli­gious and ethnic minor­it­ies to enhanced vetting and surveil­lance. Some DHS programs are targeted at trav­el­ers, both Amer­ic­ans and those from other coun­tries. And while the depart­ment’s immig­ra­tion vetting programs ostens­ibly target foreign­ers, they also sweep up inform­a­tion about Amer­ican friends, family members, and busi­ness asso­ci­ates, either delib­er­ately or as a consequence of their broad scope.

Muslims are partic­u­larly vulner­able to target­ing. Accord­ing to a 2011 Pew survey (which was followed by a similar survey in 2017), more than a third of Muslim Amer­ic­ans who traveled by air repor­ted that they had been singled out by airport secur­ity for their faith, suggest­ing a connec­tion between being a devout Muslim and enga­ging in terror­ism that has long been debunked. foot­note4_faf6yiq 4 Pew Research Center, Muslim Amer­ic­ans: No Signs of Growth in Alien­a­tion or Support for Extrem­ism, August 30, 2011, 108, http://www.pewre­­ican-Report-10–02–12-fix.pdf (41 percent of Amer­ican Muslims surveyed said they had not taken a flight in the past year, and 21 percent of those surveyed had been singled out by airport secur­ity, mean­ing that almost 36 percent of those surveyed who had taken a flight were singled out at secur­ity); Pew Research Center, U.S. Muslims Concerned About Their Place in Soci­ety, but Continue to Believe in the Amer­ican Dream, July 26, 2017, 13,­la­tion-update-v2.pdf (report­ing that 18 percent of Amer­ican Muslims were singled out at airport secur­ity in the previ­ous year, but not indic­at­ing the percent­age of Amer­ican Muslims who did not travel by air in the previ­ous year); Faiza Patel, Rethink­ing Radic­al­iz­a­tion, Bren­nan Center for Justice, March 2011, https://www.bren­nan­cen­­in­gRad­ic­al­iz­a­tion.pdf; Marc Sage­man, Misun­der­stand­ing Terror­ism (Phil­adelphia: Univer­sity of Pennsylvania Press, 2016); Jamie Bart­less, Jonathan Bird­well, and Michael King, The Edge of Viol­ence, Demos, Decem­ber 2010,­ence_-_full_-_web.pdf?1291806916. A legal chal­lenge to this prac­tice is pending. foot­note5_j77hynk 5 Cherri v. Mueller, 951 F. Supp. 2d 918 (E.D. Mich. 2013). Accord­ing to govern­ment docu­ments, one of the plaintiffs, Hassan Shibly, exec­ut­ive director of the Flor­ida chapter of the Coun­cil on Amer­ican-Islamic Rela­tions, was pulled aside for second­ary screen­ing at the border at least 20 times from 2004 to 2011. foot­note6_bx8lo98 6 Kari Huus, “Muslim Trav­el­ers Say They’re Still Saddled With 9/11 Baggage,” NBC News, Septem­ber 9, 2011,­el­ers-say-theyre-still-saddled-baggage/#.XH61NcB­Khpg. He says he was asked ques­tions like “Are you part of any Islamic tribes?” and “Do you attend a partic­u­lar mosque?” foot­note7_62yr­jey 7 ACLU and Muslim Advoc­ates to DHS Inspector General Richard L. Skin­ner, Decem­ber 16, 2010,­ates-letter-depart­ment-home­land-secur­ity-inspector-general-richard. Shibly’s story is hardly unique. foot­note8_0qeha4c 8 See Amanda Holpuch and Ashifa Kassam, “Cana­dian Muslim Grilled About Her Faith and View on Trump at U.S. Border Stop,” Guard­ian, Febru­ary 10, 2017, https://www.theguard­­dian-muslim-us-border-ques­tion­ing; Emma Graham-Harrison, “US Border Agents Ask Muhammad Ali’s Son, ‘Are You a Muslim?’ ” Guard­ian, Febru­ary 25, 2017, https://www.theguard­­tioned-us-border-control; ACLU and Muslim Advoc­ates to Skin­ner (high­light­ing the exper­i­ences of four other Muslim Amer­ic­ans who faced persist­ent reli­gious ques­tion­ing by CBP). See also Pew Research Center, Muslim Amer­ic­ans, 2.

Concerns about such screen­ings are even more urgent under the Trump admin­is­tra­tion, which has made exclud­ing Muslims a center­piece of its immig­ra­tion agenda through policies such as the Muslim ban and imple­ment­a­tion of “extreme vetting” for refugee and visa applic­ants, primar­ily those from the Muslim world. foot­note9_noy96ll 9 See Faiza Patel and Harsha Pandur­anga, “Trump’s Latest Half-Baked Muslim Ban,” Daily Beast, June 12, 2017, (noting that the admin­is­tra­tion’s “extreme vetting” rules are aimed at the same pool of people as the Muslim ban); Harsha Pandur­anga, Faiza Patel, and Michael W. Price, Extreme Vetting and the Muslim Ban, Bren­nan Center for Justice, 2017, 2, 16, https://www.bren­nan­cen­­a­tions/extreme_vetting_full_10.2_0.pdf. Bren­nan Center for Justice et al., Comments to Depart­ment of State, “Re: DS-160 and DS-156, Applic­a­tion for Nonim­mig­rant Visa, OMB Control No. 1405–0182; DS-260, Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion, OMB Control No. 1405–185,” 7–8 (noting that the State Depart­ment’s proposed collec­tion of social media inform­a­tion from visa applic­ants would dispro­por­tion­ately burden Muslims). See infra note 120 and text accom­pa­ny­ing notes 118–131. A leaked DHS draft report from 2018 suggests that the admin­is­tra­tion is consid­er­ing tagging young Muslim men as “at-risk persons” who should be subjec­ted to intens­ive screen­ing and ongo­ing monit­or­ing. foot­note10_6wtmez1 10 DHS, “Demo­graphic Profile of Perpet­rat­ors of Terror­ist Attacks in the United States Since Septem­ber 2001 Attacks Reveals Screen­ing and Vetting Implic­a­tions,” 2018, https://assets.docu­­ments/4366754/Text-of-CPB-Report.pdf. The draft report, published by Foreign Policy, was produced at the request of the commis­sioner of U.S. Customs and Border Protec­tion (CBP) to “inform United States foreign visitor screen­ing, immig­rant vetting and on-going eval­u­ations of United States-based indi­vidu­als who might have a higher risk of becom­ing radic­al­ized and conduct­ing a viol­ent attack.” It examined 29 indi­vidu­als who, accord­ing to CBP, carried out terror­ist incid­ents in the United States “driven by radical Sunni Islam­ist milit­ancy.” Given the data set the report focused on, it unsur­pris­ingly found that this cohort of people were mostly young, Muslim, and male. Ignor­ing the fact that hundreds of thou­sands of people who meet this descrip­tion travel to the United States each year, CBP concluded that these char­ac­ter­ist­ics provided a “baseline to identify at-risk persons.” In fact, CBP even sugges­ted that in addi­tion to initial screen­ings, this enorm­ous group of people should be “continu­ously eval­u­ate[d],” for example when they applied for visa renew­als or immig­ra­tion bene­fits. Ibid., 4. If imple­men­ted, such a policy would affect hundreds of thou­sands of people. foot­note11_z605jtx 11 The Depart­ment of State issued more than 900,000 immig­rant and nonim­mig­rant visas to indi­vidu­als from Muslim-major­ity coun­tries in FY 2018, which likely included hundreds of thou­sands of young Muslim men. See Depart­ment of State, Report of the Visa Office 2018, Table III and Table XVIII,­ist­ics/annual-reports/report-of-the-visa-office-2018.html. DHS’s social media monit­or­ing pilot programs seem to have focused in large part on Muslims: at least two targeted Syrian refugees, one targeted both Syrian and Iraqi refugees, and the analyt­ical tool used in at least two pilots was tailored to Arabic speak­ers. foot­note12_we2x5k2 12 See infra text accom­pa­ny­ing note 428.

More gener­ally, social media monit­or­ing — like other forms of surveil­lance — will impact what people say online, lead­ing to self-censor­ship of people apply­ing for visas as well as their family members and friends. The dele­ter­i­ous effect of surveil­lance on free speech has been well docu­mented in empir­ical research; one recent study found that aware­ness or fear of govern­ment surveil­lance of the inter­net had a substan­tial chilling effect among both U.S. Muslims and broader U.S. samples of inter­net users. foot­note13_ncxo­jnu 13 Eliza­beth Stoycheff et al., “Privacy and the Panop­ticon: Online Mass Surveil­lance’s Deterrence and Chilling Effects,” New Media & Soci­ety 21, no. 3 (2018): 1–18, https://journ­als.sage­ See also Dawinder S. Sidhu, “The Chilling Effect of Govern­ment Surveil­lance Programs on the Use of the Inter­net by Muslim-Amer­ic­ans,” Univer­sity of Mary­land Law Journal of Race, Reli­gion, Gender and Class 7, no. 2 (2007),­load/pdf/56358880.pdf. Even people who said they had noth­ing to hide were highly likely to self-censor online when they knew the govern­ment was watch­ing. foot­note14_zjbsz3a 14 Eliza­beth Stoycheff, “Under Surveil­lance: Examin­ing Face­book’s Spiral of Silence Effects in the Wake of NSA Inter­net Monit­or­ing,” Journ­al­ism & Mass Commu­nic­a­tion Quarterly 93, no. 2 (2016): 296–311, https://journ­als.sage­ Simil­arly, in a survey of a repres­ent­at­ive sample of U.S. inter­net users, 62 percent repor­ted that they would be much less or some­what less likely to touch on certain topics if the govern­ment was watch­ing, with 78 percent of respond­ents agree­ing that they would be more cautious about what they said online. J. W. Penney, “Inter­net Surveil­lance, Regu­la­tion, and Chilling Effects Online: A Compar­at­ive Case Study,” Inter­net Policy Review 6, no. 2 (2017), https://poli­cyre­­net-surveil­lance-regu­la­tion-and-chilling-effects-online-compar­at­ive-case. Another study meas­ured how inter­net users in 11 coun­tries reacted when they found out that DHS was keep­ing track of searches of terms that it regarded as suspi­cious, such as “state of emer­gency” and “drug war.” Users were less likely to search using terms that they believed might get them in trouble with the U.S. govern­ment. Alex Marthews and Cath­er­ine Tucker, “Govern­ment Surveil­lance and Inter­net Search Beha­vior,” Febru­ary 17, 2017, The study analyzed the search preval­ence of select keywords compiled by the Media Monit­or­ing Capab­il­ity section of the National Oper­a­tions Center of DHS. The list of keywords was publi­cized in 2012 as “suspi­cious” select­ors that might lead to a partic­u­lar user being flagged for analysis by the National Secur­ity Agency (NSA). See DHS, National Oper­a­tions Center Media Monit­or­ing Capab­il­ity, “Analys­t’s Desktop Binder,” 20,­or­ing/Analyst-Desktop-Binder-REDAC­TED.pdf. The authors later expan­ded their study to 41 coun­tries and found that, for terms that users believed might get them in trouble with the U.S. govern­ment, the search preval­ence fell by about 4 percent across the coun­tries stud­ied. Alex Marthews and Cath­er­ine Tucker, “The Impact of Online Surveil­lance on Beha­vior” in The Cambridge Hand­book of Surveil­lance Law, ed. David Gray and Stephen E. Hende­r­son (Cambridge: Cambridge Univer­sity Press, 2017), 446. See also Human Rights Watch, With Liberty to Monitor All: How Large-Scale U.S. Surveil­lance Is Harm­ing Journ­al­ism, Law, and Amer­ican Demo­cracy, July 28, 2014,­lance-harm­ing-journ­al­ism-law-and; PEN Amer­ica Center, Chilling Effects: NSA Surveil­lance Drives U.S. Writers to Self-Censor, Novem­ber 12, 2013,–08–01_Full%20Re­port_Chilling%20Ef­fects%20w%20Color%20cover-UPDATED.pdf (find­ing that 28 percent of writers repor­ted “curtailed social media activ­it­ies” in response to the Snowden revel­a­tions, 24 percent repor­ted that they “delib­er­ately avoided certain topics in phone or email conver­sa­tions,” and 16 percent repor­ted that they “avoided writ­ing or speak­ing about a partic­u­lar topic”). As Justice Sonia Soto­mayor warned in a 2012 Supreme Court case chal­len­ging the warrant­less use of GPS track­ing tech­no­logy, “[a]ware­ness that the Govern­ment may be watch­ing chills asso­ci­ational and express­ive freedoms. And the Govern­ment’s unres­trained power to assemble data that reveals private aspects of iden­tity is suscept­ible to abuse.” foot­note15_7hsk43d 15 United States v. Jones, 565 U.S. 400 (2012) (Soto­mayor, J., concur­ring).

DHS’s pilot programs for monit­or­ing social media have been notably unsuc­cess­ful in identi­fy­ing threats to national secur­ity. foot­note16_jk1yy4f 16 U.S. Citizen­ship and Immig­ra­tion Services, “Social Media,” in U.S. Citizen­ship and Immig­ra­tion Services Brief­ing Book, (here­in­after USCIS Brief­ing Book) 181,­a­tions/USCIS%20Pres­id­en­tial%20Trans­ition%20Re­cords.pdf. In 2016, DHS piloted several social media monit­or­ing programs, one run by ICE and five by United States Customs and Immig­ra­tion Services (USCIS). foot­note17_8qch­mth 17 Office of Inspector General, DHS’ Pilots for Social Media Screen­ing Need Increased Rigor to Ensure Scalab­il­ity and Long-term Success (Redac­ted), Febru­ary 27, 2017,–40-Feb17.pdf. A Febru­ary 2017 DHS inspector general audit of these pilot programs found that the depart­ment had not meas­ured their effect­ive­ness, render­ing them an inad­equate basis on which to build broader initi­at­ives. foot­note18_7qt8m9a 18 Ibid. In a letter to the inspector general sent in response to the invest­ig­a­tion, which was included in the publicly avail­able report, DHS person­nel noted that CBP also conduc­ted a pilot program, with another soon to be initi­ated as of Decem­ber 2016, but there is no publicly avail­able inform­a­tion about either. Ibid., 7.

Even more damning are USCIS’s own eval­u­ations of the programs, which showed them to be largely inef­fect­ive. Accord­ing to a brief prepared by DHS for the incom­ing admin­is­tra­tion at the end of 2016, for three out of the four programs used to vet refugees, “the inform­a­tion in the accounts did not yield clear, artic­ul­able links to national secur­ity concerns, even for those applic­ants who were found to pose a poten­tial national secur­ity threat based on other secur­ity screen­ing results.” foot­note19_kxl93hr 19 USCIS Brief­ing Book, 181. The brief does show that USCIS complied with its own rules, which prohibit deny­ing bene­fits solely on the basis of public-source inform­a­tion — such as that derived from social media — due to “its inher­ent lack of data integ­rity.” foot­note20_tpxl­gje 20 Ibid., 183; DHS, Privacy Impact Assess­ment for the Fraud Detec­tion and National Secur­ity Direct­or­ate, DHS/USCIS/PIA-013–01, Decem­ber 16, 2014 (here­in­after FDNS 2014 PIA), 14,­a­tions/privacy-pia-uscis-fdns-novem­ber­2016_0.pdf. The depart­ment reviewed 1,500 immig­ra­tion bene­fits cases and found that none were denied “solely or primar­ily because of inform­a­tion uncovered through social media vetting.” foot­note21_gqm0z12 21 USCIS Brief­ing Book, 183. But this inform­a­tion provided scant insights in any event: out of the 12,000 refugee applic­ants and 1,500 immig­ra­tion bene­fit applic­ants screened, USCIS found social media inform­a­tion help­ful only in “a small number of cases,” where it “had a limited impact on the processing of those cases — specific­ally in devel­op­ing addi­tional lines of inquiry.” foot­note22_lo44h8k 22 Ibid., 183.

In fact, a key takeaway from the pilot programs was that they were unable to reli­ably match social media accounts to the indi­vidual being vetted, and even where the correct accounts were found, it was hard to determ­ine “with any level of certainty” the “authen­ti­city, vera­city, [or] social context” of the data, as well as whether there were “indic­at­ors of fraud, public safety, or national secur­ity concern.” foot­note23_6bu09h3 23 Ibid., 183. Addi­tional prob­lems iden­ti­fied were the fact that refugee applic­ants had only a “minimal pres­ence” on social media plat­forms access­ible through social media monit­or­ing programs and that the content was often not in English. Ibid., 181, 184. The brief expli­citly ques­tioned the over­all value of the programs, noting that dedic­at­ing person­nel “to mass social media screen­ing diverts them away from conduct­ing the more targeted enhanced vetting they are well trained and equipped to do.” foot­note24_mjsh5tz 24 Ibid., 184.

The diffi­culties faced by DHS person­nel are hardly surpris­ing; attempts to make judg­ments based on social media are inev­it­ably plagued by prob­lems of inter­pret­a­tion. foot­note25_f6uox3x 25 See Alex­an­dra Olteanu et al., “Social Data: Biases, Meth­od­o­lo­gical Pitfalls, and Ethical Bound­ar­ies,” Decem­ber 20, 2016, http://kici­; Bren­nan Center for Justice et al., Comments to Depart­ment of State Regard­ing “Notice of Inform­a­tion Collec­tion Under OMB Emer­gency Review: Supple­mental Ques­tions for Visa Applic­ants,” May 18, 2017, https://www.bren­nan­cen­­form­a­tion%20Col­lec­tion%20Com­ments%20-%2051817_3.pdf. In 2012, for example, a Brit­ish national was denied entry at a Los Angeles airport when DHS agents misin­ter­preted his post­ing on Twit­ter that he was going to “destroy Amer­ica” — slang for party­ing — and “dig up Marilyn Monroe’s grave” — a joking refer­ence to a tele­vi­sion show. foot­note26_qd9uqjc 26 See J. David Good­man, “Trav­el­ers Say They Were Denied Entry to U.S. for Twit­ter Jokes,” New York Times, Janu­ary 30, 2012,­el­ers-say-they-were-denied-entry-to-u-s-for-twit­ter-jokes/. FBI agents and even courts have erro­neously inter­preted tweets of rap lyrics as threat­en­ing messages. See, for example, Nata­sha Lennard, “The Way Dzhokhar Tsarnaev’s Tweets Are Being Used in the Boston Bomb­ing Trial Is Very Danger­ous,” Fusion, March 12, 2015,­bomb­ing-trial-is-very-danger­ous/; a Pennsylvania man was even sentenced to more than three years in prison for rap-style lyrics he posted to Face­book. The Supreme Court reversed the convic­tion in 2015. United States v. Elonis, 2011 WL 5024284 (E.D. Pa. Oct. 20, 2011), aff’d, 730 F.3d 321 (3d Cir. 2013), rev’d and remanded, 135 S. Ct. 2001 (2015), and aff’d, 841 F.3d 589 (3d Cir. 2016). As the USCIS pilot programs demon­strate, inter­pret­a­tion is even harder when the language used is not English and the cultural context is unfa­mil­iar. If the State Depart­ment’s current plans to under­take social media screen­ing for 15 million trav­el­ers are imple­men­ted, govern­ment agen­cies will have to be able to under­stand the languages (more than 7,000) and cultural norms of 193 coun­tries. foot­note27_zqbdoap 27 The total number of world languages is disputed. One widely cited estim­ate is that there are about 7,111 living languages, of which 3,995 have a developed writ­ing system. These numbers are based on the defin­i­tion of language (as opposed to dialect) as a speech vari­ety that is not mutu­ally intel­li­gible with other speech vari­et­ies. See David M. Eber­hard, Gary F. Simons, and Charles D. Fennig (eds.), Ethno­logue: Languages of the World, 22nd ed. (Dallas, Texas: SIL Inter­na­tional, 2019), https://www.ethno­­prise-faq/how-many-languages-world-are-unwrit­ten-0. The Depart­ment of State issues nonim­mig­rant visas to indi­vidu­als from every coun­try in the world annu­ally. See Depart­ment of State, Report of the Visa Office 2018, Table XVIII: “Nonim­mig­rant Visas Issued by Nation­al­ity (Includ­ing Border Cross­ing Cards) Fiscal Year 2009–2018,”­ist­ics/Annu­alRe­ports/FY2018An­nu­alRe­port/FY18An­nu­alRe­port%20-%20TableXVIII.pdf.

Nonverbal commu­nic­a­tions on social media pose yet another set of chal­lenges. As the Bren­nan Center and 34 other civil rights and civil liber­ties organ­iz­a­tions poin­ted out in a May 2017 letter to the State Depart­ment:

“If a Face­book user posts an article about the FBI persuad­ing young, isol­ated Muslims to make state­ments in support of ISIS, and another user ‘loves’ the article, is he send­ing appre­ci­ation that the article was posted, signal­ing support for the FBI’s prac­tices, or send­ing love to a friend whose family has been affected?” foot­note28_379hikc 28 Bren­nan Center for Justice et al., Comments to Depart­ment of State Regard­ing “Notice of Inform­a­tion Collec­tion Under OMB Emer­gency Review,” 4–5.

All of these diffi­culties, already substan­tial, are compoun­ded when the process of review­ing posts is auto­mated. Obvi­ously, using simple keyword searches in an effort to identify threats would be useless because they would return an over­whelm­ing number of results, many of them irrel­ev­ant. One Amer­ican police depart­ment learned this lesson the hard way when efforts to unearth bomb threats online instead turned up refer­ences to “bomb” (i.e., excel­lent) pizza. foot­note29_6kim3nc 29 Ben Conarck, “Sher­iff’s Office’s Social Media Tool Regu­larly Yiel­ded False Alarms,” Jack­son­ville, May 30, 2017, https://www.jack­son­–05–30/sher­iff-s-office-s-social-media-tool-regu­larly-yiel­ded-false. Natural language processing, the tool used to judge the mean­ing of text, is not nearly accur­ate enough to do the job either. Stud­ies show that the highest accur­acy rate achieved by these tools is around 80 percent, with top-rated tools gener­ally achiev­ing 70–75 percent accur­acy. foot­note30_rlh5ob1 30 Nata­sha Duarte, Emma Llanso, and Anna Loup, Mixed Messages? The Limits of Auto­mated Social Media Content Analysis, Center for Demo­cracy and Tech­no­logy, 2017, 5,; Shervin Malmasi and Marcos Zampieri, “Chal­lenges in Discrim­in­at­ing Profan­ity From Hate Speech,” Journal of Exper­i­mental & Theor­et­ical Arti­fi­cial Intel­li­gence 30, no. 2 (2018): 1–16, (report­ing an 80 percent accur­acy rate in distin­guish­ing general profan­ity from hate speech in social media). Irene Kwok and Yuzhou Wang, “Locate the Hate: Detect­ing Tweets Against Blacks,” Proceed­ings of the 27th AAAI Confer­ence on Arti­fi­cial Intel­li­gence (2013), https://pdfs.semantic­­f934294617eff81eca.pdf (find­ing an aver­age 76 percent accur­acy rate clas­si­fy­ing hate speech on Twit­ter); Bo Han, “Improv­ing the Util­ity of Social Media With Natural Language Processing” (PhD disser­ta­tion, Univer­sity of Melbourne, Febru­ary 2014), https://pdfs.semantic­ (show­ing that natural language processing tools used to normal­ize “out-of-vocab­u­lary” words, such as slang and abbre­vi­ations common on social media, into stand­ard English achieved a 71.2 percent accur­acy rate). In fact, accur­acy itself is a some­what slip­pery concept in these stud­ies — it meas­ures whether the tool came to the same conclu­sion that a human would have, but it does not take into account the possib­il­ity of human error or subjectiv­ity. Duarte, Llanso, and Loup, Mixed Messages? 5, 17–18. This means that 20–30 percent of posts analyzed through natural language processing would be misin­ter­preted.

Algorithmic tone and senti­ment analysis, which senior DHS offi­cials have sugges­ted is being used to analyze social media, is even less accur­ate. foot­note31_3cwxssu 31 See Aaron Cantú and George Joseph, “Trump’s Border Secur­ity May Search Your Social Media by ‘Tone,’ ” The Nation, August 23, 2017, https://www.then­a­­ity-may-search-your-social-media-by-tone/ (noting that a senior DHS offi­cial touted the depart­ment’s capa­city to search its data sets, includ­ing social media data, “by tone”). Ahmed Abbasi, Ammar Hassan, and Milan Dhar, “Bench­mark­ing Twit­ter Senti­ment Analysis Tools,” Proceed­ings of the Ninth Language Resources and Eval­u­ation Confer­ence (2014), https://www.researchg­­a­tion/273000042_Bench­mark­ing_Twit­ter_Senti­ment_Analysis_Tools/links/54f484d70cf2ba6150634593.pdf (find­ing that the best-perform­ing senti­ment analysis tools attain over­all accuracies between 65 percent and 71 percent on aver­age, while many low-perform­ing tools yield accuracies below 50 percent); Mark Cieliebak et al., “A Twit­ter Corpus and Bench­mark Resources for German Senti­ment Analysis,” Proceed­ings of the Fifth Inter­na­tional Work­shop on Natural Language Processing for Social Media (2017): 49, https://pdfs.semantic­ (find­ing that state-of-the-art systems for senti­ment analysis in German achieve only around 60 percent accur­acy in most cases, even when a system is trained and tested on the same corpus). A recent study concluded that it could make accur­ate predic­tions of polit­ical ideo­logy based on users’ Twit­ter posts only 27 percent of the time, observing that the predict­ive exer­cise was “harder and more nuanced than previ­ously repor­ted.” foot­note32_lhkg­s33 32 Daniel Preo­tiuc-Pietro, Ye Liu, Daniel J. Hopkins, Lyle Ungar, “Beyond Binary Labels: Polit­ical Ideo­logy Predic­tion of Twit­ter Users,” Proceed­ings of the 55th Annual Meet­ing of the Asso­ci­ation for Compu­ta­tional Linguist­ics (2017),­logy/P17–1068. Accur­acy plum­mets even further when the speech being analyzed is not stand­ard English. foot­note33_cqou­atw 33 Diana Maynard, Kalina Bontcheva, and Dominic Rout, “Chal­lenges in Devel­op­ing Opin­ion Mining Tools for Social Media,” Proceed­ings of @NLP can u tag #user_gener­ated_content?! (2012),­ings/lrec2012/work­shops/21.LREC2012%20NLP4UGC%20Pro­ceed­ings.pdf#page=20 (show­ing that the accur­acy of language and senti­ment iden­ti­fic­a­tion decreases when tools are used to analyze tweets because tweets tend to have greater language vari­ation, tend to be less gram­mat­ical than longer posts, contain unortho­dox capit­al­iz­a­tions, and make frequent use of emoticons, abbre­vi­ations, and hasht­ags); Joan Codina and Jordi Atserias, “What Is the Text of a Tweet?” Proceed­ings of @NLP can u tag #user_gener­ated_content?! (2012),­ings/lrec2012/work­shops/21.LREC2012%20NLP4UGC%20Pro­ceed­ings.pdf (arguing that the use of nonstand­ard language, emoticons, spelling errors, letter casing, unusual punc­tu­ation, and more makes apply­ing natural language processing tools to user-gener­ated social media content an unre­solved issue); Dirk Von Gruni­gen et al., “Poten­tial Limit­a­tions of Cross-Domain Senti­ment Clas­si­fic­a­tion,” Proceed­ings of the Fifth Inter­na­tional Work­shop on Natural Language Processing for Social Media (2017),­logy/W17–1103 (find­ing that senti­ment analysis tools trained for one domain performed poorly in other domains). See gener­ally Will Knight, “AI’s Language Prob­lem,” MIT Tech­no­logy Review, August 9, 2016,­no­lo­gyre­­lem/. Indeed, even English speak­ers using nonstand­ard dialects or lingo may be misid­en­ti­fied by auto­mated tools as speak­ing in a differ­ent language. One tool flagged posts in English by black and Hispanic users — like “Bored af den my phone finna die!!!!” (which can be loosely trans­lated as “I’m bored as f*** and then my phone is going to die”) — as Danish with 99.9 percent confid­ence. foot­note34_caj9d2c 34 Su Lin Blod­gett and Brendan O’Con­nor, “Racial Dispar­ity in Natural Language Processing: A Case Study of Social Media African-Amer­ican English,” Proceed­ings of the Fair­ness, Account­ab­il­ity, and Trans­par­ency in Machine Learn­ing Confer­ence (2017): 2,

Crucially — as the USCIS pilot programs discussed above demon­strated — algorithms are gener­ally incap­able of making the types of subject­ive eval­u­ations that are required in many DHS immig­ra­tion programs, such as whether someone poses a threat to public safety or national secur­ity or whether certain inform­a­tion is “derog­at­ory.” Moreover, because these types of threats are diffi­cult to define and meas­ure, makers of algorithms will turn to “prox­ies” that are more easily observed. But there is a risk that the prox­ies will bear little or no rela­tion­ship to the task and that they will instead reflect stereo­types and assump­tions. The ques­tion­ing of Muslim trav­el­ers about their reli­gious prac­tice as a means of judging the threat they pose shows that unfoun­ded and biased assump­tions are already entrenched at DHS. It would be easy enough to embed them in an algorithm.

Despite these seri­ous short­com­ings in terms of effect­ive­ness and crit­ics’ well-foun­ded concerns about the poten­tial for target­ing certain polit­ical views and faiths, DHS is proceed­ing with programs for monit­or­ing social media. foot­note35_a6d0t5y 35 DHS, “DHS Trans­ition Issue Paper: Screen­ing and Vetting,” 1, in Stra­tegic Issue Paper Summar­ies: Pres­id­en­tial Trans­ition 2016–2017,­a­tions/TSA%20Pres­id­en­tial%20Trans­ition%20Re­cords.pdf#page=205 (“DHS is work­ing to expand its current uses of social media to enhance exist­ing vetting processes . . . [and] estab­lished a Social Media Task Force in Decem­ber 2015 to exam­ine current and poten­tial uses of social media and how DHS could best expand its use”). The depart­ment’s atti­tude is perhaps best summed up by an ICE offi­cial who acknow­ledged that while they had not yet found anything on social media, “you never know, the day may come when social media will actu­ally find someone that wasn’t in the govern­ment systems we check.” foot­note36_34l9ckm 36 George Joseph, “Extreme Digital Vetting of Visit­ors to the U.S. Moves Forward Under a New Name,” ProP­ub­lica, Novem­ber 22, 2017, https://www.prop­ub­­ors-to-the-u-s-moves-forward-under-a-new-name/a>.

The consequences of allow­ing these types of programs to continue unchecked are too grave to ignore. In addi­tion to respond­ing to partic­u­lar cases of abuse, Congress needs to fully address the risks of social media monit­or­ing in immig­ra­tion decisions. This requires under­stand­ing the over­all system by which DHS collects this type of inform­a­tion, how it is used, how it is shared with other agen­cies, and how it is retained – often for decades – in govern­ment data­bases. Accord­ingly, this paper maps social media exploit­a­tion by the four parts of DHS that are most cent­ral to immig­ra­tion: Customs and Border Protec­tion (CBP), the Trans­port­a­tion Secur­ity Admin­is­tra­tion (TSA), Immig­ra­tion and Customs Enforce­ment (ICE), and United States Citizen­ship and Immig­ra­tion Services (USCIS). It also exam­ines DHS’s cooper­a­tion with the Depart­ment of State, which plays a key role in immig­ra­tion vetting.

Case Studies: Using Social Media to Target First Amendment– Protected Activity

End Notes

Key Findings

While the ways in which these DHS units use social media vary, our review iden­ti­fied eight common threads.

1. Social media inform­a­tion is collec­ted from trav­el­ers, includ­ing Amer­ic­ans, even when they are not suspec­ted of any connec­tion to illegal activ­ity.

People plan­ning to travel to the United States are increas­ingly being asked to provide social media iden­ti­fi­ers, such as their Twit­ter or Instagram handles, enabling the creation of a registry of their online post­ings. In Decem­ber 2016, DHS began asking the trav­el­ers who come to the United States from coun­tries covered by the Visa Waiver Program — some 23.6 million annu­ally, primar­ily from West­ern Europe — to volun­tar­ily provide their social media iden­ti­fi­ers. foot­note1_jc4b­ksx 1 Through the Visa Waiver Program, citizens of 38 mainly west­ern European coun­tries can apply to travel to the United States for busi­ness or tour­ism without obtain­ing a visa. For the full list of eligible coun­tries, See CBP, “Frequently Asked Ques­tions About the Visa Waiver Program (VWP) and the Elec­tronic System for Travel Author­iz­a­tion (ESTA),” Febru­ary 23, 2017,­na­tional-visit­ors/frequently-asked-ques­tions-about-visa-waiver-program-vwp-and-elec­tronic-system-travel. The Office of Manage­ment and Budget (OMB) approved CBP’s proposal to collect the social media iden­ti­fi­ers of visit­ors from Visa Waiver Coun­tries on Decem­ber 19, 2016. See OMB, Notice of Office of Manage­ment and Budget Action, “Arrival and Depar­ture Record,” Decem­ber 19, 2016,­load­NOA?requestID=275860; See also DHS Privacy Office, Notice of Privacy Act System of Records, CBP-009 Elec­tronic System for Travel Author­iz­a­tion System of Records, 81 Fed. Reg. 60713 (Septem­ber 2, 2016) (here­in­after ESTA SORN),–09–02/pdf/2016–21210.pdf. DHS Office of Immig­ra­tion Stat­ist­ics, Table 28, “Nonim­mig­rant Admis­sions (I-94 Only) by Selec­ted Category of Admis­sion and Region and Coun­try of Citizen­ship: Fiscal Year 2017,” in 2017 Year­book of Immig­ra­tion Stat­ist­ics,­ra­tion-stat­ist­ics/year­book/2017/table28 (noting that the total number of trav­el­ers admit­ted to the United States through the Visa Waiver Program in fiscal year 2017 was 23,637,046). In May 2017, the State Depart­ment, as part of imple­ment­ing the Muslim ban exec­ut­ive order, began requir­ing some categor­ies of visa applic­ants — estim­ated at 65,000 applic­ants annu­ally — to provide a list of the iden­ti­fi­ers they had used on social media plat­forms within the previ­ous five years. foot­note2_bp61yfn 2 See also Depart­ment of State, “Notice of Inform­a­tion Collec­tion Under OMB Emer­gency Review: Supple­mental Ques­tions for Visa Applic­ants,” 82 Fed. Reg. 20,956 (May 4, 2017), https://www.feder­alre­–08975; Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Supple­mental Ques­tions for Visa Applic­ants,” 82 Fed. Reg. 36,180 (August 3, 2017),–08–03/pdf/2017–16343.pdf. In March 2018, the State Depart­ment star­ted to ramp up its efforts, propos­ing a new rule that would collect social media iden­ti­fi­ers from every visa applic­ant — i.e., the 15 million people who apply for visas each year. foot­note3_s7bxfpp 3 Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion”; Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Nonim­mig­rant Visa.” See also Bren­nan Center for Justice et al., Comments to Depart­ment of State, “Re: DS-160 and DS-156, Applic­a­tion for Nonim­mig­rant Visa, OMB Control No. 1405–0182; DS-260, Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion, OMB Control No. 1405–185.” The proposal was approved in April 2019, with minor privacy-related changes. foot­note4_6weneq0 4 OMB, Notice of Office of Manage­ment and Budget Action, “Online Applic­a­tion for Nonim­mig­rant Visa”; OMB, Notice of Office of Manage­ment and Budget Action, “Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion.”

Social media data can also be collec­ted via searches of elec­tronic devices, which DHS carries out — often without suspi­cion of crim­inal activ­ity — on both Amer­ican and foreign trav­el­ers. The depart­ment claims the author­ity to under­take warrant­less searches of these devices not just at points of entry but also in areas in the broad vicin­ity of the border. foot­note5_kmys31g 5 Beyond the “phys­ical border,” CBP also claims the author­ity to conduct elec­tronic device searches at the “func­tional equi­val­ent of the border” (such as an inter­na­tional airport within the United States) or the “exten­ded border” (as when agents stop a person or vehicle that has recently crossed the border and is in the same state as when the border was crossed, and there is reas­on­able suspi­cion of crim­inal activ­ity). Yule Kim, Protect­ing the U.S. Peri­meter: Border Searches Under the Fourth Amend­ment, Congres­sional Research Service, June 29, 2009, 7–8, These searches are conduc­ted primar­ily by CBP and ICE. While ICE does not report stat­ist­ics on these searches, CBP does. Its searches of trav­el­ers’ elec­tronic devices at ports of entry have been stead­ily increas­ing over the past several years. In fiscal year 2015, CBP searched the devices of 8,503 trav­el­ers. foot­note6_9cw6fgi 6 CBP, “CBP Releases Stat­ist­ics on Elec­tronic Device Searches,” press release, April 11, 2017,­room/national-media-release/cbp-releases-stat­ist­ics-elec­tronic-device-searches-0. The fiscal year begins on Octo­ber 1 of the prior year. So, for example, fiscal year 2017 ran from Octo­ber 1, 2016, to Septem­ber 30, 2017. By fiscal year 2017, this number had gone up to 30,200 — an increase of over three and a half times. foot­note7_si2n214 7 CBP, “CBP Releases Updated Border Search of Elec­tronic Device Direct­ive and FY17 Stat­ist­ics,” press release, Janu­ary 5, 2018,­room/national-media-release/cbp-releases-updated-border-search-elec­tronic-device-direct­ive-and/a>. Accord­ing to ABC News, 20 percent of these searches are carried out on Amer­ican trav­el­ers. foot­note8_m3r4hjw 8 Geneva Sands, “Searches of Trav­el­ers’ Elec­tronic Devices Up Nearly 60 Percent,” ABC News, Janu­ary 5, 2018,­el­ers-elec­tronic-devices-60-percent/story?id=52171977.

Finally, through contracts with vari­ous private compan­ies, DHS acquires massive commer­cial data­bases of online inform­a­tion, includ­ing social media data. foot­note9_i90scy2 9 See infra text accom­pa­ny­ing notes 243–256, 321–331, 415–417, 458. Unlike the direct collec­tion of social media handles by DHS and the State Depart­ment, there is no assur­ance that an indi­vidual will be accur­ately connec­ted to a social media profile. The diffi­culty of match­ing people to profiles was a major short­com­ing of auto­mated monit­or­ing tested by the pilot programs discussed above. foot­note10_h11t­tx3 10 See supra text accom­pa­ny­ing notes 19–24.

2. Social media checks extend to trav­el­ers’ family, friends, busi­ness asso­ci­ates, and social media contacts.

When DHS checks the social media of someone trying to obtain permis­sion to come to the United States or someone already at or near the border, it inev­it­ably picks up inform­a­tion about people with whom they inter­act. For example, ICE agents search­ing a trav­el­er’s smart­phone at or near the border can scroll through her Face­book and Twit­ter accounts and record what they find, includ­ing inform­a­tion about friends and family, loca­tion data, and sens­it­ive personal inform­a­tion, all without any suspi­cion of crim­inal activ­ity. With reas­on­able suspi­cion of crim­inal activ­ity, ICE agents can down­load the entirety of her social media accounts and go through them later. foot­note11_4xk2n9u 11 See infra text accom­pa­ny­ing notes 369–382. See also Tatum King, Assist­ant Director, Domestic Oper­a­tions, Home­land Secur­ity Invest­ig­a­tions, Legal Update: Border Search of Elec­tronic Devices, May 11, 2018, in Alas­aad v. McAleenan, 2019 WL 2219206 (D.Mass., Apr. 30, 2019), Exh. #20 (here­in­after HSI Legal Update: Border Search of Elec­tronic Devices, 2018),­ment/exhib­its_15–30.pdf#page=55; ICE, Direct­ive No. 7–6.1, “Border Searches of Elec­tronic Devices,” August 18, 2009 (here­in­after ICE 2009 Direct­ive, Border Searches of Elec­tronic Devices), 2,­rary/assets/ice_border_search_elec­tronic_devices.pdf.

In addi­tion, CBP agents conduct­ing social media checks for people apply­ing for visa waivers (avail­able to the citizens of 38 coun­tries) can exam­ine not only the applic­ant’s posts but those of the people who inter­ac­ted with her on social media (even if unin­vited), and may retain inform­a­tion so long as the agent believes it is “relev­ant” to the waiver decision. foot­note12_rbfm69f 12 See infra text accom­pa­ny­ing notes 102–104. See also DHS, Privacy Impact Assess­ment Update for the Elec­tronic System for Travel Author­iz­a­tion (ESTA), DHS/CBP/PIA-007(g), Septem­ber 1, 2016 (here­in­after ESTA 2016 PIA), 4,­a­tions/privacy-pia-cbp-esta-septem­ber­2016.pdf. The program also allows agents to proact­ively

identify an applic­ant’s second­ary and tertiary contacts who might “pose a poten­tial risk to the home­land” or “demon­strate a nefar­i­ous affil­i­ation on the part of the applic­ant.” foot­note13_d571­grf 13 ESTA 2016 PIA, 5. Examin­ing contacts and networks may make sense when pursu­ing someone who is suspec­ted of wrong­do­ing. But apply­ing this tech­nique to people who are simply seek­ing to travel opens the door to fish­ing exped­i­tions for inform­a­tion that can easily be misin­ter­preted.

Auto­mated analyt­ical tools used by DHS combine social media with other types of inform­a­tion to identify and map possible asso­ci­ations among people and organ­iz­a­tions. ICE and CBP both use data systems developed by the data mining foot­note14_yz21lci 14 Data mining, includ­ing social media data mining, is defined as conduct­ing pattern-based quer­ies, searches, or other analyses of one or more elec­tronic data­bases to discover predict­ive patterns or anom­alies. Federal Agency Data Mining Report­ing Act of 2007, 42 U.S.C. § 2000ee-3(b)(1). See also DHS Privacy Office, 2017 Data Mining Report to Congress, Octo­ber 2018, 7,­a­tions/2017-datamin­in­gre­port_0.pdf; DHS Manage­ment Direct­or­ate, Instruc­tion Manual 262–12–001–01, “DHS Lexicon Terms and Defin­i­tions,” Octo­ber 16, 2017, 144–5,­a­tions/18_0116_MGMT_DHS-Lexicon.pdf (defin­ing data mining as the “applic­a­tion of data­base tech­no­logy and tech­niques to uncover hidden patterns, anom­alies, and subtle rela­tion­ships in data and to infer rules that allow for the predic­tion of future results”). company Palantir Tech­no­lo­gies, Inc., that are equipped with tools to analyze social networks. foot­note15_o76b­njp 15 Palantir developed CBP’s Analyt­ical Frame­work for Intel­li­gence (AFI) and ICE’s FALCON-Search and Analysis (FALCON-SA). For more on AFI’s and FALCON-SA’s analyt­ical capab­il­it­ies, See infra text accom­pa­ny­ing notes 238–255 and 395–417, respect­ively. See also Spen­cer Wood­man, “Palantir Provides the Engine for Donald Trump’s Deport­a­tion Machine,” Inter­cept, March 2, 2017, https://thein­ter­­a­tion-machine/. However, the reli­ab­il­ity of the inform­a­tion inges­ted by these systems is not veri­fied; DHS has exemp­ted them from the relev­ant require­ments of the Privacy Act, and there are func­tion­ally no mech­an­isms for the indi­vidu­als whose inform­a­tion is included to chal­lenge the accur­acy of the data. foot­note16_d9c60wg 16 See DHS Privacy Office, Final Rule, CBP — 017 Analyt­ical Frame­work for Intel­li­gence (AFI) System of Records, 77 Fed. Reg. 47767, 47768 (August 10, 2012) (here­in­after AFI Final Rule),–08–10/html/2012–19336.htm. The privacy impact assess­ment for ICE’s FALCON-SA states that indi­vidu­als seek­ing to correct any record contained in the system may submit a request, but it is unlikely that anyone would know that correc­tion was needed, given that FALCON-SA is exempt from access require­ments. Moreover, the privacy impact assess­ment clari­fies that “all or some of the reques­ted inform­a­tion may be exempt from correc­tion pursu­ant to the Privacy Act.” DHS, Privacy Impact Assess­ment Update for the FALCON Search & Analysis System, DHS/ICE/PIA-032(b) FALCON-SA, Octo­ber 11, 2016 (here­in­after FALCON-SA 2016 PIA), 25–26,­a­tions/privacy-pia-ice-032-falcons-b-octo­ber­2016.pdf. Accord­ing to reports from watch­dog groups and the press, these systems are being used by ICE to identify indi­vidu­als for deport­a­tion. foot­note17_cijl15a 17 See, for example, Erin Corbett, “Tech Compan­ies Are Profit­ing Off ICE Deport­a­tions, Report Shows,” Fortune, Octo­ber 23, 2018,­ies-surveil­lance-ice-immig­rants/.

These data sets are also used by DHS to under­take broader trend, pattern, and predict­ive analyses, through a number of systems that are described in this paper. foot­note18_c6tw120 18 DHS defines pattern analysis as “identi­fy­ing trends in activ­it­ies or beha­vi­ors using prior actions and activ­it­ies.” DHS Manage­ment Direct­or­ate, “DHS Lexicon Terms and Defin­i­tions,” 473. See also Joel B. Predd et al., Using Pattern Analysis and System­atic Random­ness to Alloc­ate U.S. Border Secur­ity Resources, RAND Corpor­a­tion (2012), 1,­text/u2/a558883.pdf (stat­ing, in the context of border secur­ity, that “pattern and trend analysis refers to predict­ive meth­ods that can identify regu­lar­it­ies in the times, places, or tactics that inter­dicted border cross­ers have histor­ic­ally employed. For example, meth­ods or tools of pattern and trend analysis may identify ‘hot spots’ — i.e., border zones or times of high or increased border activ­ity — to ascer­tain where more resources could increase inter­dic­tion rates”). While the privacy impact assess­ments for these systems often identify the sources of inform­a­tion used in these analyses, there is almost no publicly avail­able inform­a­tion regard­ing what types of trends or patterns DHS is seek­ing to identify or how social media inform­a­tion fits into these types of analyses.

3. DHS frequently uses social media inform­a­tion for vague and open-ended eval­u­ations that can be used to target unpop­u­lar views or popu­la­tions.

Our review showed that in many instances — includ­ing the Visa Waiver Program and warrant­less searches at the border by CBP and ICE — DHS person­nel are charged with examin­ing social media to identify inform­a­tion relat­ing to undefined “national secur­ity” risks or concerns. foot­note19_4cerbn6 19 See ESTA 2016 PIA, 2; CBP, “Border Search of Elec­tronic Devices,” CBP Direct­ive No. 3340–049A, Janu­ary 4, 2018 (here­in­after CBP 2018 Direct­ive), 5,­ments/2018-Jan/CBP-Direct­ive-3340–049A-Border-Search-of-Elec­tronic-Media-Compli­ant.pdf. Publicly avail­able docu­ments do not indic­ate what type of inform­a­tion might be regarded as indic­at­ive of a national secur­ity risk, and it has been repor­ted that at least some agents are uncer­tain about what type of inform­a­tion would be considered to be suggest­ive of a national secur­ity risk. foot­note20_atokacm 20 USCIS, “USCIS Social Media & Vetting: Over­view and Efforts to Date,” March 2, 2017, 3, https://assets.docu­­ments/4341532/COW2017000400-FOIA-Response.pdf#page=56. This docu­ment is part of a series of internal reviews obtained by the Daily Beast via FOIA request that offer some inform­a­tion on these pilot programs and more broadly on USCIS’s use of social media monit­or­ing in its vetting efforts. See Aliya Stern­stein, “Obama Team Did Some ‘Extreme Vetting’ of Muslims Before Trump, New Docu­ments Show,” Daily Beast, Janu­ary 2, 2018,­ments-show. While agents obvi­ously must have some flex­ib­il­ity to make judg­ments, the breadth of discre­tion combined with weak safe­guards opens the door for discrim­in­a­tion based on polit­ical or reli­gious views.

Social media inform­a­tion forms part of the data set that DHS uses to assign risk assess­ments to indi­vidual trav­el­ers through CBP’s Auto­mated Target­ing System (ATS). These assess­ments are highly consequen­tial because they determ­ine who is allowed to enter the coun­try and what level of ques­tion­ing they are required to undergo. foot­note21_iu9zy35 21 ATS 2017 PIA, 4. But there is no publicly avail­able inform­a­tion about the accur­acy, effect­ive­ness, or empir­ical basis of risk assess­ments. foot­note22_ekob­tlz 22 CBP, the DHS Privacy Office, the DHS Office for Civil Rights and Civil Liber­ties, and the DHS Office of the General Coun­sel are supposed to conduct joint quarterly reviews of the risk-based rules used in ATS to ensure that the rules are appro­pri­ate, relev­ant, and effect­ive and to assess whether privacy and civil liber­ties protec­tions are adequate and consist­ently imple­men­ted. DHS Privacy Office, 2017 Data Mining Report to Congress, 22. There is no publicly avail­able inform­a­tion about these quarterly reviews, includ­ing whether they occur. In fact, the inform­a­tion that goes into one’s risk assess­ment need not be “accur­ate, relev­ant, timely, [or] complete,” as DHS exemp­ted ATS from these Privacy Act require­ments. foot­note23_ywr9qm3 23 DHS Privacy Office, Final Rule, CBP — 006 Auto­mated Target­ing System of Records, 75 Fed. Reg. 5487 (Febru­ary 3, 2010) (here­in­after ATS Final Rule),–02–03/html/2010–2201.htm. This is partic­u­larly troub­ling because in other settings, such as the crim­inal justice system, risk assess­ments have been shown to dispro­por­tion­ately impact minor­it­ies. foot­note24_265q5p9 24 See Hayley Tsukayama and Jamie Willi­ams, “If a Pre-Trial Risk Assess­ment Tool Does Not Satisfy These Criteria, It Needs to Stay Out of the Courtroom,” Elec­tronic Fron­tier Found­a­tion, Novem­ber 6, 2018,­ment-tool-does-not-satisfy-these-criteria-it-needs-stay; Jesse Jannetta et al., Examin­ing Racial and Ethnic Dispar­it­ies in Proba­tion Revoc­a­tion: Summary Find­ings and Implic­a­tions From a Multis­ite Study, Urban Insti­tute, April 2014,­a­tion/22746/413174-Examin­ing-Racial-and-Ethnic-Dispar­it­ies-in-Proba­tion-Revoc­a­tion.PDF; Lori D. Moore and Irene Pada­vic, “Risk Assess­ment Tools and Racial⁄Eth­nic Dispar­it­ies in the Juven­ile Justice System,” Soci­ology Compass 5, no. 10 (2011): 850–858,­mains/claud­e­pep­per­cen­ter.fsu.edu_wp/wp-content/uploads/2015/04/Risk_Assess­ment_Juvies.pdf.

For example, as of at least 2017, DHS compares refugee and asylum applic­ant inform­a­tion from social media and other sources against the inform­a­tion provided by an applic­ant to identify any incon­sist­en­cies. Such social media checks are, however, performed only on select popu­la­tions of asylum seekers and refugees. With the excep­tion of Iraqis and Syri­ans, these applic­ant popu­la­tions have not been publicly iden­ti­fied. foot­note25_z1qjkfh 25 See Hear­ing on “Refugee Admis­sions FY 2018,” Before the Subcom­mit­tee on Immig­ra­tion and Border Secur­ity House Commit­tee on the Judi­ciary, Octo­ber 26, 2017 (writ­ten testi­mony of L. Fran­cis Cissna, director, U.S. Citizen­ship and Immig­ra­tion Services, DHS) (here­in­after Hear­ing on Refugee Admis­sions: Cissna Testi­mony), 5,­ing-refugee-admis­sions-fy-2018-subcom­mit­tee-immig­ra­tion-and-border-secur­ity-house-commit­tee-judi­ciary-octo­ber-26–2017-uscis-director-l-fran­cis-cissna; USCIS Brief­ing Book, 181. However, one prom­in­ent refugee organ­iz­a­tion repor­ted in 2018 that these meas­ures are applied to refugee applic­ants from the Muslim coun­tries of Egypt, Iran, Iraq, Libya, Mali, Somalia, South Sudan, Sudan, Syria, and Yemen, as well as North Korea. foot­note26_ugseqi6 26 Laura Koran and Tal Kopan, “US Increases Vetting and Resumes Processing of Refugees From ‘High-Risk’ Coun­tries,” CNN, Janu­ary 29, 2018,­ics/us-refugee-vetting-meas­ures/index.html. All of the coun­tries covered by the Trump Muslim ban are on this list.

4. DHS is continu­ously monit­or­ing some people inside the United States and plans to expand these efforts.

DHS is increas­ingly imple­ment­ing programs to continu­ously monitor people inside the United States, where free­dom of speech, asso­ci­ation, and reli­gion are consti­tu­tion­ally protec­ted. For example, using social media and other sources, ICE monit­ors students who enter the United States plan­ning to study a “nonsens­it­ive” topic and later change to one the State Depart­ment categor­izes as “sens­it­ive” (e.g., nuclear phys­ics, biomed­ical engin­eer­ing, or robot­ics). foot­note27_bghz9d7 27 For more on the monit­or­ing of students who change their course of study to “sens­it­ive” fields, See infra text accom­pa­ny­ing notes 342–344. ICE’s Over­stay Lifecyle Program targets visit­ors from a number of uniden­ti­fied coun­tries to uncover derog­at­ory inform­a­tion for ongo­ing monit­or­ing, includ­ing through social media. And ICE’s planned Visa Life­cycle Vetting Initi­at­ive would keep tabs on 10,000 foreign visit­ors flagged as “high risk” by monit­or­ing their social media activ­ity. foot­note28_u3jd­bgj 28 For more on ICE’s social media pilot programs, See infra text accom­pa­ny­ing notes 342–359. Drew Harwell and Nick Miroff, “ICE Just Aban­doned Its Dream of ‘Extreme Vetting’ Soft­ware That Could Predict Whether a Foreign Visitor Would Become a Terror­ist,” Wash­ing­ton Post, May 17, 2018, https://www.wash­ing­ton­­doned-its-dream-of-extreme-vetting-soft­ware-that-could-predict-whether-a-foreign-visitor-would-become-a-terror­ist/. As noted earlier, a draft CBP report recom­men­ded continu­ously monit­or­ing young Muslim men while they were in the United States. If imple­men­ted, this discrim­in­at­ory policy would affect hundreds of thou­sands of people. foot­note29_6xwujti 29 See supra text accom­pa­ny­ing notes 10–11.

5. DHS is increas­ingly seek­ing and using auto­mated tools to analyze social media.

While the full scope of DHS’s efforts to use algorithms is not known, our research shows that at least three branches of DHS — CBP, ICE, and USCIS — now use auto­mated tools to analyze social media inform­a­tion, either along­side other data or by itself. For instance, CBP’s Analyt­ical Frame­work for Intel­li­gence has auto­mated analytic capab­il­it­ies, developed by Palantir, to identify “non-obvi­ous” links among data points, people, and organ­iz­a­tions. foot­note30_dpqxnnz 30 DHS Privacy Office, 2017 Data Mining Report to Congress, 26. Simil­arly, ICE has contrac­ted with the data mining firm Giant Oak to continu­ously monitor, aggreg­ate, and analyze social media data to provide ICE with prior­it­ized rank­ings of leads for its over­stay enforce­ment initi­at­ives. foot­note31_nsk9t15 31 “State­ment of Work,” ICE Contract #HSCEMD-14-C-00002 P00007, 31, https://www.bren­nan­cen­­cial%20Me­dia%20Pi­lot%20Pro­grams%20-%20BCJ.pdf. The push toward auto­ma­tion raises concerns given the poor track record of auto­mated systems trying to make complic­ated judg­ments and the ambi­gu­ity of many social media posts, as amply demon­strated by the USCIS pilot programs. foot­note32_1465599 32 See supra text accom­pa­ny­ing notes 16–24.

6. Social media inform­a­tion collec­ted for one purpose is used by DHS in a range of other contexts, increas­ing the like­li­hood of misin­ter­pret­a­tion.

The diffi­culty of inter­pret­ing Face­book posts and offhand tweets likely only worsens as they are captured in numer­ous data­bases and systems and used for a range of analyses. Empir­ical research shows that as data becomes further and further removed from the context and aim of its original collec­tion, it is less likely to be useful for second­ary analysis. foot­note33_fx4lr31 33 See, for example, Rob Kitchin, The Data Revolu­tion: Big Data, Open Data, Data Infra­struc­tures and Their Consequences (London: SAGE Public­a­tions, 2014), 178; Victoria Sher­iff, “Eval­u­at­ing Preex­ist­ing Qual­it­at­ive Research Data for Second­ary Analysis,” Forum: Qual­it­at­ive Social Research 19, no. 2 (May 2018), http://www.qual­it­at­

The DHS data archi­tec­ture is a vast, ambigu­ous, and highly inter­con­nec­ted system in which social media is avail­able for several types of second­ary analyses. For example, when someone applies for a visa waiver to visit the United States, that person is asked to provide his or her social media iden­ti­fi­ers, such as a Twit­ter handle. foot­note34_nq22ibc 34 CBP officers may use this inform­a­tion to vet the applic­ant and may also use it when trav­el­ers do not provide such inform­a­tion. See ESTA 2016 PIA, 2. The CBP officer who eval­u­ates the applic­ant’s tweets conducts an indi­vidu­al­ized assess­ment and has avail­able a range of biograph­ical inform­a­tion that provides context for what the applic­ant has said on social media. We know from DHS’s own pilot programs discussed above that this type of analysis is mostly unpro­duct­ive. These prob­lems are exacer­bated when the inform­a­tion is used for second­ary analyses. The social media iden­ti­fi­ers as well as inform­a­tion obtained from CBP border searches also make their way into the Auto­mated Target­ing System, where the inform­a­tion can be used to gener­ate “risk assess­ments” for other indi­vidu­als alto­gether. foot­note35_25d0n5w 35 ESTA 2016 PIA, 5; DHS, Privacy Impact Assess­ment Update for CBP Border Searches of Elec­tronic Devices, DHS/CBP/PIA-008(a), Janu­ary 4, 2018 (here­in­after CBP Elec­tronic Border Searches 2018 PIA), 10,­a­tions/privacy-pia-cbp008-border­searcheselec­tron­icdevices-janu­ary2018.pdf. Inform­a­tion in ATS obtained from border searches does not include inform­a­tion from searches pursu­ant to warrant, consent, or aban­don­ment. See infra text accom­pa­ny­ing notes 178–194. The inform­a­tion in ATS also feeds into numer­ous other data systems and is used, for example, by TSA to prescreen trav­el­ers and to vet visa applic­ants and people apply­ing for immig­ra­tion bene­fits. foot­note36_zn231q3 36 ATS 2017 PIA, 22–27, 35–37, 46–47, 58–60. For more on ATS and its inter­con­nec­tions with vari­ous DHS programs, See infra text accom­pa­ny­ing notes 198–256, 258–297, 317, 336, 402–410, 466–471. When already diffi­cult-to-inter­pret inform­a­tion is taken out of context, the risks of misun­der­stand­ings only increase.

7. Social media inform­a­tion collec­ted by DHS is shared with other law enforce­ment and secur­ity agen­cies under broad stand­ards.

The past two decades have seen a prolif­er­a­tion in inform­a­tion-shar­ing arrange­ments among vari­ous govern­ment agen­cies and even with foreign govern­ments. With strin­gent stand­ards and controls, such arrange­ments can serve valid purposes. But shar­ing inform­a­tion about people’s polit­ical and reli­gious views, espe­cially when gleaned from the ambigu­ous realms of social media, only expands the possib­il­ity of abuse and inap­pro­pri­ate target­ing. For example, the CBP program to track and inter­rog­ate journ­al­ists and activ­ists at the south­ern border, discussed earlier, was appar­ently carried out in cooper­a­tion with Mexican author­it­ies. foot­note37_xw0m­s4z 37 See supra notes iii-v acccom­pa­ny­ing side­bar “Case Stud­ies: Using Social Media to Target First Amend­ment–­Pro­tec­ted Activ­ity.” The docu­ment list­ing targets displayed both U.S. and Mexican flags, as well as a seal for the Inter­na­tional Liaison Unit, which coordin­ates intel­li­gence between the two coun­tries. Tom Jones, Mari Payton, and Bill Feather, “Source: Leaked Docu­ments Show the U.S. Govern­ment Track­ing Journ­al­ists and Immig­ra­tion Advoc­ates,” NBC San Diego, March 6, 2019, https://www.nbcsan­­ments-Show-the-US-Govern­ment-Track­ing-Journ­al­ists-and-Advoc­ates-Through-a-Secret-Data­base-506783231.html. The target list showed that Mexican author­it­ies had depor­ted seven people and arres­ted three others, includ­ing nation­als of the United States, Honduras, and Spain. foot­note38_b659l19 38 Ibid. These actions by Mexico, which raise seri­ous concerns about the target­ing of polit­ical speech and organ­iz­ing, could well have been the result of the shar­ing of inform­a­tion by CBP. Report­ing also indic­ates that agents from the San Diego office of the Federal Bureau of Invest­ig­a­tion (FBI) were involved in the oper­a­tion, rais­ing concerns about whether CBP inten­ded that the FBI target the Amer­ic­ans on the list for surveil­lance. foot­note39_ke1ey0c 39 Ibid.

Unfor­tu­nately, DHS programs gener­ally have low stand­ards for shar­ing highly personal inform­a­tion, such as that found on social media, and the stand­ards do not differ­en­ti­ate between Amer­ic­ans’ inform­a­tion and that of people from other coun­tries. This inform­a­tion can easily be shared with entit­ies ranging from the Depart­ment of State, the FBI, and congres­sional offices to foreign govern­ments and Inter­pol. For example, data obtained from CBP searches of trav­el­ers’ elec­tronic devices at the border, which can include the full contents of these devices, can be shared with federal, state, tribal, local, or foreign govern­mental agen­cies or multi­lat­eral govern­ment organ­iz­a­tions when CBP believes the inform­a­tion could assist enforce­ment of civil or crim­inal laws. foot­note40_aon4mdo 40 ATS 2017 PIA, 44. ICE, too, can dissem­in­ate any device inform­a­tion “relat­ing to national secur­ity” to law enforce­ment and intel­li­gence agen­cies. foot­note41_084e6o1 41 Memor­andum from director, ICE Office of Invest­ig­a­tions, to assist­ant direct­ors, all deputy assist­ant direct­ors, and all special agents in charge, “Field Guid­ance on Hand­ling Detained or Seized Elec­tronic Media From Persons of National Secur­ity Interest at Ports of Entry,” March 5, 2007, 2, Inform­a­tion from ICE’s LeadTrac system, which is used to vet and manage leads of suspec­ted over­stay­ers and status viol­at­ors and includes social media inform­a­tion, can be shared with any law enforce­ment author­it­ies engaged in collect­ing law enforce­ment intel­li­gence “whether civil or crim­inal.” foot­note42_dzt7kpe 42 DHS Privacy Office, Notice of Privacy Act System of Records, ICE–015 LeadTrac System of Records, 81 Fed. Reg. 52700 (August 9, 2016) (here­in­after LeadTrac SORN), https://www.regu­la­­ment?D=DHS-2016–0053–0001.

Inform­a­tion shared with agen­cies can prolif­er­ate even further because DHS frequently does not place limits on re-dissem­in­a­tion. USCIS’s Alien Files system, for example, stores social media inform­a­tion on people apply­ing for immig­ra­tion bene­fits (such as a change of status from one type of visa to another, or natur­al­iz­a­tion) but does not seem to limit re-dissem­in­a­tion. foot­note43_sn5mtyb 43 The Alien File, or A-File, is the offi­cial file for all immig­ra­tion records. DHS Privacy Office, Notice of Modi­fied Privacy Act System of Records, Alien File, Index, and National File Track­ing System of Records, 82 Fed. Reg. 43556 (Octo­ber 18, 2017) (here­in­after A-Files SORN),–09–18/pdf/2017–19365.pdf. In addi­tion, some­times data­bases inges­ted by DHS do not adequately reflect the dissem­in­a­tion restric­tions of the original system. For example, the Depart­ment of State data­bases for visa applic­a­tions include some modest shar­ing restric­tions, but it does not appear that these restric­tions are honored when the State Depart­ment inform­a­tion is inges­ted into CBP’s systems. foot­note44_wr73w2i 44 See infra text accom­pa­ny­ing notes 118–131. State Depart­ment docu­ments from April 2019 describ­ing the expan­sion of social media iden­ti­fier collec­tion state that “inform­a­tion obtained from applic­ants . . . is considered confid­en­tial” though it “may be made avail­able to a court or provided to a foreign govern­ment.” However, the docu­ment does not mention the extens­ive shar­ing arrange­ment with ATS. Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” OMB Number 1405–0185, DS-260, April 11, 2019, 18,­load­Doc­u­ment?objectID=85760502. Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Applic­a­tion for Nonim­mig­rant Visa,” OMB Number 1405–0182, DS-160 and DS-156, April 11, 2019, 19–20,­load­Doc­u­ment?objectID=85743802; ATS 2017 PIA 8–9.

8. DHS systems retain inform­a­tion for long peri­ods, some­times in viol­a­tion of the depart­ment’s own rules.

While data­bases are part of how DHS carries out its func­tions, its exten­ded reten­tion of large pools of personal inform­a­tion untethered to any suspi­cion of crim­inal activ­ity raises seri­ous concerns about privacy risks and misuse of data. foot­note45_lbe8cad 45 See gener­ally Rachel Levin­son-Wald­man, What the Govern­ment Does With Amer­ic­ans’ Data, Bren­nan Center for Justice, Octo­ber 8, 2013, https://www.bren­nan­cen­­a­tions/Data%20Re­ten­tion%20-%20FI­NAL.pdf. In 1974, the Church Commit­tee’s report on surveil­lance abuses by U.S. intel­li­gence agen­cies warned: “The massive cent­ral­iz­a­tion of . . . inform­a­tion creates a tempta­tion to use it for improper purposes, threatens to ‘chill’ the exer­cise of First Amend­ment rights, and is inim­ical to the privacy of citizens.” foot­note46_x3y4zo1 46 Select Commit­tee to Study Govern­ment Oper­a­tions With Respect to Intel­li­gence Activ­it­ies, Final Report, S. Rep. No. 94–755, pt. 3, 778 (1976),­li­>. The accu­mu­la­tion of data intrudes on people’s privacy by allow­ing govern­ment author­it­ies to know the details of their personal lives. These risks have only become greater because data — includ­ing what we say on social media — can be so read­ily combined and searched.

To manage these types of risks, as well as to ensure that inac­cur­ate and out-of-date inform­a­tion is weeded out, DHS’s data systems incor­por­ate rules that limit the reten­tion of inform­a­tion beyond a specified time frame. Unfor­tu­nately, these reten­tion limits are often not carried over from one DHS data­base to another, so that once social media inform­a­tion is shared (often auto­mat­ic­ally), it is kept in the receiv­ing data­base for longer than inten­ded.

For example, CBP’s ATS stores a range of data from vari­ous sources, and as DHS admits, it fails to “consist­ently follow source system reten­tion peri­ods,” instead retain­ing most inform­a­tion for 15 years by default. foot­note47_4lrzhzk 47 ATS 2017 PIA, 14. This means that inform­a­tion stored in ATS, such as Visa Waiver Program applic­a­tions that include applic­ants’ social media iden­ti­fi­ers and are supposed to be kept for no more than three years, may be retained for five times that long. foot­note48_he6ge77 48 ESTA 2016 PIA, 6 (noting that, after being retained for up to three years, ESTA applic­a­tion data must then enter archive status). However, it does not appear that ATS adheres to this rule. ATS 2017 PIA, 77.

The lack of respect for reten­tion rules is not limited to partic­u­lar programs either. Since 2015, data from ATS has been copied in bulk to go into the consol­id­ated DHS-wide Data Frame­work, a new system that is expec­ted to play an enorm­ous role in the agency’s oper­a­tions. foot­note49_9o7m­p4n 49 DHS, Privacy Impact Assess­ment for the DHS Data Frame­work — Interim Process to Address an Emer­gent Threat, DHS/ALL/PIA-051, April 15, 2015 (here­in­after Data Frame­work — Interim Process PIA), 8,­a­tions/privacy-pia-dhswide-data­frame­work-april2015.pdf. See infra text accom­pa­ny­ing notes 218–231. Because ATS does not abide by source restric­tions, the Data Frame­work likely does not comply with such restric­tions either, and will instead rely on data that may be outdated, incor­rect, or already deleted from the source system. foot­note50_wi90wux 50 The Data Frame­work oper­ates under an interim process in which data is not tagged with the relev­ant reten­tion restric­tions. Ibid., 8–9. See infra text accom­pa­ny­ing note 225.

Moreover, some systems have long reten­tion peri­ods by design. USCIS’s Alien Files — which contain the offi­cial record of an indi­vidu­al’s visa and immig­ra­tion history and may include social media inform­a­tion — are stored for 100 years after the indi­vidu­al’s date of birth. foot­note51_2m49nnf 51 A-Files SORN, 43564. Long reten­tion peri­ods for social media inform­a­tion further exacer­bate the risk of misin­ter­pret­a­tion. A social media post from 2007 may take on a whole new mean­ing by 2022, and even more so decades later.

The appendix at the end of this report contains further details on the reten­tion of inform­a­tion in DHS systems.

As the find­ings above show, DHS incor­por­ates social media into almost all aspects of its immig­ra­tion oper­a­tions, from visa vetting to searches of trav­el­ers to identi­fy­ing targets for deport­a­tion. Hundreds of thou­sands or even millions of people, includ­ing Amer­ic­ans, are caught up in this net. While some of what the depart­ment is doing may well be justi­fied, the scope of its monit­or­ing activ­it­ies is hidden behind jargon-filled notices and only rarely eval­u­ated. Poli­cy­makers and the public need to know the when, why, what, and how behind DHS social media monit­or­ing so that they can make informed judg­ments about the risk, effic­acy, and impact of these initi­at­ives.

End Notes

Customs and Border Protection

Customs and Border Protec­tion (CBP) is the arm of DHS charged primar­ily with secur­ing the nation’s borders. CBP uses social media inform­a­tion as part of its review of applic­a­tions to enter the United States. Social media inform­a­tion is also part of CBP’s preflight risk assess­ments and watch list screen­ing and is used to develop broader intel­li­gence analysis products. foot­note1_488jsnm 1 CBP screens trav­el­ers before they board a flight on a U.S.-registered airline anywhere in the world, regard­less of whether or not the flight touches down in the United States or flies in U.S. airspace. DHS, Privacy Impact Assess­ment Update for the Auto­mated Target­ing System — TSA/CBP Common Oper­at­ing Picture, Phase II, DHS/CBP/PIA-006(d), Septem­ber 16, 2014 (here­in­after ATS-TSA PIA, Common Oper­at­ing Picture, Phase II), 3,­a­tions/privacy_pia_cbp_tsacop_09162014.pdf. CBP and TSA cooper­ate closely in conduct­ing screen­ings. See infra text accom­pa­ny­ing notes 277–297 for more on CBP’s preflight screen­ing and watch list­ing. CBP’s reli­ance on social media to perform these crit­ic­ally import­ant func­tions is misplaced. DHS’s own pilot programs show that social media inform­a­tion is rarely a reli­able basis for making judg­ments. And the vague stand­ards used to assess social media invite discrim­in­a­tion against certain indi­vidu­als, such as those involved in protest and activ­ism and Muslim trav­el­ers. Unre­li­able social media inform­a­tion is easily shared within and beyond DHS, expos­ing personal inform­a­tion to a range of actors and increas­ing the risk that the data will be used out of context.

1. Visa Vetting

A. Visa Waivers (ESTA Program)

DHS, in consulta­tion with the State Depart­ment, admin­is­ters the Visa Waiver Program, through which citizens of 38 mainly West­ern European coun­tries can travel to the United States for busi­ness or tour­ism without obtain­ing a visa. foot­note2_h0o6awf 2 ESTA, U.S. Travel Author­iz­a­tion Applic­a­tion, “Visa Waiver Coun­tries,” "­tries.html. However, if an indi­vidual traveled to Iran, Iraq, Sudan, Syria, Libya, Somalia, or Yemen on or after March 1, 2011, he or she is ineligible for the program. CBP, “Visa Waiver Program Improve­ment and Terror­ist Travel Preven­tion Act, Frequently Asked Ques­tions,”­na­tional-visit­ors/visa-waiver-program/visa-waiver-program-improve­ment-and-terror­ist-travel-preven­tion-act-faq. In fiscal year 2017, more than 23 million trav­el­ers came to the United States through the program. foot­note3_jm8ikzc 3 See DHS Office of Immig­ra­tion Stat­ist­ics, Table 28, “Nonim­mig­rant Admis­sions (I-94 Only).” Trav­el­ers from these coun­tries who wish to obtain a visa waiver must complete a mandat­ory online applic­a­tion on the Elec­tronic System for Travel Author­iz­a­tion (ESTA). foot­note4_g64b9nx 4 Visa waiver applic­ants who do not submit the online ESTA form must complete an I-94W form when they arrive at the border, but they may be denied board­ing, exper­i­ence delayed processing, or be denied admis­sion. CBP, “Frequently Asked Ques­tions About the Visa Waiver Program (VWP) and the Elec­tronic System for Travel Author­iz­a­tion (ESTA),” 2016. The inform­a­tion provided through ESTA is vetted against secur­ity and law enforce­ment data­bases to determ­ine whether applic­ants are eligible to travel under the program and to ensure they do not pose a law enforce­ment or secur­ity risk. foot­note5_r8813i1 5 ESTA 2016 PIA, 5. If an applic­ant does not qual­ify for the Visa Waiver Program, he or she must go through the nonim­mig­rant visa applic­a­tion process. CBP, “ESTA Applic­a­tion Denied,” June 14, 2017,­a­tion-denied. These trav­el­ers are also continu­ally screened in real time. foot­note6_a8lg­pkz 6 DHS, “National Target­ing Center: Passen­ger Oper­a­tions,” in CBP Pres­id­en­tial Trans­ition Records, 5,­a­tions/CBP%20Pres­id­en­tial%20Trans­ition%20Re­cords.pdf.

Social media inform­a­tion is increas­ingly being used in this process to vet for national secur­ity concerns, although only one Amer­ican was killed in a terror­ist attack by a trav­eler on the Visa Waiver Program between 1975 and 2017, accord­ing to a study by the Cato Insti­tute. foot­note7_l1o1x9k 7 The attack by a VWP trav­eler killing one Amer­ican resid­ent occurred in 1990. Alex Nowras­teh, “Terror­ists by Immig­ra­tion Status and Nation­al­ity: A Risk Analysis, 1975–2017,” Policy Analysis no. 866, May 7, 2019,­a­tions/policy-analysis/terror­ists-immig­ra­tion-status-nation­al­ity-risk-analysis-1975–2017. While social media checks were previ­ously used by CBP, the agency added a new ques­tion to the forms in Decem­ber 2016, asking all applic­ants to volun­tar­ily provide their social media iden­ti­fi­ers, such as any user­names and plat­forms used. foot­note8_6ykyl70 8 ESTA 2016 PIA, 2. OMB, Notice of Office of Manage­ment and Budget Action, “Arrival and Depar­ture Record” (noting that the social media iden­ti­fier collec­tion was approved on Decem­ber 19, 2016). ESTA privacy docu­ments note that provid­ing social media inform­a­tion is “optional” for visa waiver applic­ants and omis­sion will not affect their eligib­il­ity determ­in­a­tion. ESTA SORN; DHS Privacy Office, Notice of Privacy Act System of Records, CBP — 009 Elec­tronic System for Travel Author­iz­a­tion System of Records Notice, 81 Fed. Reg. 39680 (June 17, 2016),–06–17/pdf/2016–14422.pdf. Regard­less, applic­ants will likely feel pres­sure to comply. The ESTA form requires applic­ants to affirm that the inform­a­tion they have supplied is “true and correct.” If they provide their user­name for one social media account but not for another, they may worry that their submis­sion will be perceived as untruth­ful. See Bren­nan Center for Justice, Comments to CBP, August 22, 2016, https://www.bren­nan­cen­­nan-Center-Submits-Comments-on-DHS-Plan-to-Collect-Social-Media-Inform­a­tion.pdf. If applic­ants choose to provide identi­fy­ing inform­a­tion, officers may use it to locate their profiles and accounts when the initial screen­ing indic­ates “possible inform­a­tion of concern” or “a need to further valid­ate inform­a­tion.” foot­note9_bkx5twp 9 ESTA 2016 PIA, 2. CBP, Frequently Asked Ques­tions, “How will CBP use my social media inform­a­tion collec­ted through the addi­tional ques­tion that was added to the ESTA applic­a­tion in Decem­ber 2016?”­a­tion.html?execu­tion=e2s1/a>.

Regard­less of whether ESTA applic­ants have chosen to provide their social media iden­ti­fi­ers, CBP officers may still choose to manu­ally check their accounts; it does not appear that the officer must first make a find­ing of “possible inform­a­tion of concern” or “a need to further valid­ate inform­a­tion” in order to do so. foot­note10_h3ws­mc4 10 ESTA 2016 PIA, 2. In such instances, in addi­tion to the inter­pret­ive issues iden­ti­fied above, it is unclear how CBP offi­cials confirm that they have correctly connec­ted the applic­ant to the right social media accounts. This was a recur­ring prob­lem in the pilot programs discussed previ­ously. foot­note11_d8kbwnb 11 See supra text accom­pa­ny­ing notes 16–24.

Publicly avail­able docu­ments do not indic­ate what types of post­ings on social media would be considered by CBP to be indic­at­ive of a national secur­ity threat. foot­note12_78dz8j3 12 The inform­a­tion is also used for “law enforce­ment vetting purposes,” which could mean ensur­ing that there are no crim­inal charges against an ESTA applic­ant but could also be construed more broadly, and for “eligib­il­ity determ­in­a­tions,” which presum­ably would reflect the legal para­met­ers of immig­ra­tion law. ESTA 2016 PIA, 2. But the vague­ness of the stand­ards creates the risk that innoc­u­ous social media activ­ity will be used as a means of exclud­ing people of certain polit­ical or reli­gious beliefs. In a nod to this risk, CBP docu­ments state that inform­a­tion from social media “will not” be the sole basis upon which CBP denies someone entry to the United States. foot­note13_ms812o2 13 ESTA 2016 PIA, 4. But this restric­tion may not be partic­u­larly effect­ive because CBP could combine one ques­tion­able or weak social media “find” with virtu­ally any other inform­a­tion to deny a visa waiver. For example, CBP and other arms of DHS are not permit­ted to use ethni­city as the sole basis for suspect­ing an indi­vidual is undoc­u­mented, but ethni­city combined with other factors — such as appear­ing nervous — has been used to stop people on suspi­cion of undoc­u­mented status. foot­note14_u9cou8p 14 See, for example, Kavitha Surana, “How Racial Profil­ing Goes Unchecked in Immig­ra­tion Enforce­ment,” ProP­ub­lica, June 8, 2018, https://www.prop­ub­­ing-ice-immig­ra­tion-enforce­ment-pennsylvania. Accord­ing to a former ICE agent, officers use obser­va­tions about people’s demeanor to eval­u­ate whether they might be undoc­u­mented, such as “when people speak only Span­ish” or “appear nervous when encountered by an immig­ra­tion officer.” Ibid.

The social media check can also extend to asso­ci­ates who posted on or inter­ac­ted with an applic­ant on their social media profile, which could include Amer­ic­ans and other contacts living in the United States if “relev­ant to making an ESTA determ­in­a­tion.” foot­note15_lsupe1k 15 ESTA 2016 PIA, 4. In addi­tion, CBP uses “link analysis” to proact­ively identify contacts of applic­ants (e.g., friends, follow­ers, or “likes”), as well as the applic­ant’s second­ary and tertiary contacts who might “pose a poten­tial risk to the home­land” or “demon­strate a nefar­i­ous affil­i­ation on the part of the applic­ant.” foot­note16_lhk3a5j 16 Ibid., 5. CBP has no qualms about draw­ing adverse conclu­sions from things that third parties have posted — rather, it “presumes” that at least some of the inform­a­tion posted on the applic­ant’s site, includ­ing from third parties, is accur­ate because “indi­vidu­als gener­ally have some degree of control over what is posted on their sites.” foot­note17_kfx3e6o 17 Ibid., 3–4.

Thus, even if noth­ing posted by the applic­ant suggests he or she poses a risk, CBP could still poten­tially deny a visa waiver based in part on concerns related to a tweet posted by a “friend” or follower, who could easily be someone the applic­ant does not even know. Unfor­tu­nately, unlike some other DHS programs, there is no oppor­tun­ity for the applic­ant to address or explain the infer­ences that CBP draws from their social media.

DHS rules require officers to collect only the minimum person­ally iden­ti­fi­able inform­a­tion “neces­sary for the proper perform­ance of their author­ized duties.” foot­note18_6m6dkaz 18 DHS, Direct­ive 110–01, “Privacy Policy for Oper­a­tional Use of Social Media,” June 8, 2012, 8,­a­tions/Instruc­tion_110–01–001_Privacy_Policy_for_Oper­a­tional_Use_of_Social_Media.pdf. But accord­ing to the 2017 privacy audit of ESTA, DHS’s Privacy Office could not verify whether CBP was adher­ing to this require­ment. foot­note19_s2tbgh3 19 CBP, Privacy Compli­ance Review of the U.S. Customs and Border Protec­tion Elec­tronic System for Travel Author­iz­a­tion, Octo­ber 27, 2017, 8,­a­tions/CBP-ESTA%20PCR%20fi­nal%20re­port%2020171027.pdf. Other signi­fic­ant controls — that DHS officers are limited to review­ing publicly avail­able inform­a­tion and must use offi­cial DHS accounts to conduct such checks — can be circum­ven­ted using a tech­nique called “masked monit­or­ing.” foot­note20_3qxkbm5 20 ESTA 2016 PIA, 4–5. But the circum­stances trig­ger­ing such monit­or­ing and the applic­able rules are not publicly avail­able. foot­note21_hiqfweh 21 The detailed CBP rules imple­ment­ing the direct­ive, which were obtained by the Bren­nan Center via FOIA, confirm that its officers can under­take masked monit­or­ing, but the trig­gers and rules for util­iz­ing this tech­nique are redac­ted. DHS, “DHS Oper­a­tional Use of Social Media,” July 24, 2012, 5, https://www.bren­nan­cen­­cial%20Me­dia%20Use%20Tem­plate.pdf.

All social media inform­a­tion about those apply­ing for visa waivers (and poten­tially about their friends and contacts), as well as other data from ESTA applic­a­tions and related paper­work, is stored in CBP’s Auto­mated Target­ing System (ATS). foot­note22_lkwg99t 22 ESTA 2016 PIA, 5. CBP agents use the inform­a­tion in ATS to assign risk assess­ments to trav­el­ers, which can impact their vetting and ques­tion­ing at the border. ATS risk assess­ments and other analyses also feed into a number of watch lists, such as the FBI’s Terror­ist Screen­ing Data­base and TSA Watch Lists, as well as analyt­ical products on trends and threats. foot­note23_a04u0bc 23 ATS 2017 PIA, 25. The role of ATS in preflight and watch list screen­ing is described in more detail in the TSA section; See infra text accom­pa­ny­ing notes 258–297. Vari­ous records from ATS are shared with CBP’s Analyt­ical Frame­work for Intel­li­gence (AFI), which is used to create vari­ous analyt­ical products. See DHS, Privacy Impact Assess­ment Update for the Analyt­ical Frame­work for Intel­li­gence (AFI), DHS/CBP/PIA-010(a), Septem­ber 1, 2016 (here­in­after AFI 2016 PIA), 1, 3,­a­tions/privacy-pia-cbp-010-a-afi-2016.pdf; See infra text accom­pa­ny­ing notes 236–255. In other words, what a person says on social media, which is often context-specific and ambigu­ous to outsiders, feeds into every aspect of CBP’s work and that of DHS more broadly.

ESTA inform­a­tion — about applic­ants and their friends and famil­ies — is also dissem­in­ated widely to a broad range of entit­ies, includ­ing the Depart­ments of Justice and State. foot­note24_l1dh­fel 24 ESTA SORN, 60717. As of Decem­ber 2018, the National Vetting Center (NVC), a pres­id­en­tially created clear­ing­house and coordin­a­tion center for vetting inform­a­tion, has been involved in ESTA’s work. foot­note25_tore­gh4 25 See National Secur­ity Pres­id­en­tial Memor­andum (NSPM-9), “Optim­iz­ing the Use of Federal Govern­ment Inform­a­tion in Support of the National Vetting Enter­prise,” Febru­ary 6, 2018, https://www.white­­id­en­tial-actions/pres­id­en­tial-memor­andum-optim­iz­ing-use-federal-govern­ment-inform­a­tion-support-national-vetting-enter­prise/; DHS, “Plan to Imple­ment the Pres­id­en­tial Memor­andum on Optim­iz­ing the Use of Federal Govern­ment Inform­a­tion in Support of the National Vetting Enter­prise,” August 5, 2018,­a­tions/NSPM-9%20Im­ple­ment­a­tion%20Plan.pdf; DHS, Privacy Impact Assess­ment for the National Vetting Center (NVC), DHS/ALL/PIA-072, Decem­ber 11, 2018,­a­tions/privacy-pia-dhsall072-nvc-decem­ber­2018.pdf. CBP is required to regu­larly share ESTA applic­a­tion data with a number of agen­cies involved in the NVC, includ­ing the CIA and the Depart­ment of Defense, to be compared against the hold­ings of those agen­cies. foot­note26_lez51hn 26 DHS, “Plan to Imple­ment the Pres­id­en­tial Memor­andum,” 13. Beyond the bulk shar­ing with the NVC, ESTA inform­a­tion shar­ing with other agen­cies is not confined to situ­ations in which there is an indic­a­tion that the trav­eler has viol­ated the law. Rather, it can take place simply when DHS determ­ines that the inform­a­tion “would assist in the enforce­ment of civil or crim­inal matters.” foot­note27_78f2ozp 27 Inform­a­tion may be shared with any “appro­pri­ate federal, state, tribal, local, inter­na­tional, or foreign law enforce­ment agency or other appro­pri­ate author­ity charged with invest­ig­at­ing or prosec­ut­ing a viol­a­tion or enfor­cing or imple­ment­ing a law, rule, regu­la­tion, or order.” ESTA SORN, 60717. In addi­tion, DHS and the National

Coun­terter­ror­ism Center (NCTC), which is charged with collect­ing coun­terter­ror­ism intel­li­gence, have entered into a memor­andum of under­stand­ing allow­ing DHS to disclose the entire ESTA data set to the NCTC. foot­note28_0spg­dor 28 For more on the NCTC, See National Coun­terter­ror­ism Center, Today’s NTC, August 2017, 3,­ments/features_docu­ments/NCTC-Primer_FINAL.pdf; Sari Horwitz and Ellen Nakashima, “New Coun­terter­ror­ism Guidelines Permit Data on U.S. Citizens to Be Held Longer,” Wash­ing­ton Post, March 22, 2012, https://www.wash­ing­ton­­ity/new-coun­terter­ror­ism-guidelines-would-permit-data-on-us-citizens-to-be-held-longer/2012/03/21/gIQAFLm7TS_story.html. DHS, Privacy Impact Assess­ment Update for the Elec­tronic System for Travel Author­iz­a­tion, DHS/CBP/PIA-007(c), June 5, 2013 (here­in­after ESTA 2013 PIA), 3–4,­a­tions/privacy-pia-cbp-esta-update-20130606_0.pdf. The memor­andum of under­stand­ing was updated in 2013. Ibid., 5. See also Rachel Levin­son-Wald­man, What the Govern­ment Does With Amer­ic­ans’ Data, 20 (noting that NCTC has access to data related to inter­na­tional travel and immig­ra­tion bene­fits, as well as finan­cial data, none of which is related to terror­ism). This data set would go far beyond inform­a­tion about indi­vidu­als suspec­ted of any connec­tion to terror­ism and would include inform­a­tion gathered during routine inter­ac­tions with the public (e.g., screen­ing trav­el­ers, review­ing immig­ra­tion bene­fit applic­a­tions, issu­ing immig­ra­tion bene­fits). foot­note29_sdom­wqj 29 ESTA 2013 PIA, 2–4, n8.

In sum, the ESTA program demon­strates that CBP collects highly personal inform­a­tion avail­able on social media about those apply­ing for visa waivers and the people in their networks. CBP uses this inform­a­tion, which is highly contex­tual and subject to inter­pret­a­tion, to decide whether an indi­vidual poses an undefined “secur­ity risk.” All of this inform­a­tion is stored in DHS data­bases for years and poten­tially used for a range of purposes, often far removed from the purpose of the initial collec­tion. foot­note30_90fo9i2 30 See supra text accom­pa­ny­ing notes 109–110. The inform­a­tion is shared in bulk with the NCTC, and with other law enforce­ment agen­cies as long as it could be of “assist­ance” to them, creat­ing risks to privacy and free­dom of speech and asso­ci­ation.

B. Visa Applic­a­tions

The State Depart­ment has ramped up its collec­tion of social media inform­a­tion from people apply­ing for visas, which it shares with DHS to be vetted using ATS. foot­note31_ja6qeaj 31 Visa applic­a­tion data from two Depart­ment of State sources, the Consu­lar Consol­id­ated Data­base and the Consu­lar Elec­tronic Applic­a­tion Center, are compared with exist­ing inform­a­tion in CBP’s ATS for vetting purposes. ATS 2017 PIA, 8–9, 59–60. The Consu­lar Consol­id­ated Data­base contains records of all visa applic­a­tions, begin­ning from the mid-1990s — a total of more than 140 million records. Ruth Ellen Wasem, Immig­ra­tion: Visa Secur­ity Policies, Congres­sional Research Service, R43589, 2015, 6, The Consu­lar Consol­id­ated Data­base receives inform­a­tion from ATS indic­at­ing whether or not DHS iden­ti­fied derog­at­ory inform­a­tion about the visa applic­ant. If ATS iden­ti­fies derog­at­ory inform­a­tion relat­ing to an applic­a­tion, that applic­a­tion is referred for manual review. If, follow­ing manual review, an applic­ant is determ­ined to be eligible for a visa, an updated response is sent to the Consu­lar Consol­id­ated Data­base. ATS 2017 PIA, 34. In May 2017, the State Depart­ment began requir­ing some categor­ies of visa applic­ants — estim­ated at 65,000 per year — to provide the iden­ti­fi­ers they used on all social media plat­forms within the previ­ous five years. foot­note32_qzuw­f0f 32 Depart­ment of State, “Notice of Inform­a­tion Collec­tion Under OMB Emer­gency Review.” It seems likely that this move was aimed primar­ily at trav­el­ers from the Muslim ban coun­tries; the Federal Register notice announ­cing the rule change indic­ated that it was being imple­men­ted as part of the Muslim ban, and the notice’s estim­ate of the number of trav­el­ers who would be affected by the change approx­im­ately matched those affected by the over­all ban. foot­note33_trz04wq 33 Ibid. The estim­ate in the Federal Register notice that about 65,000 people will be subject to “increased scru­tiny” closely tracks the roughly 68,000 nonim­mig­rant visas issued in 2016 to nation­als of the seven coun­tries included in the first travel ban. See Depart­ment of State, Bureau of Consu­lar Affairs, Table XVIII: “Nonim­mig­rant Visas Issued by Nation­al­ity (Includ­ing Border Cross­ing Cards), Fiscal Year, 2007–2016,”­ist­ics/Annu­alRe­ports/FY2016An­nu­alRe­port/FY16An­nu­alRe­port-TableXVIII.pdf. Addi­tion­ally, the State Depart­ment’s first attempt at imple­ment­ing the new rule requir­ing some categor­ies of visa applic­ants to provide their social media iden­ti­fi­ers — which was halted due to litig­a­tion — direc­ted consu­lar offi­cials to imple­ment these meas­ures for all nation­als of the initial Muslim ban coun­tries. Depart­ment of State, “Imple­ment­ing Imme­di­ate Heightened Screen­ing and Vetting of Visa Applic­a­tions,” 17 STATE 24324, ¶ 9–14,­ics/791246151. See also Alex Nowras­teh, “New Trump Exec­ut­ive Order Fails Cost-Bene­fit Test,” Cato at Liberty (blog), Cato Insti­tute, Septem­ber 25, 2017,­ut­ive-order-fails-cost-bene­fit-test (noting that, had the third iter­a­tion of the Muslim ban — Pres­id­en­tial Proclam­a­tion 9645 — been in effect in 2016, “it would have halted the travel, migra­tion and immig­ra­tion of roughly 66,000 people”); Patel and Pandur­anga, “Trump’s Latest Half-Baked Muslim Ban.”

In March 2018, the State Depart­ment sought to vastly expand the collec­tion of social media iden­ti­fi­ers to the approx­im­ately 15 million people who apply for visas each year. foot­note34_fix6ptd 34 Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion”; Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Nonim­mig­rant Visa.” The social media iden­ti­fi­ers will be collec­ted via the visa applic­a­tion forms DS-156, 160, and 260, all three of which are stored in the Consu­lar Consol­id­ated Data­base. Depart­ment of State, Bureau of Consu­lar Affairs Visa Services, “Records Dispos­i­tion Sched­ule,”­ules/depart­ments/depart­ment-of-state/rg-0084/n1–084–09–002_sf115.pdf. See also Bren­nan Center for Justice et al., Comments to Depart­ment of State, “Re: DS-160 and DS-156, Applic­a­tion for Nonim­mig­rant Visa, OMB Control No. 1405–0182; DS-260, Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion, OMB Control No. 1405–185.” The Office of Manage­ment and Budget (OMB) approved the proposal in April 2019, which means the State Depart­ment will begin collect­ing from nearly all visa applic­ants their social media iden­ti­fi­ers asso­ci­ated with any of 20 listed social media plat­forms, more than half of which are based in the United States (Face­book, Flickr, Google+, Instagram, LinkedIn, Myspace, Pinterest, Reddit, Tumblr, Twit­ter, Vine, and YouTube). foot­note35_glfql7o 35 OMB, Notice of Office of Manage­ment and Budget Action, “Online Applic­a­tion for Nonim­mig­rant Visa”; OMB, Notice of Office of Manage­ment and Budget Action, “Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion.” See Depart­ment of State, Consol­id­ated Nonim­mig­rant Visa Applic­a­tion, DS-0156, 2, https://www.regu­la­­Streamer?docu­mentId=DOS-2018–0002–0001&attach­ment­Num­ber=2&content­Type=pdf; Depart­ment of State, Online Immig­rant Visa and Alien Regis­tra­tion Applic­a­tion, OMB Submis­sion, DS-260, 13,­load­Doc­u­ment?objectID=85760401. The other plat­forms are based in China (Douban, QQ, Sina Weibo, Tencent Weibo, and Youku), Russia (Vkon­takte), Belgium (Twoo), and Latvia ( foot­note36_9yfylon 36 See Depart­ment of State, Consol­id­ated Nonim­mig­rant Visa Applic­a­tion, DS-0156, 2; Depart­ment of State, Online Immig­rant Visa and Alien Regis­tra­tion Applic­a­tion, DS-260, 13. Applic­ants will also have the option of provid­ing iden­ti­fi­ers for plat­forms not included on the list. foot­note37_gp4m7x5 37 Depart­ment of State, Consol­id­ated Nonim­mig­rant Visa Applic­a­tion, DS-0156, 2; Depart­ment of State, Online Immig­rant Visa and Alien Regis­tra­tion Applic­a­tion, DS-260, 13; Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion”; Depart­ment of State, “60-Day Notice of Proposed Inform­a­tion Collec­tion: Applic­a­tion for Nonim­mig­rant Visa.”

As with the DHS social media collec­tion programs described through­out this paper, there is limited inform­a­tion on what the State Depart­ment’s review of applic­ants’ social media activ­ity will entail. We only know that it is meant to enable consu­lar officers to confirm applic­ants’ iden­tity and adju­dic­ate their eligib­il­ity for a visa under the Immig­ra­tion and Nation­al­ity Act. foot­note38_ag8f60m 38 Under applic­able U.S. law, an applic­ant may be ineligible for a visa on grounds, among others, related to health, crime, labor, terror­ism, and prior immig­ra­tion viol­a­tions. See8 U.S.C. § 1182(a); 8 U.S.C. § 1184(b); 8 U.S.C. § 1158(d)(6). Section 1202(a) provides that an applic­ant for an immig­rant visa must “state his full and true name, and any other name which he has used or by which he has been known; age and sex; the date and place of his birth; and such addi­tional inform­a­tion neces­sary to the iden­ti­fic­a­tion of the applic­ant and the enforce­ment of the immig­ra­tion and nation­al­ity laws as may be [required] by regu­la­tions prescribed.” 8 U.S.C.A. § 1202(a). Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” 10–11; Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Applic­a­tion for Nonim­mig­rant Visa,” 11. While the notice does state that “the collec­tion of social media plat­forms and iden­ti­fi­ers will not be used to deny visas based on applic­ants’ race, reli­gion, ethni­city, national origin, polit­ical views, gender, or sexual orient­a­tion,” this restric­tion is easily circum­ven­ted: a social media post reveal­ing an applic­ant’s reli­gious or polit­ical affil­i­ation may not alone justify denial, but other inform­a­tion in his or her file could easily be used as a pretext, partic­u­larly given the broad discre­tion exer­cised by consu­lar offi­cials. foot­note39_w539x98 39 Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Applic­a­tion for Nonim­mig­rant Visa,” 20; Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” 18–19. Accord­ing to the state­ment support­ing the notice, consu­lar officers will also be direc­ted not to request pass­words, viol­ate the applic­ant’s privacy settings or the plat­forms’ terms of service, or engage with the applic­ant on social media; to comply with State Depart­ment guid­ance limit­ing the use of social media; and to avoid collect­ing third-party inform­a­tion. foot­note40_54wwzn2 40 Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Applic­a­tion for Nonim­mig­rant Visa,” 8–9, 20; Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” 8, 19.

The State Depart­ment’s expec­ted trove of inform­a­tion will likely be used for a vari­ety of purposes beyond visa vetting. Social media iden­ti­fi­ers collec­ted by the State Depart­ment will be stored in the Consol­id­ated Consu­lar Data­base, which is inges­ted into ATS and becomes avail­able to DHS person­nel. foot­note41_o90m2ms 41 ATS 2017 PIA, 3, 35–37. The State Depart­ment’s support­ing state­ment describ­ing the expan­sion of social media iden­ti­fier collec­tion states that “inform­a­tion obtained from applic­ants . . . is considered confid­en­tial” though it “may be made avail­able to a court or provided to a foreign govern­ment.” See Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” 18. All Consu­lar Consol­id­ated Data­base (CCD) visa record reports are subject to confid­en­ti­al­ity require­ments and cannot be shared without the permis­sion of the Depart­ment of State. Depart­ment of State, Privacy Impact Assess­ment (PIA), Consu­lar Consol­id­ated Data­base (CCD), Version 04.00.00, July 17, 2015 (here­in­after CCD 2015 PIA), 8,­ments/organ­iz­a­tion/242316.pdf. However, the support­ing state­ment does not mention the extens­ive shar­ing arrange­ment with ATS, and it remains unclear how far social media iden­ti­fi­ers and other CCD inform­a­tion may spread within DHS and to external agen­cies after being inges­ted into ATS. The CCD PIA from 2015, which pred­ates the social media iden­ti­fier collec­tion, lists CBP as an external organ­iz­a­tion with which CCD may share inform­a­tion but does not address privacy concerns related to the extens­ive shar­ing of person­ally iden­ti­fi­able inform­a­tion with CBP. CCD 2015 PIA, 11. See also ATS 2017 PIA, 8, 11. In 2016, the CCD was found to have glar­ing secur­ity vulner­ab­il­it­ies. Mike Levine and Justin Fishel, “Exclus­ive: Secur­ity Gaps Found in Massive Visa Data­base,” ABC News, March 31, 2016,­ive-secur­ity-gaps-found-massive-visa-data­base/story?id=38041051. Further, that inform­a­tion will be used in coordin­a­tion with other depart­ment offi­cials and part­ner U.S. govern­ment agen­cies. foot­note42_eh1jln2 42 Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Applic­a­tion for Nonim­mig­rant Visa,” 2; Depart­ment of State, “Support­ing State­ment for Paper­work Reduc­tion Act Submis­sion: Elec­tronic Applic­a­tion for Immig­rant Visa and Alien Regis­tra­tion,” 2. Indeed, numer­ous other agen­cies have access to the visa records system in which applic­ants’ social media inform­a­tion will be stored, and — along with foreign govern­ments — can obtain inform­a­tion from the system. foot­note43_wa6m963 43 Depart­ment of State, Notice of a Modi­fied System of Records, Visa Records, State-39, 83 Fed. Reg. 28062 (June 15, 2018) (here­in­after Visa SORN),–06–15/pdf/2018–12871.pdf. Agen­cies such as the CIA and the Depart­ment of Defense may soon have access to State Depart­ment visa inform­a­tion through the National Vetting Center (NVC), and the State Depart­ment is likely to share the visa data it collects with DHS through the NVC as well. See supra text accom­pa­ny­ing notes 111–114; “Plan to Imple­ment the Pres­id­en­tial Memor­andum,” 8. See National Secur­ity Pres­id­en­tial Memor­andum, “Optim­iz­ing the Use of Federal Govern­ment Inform­a­tion in Support of the National Vetting Enter­prise.”

In sum, the State Depart­ment’s collec­tion of social media inform­a­tion, which already includes 65,000 visa applic­ants (likely those targeted by Trump’s Muslim ban), is on track to begin creat­ing a registry that will include 15 million people after the first year alone. Not only will this inform­a­tion be used by the State Depart­ment in undefined ways to make visa determ­in­a­tions, but it will be yet another source of personal inform­a­tion that is funneled into DHS’s many inter­con­nec­ted and far-reach­ing systems. foot­note44_npb1fts 44 See infra text accom­pa­ny­ing notes 198–256.

2. Warrant­less Border Searches

CBP conducts warrant­less searches at the border on a wide vari­ety of elec­tronic devices, such as phones, laptops, computers, and tablets, many of which are likely to result in the collec­tion of social media inform­a­tion. Accord­ing to CBP, these searches are meant to help uncover evid­ence concern­ing terror­ism and other national secur­ity matters, crim­inal activ­ity like child porno­graphy and smug­gling, and inform­a­tion about finan­cial and commer­cial crimes. foot­note45_dq4te5n 45 CBP 2018 Direct­ive, 1. However, CBP docu­ments also describe these searches as “integ­ral” to determ­in­ing an indi­vidu­al’s “inten­tions upon entry” and to provid­ing other inform­a­tion regard­ing admiss­ib­il­ity. foot­note46_wtj6904 46 Ibid.

While some of these searches are conduc­ted manu­ally, CBP also has tech­nical tools for extract­ing inform­a­tion from these devices, poten­tially includ­ing inform­a­tion stored remotely. foot­note47_3empr89 47 The relev­ant CBP direct­ive is some­what confus­ing in regard to inform­a­tion stored remotely. On one hand, it states that officers “may not inten­tion­ally use the device to access inform­a­tion that is solely stored remotely” for CBP basic or advanced searches. CBP 2018 Direct­ive, 4; CBP Elec­tronic Border Searches 2018 PIA, 8. But the same direct­ive notes that “an advanced search is any search in which an Officer connects external equip­ment, through a wired or wire­less connec­tion, to an elec­tronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.” CBP 2018 Direct­ive, 5. It has purchased power­ful hand­held Univer­sal Forensic Extrac­tion Devices (UFEDs), developed by the Israeli company Cellebrite, which can be plugged into phones and laptops to extract in a matter of seconds the entirety of a device’s memory, includ­ing all data from social media applic­a­tions both on the device and from cloud-based accounts like Face­book, Gmail, iCloud, and What­s­App. foot­note48_bjb9xhc 48 The website USASpend­ing lists CBP contracts for UFEDs total­ing $1,594,366. CBP contract with Cellebrite, May 12, 2009–­Septem­ber 25, 2018, USASpend­ing, https://www.usaspend­ See Jose Pagliery, “Cellebrite Is the FBI’s Go-To Phone Hacker,” CNN, April 1, 2016,­no­logy/cellebrite-fbi-phone/index.html; “The Feds Can Now (Prob­ably) Unlock Every iPhone Model in Exist­ence,” Forbes, Febru­ary 26, 2018,­brew­ster/2018/02/26/govern­ment-can-access-any-apple-iphone-cellebrite/#70d4f042667a; Cellebrite, “UFED Cloud Analyzer,”

Searches by CBP of trav­el­ers’ elec­tronic devices at ports of entry have increased dramat­ic­ally over the past several years. In fiscal year 2015, 8,503 people had their devices searched. foot­note49_orgde5w 49 CBP, “CBP Releases Stat­ist­ics on Elec­tronic Device Searches.” By fiscal year 2017, the number had reached 30,200 — an increase of over three and a half times. foot­note50_fpk1304 50 CBP, “CBP Releases Updated Border Search of Elec­tronic Device Direct­ive and FY17 Stat­ist­ics.” Accord­ing to CBP, these searches do not require a warrant, due to “a reduced expect­a­tion of privacy asso­ci­ated with inter­na­tional travel.” foot­note51_t7hu2f9 51 CBP 2018 Direct­ive, 3. Both Amer­ican and foreign trav­el­ers are subjec­ted to these warrant­less searches. foot­note52_gwypiis 52 While DHS itself does not provide a break­down, ABC News reports that about 80 percent of searches are of noncit­izens, which would mean that in fiscal year 2017, CBP conduc­ted more than 6,000 searches of devices belong­ing to U.S. citizens. Sands, “Searches of Trav­el­ers’ Elec­tronic Devices Up Nearly 60 Percent.” In 2017, 10 U.S. citizens and one green card holder filed suit chal­len­ging warrant­less searches of elec­tronic devices at the border. foot­note53_bg2pa2e 53 Amended Complaint, Alas­aad v. Duke, 2017 WL 4037436 (D.Mass. Sept. 13, 2017), The complaint high­lights the intrus­ive­ness of these searches, both for the person being searched and for the trav­el­er’s family, friends, and acquaint­ances, given the many contact lists, email messages, texts, social media post­ings, and voice­mails that cell­phones and laptops often contain. In Novem­ber 2019, the U.S. District Court in Massachu­setts ruled in the case that CBP’s and ICE’s suspi­cion­less searches of elec­tronic devices at ports of entry viol­ate the Fourth Amend­ment and that these searches require reas­on­able suspi­cion that devices contain contra­band. foot­note54_jxh84pq 54 Alas­aad v. Nielsen, No. 17-CV-11730-DJC, 2019 WL 5899371 (D.Mass. Nov. 12, 2019),

Under a Janu­ary 2018 direct­ive, CBP is permit­ted to conduct two types of searches: “basic” and “advanced,” both of which would allow collec­tion of inform­a­tion from social media. foot­note55_1iz0pt4 55 CBP 2018 Direct­ive, 4–5. The 2018 direct­ive changed CBP’s previ­ous, more permissive rule, likely as a partial and belated response to a 2013 federal court decision, United States v. Cotter­man. In that case, a federal court of appeals held that the fact that a device was seized at a border did “not justify unfettered crime-fight­ing searches or an unreg­u­lated assault on citizens’ private inform­a­tion,” and required that officers have reas­on­able suspi­cion of crim­inal activ­ity to conduct forensic searches of elec­tronic devices. foot­note56_luk535c 56 United States v. Cotter­man, 709 F.3d 952 (9th Cir. 2013). CBP is permit­ted to refer trav­el­ers to ICE at any stage of the inspec­tion process, at which point ICE’s rules would apply; while ICE also issued a 2018 policy barring the use of advanced searches without reas­on­able suspi­cion, it is not yet known how person­nel are being direc­ted to imple­ment this policy, mean­ing that ICE’s searches may in prac­tice be more permissive than CBP’s. foot­note57_tyb11p5 57 DHS, Privacy Impact Assess­ment for CBP and ICE Border Searches of Elec­tronic Devices, August 25, 2009 (here­in­after ICE/CBP Elec­tronic Device Searches 2009 PIA), 4,­a­tions/privacy_pia_cbp_laptop.pdf; HSI Legal Update: Border Search of Elec­tronic Devices, 2018.

Under CBP’s new rules, a basic search permits an agent to view inform­a­tion that “would ordin­ar­ily be visible by scrolling through the phone manu­ally.” foot­note58_4u3qdi2 58 CBP Elec­tronic Border Searches 2018 PIA, 6. No suspi­cion of crim­inal wrong­do­ing or national secur­ity risk is required for basic searches. For either type of search, agents are prohib­ited from “inten­tion­ally” access­ing data that is “solely stored remotely”; only inform­a­tion that is “resid­ent on the device and access­ible through the device’s oper­at­ing system or through other soft­ware, tools, or applic­a­tions” may be viewed. foot­note59_3eso9rf 59 CBP 2018 Direct­ive, 4. This restric­tion was absent from CBP’s original elec­tronic border search direct­ive (2009). In response to ques­tions posed by Senator Ron Wyden, CBP clari­fied that its agents do not access inform­a­tion found on remote serv­ers during elec­tronic device searches, but it did not state how agents were to ensure this in prac­tice (e.g., disabling connectiv­ity via airplane mode). CBP, “Due Dili­gence Ques­tions for Kevin McAleenan, Nominee for Commis­sioner of U.S. Customs and Border Protec­tion (CBP),” June 20, 2017, 3, https://www.wash­ing­ton­ CBP officers are supposed to disable network connectiv­ity or request that the trav­eler do so (e.g., by switch­ing to airplane mode) prior to the search; they are also supposed to conduct the search in the pres­ence of the trav­eler in most circum­stances, though the indi­vidual will not always observe the actual search. foot­note60_491mg1n 60 The officer may discon­nect the device herself or conduct the search without the indi­vidual present if there are national secur­ity, law enforce­ment, officer safety, or other oper­a­tional consid­er­a­tions. CBP 2018 Direct­ive, 5, 6.

Despite these new guidelines, CBP agents will prob­ably still be able to access social media inform­a­tion during a search. If a trav­eler has social media data down­loaded onto his or her device or cached in some way, it is likely access­ible even if connectiv­ity is turned off. foot­note61_4u39lgy 61 Esha Bhandari, staff attor­ney, Amer­ican Civil Liber­ties Union, email message to authors, August 13, 2018. For example, if a trav­eler was scrolling through a Twit­ter or Face­book feed prior to being selec­ted for a search, any loaded data, such as his or her news­feed, would be access­ible on the user’s phone or laptop.

The officer may also request that the trav­eler provide any passcodes needed to access the contents of a device. foot­note62_9ybeubg 62 CBP 2018 Direct­ive, 6 . Although a trav­eler can refuse to provide a code, CBP may then keep the device in order to try to access its contents by other means. foot­note63_tiei6zo 63 Ibid. U.S. citizens must be admit­ted to the coun­try even if they do not provide passcodes, though their phones may still be held for five days or longer. foot­note64_15x9bnn 64 Unless unspe­cified “exten­u­at­ing circum­stances” exist, CBP policy states that devices should not be detained for longer than five days . CBP 2018 Direct­ive, 7 . Noncit­izens, however, includ­ing visa hold­ers and tour­ists from visa waiver coun­tries, may be denied entry entirely. foot­note65_cg8s135 65 See Seth Schoen, Marcia Hofmann, and Rowan Reyn­olds, “Defend­ing Privacy at the U.S. Border: A Guide for Trav­el­ers Carry­ing Digital Devices,” Elec­tronic Fron­tier Found­a­tion, Decem­ber 2011, 5, There are a vari­ety of reas­ons why a noncit­izen may be denied entry. See Immig­ra­tion and Nation­al­ity Act § 212(a), 8 U.S.C. § 1182 (2010). See also Daniel Victor, “What Are Your Rights if Border Agents Want to Search Your Phone?” New York Times, Febru­ary 14, 2017,­ness/border-enforce­ment-airport-phones.html.

An advanced search occurs when an officer connects an elec­tronic device to external equip­ment, via a wired or wire­less connec­tion, to review, copy, or analyze its contents. foot­note66_skteqeq 66 CBP 2018 Direct­ive, 5. In 2007, CBP began using external equip­ment for advanced searches at four ports of entry. As of July 2017, such use had expan­ded to 67 ports of entry. Office of Inspector General, DHS, CBP’s Searches of Elec­tronic Devices at Ports of Entry, Decem­ber 3, 2018 (here­in­after OIG 2018 Elec­tronic Device Report), 9,–12/OIG-19–10-Nov18.pdf. Advanced searches are highly intrus­ive, and the tools that CBP has purchased allow it to capture all files and inform­a­tion on the device, includ­ing pass­word-protec­ted or encryp­ted data. foot­note67_u283l75 67 See supra text accom­pa­ny­ing notes 134–135.

Officers are author­ized to perform advanced searches if there is reas­on­able suspi­cion that one of the laws enforced or admin­istered by CBP has been viol­ated or if there is a “national secur­ity concern.” foot­note68_5k48au1 68 CBP 2018 Direct­ive, 5. In creat­ing an excep­tion for “national secur­ity concerns,” DHS policy departs from the Cotter­man decision, which required reas­on­able suspi­cion for all forensic searches. While DHS does not define what consti­tutes a national secur­ity concern, national secur­ity is an expans­ive term that could easily swal­low up the require­ment of suspi­cion for these highly intrus­ive searches. The examples listed in the 2018 privacy impact assess­ment suggest that national secur­ity searches will be based on watch lists. However, this category includes not just lists kept by the govern­ment — primar­ily the FBI and DHS — but other lists as well, such as unspe­cified “govern­ment-vetted” watch lists and a “national secur­ity-related lookout in combin­a­tion with other artic­ul­able factors as appro­pri­ate.” foot­note69_df84iuu 69 Ibid. And, of course, these examples are not exhaust­ive, leav­ing open the possib­il­ity that agents will use the cover of national secur­ity to under­take forensic searches even when there is no relev­ant watch list.

Follow­ing both basic and advanced searches, the officer enters notes about the inter­ac­tion, includ­ing “a record of any elec­tronic devices searched,” into TECS, CBP’s primary law enforce­ment system. foot­note70_lx0pt6e 70 CBP Elec­tronic Border Searches 2018 PIA, 3, 6 This typic­ally includes device details, the type of search performed (basic or advanced), and the “officer’s remarks of the inspec­tion.” foot­note71_xm06eit 71 OIG 2018 Elec­tronic Device Report, 4. CBP may detain a device, or copies of the inform­a­tion it contains, for up to five days, although it can keep a device longer when there are unspe­cified “exten­u­at­ing circum­stances.” foot­note72_w00b6rk 72 CBP 2018 Direct­ive, 7 . If there is no prob­able cause to seize and retain a device or the inform­a­tion it contains, the device must be returned to the trav­eler and any copies destroyed. foot­note73_6l1t­da8 73 Ibid. However, CBP may retain without prob­able cause any inform­a­tion “relat­ing to immig­ra­tion, customs, and other enforce­ment matters,” which seems to allow it to essen­tially circum­vent the prob­able cause require­ment. foot­note74_pisqqy0 74 Ibid., 9–10. CBP can retain such inform­a­tion so long as “the reten­tion is consist­ent with the applic­able system of records notice.” Ibid. For instance, inform­a­tion that could be considered useful for determ­in­ing whether an indi­vidual may be permit­ted to travel to the United States could be stored in the indi­vidu­al’s Alien File, 100 years after their date of birth. foot­note75_1m12sjm 75 Ibid., 10; A-Files SORN, 43564

Any inform­a­tion that is copied directly from an elec­tronic device during an advanced search (presum­ably based on prob­able cause) is stored in ATS, which allows agents to further analyze inform­a­tion collec­ted by compar­ing it against vari­ous pools of data and apply­ing ATS’s analytic and machine learn­ing tools to recog­nize trends and patterns. foot­note76_sw3ytc6 76 CBP Elec­tronic Border Searches 2018 PIA, 10. DHS Privacy Office, 2017 Data Mining Report to Congress, 16; ATS 2017 PIA, 1. CBP may disclose inform­a­tion from elec­tronic device searches to other agen­cies, both within and outside DHS, if it is evid­ence of viol­a­tion of a law or rule that those agen­cies are charged with enfor­cing. foot­note77_8m615uf 77 CBP Elec­tronic Border Searches 2018 PIA, 15. CBP may also share the device or inform­a­tion from the device with third parties to receive tech­nical assist­ance in access­ing the device’s contents. In general, such assist­ing agen­cies are permit­ted to retain the inform­a­tion only as long as neces­sary to provide such assist­ance, unless the devices are seized on the basis of prob­able cause or if an assist­ing federal agency elects to retain it under its own inde­pend­ent legal author­ity. CBP 2018 Direct­ive, 11.

Notably, a Decem­ber 2018 DHS inspector general report concluded that CBP had not been follow­ing its own stand­ard oper­at­ing proced­ures prior to the imple­ment­a­tion of the new rules. foot­note78_1bzgu3y 78 OIG 2018 Elec­tronic Device Report, 1. CBP’s original policy from 2009 was in effect at the time of this review. Ibid., 5. The report, which was based on a review of CBP’s elec­tronic device searches at ports of entry from April 2016 to July 2017, found that officers frequently did not docu­ment searches prop­erly, that they consist­ently failed to disable network connec­tion prior to search (specific­ally for cell phones), and that the systems used and data collec­ted during searches were in many cases not adequately managed and secured. foot­note79_t5sdpw2 79 Ibid., 1. For instance, officers often failed to delete trav­el­ers’ inform­a­tion stored on the thumb drives used to trans­fer data to ATS during advanced searches. foot­note80_w6fs­fzx 80 Ibid., 8. The report also found that CBP had no perform­ance meas­ures in place to assess the effect­ive­ness of its forensic searches of elec­tronic devices. foot­note81_eo202mi 81 Ibid., 9. The report describes CBP’s forensic elec­tronic device searches as a “pilot program,” which was rolled out in 2009, but it is clear given the Janu­ary 2018 privacy impact assess­ment update that forensic searches are now a perman­ent part of CBP’s border searches.

The 2018 direct­ive instruc­ted CBP to develop and peri­od­ic­ally admin­is­ter an audit­ing mech­an­ism to ensure that border searches of elec­tronic devices were comply­ing with its require­ments. foot­note82_u211f9x 82 CBP 2018 Direct­ive, 12. However, the agency has published neither the require­ments nor the results of the audits. In Febru­ary 2019, the Elec­tronic Privacy Inform­a­tion Center (EPIC) sued for the release of this inform­a­tion. foot­note83_k4140zb 83 Complaint for Injunc­tion Relief, Elec­tronic Privacy Inform­a­tion Center v. U.S. Customs and Border Protec­tion, No. 1:19-cv-00279 (D.D.C. Feb. 1, 2019),

Even if the rules are oper­at­ing as inten­ded, they may also be applied discrim­in­at­or­ily. For instance, Muslim trav­el­ers have long been singled out for addi­tional scru­tiny because of their faith, foot­note84_eei5cra 84 See, for example, Holpuch and Kassam, “Cana­dian Muslim Grilled About Her Faith”; Sedria Renee, “Muhammad Ali Jr. on Airport Detain­ment: ‘I’m Not Amer­ican?’ ” NBC News, Febru­ary 27, 2017,­ment-i-m-not-amer­ican-n726246. See also Complaint for Injunct­ive and Declar­at­ory Relief and Damages, El Ali et al. v. Sessions et al., No. 8:18-cv-02415-PX (D. Md. Aug. 8, 2018), https://paper­­list-complaint-8AUG2018.pdf; Amer­ican Civil Liber­ties Union et al. v. TSA, No. 1:15-cv-02061-JPO (S.D.N.Y. 2015),­ment/aclu-v-tsa-complaint; Michael S. Schmidt and Eric Licht­blau, “Racial Profil­ing Rife at Airport, U.S. Officers Say,” New York Times, August 11, 2012, which Pres­id­ent Trump and his admin­is­tra­tion have repeatedly and inac­cur­ately connec­ted with “terror­ism.” foot­note85_00y1sbq 85 See, for example, Theodore Schleifer, “Donald Trump: ‘I Think Islam Hates Us,’ ” CNN, March 10, 2016,­ics/donald-trump-islam-hates-us/index.html; Philip Bump and Aaron Blake, “Donald Trump’s Dark Speech to the Repub­lican National Conven­tion, Annot­ated,” Wash­ing­ton Post, July 21, 2016, https://www.wash­ing­ton­­ing-the-repub­lican-nomin­a­tion/?utm_term=.3d7121332501; Meet the Press, July 24, 2016, NBC News,–2016-n615706. Just months after the new policy was issued, the Coun­cil on Amer­ican-Islamic Rela­tions (CAIR) sued CBP on behalf of a Muslim Amer­ican woman whose iPhone was seized and its contents imaged when she came home from Zurich. foot­note86_49pg43l 86 Cyrus Farivar, “Woman: My iPhone Was Seized at Border, Then Imaged — Feds Must Now Delete Data,” Ars Tech­nica, August 23, 2018, https://arstech­ She was also ques­tioned about her travel history and whether she had ever been a refugee. foot­note87_l3b3t3m 87 Brief of Peti­tioner, Lazoja v. Nielsen, No. 18-cv-13113 (D.N.J. Aug. 23, 2018), https://assets.docu­­ments/4781285/Docu­ment.pdf. The lawsuit asked CBP to explain what suspi­cion warran­ted the forensic search and deman­ded dele­tion of the inform­a­tion seized. foot­note88_60n6hmi 88 Ibid., 15. The govern­ment quickly settled, agree­ing to delete the data it had seized. foot­note89_b7zs­dbb 89 Cyrus Farivar, “Feds Took Woman’s Iphone at Border, She Sued, Now They Agree to Delete Data,” Ars Tech­nica, Octo­ber 31, 2018, https://arstech­

In sum, CBP is increas­ingly deploy­ing its claimed warrant­less border search author­ity to search the elec­tronic devices of both visit­ors and Amer­ican trav­el­ers. Basic searches conduc­ted without any suspi­cion of wrong­do­ing can result in the scru­tiny of trav­el­ers’ social media inform­a­tion. Advanced searches will result in the collec­tion of huge amounts of personal inform­a­tion, includ­ing from social media, about both the person whose device is being searched and that person’s contacts. CBP has stated that it has this broad author­ity in order to help uncover inform­a­tion related to terror­ism and crim­inal activ­ity and to determ­ine admiss­ib­il­ity. But there is little indic­a­tion in public docu­ments as to what type of content officers should be look­ing for, espe­cially in decid­ing whether a trav­eler can enter the coun­try, allow­ing for unfocused fish­ing exped­i­tions. And these searches are not subject to even minimal safe­guard­s—such as an instruc­tion to avoid making decisions based solely on social media or a prohib­i­tion on profil­ing. And the search is just the start. CBP is permit­ted to retain inform­a­tion relat­ing to immig­ra­tion, customs, or other enforce­ment matters it finds useful, includ­ing a copy of the contents of phones and laptops; as discussed further below, the agency may also further analyze the inform­a­tion using unknown tools and algorithms. foot­note90_obc70pi 90 See infra text accom­pa­ny­ing notes 195–256.

3. Searches Pursu­ant to Warrant, Consent, or Aban­don­ment

CBP also collects inform­a­tion from elec­tronic devices in three other situ­ations:

  • When it has a warrant author­ized by a judge or magis­trate based on prob­able cause; foot­note91_pagx3r9 91 DHS, Privacy Impact Assess­ment for U.S. Border Patrol Digital Forensics Programs, April 6, 2018 (here­in­after CBP 2018 Digital Forensics PIA), 2,­a­tions/privacy-pia-cbp053-digit­alforensics-april2018.pdf.
  • When an officer finds an aban­doned device that he or she suspects “might be asso­ci­ated with a crim­inal act” or was found in “unusual circum­stances” (such as between points of entry in the “border zone,” foot­note92_t5a8ykl 92 Ibid., 2. the area within 100 miles of any U.S. bound­ary in which Border Patrol claims author­ity to conduct immig­ra­tion checks foot­note93_pi8t­bxu 93 Cath­er­ine E. Shoi­chet, “The U.S. Border Is Bigger Than You Think,” CNN, May 24, 2018,­ra­tion-checks/index.html. CBP offi­cials claim author­ity to board and search “any rail­way car, aircraft, convey­ance, or vehicle” anywhere within a reas­on­able distance from any external bound­ary of the United States.” 8 U.S.C. § 1357(a)(3). Reas­on­able distance is defined as “100 air miles from any external bound­ary of the United States . . .” 8 C.F.R. § 287.1(a)(1). ); and
  • When the owner has consen­ted. foot­note94_osfingr 94 CBP 2018 Digital Forensics PIA, 2.

Accord­ing to CBP, once the inform­a­tion is determ­ined to be “accur­ate and reli­able,” it is used to support the agency’s border enforce­ment oper­a­tions and crim­inal invest­ig­a­tions. foot­note95_ritx­spk 95 CBP does not define accurate or reli­able. Ibid., 10. DHS mater­i­als note that such inform­a­tion is “typic­ally” used only to corrob­or­ate evid­ence already in the agency’s posses­sion. foot­note96_n1cf9gy 96 Ibid. There is an excep­tion for cases where the evid­ence itself indic­ates a viol­a­tion of law — for instance, child porno­graphy — in which case action presum­ably could be taken solely on the basis of inform­a­tion retrieved from the device. Ibid.

Agents are expli­citly allowed to collect inform­a­tion stored in the cloud when spelled out in a warrant or when the owner consents, but it is not clear whether cloud data can be accessed from aban­doned devices. foot­note97_x2fke9l 97 Ibid., 8. A CBP officer or agent can submit devices found in one of the afore­men­tioned scen­arios for digital forensic analysis, which is usually under­taken by a team of agents at the intel­li­gence unit for the relev­ant Border Patrol sector. foot­note98_0xca7rh 98 Ibid., 3.

If the CBP agent determ­ines after conduct­ing one of these exam­in­a­tions that an elec­tronic device holds inform­a­tion that is “relev­ant” to the agency’s law enforce­ment author­it­ies, the agent may load all inform­a­tion into a stan­dalone inform­a­tion tech­no­logy system for analysis. foot­note99_9wykuu3 99 In the case of searches author­ized by a warrant, inform­a­tion must be within the scope of the warrant. Ibid., 4. This is the rare data­base that “may not be connec­ted to a CBP or DHS network.” foot­note100_2mqxrxg 100 Ibid ., 4. (Emphasis theirs.) The tools built into these stand-alone systems allow CBP to perform vari­ous analyses on the collec­ted inform­a­tion. foot­note101_6nck­o4f 101 Ibid., 4–5. These tools include “time­frame analysis, which can help in determ­in­ing when data were entered, modi­fied, or deleted from a device”; “detec­tion recov­ery of concealed data”; “correl­a­tion of files to installed applic­a­tions, exam­in­a­tion of drive file struc­ture, and review of metadata”; and “reviews to help to identify indi­vidu­als who created, modi­fied, or accessed a file.” Ibid., 4–5. If the analyt­ical results produced by a system “develop leads, identify trends asso­ci­ated with illi­cit activ­ity, and further law enforce­ment actions,” they will be included in an enforce­ment case file or law enforce­ment intel­li­gence product, such as a field intel­li­gence report, “for dissem­in­a­tion.” Ibid., 11. One system, ADACS4, is used to analyze data from elec­tronic devices in order to discover “connec­tions, patterns, and trends” relat­ing to “terror­ism” and the smug­gling of people and drugs, as well as other activ­it­ies that threaten border secur­ity. foot­note102_e8a7yhp 102 Ibid., 4. While the privacy impact assess­ment does not specify that ADACS4 includes social media data, it seems likely given that such inform­a­tion is typic­ally found on elec­tronic devices.

CBP retains inform­a­tion asso­ci­ated with arrests, deten­tions, and removals, includ­ing data obtained from elec­tronic devices, for up to 75 years. Even inform­a­tion that does not lead to the arrest, deten­tion, or removal of an indi­vidual and that may be completely irrel­ev­ant to DHS’s duties — may be stored for 20 years “after the matter is closed.” foot­note103_b63t­g22 103 Ibid., 7. In the special case of inform­a­tion obtained through a search warrant that is subsequently found to be outside the scope of that warrant, it will be deleted from the system once the case or trial is complete. Ibid., 5.

The inform­a­tion collec­ted by CBP from elec­tronic devices is frequently dissem­in­ated within DHS and to other federal agen­cies or state and local law enforce­ment agen­cies with a need to know, and less frequently to foreign law enforce­ment part­ners. foot­note104_jxf2qbt 104 Ibid., 14. In addi­tion to shar­ing with agen­cies invest­ig­at­ing or prosec­ut­ing a viol­a­tion of law, CBP may also share inform­a­tion for unspe­cified coun­terter­ror­ism and intel­li­gence reas­ons. foot­note105_3pxwxz8 105 Ibid., 14. If a recip­i­ent wants to re-dissem­in­ate inform­a­tion, it must obtain permis­sion from CBP, though permis­sion is some­times gran­ted when CBP inform­a­tion is first shared. Ibid., 14.

The CBP search author­it­ies detailed above allow the collec­tion of social media inform­a­tion. While the warrant and consent author­it­ies seem reas­on­ably cabined, the author­ity to search aban­doned devices is quite expans­ive, espe­cially if it is read to apply to all devices found within 100 miles of U.S. land or coastal borders, where two-thirds of Amer­ic­ans live. foot­note106_mudy­ax7 106 Carmen Sesin, “Two-Thirds of Amer­ic­ans Live in a Border Zone; What Are Their Rights?” NBC News, Janu­ary 26, 2018,­ic­ans-live-border-zone-what-are-their-rights-n841141. It is not clear why the inform­a­tion from these categor­ies of devices is held in a separ­ate data­base, uncon­nec­ted to other DHS systems. As with other collec­tion programs, CBP uses the social media inform­a­tion it collects to conduct trend or pattern analyses and shares it with other agen­cies, rais­ing concerns about how poten­tial misin­ter­pret­a­tions and out-of-context inform­a­tion are deployed. foot­note107_2a68eeb 107 See supra text accom­pa­ny­ing notes 186–192.

4. Analyt­ical Tools and Data­bases

After CBP person­nel collect social media inform­a­tion includ­ing from ESTA and visa applic­a­tions, from elec­tronic devices searched under their claimed border search author­ity, and from numer­ous other sources foot­note108_961o77p 108 ATS 2017 PIA, 2–3, 82–83. — the data is provided to analysts who conduct one or more of three main types of analyses:

A. Assign­ing indi­vidual risk assess­ments: compar­ing an indi­vidu­al’s person­ally iden­ti­fi­able inform­a­tion against DHS-held sources to assess his or her level of risk, such as whether the indi­vidual or her asso­ci­ates may present a secur­ity threat, in order to determ­ine what level of inspec­tion she is required to undergo and whether to allow her to enter the coun­try;

B. Trend, pattern, and predict­ive analysis: identi­fy­ing patterns, anom­alies, and subtle rela­tion­ships in data to guide oper­a­tional strategy or predict future outcomes; foot­note109_ehk388n 109 DHS Manage­ment Direct­or­ate, “DHS Lexicon Terms and Defin­i­tions,” 473. and

C. Link and network analysis: identi­fy­ing possible asso­ci­ations among data points, people, groups, entit­ies, events, and invest­ig­a­tions. foot­note110_67z28lz 110 See DHS, Privacy Impact Assess­ment for the Analyt­ical Frame­work for Intel­li­gence (AFI), June 1, 2012 (here­in­after AFI 2012 PIA), 4,­a­tions/privacy_pia_cbp_afi_june_2012_0.pdf.

These analyt­ical capab­il­it­ies are inter­re­lated and inter­de­pend­ent and serve as the back­bone of CBP intel­li­gence work. Because the ways in which CBP conducts these analyses and draws conclu­sions from data depend heav­ily on inter­ac­tions among the agency’s vari­ous data systems, this section will provide an over­view of the key systems and their analyt­ical func­tions. It shows that the social media inform­a­tion in each of these data­bases is amassed on the basis of over­broad criteria and without accur­acy require­ments, shared widely with few or no restric­tions, analyzed using opaque algorithms and tools, and often retained longer than the approved reten­tion sched­ules.

A. Assign­ing Indi­vidual Risk Assess­ments

The primary system CBP uses for combin­ing and analyz­ing data, includ­ing for assign­ing risk assess­ments, is the Auto­mated Target­ing System (ATS). There is scant publicly avail­able inform­a­tion regard­ing the found­a­tion, accur­acy, or relev­ance of these risk assess­ments; nor do we know whether the factors used in assess­ments are non-discrim­in­at­ory. foot­note111_k02jlfn 111 While the rules under­ly­ing risk assess­ments are subject to quarterly reviews to assess whether privacy and civil liber­ties protec­tions are adequate and consist­ently imple­men­ted, there is no publicly avail­able inform­a­tion about these quarterly reviews, includ­ing whether they occur. DHS Privacy Office, 2017 Data Mining Report to Congress, 22. Moreover, as risk assess­ments them­selves have no accep­ted empir­ical basis, it is unlikely that these reviews could adequately address the core issues of the assess­ments’ found­a­tion or the valid­ity of the factors used in the assess­ments. Addi­tion­ally, risk assess­ments have been shown to dispro­por­tion­ately impact minor­it­ies in other settings, such as the crim­inal justice system. See supra text accom­pa­ny­ing notes 57–60. We do know, however, that social media is likely a common source in formu­lat­ing risk assess­ments. ATS contains copies of numer­ous data­bases and data sets that include social media inform­a­tion, such as CBP’s ESTA, the FBI’s Terror­ist Screen­ing Data­base (TSDB), and data from elec­tronic devices collec­ted during CBP border searches. foot­note112_u9shq8z 112 ATS also ingests and stores data from the Depart­ment of State’s Consu­lar Consol­id­ated Data­base and Consu­lar Elec­tronic Applic­a­tion Center, TSA’s Secure Flight Passen­ger Data, the FBI’s Terror­ist Screen­ing Data­base, devices searched at the border, ICE’s Student Exchange and Visitor Inform­a­tion System (SEVIS), and Passen­ger Name Records (PNR), among other sources. ATS 2017 PIA, 2–3, 39–41; PNR data can include name, ticket inform­a­tion, contact inform­a­tion, travel itin­er­ary, billing inform­a­tion, and all histor­ical changes to one’s PNR. DHS, Privacy Impact Assess­ment for the Auto­mated Target­ing System, DHS/CBP/PIA-006(b), June 1, 2012 (here­in­after ATS 2012 PIA), 35,­a­tions/privacy_pia_cbp_ats006b_0.pdf. For more on ATS’s role in elec­tronic device border searches, See supra text accom­pa­ny­ing notes 163–168; See also CBP Elec­tronic Border Searches 2018 PIA, 10. ATS also appears to ingest social media inform­a­tion directly from commer­cial vendors. foot­note113_zzp6swx 113 Accord­ing to an Octo­ber 3, 2018, addendum to the 2017 ATS PIA, CBP entered into a contract with a private data­base vendor to test and assess whether “inges­tion of commer­cially avail­able social media inform­a­tion” into ATS would aid CBP’s work. CBP’s stated goal, accord­ing to the privacy impact assess­ment, is to use social media inform­a­tion to better identify poten­tial connec­tions to known terror­ist propa­ganda chan­nels and actors. Where there are matches or poten­tial matches between social media handles and inform­a­tion already in ATS, CBP analysts conduct manual, direc­ted quer­ies and upload addi­tional data into ATS, which may include social media inform­a­tion, in order to substan­ti­ate inform­a­tion link­ing an indi­vidual to terror­ism or other suspi­cious activ­ity. Once CBP incor­por­ates the social media handles into a record in TECS, ATS, or AFI, it will be view­able to other users both internal and external to CBP. It is not clear what stand­ards are used to identify matches and in what circum­stances this inform­a­tion collec­tion is occur­ring; in one instance, it is referred to as a “pilot.” ATS 2017 PIA, “Addendum 3.3, ATS Intel­Cen­ter,” 76–9. While the contrac­ted vendor is not named in the addendum, ICE awar­ded a contract worth more than $800,000 to the data analyt­ics company Giant Oak, Inc., on Septem­ber 24, 2018, for “Open Source/Social Media Data Analyt­ics for CBP.” See ICE contracts with Giant Oak, Inc., Septem­ber 24, 2018–­Septem­ber 24, 2019, USASpend­ing, https://www.usaspend­ More inform­a­tion on Giant Oak and its DHS contracts can be found in the ICE section, infra text accom­pa­ny­ing notes 353–359. CBP agents use secret analytic tools to combine the inform­a­tion gathered from these vari­ous sources, includ­ing from social media, to assign risk assess­ments to trav­el­ers, includ­ing Amer­ic­ans flying domest­ic­ally. foot­note114_weofc5i 114 ATS applies its risk-based rules to domestic passen­gers as part of the joint CBP-TSA flight screen­ing oper­a­tion. See DHS Privacy Office, 2017 Data Mining Report to Congress, 10; ATS 2017 PIA, 23; ATS-TSA PIA, Common Oper­at­ing Picture, Phase II, 3–5. See also Elec­tronic Privacy Inform­a­tion Center, “EPIC v. CBP (Analyt­ical Frame­work for Intel­li­gence),” These assess­ments may get a person placed on a watch list like the TSDB, foot­note115_yzcupwm 115 CBP uses ATS to nomin­ate addi­tional indi­vidu­als for inclu­sion in the TSDB. ATS 2017 PIA, 25. The role of ATS in preflight and watch list screen­ing is described in more detail in the TSA section; See infra text accom­pa­ny­ing notes 258–297. and determ­ine whether the person gets a board­ing pass or if addi­tional screen­ing is neces­sary. foot­note116_8k51tme 116 DHS Privacy Office, 2017 Data Mining Report to Congress, 16; ATS 2017 PIA, 23; ATS-TSA PIA, Common Oper­at­ing Picture, Phase II, 2–3. These assess­ments are also used to decide who gets permis­sion to engage in trade across U.S. borders and, at the border, to decide who is allowed to enter the coun­try and what level of ques­tion­ing they must undergo. ATS 2017 PIA, 4.

To be clear, the indi­vidu­als who are subjec­ted to these meas­ures are not neces­sar­ily suspec­ted of a crime or a link to crim­inal activ­ity. foot­note117_85281gf 117 CBP uses ATS risk assess­ments to determ­ine whether further inspec­tion of a person, ship­ment, or convey­ance may be warran­ted, “even though an indi­vidual may not have been previ­ously asso­ci­ated with a law enforce­ment action or other­wise be noted as a person of concern.” ATS 2017 PIA, 4; ATS 2012 PIA, 19. Rather, an indi­vidu­al’s risk level is determ­ined by a profile, which can be influ­enced by social media inform­a­tion contained in ATS or other data­bases, as well as ad hoc quer­ies of inform­a­tion on the inter­net, includ­ing quer­ies of social media plat­forms. foot­note118_jpwtbkh 118 In assign­ing risk assess­ments, ATS incor­por­ates inform­a­tion from many sources, includ­ing private contract­ors, the FBI’s Terror­ist Screen­ing Data­base, and other govern­ment agen­cies. ATS 2017 PIA, 1, 10, 76. Notably, DHS exemp­ted ATS from accur­acy require­ments under the Privacy Act, so the inform­a­tion that goes into one’s risk assess­ment need not be correct, relev­ant, or complete. foot­note119_uwt25u0 119 ATS Final Rule, 5491.

ATS’s indi­vidual risk assess­ment capab­il­it­ies are also lever­aged by ICE in its enforce­ment activ­it­ies against people who have over­stayed their visas. ATS receives the names of poten­tial over­stays from CBP’s arrivals and depar­tures manage­ment system, and ATS auto­mat­ic­ally vets each name against its records to create a prior­it­ized list based on indi­vidu­als’ “asso­ci­ated risk patterns.” foot­note120_fpsjwx6 120 ATS 2017 PIA, 8; Hear­ing on “Visa Over­stays: A Gap in the Nation’s Border Secur­ity” before the Subcom­mit­tee on Border and Mari­time Secur­ity of the Commit­tee on Home­land Secur­ity, House of Repres­ent­at­ives, 115th Congress, May 23, 2017, No. 115–17 (here­in­after Congres­sional Hear­ing on Visa Over­stays), 10,­hr­g27610/pdf/CHRG-115h­hr­g27610.pdf. The prior­it­ized list is then sent to ICE’s lead manage­ment system, LeadTrac (discussed further in the ICE Visa Over­stay Enforce­ment section below). foot­note121_w6yp7co 121 ATS 2017 PIA, 8

It is not clear what stand­ard is used in determ­in­ing “risk” in these profiles or how exactly social media inform­a­tion is weighted. But it seems likely that ATS’s data mining toolkit, which includes “social network analysis” capab­il­it­ies that may rely on social media inform­a­tion, is an import­ant part of formu­lat­ing risk assess­ments. foot­note122_4ci890d 122 These analyt­ical and data mining tools are provided by a facet of ATS, the Auto­mated Target­ing Initi­at­ive. DHS Privacy Office, 2017 Data Mining Report to Congress, 16.

Risk assess­ments and other records in ATS are retained for 15 years, unless the inform­a­tion is “linked to active law enforce­ment lookout records . . . or other defined sets of circum­stances,” in which case the inform­a­tion is retained for “the life of the law enforce­ment matter.” foot­note123_hhr9nni 123 ATS 2017 PIA, 14, 43; DHS Privacy Office, Notice of Privacy Act System of Records, CBP–006 Auto­mated Target­ing System, System of Records, 77 Fed. Reg. 30297 (May 22, 2012),–05–22/pdf/2012–12396.pdf. Notably, the most recent ATS privacy impact assess­ment admits that the system fails to “consist­ently follow source system reten­tion peri­ods, but instead relies on the ATS-specific reten­tion period of 15 years,” often retain­ing data for a period that exceeds the data reten­tion require­ments of the system from which it origin­ated (for instance, three years for sources from ESTA). foot­note124_c66azm9 124 ATS 2017 PIA, 14; ESTA 2016 PIA, 6. There­fore, ATS passes inform­a­tion to part­ners long after it has been correc­ted or deleted from other data­bases.

ATS inform­a­tion, includ­ing person­ally iden­ti­fi­able inform­a­tion, is dissem­in­ated broadly within DHS and to other federal agen­cies, and many DHS officers have direct access to ATS. foot­note125_qt0thb6 125 For example, ICE, U.S. Coast Guard, and TSA person­nel have direct access to ATS. ATS 2017 PIA, 5, 8. Person­ally iden­ti­fi­able inform­a­tion held in ATS can be shared outside DHS as long as person­nel prepare a DHS-191 form to note the shar­ing of inform­a­tion. ATS 2012 PIA, 28. As an example of such dissem­in­a­tion of personal inform­a­tion, CBP passes photo­graphs and certain person­ally iden­ti­fi­able inform­a­tion via ATS to the DHS Auto­mated Biomet­ric Iden­ti­fic­a­tion System (IDENT), which is then forwar­ded to the FBI’s Next Gener­a­tion Iden­ti­fic­a­tion (NGI) for compar­ison. ATS 2017 PIA, 17–19. It is unclear, however, whether risk assess­ments and the under­ly­ing social media data on which they are based may be dissem­in­ated beyond ATS.

B. Trend, Pattern, and Predict­ive Analysis

Essen­tial to the process of assign­ing risk assess­ments are the CBP-formu­lated “rules,” or “patterns” iden­ti­fied as “requir­ing addi­tional scru­tiny,” that CBP person­nel use to vet inform­a­tion in ATS in order to eval­u­ate an indi­vidu­al’s risk level. foot­note126_zcqt­sqn 126 ATS 2017 PIA, 1. These patterns are based on trend analyses of suspi­cious activ­ity and raw intel­li­gence, as well as CBP officer exper­i­ence and law enforce­ment cases. foot­note127_n9cidhl 127 Ibid. In addi­tion to assign­ing risk assess­ments, ATS is used as a vetting tool by both USCIS (for refugees and applic­ants for certain immig­ra­tion bene­fits) and the Depart­ment of State (for visa applic­ants) and to analyze device data obtained at the border. foot­note128_jx4abrf 128 Ibid., 35–37, 39–41, 46–47, 58–60. For each of these func­tions, CBP agents use ATS to compare incom­ing inform­a­tion against ATS hold­ings and apply ATS’s analytic and machine learn­ing tools to recog­nize trends and patterns. foot­note129_acefpq9 129 DHS Privacy Office, 2017 Data Mining Report to Congress, 16; ATS 2017 PIA, 1.

CBP agents also use ATS for preflight screen­ings (which will be discussed in more detail in the TSA section) to identify indi­vidu­als who, though not on any watch list, “exhibit high risk indic­at­ors or travel patterns.” foot­note130_bi50uue 130 ATS 2017 PIA, 23. See infra text accom­pa­ny­ing notes 277–297. ATS’s analytic capab­il­it­ies likely under­pin its determ­in­a­tions of “high risk” patterns.

ATS is also cent­ral to a DHS-wide “big data” effort, the DHS Data Frame­work. Similar to ATS in struc­ture and purpose but wider in scope, the Data Frame­work is an inform­a­tion tech­no­logy system with vari­ous analytic capab­il­it­ies, includ­ing tools to create maps and time lines and analyze trends and patterns. foot­note131_mt0i7bi 131 These tools also include stat­ist­ical, geospa­tial, and temporal analysis capab­il­it­ies. DHS, Privacy Impact Assess­ment for the DHS Data Frame­work, DHS/ALL/PIA-046, Novem­ber 6, 2013 (here­in­after DHS Data Frame­work 2013 PIA), 13,­a­tions/privacy-pia-dhs-wide-dhsdata­frame­work-11062013.pdf.

The Data Frame­work ingests and analyzes huge amounts of data from across the depart­ment and from other agen­cies. foot­note132_rje86m5 132 As of Febru­ary 2018, data sets from at least 16 programs had been inges­ted into the DHS Data Frame­work, includ­ing CBP’s ATS, ESTA, and border cross­ing inform­a­tion; ICE’s SEVIS; TSA’s Secure Flight; USCIS’s index of A-Files relat­ing to indi­vidu­als who were victims of abuse or human traf­fick­ing; and USCIS and NPPD’s Auto­mated Biomet­ric Iden­ti­fic­a­tion System (IDENT). DHS, Privacy Impact Assess­ment for the DHS Data Frame­work, Appendix A, Approved Data Sets, DHS/ALL/PIA-046(b), Febru­ary 14, 2018, 44,­a­tions/privacy-pia-dhswide-dhsdata­frame­work­appendixa-febru­ary2018.pdf Origin­ally the Data Frame­work was meant to import data sets directly from dozens of source systems and categor­ize the data in order to abide by reten­tion limits, access restric­tion policies, and ensure that only partic­u­lar data sets are subject to certain analyt­ical processes. foot­note133_9w2rd8y 133 DHS, Privacy Impact Assess­ment for the DHS Data Frame­work, DHS/ALL/PIA-046(b), Febru­ary 27, 2015, 3,­a­tions/privacy-pia-046b-dhs-data-frame­work-20150227.pdf. The Data Frame­work includes two cent­ral repos­it­or­ies for data: Neptune and Cerberus. The previ­ous prac­tice was for the Data Frame­work to ingest unclas­si­fied inform­a­tion from DHS data systems into Neptune, which Neptune then stored and tagged. Once tagged, the unclas­si­fied data from Neptune was trans­ferred to Cerberus, the clas­si­fied “data lake” that DHS uses to perform clas­si­fied searches of the unclas­si­fied data. Neptune tags data based on the type of data involved, the system from which the data origin­ated, and when it was inges­ted into the Frame­work. DHS, Privacy Impact Assess­ment for the DHS Data Frame­work, DHS/ALL/PIA-046(a), August 29, 2014, 3,­a­tions/privacy-pia-update-dhs-all-pia-046-a-dhs-data-frame­work-08292014.pdf. Cerberus is part of the “Top Secret/Sens­it­ive Compart­men­ted Inform­a­tion” domain. DHS, Privacy Impact Assess­ment Update for Neptune, DHS/ALL/PIA-046–1(b), Febru­ary 27, 2015, 2,­a­tions/privacy-pia-046–1-b-neptune-20150227.pdf. However, as of April 2015, data sets star­ted being pulled straight from ATS instead of from the source systems, and the Data Frame­work stopped tagging and categor­iz­ing data before running analyt­ics. foot­note134_fc0suhl 134 Data Frame­work — Interim Process PIA, 8. DHS said this change was merely an “interim process” of mass data trans­fer in order to exped­ite its abil­ity to identify indi­vidu­als “support­ing the terror­ist activ­it­ies” in the Middle East. foot­note135_ebpbo4y 135 Specific­ally, the interim process was meant to exped­ite the iden­ti­fic­a­tion of indi­vidu­als “support­ing the terror­ist activ­it­ies” of the Islamic State of Iraq and the Levant, al-Qa’ida in the Arabian Penin­sula, the al-Nusrah Front, affil­i­ated offshoots of these groups, or indi­vidu­als seek­ing to join the Syria-Iraq conflict. Ibid., 1. The interim process was origin­ally estab­lished to last for 180 days, with the possib­il­ity of exten­sions in 90-day incre­ments. foot­note136_yz7jrb3 136 Ibid., 7. However, the interim period contin­ued for at least three and a half years (April 2015–Oc­to­ber 2018), and it is unclear whether it is still ongo­ing. foot­note137_xadutkz 137 DHS Privacy Office, 2017 Data Mining Report to Congress, 46. See also DHS Privacy Office, 2016 Data Mining Report to Congress, April 2017, 57,­a­tions/2016%20Data%20Min­ing%20Re­port%20FI­NAL.pdf.

The Data Frame­work’s interim process and its extrac­tion of data directly from ATS are troub­ling in part because ATS does not comply with the reten­tion sched­ules of differ­ent source systems but rather tends to rely on its own 15-year reten­tion period. foot­note138_y091pxq 138 ATS 2017 PIA, 14. By bypassing source systems and extract­ing inform­a­tion directly from ATS, the interim process creates a risk that outdated or incor­rect inform­a­tion, or inform­a­tion that was deleted from its source system many years earlier, will be input into the Data Frame­work’s clas­si­fied repos­it­ory. Hence, inform­a­tion collec­ted from an indi­vidual for one purpose — such as screen­ing for the Visa Waiver Program — not only is retained longer than it should be, but is channeled into larger and larger analyt­ical systems for unknown and unre­lated purposes.

Accord­ing to DHS senior lead­er­ship, the Data Frame­work also incor­por­ates “tone” analysis. foot­note139_0yrpo55 139 Cantú and Joseph, “Trump’s Border Secur­ity May Search Your Social Media by ‘Tone.’” Purvey­ors of tone analysis soft­ware have made dubi­ous claims about its abil­ity to predict emotional states and aspects of people’s person­al­ity on the basis of social media data. foot­note140_traiu8o 140 For instance, the Defense Depart­ment uses a tone analysis system developed by IBM that purports to be able to inter­pret and visu­al­ize emotional styles and moods from Twit­ter time lines. Ibid. See also Jian Zhao et al., “PEARL: An Inter­act­ive Visual Analytic Tool for Under­stand­ing Personal Emotion Style Derived From Social Media,” Proceed­ings of the IEEE Symposium on Visual Analyt­ics Science and Tech­no­logy (2014): 203–212, https://ieeex­­ment/7042496. These claims, however, have been thor­oughly debunked by empir­ical stud­ies. foot­note141_krqqy5s 141 See, for instance, Ahmed Abbasi, Ammar Hassan, and Milan Dhar, “Bench­mark­ing Twit­ter Senti­ment Analysis Tools” (find­ing that the best-perform­ing senti­ment analysis tools attain over­all accur­acy levels between 65 percent and 71 percent, with many low-perform­ing tools yield­ing accuracies below 50 percent); Asaf Beas­ley, Winter Mason, and Eliot Smith, “Infer­ring Emotions and Self-Relev­ant Domains in Social Media: Chal­lenges and Future Direc­tions,” Trans­la­tional Issues in Psycho­lo­gical Science 2, no. 3 (2016): 238–247,–47442–004 (noting that social media posts contain­ing senti­ment only weakly predict users’ self-repor­ted meas­ure of emotion); Asaf Beas­ley and Winter Mason, “Emotional States vs. Emotional Words in Social Media,” Proceed­ings of the Asso­ci­ation for Comput­ing Machinery Web Science Confer­ence (2015),­tion.cfm?id=278647 (noting that senti­ment analysis tools are not suffi­cient to infer how users feel). The unre­li­ab­il­ity of such soft­ware increases dramat­ic­ally for non-English content, espe­cially when people use slang or short­hand, which is often the case with social media inter­ac­tions. foot­note142_2yxrea6 142 Siaw Ling Lo et al., “Multi­lin­gual Senti­ment Analysis: From Formal to Informal and Scarce Resource Languages,” Arti­fi­cial Intel­li­gence Review 48, no. 4 (2017): 515, 518­lin­gual-senti­ment-analysis.pdf (noting that most of the senti­ment analysis stud­ies to date have util­ized lexicons and corpora in “proper English”). See also Duarte,Llanso, and Loup, Mixed Messages?, 14–15.

The Data Frame­work and its analyt­ical results are used extens­ively through­out DHS, includ­ing by CBP, DHS’s Office of Intel­li­gence and Analysis, TSA’s Office of Intel­li­gence and Analysis, and the DHS Coun­ter­in­tel­li­gence Mission Center. foot­note143_p82lqwb 143 DHS, Privacy Impact Assess­ment for DHS Data Frame­work, Appendix C — Approved Users, DHS/ALL/PIA-046(b), Septem­ber 2018, 2,­a­tions/privacy-pia-dhswide-dhsdata­frame­work­appendixc-septem­ber­2018.pdf. DHS uses the Data Frame­work’s clas­si­fied data repos­it­ory to dissem­in­ate inform­a­tion extern­ally, includ­ing “bulk inform­a­tion shar­ing” with U.S. govern­ment part­ners. foot­note144_w0ny0hy 144 DHS, Privacy Impact Assess­ment Update for the DHS Data Frame­work — External Shar­ing, DHS/ALL/PIA-046(c), March 30, 2016, 1,­a­tions/privacy-pia-dhs-data%20frame­work-march2016%20%28003%29.pdf.

C. Link and Network Analysis

A cent­ral element of CBP network analysis capab­il­it­ies is the collec­tion of inform­a­tion on a huge number of indi­vidu­als in order to draw connec­tions among people, organ­iz­a­tions, and data. For this purpose, CBP agents use the CBP Intel­li­gence Records System (CIRS) to gather inform­a­tion about a wide vari­ety of indi­vidu­als, includ­ing many who are not suspec­ted of any crim­inal activ­ity or seek­ing any type of immig­ra­tion bene­fit, such as people who report suspi­cious activ­it­ies; indi­vidu­als appear­ing in U.S. visa, border, immig­ra­tion, and natur­al­iz­a­tion bene­fit data who could be asso­ci­ates of people seek­ing visas or natur­al­iz­a­tion, includ­ing Amer­ic­ans; and indi­vidu­als iden­ti­fied in public news reports. foot­note145_guijoqd 145 DHS Privacy Office, Notice of New Privacy Act System of Records, CBP–024 Intel­li­gence Records System (CIRS) System of Records, 82 Fed. Reg. 44198 (Septem­ber 21, 2017) (here­in­after CIRS SORN), https://www.feder­alre­–19718. The system stores a broad range of inform­a­tion, includ­ing raw intel­li­gence collec­ted by CBP’s Office of Intel­li­gence, data collec­ted by CBP pursu­ant to its immig­ra­tion and customs author­it­ies (e.g., processing foreign nation­als and cargo at U.S. ports of entry), commer­cial data, and inform­a­tion from public sources such as social media, news media outlets, and the inter­net. foot­note146_azsx­s91 146 Ibid., 44201. Social media inform­a­tion collec­ted by CBP for “situ­ational aware­ness” activ­it­ies is also likely stored in CIRS. DHS, Privacy Impact Assess­ment for the Publicly Avail­able Social Media Monit­or­ing and Situ­ational Aware­ness Initi­at­ive, DHS/CBP/PIA-058, March 25, 2019, 6,­a­tions/privacy-pia-cbp58-social­me­dia-march2019.pdf. Notably, the system is exempt from a number of require­ments of the Privacy Act that aim to ensure the accur­acy of records. foot­note147_cxgwl3l 147 DHS, Final Rule, CBP–024 CBP Intel­li­gence Records System (CIRS) System of Records, 83 Fed. Reg. 66557 (Decem­ber 27, 2018)–12–27/pdf/2018–27944.pdf. Accord­ingly, it appears that inform­a­tion in CIRS may be inges­ted, stored, and shared regard­less of whether it is accur­ate, complete, relev­ant, or neces­sary for an invest­ig­a­tion. There is no public guid­ance on qual­ity controls for inform­a­tion eligible for inclu­sion in CIRS. foot­note148_dbhh­caq 148 Ibid.

Huge swaths of data from CIRS, ATS, and other systems, includ­ing social media inform­a­tion, are then inges­ted by another data­base, the Analyt­ical Frame­work for Intel­li­gence (AFI). foot­note149_7umy­e6m 149 CIRS SORN, 44199. In addi­tion to ATS and CIRS, AFI also ingests CBP’s ESTA and ICE’s Student and Exchange Visitor System. AFI 2016 PIA, 3–4. It is unclear how specific­ally inform­a­tion from CIRS is trans­mit­ted to AFI — whether CIRS data is routinely uploaded into AFI or specific CIRS data sets are copied ad hoc for analysis in AFI. AFI provides a range of analyt­ical tools that allow DHS to conduct network analysis, such as identi­fy­ing links or “non-obvi­ous rela­tion­ships” between indi­vidu­als or entit­ies based on addresses, travel-related inform­a­tion, Social Secur­ity numbers, or other inform­a­tion, includ­ing social media data. foot­note150_yqj3ssx 150 AFI 2016 PIA, 1; AFI 2012 PIA, 1, 4; CBP, Perform­ance and Account­ab­il­ity Report Fiscal Year 2014, 26,­ments/CBP_DHS_2014%20PAR_508C.PDF. Other AFI analytic capab­il­it­ies include creat­ing an index of data in exist­ing DHS systems, carry­ing out geospa­tial and temporal analysis, and perform­ing feder­ated quer­ies against external data sources includ­ing the Depart­ment of State, the FBI, and commer­cial data aggreg­at­ors. Feder­ated or univer­sal quer­ies allow users to search data across many differ­ent data­bases and systems to provide a consol­id­ated view of data about a person or entity. ATS 2017 PIA, 1. AFI also includes capab­il­it­ies for detect­ing trends, patterns, and emer­ging threats, but little is known about the under­ly­ing data AFI users have access to in conduct­ing those types of analyses. DHS Privacy Office, 2017 Data Mining Report to Congress, 26.

It is possible that ATS risk assess­ments are among the unspe­cified data trans­ferred from ATS to AFI. foot­note151_mky3tsu 151 See Elec­tronic Privacy Inform­a­tion Center v. U.S. Customs and Border Protec­tion, 2015 WL 12434257 (D.D.C.), In addi­tion, AFI users may upload inter­net sources and other public and commer­cial data, such as social media, on an ad hoc basis. foot­note152_dg9j19l 152 The only criterion that AFI users must meet to upload inter­net sources is that they believe the inform­a­tion is relev­ant to a project . AFI 2012 PIA, 9; AFI 2016 PIA, 4n19; DHS Privacy Office, Notice of Privacy Act System of Records, DHS/CBP–017 Analyt­ical Frame­work for Intel­li­gence (AFI) System of Records, 77 Fed . Reg . 33753 (June 7, 2012) (here­in­after AFI SORN),–06–07/html/2012–13813.htm. The data need only be relev­ant, a fairly low stand­ard, and the rules allow data of “unclear” accur­acy to be uploaded. foot­note153_ykbzq9o 153 Inform­a­tion in AFI can include “inform­a­tion from any source includ­ing public and commer­cial sources, which may be relev­ant .” AFI SORN . Publicly avail­able sources are stored even if “the accur­acy of inform­a­tion obtained or intro­duced occa­sion­ally may be unclear .” AFI Final Rule, 47768. CBP agents use AFI to search and analyze data­bases from vari­ous sources, includ­ing Depart­ment of State and FBI data­bases and commer­cial data aggreg­at­ors. foot­note154_9o3n­p06 154 For the full list of data sources avail­able through AFI, See AFI 2016 PIA, Appendix B, updated Novem­ber 30, 2018, 23–29. Start­ing in Septem­ber 2016, AFI began copy­ing the volumes of inform­a­tion it accesses into its own serv­ers. AFI 2016 PIA, 2–3. AFI now uses an open-source plat­form designed by Palantir that requires AFI to store multiple copies of data within the plat­form. This plat­form provides for shared stor­age and analysis by replic­at­ing the under­ly­ing data sources and stor­ing the replic­ated data in multiple places. This open-source plat­form model, DHS acknow­ledged, “presents privacy chal­lenges as its func­tion­al­ity relies on continu­ous replic­a­tion of data.” Ibid. Social media inform­a­tion in AFI can be used in ongo­ing projects and finished intel­li­gence products, which can be dissem­in­ated broadly within DHS and to external part­ners. foot­note155_nijcn1q 155 AFI 2016 PIA, 4 . The differ­ence between AFI “projects” and “products” is that the former involve “in progress” research and analysis that may or may not lead to a finished intel­li­gence product . DHS, Privacy Compli­ance Review of the U .S . Customs and Border Protec­tion (CBP) Analyt­ical Frame­work for Intel­li­gence (AFI), Decem­ber 19, 2014, 2, 6,­a­tions/ dhs-privacy-pcr-afi-12–19–2014.pdf.

The data mining firm Palantir — a long­time govern­ment contract­ing part­ner that helped facil­it­ate one of the National Secur­ity Agency’s most sweep­ing surveil­lance programs foot­note156_b7mr­grr 156 Sam Biddle, “How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World,” Inter­cept, Febru­ary 22, 2017, https://thein­ter­ — is intim­ately involved in AFI’s oper­a­tion. foot­note157_mqjy­hdb 157 Spen­cer Wood­man, “Palantir Provides the Engine for Donald Trump’s Deport­a­tion Machine”; Spen­cer Wood­man, “Docu­ments Suggest Palantir Could Help Power Trump’s ‘Extreme Vetting’ of Immig­rants,” Verge, Decem­ber 21, 2016,­rant-extreme-vetting. Docu­ments obtained by the Elec­tronic Privacy Inform­a­tion Center (EPIC) through a Free­dom of Inform­a­tion Act (FOIA) request refer to joint “AFI and Palantir data” and state that “data from AFI and Palantir can be shared with other stake­holder[s] and agen­cies” in compli­ance with AFI rules. foot­note158_xhx9ob0 158 CBP, “Analyt­ical Frame­work for Intel­li­gence Oper­a­tional Status & Secur­ity,”–04–08-CBP-FOIA-20150205-Produc­tion-p4.pdf#page=8. “Palantir data” may refer to personal inform­a­tion about people that Palantir ingests from dispar­ate sour­ces­such as airline reser­va­tions, cell phone records, finan­cial docu­ments, and social media — and combines into a color­ful graphic that purports to show soft­ware-gener­ated link­ages between crimes and people. foot­note159_rxld­c14 159 Sam Biddle, “How Peter Thiel’s Palantir Helped the NSA Spy on the Whole World.”

Accord­ing to an invest­ig­a­tion by Bloomberg News, law enforce­ment agen­cies may use this “digital drag­net” to identify people who are only very tangen­tially related to crim­inal activ­ity: “People and objects pop up on the Palantir screen inside boxes connec­ted to other boxes by radi­at­ing lines labeled with the rela­tion­ship: ‘Col­league of,’ ‘Lives with,’ ‘Oper­ator of [cell number],’ ‘Owner of [vehicle],’ ‘Sib­ling of,’ even ‘Lover of.’” foot­note160_lw0ideu 160 Peter Wald­man, Lizette Chap­man, and Jordan Robertson, “Palantir Knows Everything About You,” Bloomberg Busi­nes­s­Week, April 19, 2018, The value of discov­er­ing such link­ages in invest­ig­a­tions, while much hyped, is open to debate. foot­note161_f4fay36 161 Ibid. (noting that after the depar­ture of several JP Morgan exec­ut­ives who had taken advant­age of Palantir’s capab­il­it­ies, the bank “drastic­ally curtailed its Palantir use, in part because ‘it never lived up to its prom­ised poten­tial’”). And as the volume of inform­a­tion grows, so does the risk of error. Given that the inform­a­tion in AFI is not required to be accur­ate, it is likely that the data from Palantir is simil­arly unveri­fied. foot­note162_8ex8099 162 AFI Final Rule, 66558. Palantir also supplies AFI’s analyt­ical plat­form and works extens­ively with ICE, as discussed later. foot­note163_7ghf4jg 163 CBP, “AFI Analyst Train­ing,”–04–08-CBP-FOIA-20150205-Produc­tion-p4.pdf#page=219. See infra text accom­pa­ny­ing notes 414–417.

Data Transfer From CIRS & ATS to AFI

Since 2015, CBP has awar­ded contracts worth about $3.2 million to Babel Street, an open-source and social media intel­li­gence company, for soft­ware licenses and main­ten­ance for the CBP unit that manages AFI, the Target­ing and Analysis Systems Program Direct­or­ate. foot­note164_c9s69p5 164 DHS contract with Thun­der­cat Tech­no­logy, LLC, Septem­ber 21, 2017–­Septem­ber 20, 2018, USASpend­ing, https://www.usaspend­; DHS contract with Panamer­ica Computers, Inc., for Babel Soft­ware Licenses, Septem­ber 21, 2018–­Septem­ber 20, 2019, USASpend­ing, https://www.usaspend­; CBP contract with Thun­der­cat Tech­no­logy, LLC, Septem­ber 21, 2016–­Septem­ber 20, 2017, USASpend­ing, https://www.usaspend­; CBP contract with Thun­der­cat Tech­no­logy, LLC, Septem­ber 21, 2015–­Septem­ber 20, 2016, USASpend­ing, https://www.usaspend­; Office of Inspector General, DHS, Enhance­ments to Tech­nical Controls Can Improve the Secur­ity of CBP’s Analyt­ical Frame­work for Intel­li­gence, Septem­ber 2, 2015, 2,–137-Sep15.pdf (noting that the Target­ing and Analysis Systems Program Direct­or­ate admin­is­ters and manages AFI). Accord­ing to the company’s website, Babel Street tech­no­lo­gies provide access to millions of data sources in more than 200 languages; a number of analytic capab­il­it­ies, includ­ing senti­ment analysis in 18 languages; and link analysis. foot­note165_bcet5j1 165 Babel Street, “How It’s Done,” https://www.babel­ Users can also export data to integ­rate with Palantir analytic soft­ware. foot­note166_i8z0e36 166 Curtis Walt­man, “Meet Babel Street, the Power­ful Social Media Surveil­lance Used by Police, Secret Service, and Sports Stadi­ums,” Mother­board, April 17, 2017, https://mother­­ful-social-media-surveil­lance-used-by-police-secret-service-and-sports-stadi­ums. CBP likely uses Babel Street’s web-based applic­a­tion, Babel X, which is a multi­lin­gual text-analyt­ics plat­form that has access to more than 25 social media sites, includ­ing Face­book, Instagram, and Twit­ter. foot­note167_gqylezf 167 Ibid.; Babel Street, “Babel X,” https://www.babel­ While the Wash­ing­ton Post repor­ted in 2017 that Babel Street does not access indi­vidu­als’ Face­book profiles, it is not clear whether that is still the case and what kinds of Face­book inform­a­tion Babel Street tech­no­lo­gies currently collect. Aaron Gregg, “For This Company, Online Surveil­lance Leads to Profit in Wash­ing­ton’s Suburbs,” Wash­ing­ton Post, Septem­ber 10, 2017, https://www.wash­ing­ton­­ness/economy/for-this-company-online-surveil­lance-leads-to-profit-in-wash­ing­tons-suburbs/2017/09/08/6067c924–9409–11e7–89fa-bb822a46da5b_story.html?utm_term=.4f7b99f­d5135. There are few details about how Babel Street soft­ware is used by CBP and what sorts of social media data it may provide for AFI.

Addi­tion­ally, ATS and the DHS Data Frame­work both have their own link and “social network” analysis capab­il­it­ies, though little is known about how those capab­il­it­ies func­tion. foot­note168_cc3z5c4 168 DHS Privacy Office, 2017 Data Mining Report to Congress, 16; DHS Data Frame­work 2013 PIA, 13.

In sum, while we know that CBP under­takes extens­ive analyses of social media inform­a­tion, from assess­ing risk level to predict­ive and trend analysis to “social network analysis,” we know almost noth­ing about the valid­ity of these tech­niques or whether they are using discrim­in­at­ory prox­ies. Part­ner­ships with data mining compan­ies such as Palantir raise addi­tional concerns about the incor­por­a­tion of large pools of unveri­fied data into DHS systems, as well as privacy concerns about allow­ing a private company access to sens­it­ive personal data. foot­note169_sjfd­cg7 169 See, for example, Wald­man, Chap­man, and Robertson, “Palantir Knows Everything About You”; Angel Diaz and Rachel Levin­son-Wald­man, “Hold Private Police Part­ners Account­able, Too: For-Profit Compan­ies Are Making Millions With Special Access to NYPD Inform­a­tion,” Daily News, Octo­ber 26, 2018,­ion/ny-oped-hold-private-police-part­ners-account­able-too-20181025-story.html. The increas­ing consol­id­a­tion of data into CBP’s expans­ive intel­li­gence-gath­er­ing data­bases, as well as into the DHS Data Frame­work, further compounds the issues created by DHS’s vague, over­broad, and opaque stand­ards for collec­tion of social media data and its tend­ency to recycle that data for unknown and poten­tially discrim­in­at­ory ends.

End Notes

Transportation Security Administration

The Trans­port­a­tion Secur­ity Admin­is­tra­tion (TSA) is in charge of secur­ity for all modes of trans­port­a­tion — aviation, mari­time, mass transit, high­way and motor carrier, freight rail, and pipeline — into, out of, and within the United States. foot­note1_jy4t0ur 1 Aviation and Trans­port­a­tion Secur­ity Act, 49 U.S.C. § 114(d). Although most visible at airports, TSA also works behind the scenes via its Secure Flight program, which runs passen­ger records against a vari­ety of watch lists and inform­a­tion held in CBP’s Auto­mated Target­ing System (ATS). foot­note2_r9l4jz9 2 ATS 2017 PIA, 22–23. As with ATS’s risk assess­ments, very little is publicly known about the scientific found­a­tion and valid­ity of TSA’s secur­ity determ­in­a­tions. We do know that many of the lists that TSA uses to vet passen­gers rely on social media inform­a­tion, with the attend­ant risks of misin­ter­pret­a­tion, and have been widely criti­cized for being inac­cur­ate. foot­note3_75fp­izb 3 See, for example, Center for Consti­tu­tional Rights, “Leaked Guidelines for Place­ment on No-Fly List Show System Ripe for Abuse,” July 24, 2014,­ment-no-fly-list-show-system-ripe-abuse; El Ali et al., No. 8:18-cv-02415-PX; David Smith, “ ‘The Illu­sion of Secur­ity’: No-Fly List Draws Scru­tiny From Left and Right,” The Guard­ian, Decem­ber 9, 2015, https://www.theguard­

Concerns about TSA’s use of social media inform­a­tion are compoun­ded by the lack of trans­par­ency surround­ing how indi­vidu­als are desig­nated as secur­ity risks.

TSA’s Secure Flight program collects passen­ger records from airlines and works in conjunc­tion with CBP’s ATS to flag passen­gers for enhanced screen­ing or denial of board­ing. foot­note4_u5bb25h 4 DHS, “DHS Trans­ition Issue Paper: Enhan­cing Inter­na­tional Aviation Secur­ity,” in Stra­tegic Issue Paper Summar­ies, 28. Secure Flight checks roughly two million passen­ger records daily against a vari­ety of watch lists. foot­note5_z0h7ta3 5 Hear­ing on “Secure Flight: Addi­tional Actions Needed to Determ­ine Program Effect­ive­ness and Strengthen Privacy Over­sight Mech­an­isms” before the Subcom­mit­tee on Trans­port­a­tion Secur­ity, House Commit­tee on Home­land Secur­ity, House of Repres­ent­at­ives, 113th Congress, Septem­ber 18, 2014 (state­ment of Jennifer Grover, acting director, Home­land Secur­ity and Justice), 1, Its auto­mated match­ing system assigns a percent­age score to each record, indic­at­ing the confid­ence level of a match between the passen­ger and a watch list entry. foot­note6_m100nbx 6 Office of Inspector General, DHS, Imple­ment­a­tion and Coordin­a­tion of TSA’s Secure Flight Program, OIG-12–94, July 2012, 23,–94_Jul12.pdf. Scores must meet a minimum threshold to be considered a poten­tial match, but it is not clear what that threshold is, rais­ing concerns about whether the system is suffi­ciently rigor­ous. Ibid. Those whose scores meet the minimum threshold are iden­ti­fied and subjec­ted to enhanced secur­ity screen­ing by on-the-ground TSA person­nel. foot­note7_wxfm­dd7 7 DHS, Privacy Impact Assess­ment Update for Secure Flight, DHS/TSA/PIA-018(f), Septem­ber 4, 2013, 5,­a­tions/privacy-pia-tsa-secure-flight-update-09042013.pdf. Secure Flight also iden­ti­fies a (poten­tially over­lap­ping) category of trav­el­ers and their compan­ions called “Inhib­ited Passen­gers,” which includes indi­vidu­als who are confirmed or possible matches to watch lists, as well as indi­vidu­als about whom DHS possesses “certain derog­at­ory hold­ings that warrant enhanced scru­tiny” or who have “a high prob­ab­il­ity of being denied board­ing.” Both of the latter categor­ies remain undefined. foot­note8_rb0q8gb 8 ATS-TSA PIA, Common Oper­at­ing Picture, Phase II, 3.

The watch lists used to desig­nate indi­vidu­als as secur­ity risks include the No Fly and Selectee compon­ents of the Terror­ist Screen­ing Data­base (TSDB), TSA Watch Lists, and watch lists derived from ATS’s prescreen­ing of inter­na­tional flights. foot­note9_9is123o 9 DHS, Privacy Impact Assess­ment for Secure Flight, DHS/TSA/PIA-018(h), July 12, 2017 (here­in­after Secure Flight 2017 PIA), 1–2,­a­tions/pia_tsa_secure­flight_18%28h%29_july2017.pdf. CBP also uses the Centers for Disease Control and Preven­tion’s Do Not Board List for Secure Flight. Ibid., 2n4. Social media forms part of the basis for placing indi­vidu­als on these watch lists, which are described below. foot­note10_p29aqwg 10 See National Coun­terter­ror­ism Center, “Watch­list­ing Guid­ance,” March 2013, 10,­list-guid­ance_1.pdf; Jeremy Scahill and Ryan Dever­eaux, “The Secret Govern­ment Rule­book for Labeling You a Terror­ist,” Inter­cept, July 23, 2014, https://thein­ter­­lis­ted/; Center for Consti­tu­tional Rights, “Leaked Guidelines for Place­ment on No-Fly List.”

1. Watch Lists

A. Terror­ist Screen­ing Data­base

Main­tained by the FBI’s Terror­ist Screen­ing Center and commonly known as the “terror­ist watch list,” the TSDB is the data­base of indi­vidu­als whom the govern­ment categor­izes as being “known” or “suspec­ted” of having ties to terror­ism. foot­note11_jixpoyf 11 DHS, Privacy Impact Assess­ment Update for the Watch­list Service, DHS/ALL-027(e), May 5, 2016, 1,­a­tions/privacy-pia-027-E-uscis-wlsf­dnsds-may2016.pdf. See also Jerome P. Bjel­opera, Bart Elias, and Alison Siskin, The Terror­ist Screen­ing Data­base and Prevent­ing Terror­ist Travel, Congres­sional Research Service, 7–5700, Novem­ber 7, 2016, 1, DHS receives inform­a­tion from the TSDB through the DHS Watch­list Service, which main­tains a synchron­ized copy of the data­base and dissem­in­ates records from it to parts of DHS. foot­note12_xf5ggla 12 DHS, Use of the Terror­ist Screen­ing Data­base System of Records, 81 Fed. Reg. 3811 (Janu­ary 22, 2016) (here­in­after Use of TSDB SORN),–01–22/pdf/2016–01167.pdf. The FBI and other federal agen­cies submit­ting nomin­a­tions for the TSDB are encour­aged to include social media inform­a­tion as a source for suspi­cion, even if the inform­a­tion is uncor­rob­or­ated. foot­note13_krkdbso 13 National Coun­terter­ror­ism Center, “Watch­list­ing Guid­ance,” 10. This guid­ance also specifies that a post­ing on a social media site “should not auto­mat­ic­ally be discoun­ted merely because of the manner in which it was received. Instead, the nomin­at­ing agency should eval­u­ate the cred­ib­il­ity of the source, as well as the nature and specificity of the inform­a­tion, and nomin­ate even if that source is uncor­rob­or­ated.” Ibid., 34. CBP is one such agency that submits watch list nomin­a­tions. ATS 2017 PIA, 25. In fiscal year 2016, CBP nomin­ated more than 3,400 indi­vidu­als to the Terror­ist Screen­ing Data­base. DHS, “DHS Trans­ition Issue Paper: Travel Secur­ity and Facil­it­a­tion,” in Stra­tegic Issue Paper Summar­ies, 216. A nomin­a­tion is accep­ted to the TSDB if the Terror­ist Screen­ing Center determ­ines that the inform­a­tion meets a reas­on­able-suspi­cion stand­ard and there is suffi­cient identi­fy­ing inform­a­tion. Bjel­opera, Elias, and Siskin, The Terror­ist Screen­ing Data­base and Prevent­ing Terror­ist Travel, 5. The watch list has long been criti­cized for being bloated and error prone; as of 2016 it included one million names, includ­ing those of about 5,000 Amer­ic­ans. foot­note14_zomepyn 14 Office of Senator Dianne Fein­stein, “Find­ings From Joint Response From the National Coun­terter­ror­ism Center (NCTC) and the Federal Bureau of Invest­ig­a­tion (FBI) to Congres­sional Ques­tions Regard­ing the Terror­ist Iden­tit­ies Datamart Envir­on­ment (TIDE) and the Terror­ist Screen­ing Data­base (TSDB),” 2016, https://www.fein­–1dbb-4802-a866-cfdfa300a5ad/BCD664419E5B375C638A0F250B37D­CB2.nctc-tsc-numbers-to-congress-06172016-nctc-tsc-final.pdf. See also Jeremy Scahill and Ryan Dever­eaux, “Watch Commander: Barack Obama’s Secret Terror­ist-Track­ing System, by the Numbers,” Inter­cept, August 5, 2014, https://thein­ter­ (noting that, as of 2013, 680,000 names were in the TSDB, includ­ing those of 5,000 Amer­ic­ans). The stand­ards for categor­iz­ing indi­vidu­als as “suspec­ted” of ties to terror­ism are so broad that even people three degrees removed from a “suspi­cious” person could be included on the list. foot­note15_gx4ljiy 15 See, for example, El Ali et al., No. 8:18-cv-02415-PX; Latif v. Holder, 28 F. Supp. 3d 1134 (D. Or. 2014); Tarhuni v. Sessions, No. 3:13-CV-00001-BR, 2018 WL 3614192 (D. Or. July 27, 2018); National Coun­terter­ror­ism Center, “Watch­list­ing Guid­ance,” 37–42. In 2016, DHS revised the Watch­list Service System of Records Notice (SORN) to further expand the categor­ies of indi­vidu­als covered by the system. The revised SORN expli­citly includes those who “do not other­wise satisfy the require­ments for inclu­sion in the TSDB” but (1) are relat­ives, asso­ci­ates, or others closely connec­ted with a known or suspec­ted terror­ist, (2) “were offi­cially detained during milit­ary oper­a­tions, but not as enemy pris­on­ers of war, and who have been iden­ti­fied as possibly posing a threat to national secur­ity,” or (3) are known or suspec­ted to be or have been engaged in conduct consti­tut­ing, in aid of, or related to transna­tional organ­ized crime. Use of TSDB SORN; DHS, Privacy Impact Assess­ment for ICE Invest­ig­at­ive Case Manage­ment, DHS/ICE/PIA-045, June 16, 2016 (here­in­after ICM 2016 PIA), 18,­a­tions/privacy-pia-ice-icm-june2016.pdf.

TSA’s Secure Flight

The TSDB is the source of the No Fly List and the Selectee List, both of which also rely on broad stand­ards that could allow, for example, the inclu­sion of indi­vidu­als who have engaged in civil disobedi­ence. foot­note16_elqrejl 16 The No Fly List includes those who are not allowed to board a commer­cial aircraft flying into, out of, over, or within U.S. airspace, or point-to-point inter­na­tional flights oper­ated by U.S. carri­ers. The Selectee List includes those who must undergo extra screen­ing before board­ing a commer­cial aircraft. Office of Inspector General, Imple­ment­a­tion and Coordin­a­tion of TSA’s Secure Flight Program, 2. For a discus­sion of the over­broad stand­ards of these lists, See Center for Consti­tu­tional Rights, “Leaked Guidelines for Place­ment on No-Fly List”; Scahill and Dever­eaux, “The Secret Govern­ment Rule­book for Labeling You a Terror­ist.” The No Fly List has been the subject of extens­ive litig­a­tion, in which federal courts have criti­cized the govern­ment’s fail­ure to ensure adequate proced­ures to allow indi­vidu­als to contest their inclu­sion on the list. foot­note17_fd30alu 17 In the case of Rahi­nah Ibrahim, a Malay­sian national work­ing toward her Ph.D. at Stan­ford, it took nine years of litig­a­tion before her name was cleared. A Janu­ary 2019 ruling in the Ninth Circuit found that even after the govern­ment determ­ined that Ibrahim did not pose a threat to national secur­ity, the govern­ment engaged in years of “scorched earth litig­a­tion,” refus­ing to allow Ibrahim to return to the United States. Ibrahim v. U.S. Depart­ment of Home­land Secur­ity, No. 14–16161, 2019 WL 73988, at 17 (9th Cir., Jan. 2, 2019). The en banc Ninth Circuit found that there was consid­er­able evid­ence indic­at­ing that the Justice Depart­ment attor­neys had acted in “bad faith” and that Ibrahim was entitled to full attor­neys’ fees under the Equal Access to Justice Act. See also “The FBI Checked the Wrong Box and a Woman Ended Up on the Terror­ism Watch List for Years,” ProP­ub­lica, Decem­ber 15, 2015, https://www.prop­ub­­nah-ibrahim-terror­ism-watch-list. See also Latif v. Holder, 28 F. Supp. 3d 1134; Tanvir v. Lynch, 128 F. Supp. 3d 756 (S.D.N.Y. 2015) (noting that DHS lacks “a mean­ing­ful mech­an­ism for trav­el­ers who have been denied board­ing to correct erro­neous inform­a­tion in the govern­ment’s terror­ism data­bases”).

B. TSA Watch Lists

The watch lists created and managed by TSA’s Office of Intel­li­gence and Analysis are also likely to incor­por­ate social media inform­a­tion in at least some cases. foot­note18_zcklxom 18 Nomin­a­tions to a TSA Watch List may come from within TSA, from other DHS compon­ents, or from other govern­ment agen­cies, and those nomin­a­tions may be informed by social media. Secure Flight 2017 PIA, 3–4. See, for example, Susan Hasman, director of secur­ity oper­a­tions coordin­a­tion to federal secur­ity direct­ors, “400.5 — ROUTINE — OD-400–19–12 — TSA Watch List (Secur­ity Noti­fic­a­tion),” March 19, 2018, https://www.just­se­cur­ (noting that indi­vidu­als who are “publicly notori­ous” can be nomin­ated to the TSA Watch List). These lists are based on inform­a­tion in TSA Intel­li­gence Service Oper­a­tions Files, which are compiled from TSA secur­ity incid­ents, intel­li­gence provided by other agen­cies, and broadly from commer­cial sources and publicly avail­able data; they are used to flag people who are not on another relev­ant watch list to receive addi­tional scru­tiny during travel. foot­note19_xuky2gh 19 Secure Flight 2017 PIA, 6. The TSA Watch List expli­citly includes those “who are not on a TSDB watch list but who nonethe­less present a threat to trans­port­a­tion or national secur­ity.” Ibid., 4. TSA retains the master files of the lists for 30 years. Ibid., 9. One such list, the “95 list,” created in Febru­ary 2018, includes indi­vidu­als who make phys­ical contact with a TSA employee or dog, loiter near screen­ing check­points, are the subject of a cred­ible threat of viol­ence, or are “publicly notori­ous.” foot­note20_2mtnted 20 Hasman, “400.5 — ROUTINE — OD-400–19–12 — TSA Watch List (Secur­ity Noti­fic­a­tion).” See Faiza Patel, “Does TSA Really Need a Watch List for ‘Unruly’ Trav­el­ers?” Just Secur­ity, May 23, 2018, https://www.just­se­cur­­gers-watch-list/. While some of this inform­a­tion likely comes from agents, it seems that public notori­ety and perhaps even the threat of viol­ence are factors that TSA gleans from social media.

C. ATS-Gener­ated Watch Lists

TSA’s Secure Flight also screens passen­ger records against watch lists derived from ATS’s prescreen­ing of inter­na­tional flights. foot­note21_6tgddzz 21 These inter­na­tional flights include incom­ing inter­na­tional flights, flights that fly over the United States but do not touch down, and flights on U.S. carri­ers that fly from one inter­na­tional point to another inter­na­tional point (point-to-point flights); it is not clear whether outgo­ing inter­na­tional flights are also prescreened by ATS. ATS 2017 PIA, 23. The ATS prescreen­ing is informed by TSA-craf­ted rules or “threat-based intel­li­gence scen­arios,” which ATS then compares against both passen­ger records and its pleth­ora of other sources, includ­ing social media. ATS iden­ti­fies indi­vidu­als for enhanced TSA screen­ing based on “matches” to inform­a­tion found in ATS. foot­note22_2zt9sz4 22 ATS 2017 PIA, 23; Secure Flight 2017 PIA, 2. CBP also receives inform­a­tion from TSA about possible and confirmed watch list matches for indi­vidu­als on inter­na­tional flights of covered U.S. aircraft oper­at­ors, which it also compares against ATS records. DHS, Privacy Impact Assess­ment Update for the ATS-TSA/CBP Common Oper­at­ing Picture Program, DHS/CBP/PIA-006(c), Janu­ary 31, 2014, 5,­a­tions/privacy-pia-cbp-atsup­date-01312014_0.pdf. Such matches could be based on a profil­ing rule or based on a passen­ger’s iden­ti­fi­ers, which may include names, phone numbers, or social media handles. foot­note23_wn90w3s 23 DHS Privacy Office, 2017 Data Mining Report to Congress, 18. When an indi­vidual matches with inform­a­tion or rules in ATS, the match leads either to further inspec­tion action or to a recom­mend­a­tion to carri­ers not to allow such persons to board. Ibid., 19. ATS compiles its list of matches to share with Secure Flight, includ­ing indi­vidu­als who, though not on any other watch list, “exhibit high risk indic­at­ors or travel patterns.” foot­note24_9n2k­sx8 24 ATS 2017 PIA, 23. There are no public criteria for what consti­tutes a high risk indic­ator or travel pattern that could trig­ger a flag on ATS.

Accord­ing to a privacy impact assess­ment published in April 2019, TSA uses ATS to gener­ate watch lists for TSA’s “Silent Part­ner” and “Quiet Skies” programs. foot­note25_xscm­b3b 25 DHS, Privacy Impact Assess­ment Update for Secure Flight Silent Part­ner and Quiet Skies, DHS/TSA/PIA-018(i), April 19, 2019 (here­in­after Silent Part­ner and Quiet Skies 2019 PIA), 2,­a­tions/pia-tsa-spqs018i-april2019_1.pdf. Little is known about Silent Part­ner, but accord­ing to internal TSA docu­ments, Quiet Skies origin­ally involved under­cover federal air marshals shad­ow­ing thou­sands of trav­el­ers on flights and through airports, docu­ment­ing whether trav­el­ers use a phone, go to the bath­room, fidget, or have a “cold penet­rat­ing stare,” among other beha­vi­ors. foot­note26_9m1ardl 26 Jana Winter, “Welcome to the Quiet Skies,” Boston Globe, July 28, 2018,­­ics/2018/07/tsa-quiet-skies/?p1=HP_SpecialTSA. Follow­ing a series of reports by the Boston Globe, TSA announced that it curtailed the Quiet Skies program in Decem­ber 2018 and will no longer require agents to compile reports on trav­el­ers who exhibit routine passen­ger beha­vi­ors. foot­note27_lj4x­cne 27 Jana Winter and Jenn Abel­son, “TSA says it no longer tracks regu­lar trav­el­ers as if they may be terror­ists,” Boston Globe, Decem­ber 15, 2018,­­ger-surveil­lance/2lRAv2AwjG­pUcgq08m­HaPM/story.html. However, TSA now uses ATS, with its numer­ous social media sources, to create a list of trav­el­ers for Quiet Skies. TSA formu­lates rules for CBP person­nel to check against ATS hold­ings on passen­gers on outbound inter­na­tional flights and domestic flights subsequent to inter­na­tional flights to create a Quiet Skies List of indi­vidu­als desig­nated for enhanced screen­ing. foot­note28_el06ub8 28 Silent Part­ner and Quiet Skies 2019 PIA, 2. A similar Silent Part­ner List is created for passen­gers on in-bound inter­na­tional flights. foot­note29_on2dkfc 29 Ibid. The rules TSA shares with ATS to desig­nate indi­vidu­als for the Quiet Skies List “must pertain to a specific poten­tial threat to aviation secur­ity within the Home­land, as assessed by TSA.” Ibid., 3 n7. In contrast, the Silent Part­ner rules are broader and “must pertain to a specific poten­tial threat to aviation secur­ity or the Home­land” (emphasis added). Ibid., 3n7. In addi­tion to being desig­nated for enhanced screen­ing, indi­vidu­als on the Quiet Skies and Silent Part­ner Lists may be subject to “obser­va­tion by the TSA Federal Air Marshal Service (FAMS) while the indi­vidual is onboard the flight or in the airport.” foot­note30_guth­dj1 30 Ibid., 3.

International Flight Data Transfer

The privacy impact assess­ment notes that indi­vidu­als “will remain on the Quiet Skies List for a period of time,” though the period is unspe­cified. foot­note31_e9d85kg 31 Ibid., 2. Names of indi­vidu­als who are flagged in ATS based on matches to TSA’s rules are retained in ATS for seven years, while names of inter­na­tional trav­el­ers whose activ­it­ies do not match the risk patterns are retained for seven days “to conduct addi­tional analysis.” foot­note32_k4om6nk 32 Ibid., 11–12; ATS 2017 PIA, 27. For “Inhib­ited Passen­gers” iden­ti­fied by TSA and shared with ATS, ATS screens those records against its hold­ings and against lists like the TSDB. ATS iden­ti­fies “possible watch­list matches who are subsequently cleared,” which are then retained in ATS for seven years. Confirmed matches to a watch list record are retained in ATS for 15 years, and in Secure Flight for 99 years. Secure Flight inform­a­tion that is linked to a border secur­ity, national secur­ity, signi­fic­ant health risk, or coun­terter­ror­ism matter is retained in ATS for the life of the matter. Ibid., 27. This inform­a­tion can be used for future risk assess­ments and watch lists. foot­note33_hhi3c3b 33 Indi­vidu­als who are flagged in ATS as “high risk” are not provided notice of their flag­ging as ATS does not collect inform­a­tion from indi­vidu­als directly and DHS has exemp­ted many parts of ATS from the noti­fic­a­tion, access, amend­ment, and certain account­ing provi­sions of the Privacy Act of 1974. See ATS Final Rule. The ATS privacy impact assess­ments state that those who would like to contest or correct any inform­a­tion in ATS can contact the CBP Inform­a­tion Center or DHS Trav­eler Redress Inquiry Program. For instance, trav­el­ers may obtain access to their Passen­ger Name Record (PNR) data in ATS, but not to the results of any ATS rules or analyses applied to their PNR data. ATS 2012 PIA, 29–30.

Social media also plays a role in TSA screen­ings of passen­gers on domestic flights. foot­note34_dsq99ue 34 TSA and CBP have a broad arrange­ment through which they share inform­a­tion, which may include social media inform­a­tion, about watch-listed trav­el­ers and their trav­el­ing compan­ions. All inform­a­tion on TSA-iden­ti­fied and CBP-iden­ti­fied “Inhib­ited Passen­gers” is easily access­ible to both TSA and CBP via a shared dash­board display. ATS-TSA PIA, Common Oper­at­ing Picture, Phase II, 3. For domestic flights, Secure Flight screens airline records using watch lists and unspe­cified “rules” and then shares the names of watch list matches and other “Inhib­ited Passen­gers” with ATS. foot­note35_ccfb8gg 35 Ibid., 4–5. ATS users then perform compar­is­ons, apply “risk-based rules,” and conduct feder­ated quer­ies to identify pertin­ent CBP-held inform­a­tion on those trav­el­ers, which could include social media inform­a­tion. At the same time, ATS users create a separ­ate list of CBP-iden­ti­fied “Inhib­ited Passen­gers” based on analyses of ATS sources, includ­ing social media. foot­note36_17kyhp0 36 Ibid., 8. CBP sends the results of the ATS screen­ing back to Secure Flight, and TSA and CBP person­nel compare the Secure Flight and ATS-gener­ated lists of “Inhib­ited Passen­gers” via a common dash­board display. foot­note37_1pcux0w 37 The shared dash­board display is view­able at CBP’s National Target­ing Center and TSA’s Oper­a­tions Center. Ibid., 2–3. CBP also displays visa deni­als and revoc­a­tions, inform­a­tion on lost or stolen pass­ports, and ESTA denial data on the common dash­board. Ibid., 5. TSA agents then make final decisions on enhanced screen­ing and board­ing denial, which could be informed by the ATS-held social media records. foot­note38_ndyy3qp 38 Ibid., 8.

Addi­tion­ally, TSA agents use an ATS “decision-support” tool called ATS-Passen­ger (ATS-P), avail­able on mobile devices through an ATS mobile applic­a­tion, to view inform­a­tion in ATS and create a prior­it­ized list of “poten­tially high-risk passen­gers.” foot­note39_zs774b5 39 ATS 2017 PIA, 8, 9n7. Other DHS compon­ents, includ­ing ICE and Border Patrol, also use ATS-P and the mobile app for “decision-support.” Ibid., 8. Accord­ing to the most recent privacy impact assess­ment, TSA person­nel can search and filter ATS inform­a­tion by creat­ing “user-defined rules” based on “oper­a­tional, tactical, intel­li­gence, or local enforce­ment efforts.” foot­note40_o12pomb 40 Ibid., 8. DHS person­nel use ATS-P to “focus efforts on poten­tially high-risk passen­gers by elim­in­at­ing labor-intens­ive manual reviews of trav­eler inform­a­tion.” Ibid. It is not clear what these “uniform and user-defined rules” are or how DHS ensures that they are valid and free from bias. For ATS’s “risk-based rules” in general, CBP, the DHS Privacy Office, the DHS Office for Civil Rights and Civil Liber­ties, and the DHS Office of the General Coun­sel are supposed to conduct joint quarterly reviews of the rules. DHS Privacy Office, 2017 Data Mining Report to Congress, 22. The abil­ity of each user to define his or her own rules — a process about which there is little inform­a­tion publicly avail­able — creates oppor­tun­it­ies for discrim­in­at­ory applic­a­tion. ATS-P also allows users to query other avail­able federal govern­ment systems and publicly avail­able inform­a­tion, includ­ing social media data. foot­note41_idgity5 41 ATS 2017 PIA, 8–9. ATS-P received a tech­no­logy refresh, UPAX, to more succinctly display query results across multiple source systems, as well as “integ­rat[e] risk assess­ment and case manage­ment func­tion­al­ity with the present­a­tion of query results.” Ibid., 10. This may suggest that users, includ­ing non-CBP users, would be able to view trav­el­ers’ risk assess­ments through ATS-P and the mobile applic­a­tion. The fact that this system is applied to domestic flights raises the possib­il­ity that it could be used to target Amer­ican trav­el­ers on the basis of their polit­ical and reli­gious views. 

Domestic Flight Data Transfer

2. TSA PreCheck

TSA also uses Secure Flight to identify low-risk passen­gers for TSA PreCheck, a fee-based program that allows trav­el­ers exped­ited transit through airports. foot­note42_cbhkqp9 42 Privacy Impact Assess­ment for the TSA PreCheck Applic­a­tion Program, DHS/TSA/PIA-041, Septem­ber 4, 2013 (here­in­after PreCheck 2013 PIA), 1,­a­tions/privacy_pia_041_tsa%20precheck%20ap­plic­a­tion%20pro­gram_septem­ber%202013_0.pdf. Secure Flight screens PreCheck applic­ants against its own inform­a­tion as well as several lists of preapproved low-risk trav­el­ers from other agen­cies and other parts of DHS, includ­ing CBP’s Trus­ted Trav­eler programs. foot­note43_adqf059 43 Govern­ment Account­ab­il­ity Office, Report to Congres­sional Requesters, Secure Flight: TSA Should Take Addi­tional Steps to Determ­ine Program Effect­ive­ness, Septem­ber 2014, 15–16, Since these lists rely on data­bases that include social media inform­a­tion, it is likely that what people say on social media influ­ences PreCheck desig­na­tions. foot­note44_ygc9q2b 44 See “CBP Trus­ted Trav­eler and Trus­ted Worker Popu­la­tions,” ATS 2017 PIA, 30.

Indeed, TSA has sought to high­light social media in its PreCheck screen­ing efforts. In Decem­ber 2014, the agency announced that it was plan­ning to expand PreCheck by hiring contract­ors to screen applic­ants using “risk scor­ing algorithms using commer­cial data, includ­ing social media and purchase inform­a­tion.” foot­note45_a51fz3a 45 Agree­ment Relat­ing to TSA PreCheck Applic­a­tion Expan­sion, HSTS02–15-H-OIA037X,­­­ments/1508090/ota-articles-for-pre-check-applic­a­tion-expan­sion.pdf. In response to criti­cism from civil soci­ety about the use of social media data and the reli­ance on private compan­ies to determ­ine secur­ity risks, foot­note46_7ch0efb 46 See, for example, Joe Shar­key, “PreCheck Expan­sion Plan Raises Privacy Concerns,” New York Times, March 9, 2015,­ness/precheck-expan­sion-plan-raises-privacy-concerns.html; Amber Corrin, “TSA Pulls Back on Big-Data PreCheck Expan­sion,” Federal Times, Febru­ary 16, 2015, https://www.feder­al­­ment/2015/02/16/tsa-pulls-back-on-big-data-precheck-expan­sion/. TSA back­tracked, issu­ing a revised proposal that barred bidders from using any avail­able social media for prescreen­ing efforts. foot­note47_idwu91y 47 “Special Notice Post­ing for the PreCheck Applic­a­tion Expan­sion,” Soli­cit­a­tion HSTS02–15-R-OIA037, Federal Busi­ness Oppor­tun­it­ies, Febru­ary 7, 2015, The TSA’s PreCheck privacy impact assess­ment from Janu­ary 2016 reaf­firms its interest in having private-sector entit­ies “perform iden­tity assur­ance and crim­inal history assess­ments” using commer­cial and publicly avail­able data, though the docu­ment does not indic­ate that social media data will be used. DHS, Privacy Impact Assess­ment Update for the TSA PreCheck Applic­a­tion Program, DHS/TSA/PIA-041(a), Janu­ary 22, 2016 (here­in­after PreCheck 2016 PIA), 1,­a­tions/privacy-pia-041-a-tsa%20precheck%20ap­plic­a­tion%20pro­gram-febru­ary2016.pdf. In Septem­ber 2017, TSA awar­ded an ongo­ing contract worth more than $22 million to Idemia, a big-data biomet­rics company, for Univer­sal Enroll­ment Services, which includes PreCheck enroll­ment. foot­note48_6pll6qe 48 DHS Univer­sal Enroll­ment Services Contract with Idemia Iden­tity & Secur­ity USA LLC, USASpend­ing, Septem­ber 1, 2017–­Septem­ber 4, 2019, https://www.usaspend­ Idemia captures and submits enroll­ment data, includ­ing biographic, biomet­ric, iden­tity, and citizen­ship docu­ment­a­tion, to the govern­ment for vetting and case manage­ment purposes. foot­note49_jh4c1bk 49 TSA, “Justi­fic­a­tion for Other Than Full and Open Compet­i­tion,” J&A Univer­sal Enroll­ment Services (UES) Bridge Contract Modi­fic­a­tion, Soli­cit­a­tion Number 70T02018R9NOI­A248, Federal Busi­ness Oppor­tun­it­ies, Septem­ber 18, 2018, 2,­beec3837347c03cfc­cee72c; See also TSA Office of Contract­ing and Procure­ment, Univer­sal Enroll­ment Services (UES) Request for Propos­als, Federal Busi­ness Oppor­tun­it­ies, March 7, 2018, 112,­ab726e4097c2d­d5­fa8e17668; Univer­sal Enroll­ment Services (UES) Notice of Intent to Sole Source, GovTribe, May 1, 2018,­tun­ity/federal-contract-oppor­tun­ity/univer­sal-enroll­ment-services-ues-notice-of-intent-to-sole-source-70t02018r9noi­a248. While the contract docu­ments do not indic­ate that Idemia will use social media inform­a­tion to conduct “secur­ity threat assess­ments” and “iden­tity assur­ances” for PreCheck, Idemi­a’s website describes the company’s data mining mission in general as includ­ing “geoloca­tions, audit trails and social media conver­sa­tions.” foot­note50_8othisr 50 TSA, “Justi­fic­a­tion for Other Than Full and Open Compet­i­tion”; “Big Data,” Idemia, accessed Decem­ber 28, 2018, Idemia “has been build­ing and managing data­bases of entire popu­la­tions for govern­ments, law enforce­ment agen­cies and other govern­ment bodies around the world, whether for national ID, health cards, bank cards or even driver license programs.” Ibid. Idemia, formerly Morpho­Trust, LLC, was alleged to have embed­ded Russian-made code purchased from a Krem­lin-connec­ted firm into soft­ware that it sold to the FBI for its finger­print-recog­ni­tion tech­no­logy, rais­ing concerns that Russian hack­ers could comprom­ise law enforce­ment computer systems. Chris Hamby, “FBI Soft­ware for Analyz­ing Finger­prints Contains Russian-Made Code, Whis­tleblowers Say,” Buzzfeed News, Decem­ber 26, 2017, https://www.buzzfeed­­ware-contains-russian-made-code-that-could-open-a.

In sum, TSA’s Secure Flight uses a range of watch lists that rely at least in part on social media inform­a­tion in its preflight screen­ing and decision making, about which very little is known. TSA and CBP also have an extens­ive inform­a­tion-shar­ing arrange­ment in which TSA relies on ATS hold­ings, which include social media data, to screen “Inhib­ited Passen­gers” and to aid in “decision-support” via the ATS mobile applic­a­tion. TSA’s PreCheck also may include the collec­tion and analysis of social media inform­a­tion to desig­nate certain indi­vidu­als as “low risk.” The use of context-depend­ent and easily misin­ter­preted social media in secret analyses raises concerns about the use of discrim­in­at­ory criteria to target trav­el­ers, both domestic and inter­na­tional, as well as the impact on free speech.

End Notes

U.S. Immigration and Customs Enforcement

Immig­ra­tion and Customs Enforce­ment (ICE) invest­ig­ates cross-border crime and immig­ra­tion viol­a­tions. foot­note1_q1q0zky 1 ICE, “Who We Are,” The secret­ary of DHS deleg­ated ICE’s invest­ig­at­ive author­ity, pursu­ant to the Home­land Secur­ity Act of 2002, to ICE in DHS, “Deleg­a­tion of Author­ity to the Assist­ant Secret­ary for U.S. Immig­ra­tion and Customs Enforce­ment,” Deleg­a­tion Number 7030.2, Novem­ber 13, 2004, Its activ­it­ies range from combat­ing child porno­graphy and human traf­fick­ing to conduct­ing raids at work­places and target­ing people, includ­ing activ­ists, for immig­ra­tion viol­a­tions outside court­houses and schools. foot­note2_itjngil 2 See, for example, Sarah Ruiz-Gross­man, “ICE Dramat­ic­ally Increased Work­place Arrests of Undoc­u­mented Immig­rants in 2018,” Huff­ing­ton Post, Decem­ber 12, 2018, https://www.huff­ing­ton­­ra­tion-arrests-work-undoc­u­mented-immig­rants_us_5c105b3fe4b0ac537179c247; Maria Sacchetti and David Weigel, “ICE Has Detained or Depor­ted Prom­in­ent Immig­ra­tion Activ­ists,” Wash­ing­ton Post, Janu­ary 19, 2018, https://www.wash­ing­ton­­post/ice-has-detained-or-depor­ted-foreign­ers-who-are-also-immig­ra­tion-activ­ists/2018/01/19/377af23a-fc95–11e7-a46b-a3614530b­d87_story.html?utm_term=.ed71c0e7a6e1; Alanna Durkin Richer, “Ex-judges to ICE: End Immig­ra­tion Arrests at Court­houses,” Asso­ci­ated Press, Decem­ber 12, 2018,­ab9d­d51ace042be399. ICE relies on social media data, which is often unre­li­able, to support its extremely broad invest­ig­at­ive author­it­ies; the agency has also explored expand­ing its collec­tion of social media data to make dubi­ous and likely discrim­in­at­ory judg­ments about whether indi­vidu­als should be permit­ted to enter or remain in the coun­try.

ICE has two main branches: Home­land Secur­ity Invest­ig­a­tions (HSI), which conducts both crim­inal and civil invest­ig­a­tions, and Enforce­ment and Removal Oper­a­tions (ERO), which is primar­ily respons­ible for deten­tion and deport­a­tion. foot­note3_ip6nkhx 3 ICE, “HSI Special Agent Brochure,” Febru­ary 2011,­ig­ator-brochure.pdf; ICE, “Enforce­ment and Removal Oper­a­tions,” Most of the activ­it­ies described below are conduc­ted by HSI — the second-largest invest­ig­at­ive arm in the federal govern­ment foot­note4_4ban675 4 DOJ Offices of the United States Attor­neys, Federal Invest­ig­at­ive Agen­cies,­ig­at­ive-agen­cies. — which extracts, consults, and analyzes social media data during its invest­ig­a­tions, includ­ing vetting and invest­ig­at­ing over­stay leads and conduct­ing warrant­less border searches, as well as in its intel­li­gence-gath­er­ing and analysis initi­at­ives. In turn, these invest­ig­a­tions inform ERO’s removal oper­a­tions.

1. Invest­ig­a­tions

HSI often relies on social media in conduct­ing an invest­ig­a­tion. foot­note5_osub­y1g 5 See, for example, ICM 2016 PIA, 18. First, ICE agents may manu­ally collect data from publicly avail­able and commer­cial sources, includ­ing social media, whenever they determ­ine that the inform­a­tion is “relev­ant for devel­op­ing a viable case” and “supports the invest­ig­at­ive process.” foot­note6_4s8e353 6 Ibid., 22. Accord­ing to privacy impact assess­ments, such inform­a­tion is meant to be used to verify inform­a­tion that is already in the agency’s posses­sion, such as a target’s current and former places of resid­ence and cohab­it­ants, and to identify other personal prop­erty. foot­note7_40zyryp 7 Ibid., 18. However, it may also be used “to enhance exist­ing case inform­a­tion” by provid­ing identi­fy­ing details like date of birth, crim­inal history, and busi­ness regis­tra­tion records. foot­note8_rflx2pc 8 Ibid. ICE limits collec­tion of publicly avail­able inform­a­tion to “cred­ible, industry-wide sources” but offers no inform­a­tion about those sources or how they are chosen. Ibid., 21–22.

Social media inform­a­tion is also gathered during under­cover oper­a­tions related to crim­inal invest­ig­a­tions, during which agents are permit­ted to “friend” indi­vidu­als on social media sites and collect any inform­a­tion they come across as a result. foot­note9_3xi3a8e 9 Under­cover agents may also be gran­ted access to a restric­ted site in certain circum­stances. Ibid., 18. There are no publicly avail­able criteria or stand­ards for when ICE can initi­ate an under­cover oper­a­tion. However, a leaked hand­book outlines some factors that managers should take into consid­er­a­tion when assess­ing the need for an under­cover oper­a­tion, such as “risk of civil liab­il­ity or other loss to the U.S. Govern­ment.” See ICE Office of Invest­ig­a­tions, Under­cover Oper­a­tions Hand­book, OI HB 08–04, April 14, 2008, 39,­cover-oper­a­tions.pdf#page=50. In addi­tion, HSI agents gain access to social media inform­a­tion through other invest­ig­at­ory activ­it­ies — namely vetting and over­stay enforce­ment initi­at­ives and extrac­tions of data from elec­tronic devices obtained during border searches and invest­ig­a­tions — which are discussed in the next sections.

The Invest­ig­at­ive Case Manage­ment (ICM) system is the primary data­base that stores inform­a­tion collec­ted by ICE during crim­inal and civil invest­ig­a­tions. foot­note10_zrjd5k7 10 ICM 2016 PIA, 2. Before enter­ing any new inform­a­tion, agents and support person­nel are trained to compare it with inform­a­tion already in the system and external invest­ig­at­ive case files, and subject records and case docu­ments must be reviewed and approved by a super­visor before they can become “avail­able for use” in an invest­ig­a­tion. Audit logs capture all user activ­ity, but it is not known how, or whether, these logs are reviewed. Ibid., 5, 21. ICE agents can use ICM to auto­mat­ic­ally query a pleth­ora of internal and external systems, as well as to manu­ally search vari­ous pools of data and copy and upload the results; the inform­a­tion ICE can query includes results from CBP’s Auto­mated Target­ing System (ATS), which contains social media inform­a­tion from a number of sources. foot­note11_c04s­gao 11 Ibid., 6. From ICM, users can query CBP’s ATS and manu­ally copy data into ICM. Ibid., 17. ICM data is dissem­in­ated within DHS and shared broadly with outside agen­cies. foot­note12_ro5279g 12 Ibid., 29–30. In addi­tion to wide author­ity to share inform­a­tion through formal chan­nels with state, local, and federal law enforce­ment agen­cies, ICE agents are known to share inform­a­tion inform­ally with indi­vidual state or local law enforce­ment officers. foot­note13_59ff881 13 See National Immig­ra­tion Law Center, Untangling the Immig­ra­tion Enforce­ment Web, Septem­ber 2017, 3,­ra­tion-Enforce­ment-Web-2017–09.pdf. In addi­tion, ICM records that pertain to indi­vidu­als, or “subject records,” are shared via the Law Enforce­ment Inform­a­tion Shar­ing (LEIS) Service, a web-based data exchange plat­form that allows part­ner law enforce­ment agen­cies to access DHS systems, includ­ing but not limited to ICM and TECS, CBP’s primary law enforce­ment system. foot­note14_1nb3ys9 14 ICM 2016 PIA, 30; ICE, “Law Enforce­ment Inform­a­tion Shar­ing Initi­at­ive,”­a­tion-shar­ing. For more on “subject records,” See DHS, Privacy Impact Assess­ment for the TECS System: CBP Primary and Second­ary Processing, Decem­ber 22, 2010, 2–3,­a­tions/privacy-pia-cbp-tecs-decem­ber­2010_0.pdf.

ICM was developed by the private data mining company Palantir. foot­note15_bkwzp7u 15 Wood­man, “Palantir Provides the Engine for Donald Trump’s Deport­a­tion Machine.” Elec­tronic Privacy Inform­a­tion Center, FOIA Request Letter to Catrina Pavlik-Keenan, FOIA officer, ICE, August 14, 2017, 1–2,–08–10-ICE-20170810-Request.pdf. Accord­ing to contract notices, Palantir currently has a contract for work relat­ing to ICM that has so far totaled $51.6 million. foot­note16_0z6r40n 16 ICE contract with Palantir USG, Inc., Septem­ber 26, 2014–­Septem­ber 25, 2019, USASpend­ing, https://www.usaspend­ Though Palantir’s 2014 proposal for ICM described the system as inten­ded for use by ICE’s invest­ig­at­ive branch, HSI, in 2016 DHS disclosed that it is also used by ICE’s deport­a­tion branch, ERO, to obtain inform­a­tion “to support its civil immig­ra­tion enforce­ment cases.” foot­note17_aottnqy 17 Contract Award Notice, ICE Invest­ig­at­ive Case Manage­ment System, Soli­cit­a­tion Number HSCETC-14-R-00002, Federal Busi­ness Oppor­tun­it­ies,­ing.html. See also ICM 2016 PIA, 23–24.

ICE has also inves­ted in other soft­ware systems to enable it to analyze inform­a­tion from social media. For example, in June 2018, it was repor­ted that ICE had signed a $2.4 million contract with Pen-Link, foot­note18_iixcwdq 18 Chantal Da Silva, “ICE Just Launched a $2.4M Contract With a Secret­ive Data Surveil­lance Company That Tracks You in Real Time,” News­week, June 7, 2018,­­ive-data-surveil­lance-company-can-track-you-962493. a company offer­ing soft­ware to law enforce­ment that can collect and analyze “massive amounts of social media and inter­net commu­nic­a­tions data.” foot­note19_1my3p3l 19 Ibid. One of the services included in the Pen-Link contract with ICE is Pen-Link X-Net, foot­note20_tikz­sbq 20 DHS, “Justi­fic­a­tion and Approval for Other Than Full and Open Compet­i­tion.” which collects and analyzes large quant­it­ies of inter­net-based commu­nic­a­tions data, from an “extens­ive, ever-grow­ing list of providers,” includ­ing social media plat­forms. foot­note21_8m8tens 21 PenLink, “XNET: Invest­ig­at­ing Beyond Phone Calls,” Such sweep­ing collec­tion and analysis is likely to scoop up swaths of irrel­ev­ant and unre­li­able inform­a­tion and risks misin­ter­pret­ing innoc­u­ous connec­tions and patterns as illi­cit activ­ity.

Finally, West Publish­ing, a subsi­di­ary of Thom­son Reuters, provides HSI with access to the company’s Consol­id­ated Lead Eval­u­ation and Report­ing (CLEAR) system, through a 2017 contract worth $20 million. foot­note22_9mha2ec 22 ICE/HSI contract with West Publish­ing Corpor­a­tion, Janu­ary 19, 2017–Oc­to­ber 31, 2021, Federal Procure­ment Data System — Next Gener­a­tion, https://assets.docu­­ments/4546854/TR-Attach­ment-1.pdf. CLEAR combines a wide array of public and propri­et­ary records, includ­ing data from social networks and chat rooms, to create “custom­iz­able reports, Web Analyt­ics, mapping, and link charts.” foot­note23_zd6k­d4t 23 Thom­son Reuters, CLEAR Brochure, “The Smarter Way to Get Your Invest­ig­at­ive Facts Straight,” 2, 6, https://www.thom­son­reu­­web/docu­ments/pdf/legal/fact-sheet/clear-brochure.pdf. Accord­ing to other contract docu­ments, CLEAR provides essen­tial support to ICE’s abil­ity to invest­ig­ate crim­in­als and to uphold and enforce customs and immig­ra­tion law “at and beyond our nation’s borders.” foot­note24_a2ow­b4r 24 ICE Office of Acquis­i­tion Manage­ment, Invest­ig­a­tions & Oper­a­tions Support Dallas, “Limited Source Justi­fic­a­tion — Consol­id­ated Lead Eval­u­ation and Report­ing (CLEAR),” 2, https://www.medi­ CLEAR also inter­faces with inform­a­tion from Palantir as well as with ICE’s main analyt­ical system, FALCON. foot­note25_ptg84eu 25 Ibid.; FALCON-SA 2016 PIA, 35. See also Home­land Secur­ity Invest­ig­a­tions Mission Support, “FALCON Oper­a­tions & Main­ten­ance Support & System Enhance­ment, Perform­ance Work State­ment,” May 11, 2015, 16,­H­S­CETC15C00001.pdf.

2. Visa Over­stay Enforce­ment

ICE has iden­ti­fied visa over­stays as a seri­ous threat to national secur­ity and over the past several years has ramped up its enforce­ment, track­ing trav­el­ers who have allegedly remained in the United States beyond the time origin­ally permit­ted; its efforts have included social media monit­or­ing. foot­note26_nsdq­iz7 26 See, for example, Congres­sional Hear­ing on Visa Over­stays, 2, 13; Office of Inspector General, DHS, DHS Track­ing of Visa Over­stays Is Hindered by Insuf­fi­cient Tech­no­logy, OIG-17–56, May 1, 2017 (here­in­after OIG May 2017 Visa Over­stay Track­ing Report), 1, ttps://–56-May17_0.pdf. While two of the 9/11 hijack­ers had over­stayed their visas, foot­note27_n9587b9 27 OIG May 2017 Visa Over­stay Track­ing Report, 1. there is little evid­ence that over­stays pose a signi­fic­ant ongo­ing threat to national secur­ity. Research from the Cato Insti­tute shows that the chance of being killed in an attack by a foreign-born terror­ist is 1 in 4.1 million for an attacker on a tour­ist visa and 1 in 73 million for an attacker on a student visa, the two most common over­stay categor­ies. foot­note28_68n1sfz 28 Alex Nowras­teh, “Terror­ists by Immig­ra­tion Status and Nation­al­ity: A Risk Analysis, 1975–2017.” Given that the over­stay rate in 2017 was 2.06 percent for tour­ist visas and 4.15 percent for student visas, the chance of being killed by someone over­stay­ing a visa is infin­ites­imal. foot­note29_prgba6m 29 DHS, Fiscal Year 2017 Entry/Exit Over­stay Report, 11, 18,­a­tions/18_1009_S1_Entry-Exit-Over­stay_Report.pdf.

At a May 2017 congres­sional hear­ing, DHS described the basic process used to vet over­stay leads: CBP’s arrivals and depar­tures manage­ment system sends poten­tial leads — iden­ti­fied by match­ing entry and exit records to ATS, which auto­mat­ic­ally screens, prior­it­izes, and sends them over to ICE’s lead manage­ment system, LeadTrac. foot­note30_aemzd0a 30 Congres­sional Hear­ing on Visa Over­stays, 10; ATS 2017 PIA, 8. ICE’s LeadTrac system stores the inform­a­tion, includ­ing from social media, collec­ted by the programs and initi­at­ives described in this section. Accord­ing to the LeadTrac privacy impact assess­ment, inform­a­tion from social media can be copied and pasted or summar­ized in a LeadTrac subject record. DHS, Privacy Impact Assess­ment for LeadTrac System, DHS/ICE/PIA-044, July 22, 2016 (here­in­after LeadTrac 2016 PIA), 11,­a­tions/privacy-pia-ice-leadtrac-july2016.pdf. Accord­ing to the LeadTrac SORN, the system contains inform­a­tion not only on the target indi­vidual, but also on his or her asso­ci­ates (e.g., family members and employ­ers of suspec­ted status viol­at­ors) who may be legal perman­ent resid­ents or U.S. citizens. LeadTrac SORN, supra note 78, 52700. Analysts then vet these leads — against govern­ment data­bases, public indices, and unnamed commer­cial data­bases that provide aggreg­ated inform­a­tion from social media and other public sites, as well as through inter­net searches on social media plat­forms — to determ­ine whether there is a poten­tial viol­a­tion that could require a field invest­ig­a­tion. foot­note31_23smymb 31 LeadTrac 2016 PIA, 1, 9–10. Accord­ing to DHS docu­ments prepared for the incom­ing admin­is­tra­tion at the end of 2016, ICE person­nel target indi­vidu­als for over­stay enforce­ment who exhibit “specific risk factors,” which are based in part on “analysis of dynamic social networks.” foot­note32_hya8kal 32 These analyses of social networks may be informed by the data gathered from social media sites. Accord­ing to the DHS inspector general, ICE agents do not have policies and guid­ance on “appro­pri­ate system use” of the roughly 17 inform­a­tion tech­no­logy systems upon which analysts rely for over­stay work. foot­note33_hyrz7ql 33 OIG May 2017 Visa Over­stay Track­ing Report, 8, 16.

In 2014 ICE set up a special unit called the Open-Source Team, which uses a broad range of publicly avail­able inform­a­tion, includ­ing social media, to help “locate specific targeted indi­vidu­als, identify trends and patterns, and identify subtle rela­tion­ships.” foot­note34_mep393b 34 Congres­sional Hear­ing on Visa Over­stays, 13. Accord­ing to the Decem­ber 2016 issue of SEVP Spot­light, the Student Exchange and Visitor Program news­let­ter, this team also helps identify students or schools suspec­ted of viol­a­tion. HSI, SEVP Spot­light 6, no. 4 (Decem­ber 2016): 3, https://study­in­­light_decem­ber_2016_final.pdf. A docu­ment obtained by the Bren­nan Center via FOIA request high­lights three Open-Source Team “success stor­ies,” all of which involve indi­vidu­als from Muslim-major­ity coun­tries. foot­note35_uax1u5d 35 The three “success stor­ies” listed are “HSI Los Angeles Arrest of a Jord­anian National in Novem­ber 2014”; “HSI New York AWOL Case of a Yemen National in Janu­ary 2015”; and “HSI San Diego Request for Open-Source Intel­li­gence Report of Saudi Arabia National in May 2015.” The descrip­tions for each are entirely redac­ted. DHS, “CTCEU Open Source Team Success Stor­ies,” https://www.bren­nan­cen­­cial%20Me­dia%20Pi­lot%20Pro­grams%20-%20BCJ.pdf#page=8.

In August 2016, ICE launched a series of pilot programs that aim to use social media to bolster vetting, lead invest­ig­a­tion, and enforce­ment. foot­note36_o53g­g1w 36 See Congres­sional Hear­ing on Visa Over­stays, 13. One of these programs, the “Domestic Mantis Initi­at­ive,” vets leads pulled from the Student and Exchange Visitor System (SEVIS) on students who enter the United States plan­ning to study a “nonsens­it­ive” field of study and later change to one the State Depart­ment categor­izes as “sens­it­ive” because of its poten­tial connec­tion to national secur­ity–re­lated tech­no­logy (e.g., nuclear phys­ics, biomed­ical engin­eer­ing, and robot­ics). foot­note37_c8z9k27 37 A “sens­it­ive” field is one “related to a sens­it­ive tech­no­logy on the DOS Tech­no­logy Alert List.” DHS, “Visa Over­stay Enforce­ment Invest­ig­a­tions Expendit­ure Plan,” Fiscal Year 2016 Report to Congress, August 1, 2016, 4,­a­tions/Immig­ra­tion%20and%20Cus­toms%20En­force­ment%20-%20Visa%20Over­stay%20En­force­ment%20In­vest­ig­a­tions%20Ex­pendit­ure%20Plan.pdf; Depart­ment of State, “Using the Tech­no­logy Alert List (Update),” August 1, 2002,­Files/dos_cable_provides_update.pdf?n=1034. Using social media and other sources, ICE continu­ously monit­ors these students during their time in the United States, although it is not known what would consti­tute suspi­cious activ­ity that would cause immig­ra­tion author­it­ies to take action. foot­note38_sp6138g 38 DHS, “Visa Over­stay Enforce­ment Invest­ig­a­tions Expendit­ure Plan,” 5–6.

Also in August 2016, ICE launched another pilot program, most often referred to as the Over­stay Life­cycle program. foot­note39_byd40z4 39 The program is unnamed in the Inspector General report but referred to in several reports and testi­mon­ies as the “Over­stay Life­cycle pilot.” In docu­ments obtained by the Bren­nan Center via FOIA it is some­times referred to as the “Visa Secur­ity Social Media Pilot Program.” It is possible that this discrep­ancy is due to the fact that two differ­ent parts of HSI imple­ment this program — the Visa Secur­ity Program (which vets visas at certain State Depart­ment posts) and the Coun­terter­ror­ism and Crim­inal Exploit­a­tions Unit (which invest­ig­ates over­stay leads). See HSI, National Secur­ity Invest­ig­a­tions Divi­sion, “Visa Secur­ity Social Media Pilot Program,” https://www.bren­nan­cen­­cial%20Me­dia%20Pi­lot%20Pro­grams%20-%20BCJ.pdf. Accord­ing to a report by the DHS inspector general, the program screens the social media activ­ity of a category of nonim­mig­rant visa applic­ants from certain coun­tries to help uncover “poten­tial derog­at­ory inform­a­tion not found in Govern­ment data­bases”; both the category of applic­ants and the specific coun­tries involved were redac­ted from the publicly avail­able report. foot­note40_74d11bk 40 Office of Inspector General, DHS’ Pilots for Social Media Screen­ing Need Increased Rigor to Ensure Scalab­il­ity and Long-term Success, 3–4. The report noted that the pilot was to screen social media activ­ity at the time of visa applic­a­tion and to “continue social media monit­or­ing” (during a time frame or process that was redac­ted from the report, but could extend to the time that subjects were in the United States) using a “web search tool” that analyzes social media data to develop so-called “action­able inform­a­tion.” foot­note41_tgzg70o 41 Ibid., 3. As with other uses of social media by DHS, it is unclear what types of inform­a­tion would raise flags about visa applic­ants.

ICE’s Over­stay Life­cycle program was designed to supple­ment PATRIOT, an exist­ing program that screened applic­ants at 28 visa secur­ity posts but did not monitor people who were gran­ted visas and traveled to the United States. foot­note42_pmm08qn 42 DHS, “Visa Over­stay Enforce­ment Invest­ig­a­tions Expendit­ure Plan,” 3–4. The newer program aims to close this gap in enforce­ment by conduct­ing continu­ous vetting and monit­or­ing of some visa applic­ants, from the time they file a visa applic­a­tion to the time they depart from the coun­try or viol­ate their terms of admis­sion, to uncover any “derog­at­ory inform­a­tion.” foot­note43_miz3qlk 43 Ibid.

The visa applic­ants subject to continu­ous monit­or­ing would be those who have applied through one of “at least two” specific State Depart­ment posts abroad, though the posts are not publicly iden­ti­fied. foot­note44_b5ul54i 44 Ibid., 3. Accord­ing to the 2016 DHS report to Congress, these posts would be selec­ted “to comple­ment exist­ing HSI screen­ing efforts and in response to recent global acts of terror­ism perpet­rated in those coun­tries.” foot­note45_tqdlrq0 45 Ibid. Accord­ing to the same report, DHS also planned to incor­por­ate social media vetting tools into both PATRIOT and LeadTrac, and modify LeadTrac to ingest inform­a­tion from visa applic­ants upon entry. foot­note46_9xyafgt 46 The report noted that enabling this capab­il­ity “will require enhance­ments to PATRIOT through third-party systems/program modi­fic­a­tions.” Ibid., 4. Part of the $5.295 million iden­ti­fied for “Inform­a­tion Tech­no­logy, Social Media Exploit­a­tion, & Enhance­ments” in the expendit­ure plan for the report was alloc­ated to “creat­ing connectiv­ity to bridge the PATRIOT data­base to private vendor social media soft­ware for real-time vetting during the pre-entry adju­dic­a­tion process and procur­ing asso­ci­ated equip­ment and services to execute the mission.” Ibid., 6. It is not clear whether this system change has occurred.

It is clear, however, that ICE has relied heav­ily on the data mining firm Giant Oak, Inc., to support these programs and will continue to do so in the future. Accord­ing to publicly avail­able contract notices, in August and Septem­ber of 2018, both ICE’s Visa Secur­ity Program and its Coun­terter­ror­ism and Crim­inal Exploit­a­tion Unit (CTCEU) contrac­ted with Giant Oak for “open source/social media data analyt­ics.” foot­note47_lfl1ojk 47 ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analyt­ics — VSP,” August 21, 2018–August 20, 2019, USASpend­ing, https://www.usaspend­; ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analyt­ics — CTCEU,” June 13, 2018–August 31, 2019, USASpend­ing, https://www.usaspend­ These contracts are in addi­tion to previ­ous social media data analyt­ics contracts between ICE and Giant Oak. foot­note48_1eroewb 48 ICE contracts with Giant Oak, Inc., Septem­ber 4, 2014 — Septem­ber 24, 2018, “Spend­ing by Prime Award,” USASpend­ing, https://www.usaspend­ In Septem­ber 2018, ICE contrac­ted yet again with Giant Oak for $806,836, but the descrip­tion specifies “open-source/social media data analyt­ics for CBP.” It is not clear why ICE would desig­nate its spend­ing this way, rather than CBP contract­ing with the company itself. ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analyt­ics for CBP,” Septem­ber 24, 2018–­Septem­ber 24, 2019, USASpend­ing, https://www.usaspend­ One of ICE’s contracts with Giant Oak extends to August 31, 2022. ICE contract with Giant Oak, Inc., “Open Source/Social Media Data Analyt­ics,” Septem­ber 25, 2017–August 31, 2022, USASpend­ing, https://www.usaspend­ A contract recently obtained by the Bren­nan Center via FOIA request shows that CTCEU util­izes Giant Oak’s Search Tech­no­logy tool (GOST) to aid in proact­ive invest­ig­a­tion of national secur­ity leads that have incom­plete address inform­a­tion or were returned from field invest­ig­a­tions unre­solved. foot­note49_p51q8w6 49 “State­ment of Work,” ICE Contract #HSCEMD-14-C-00002 P00007, 31. This tool is used for bulk screen­ing and prior­it­iz­a­tion of indi­vidu­als based on “threat level” and continu­ously monit­ors and eval­u­ates changes in patterns of beha­vior over time. Accord­ing to the CEO of Giant Oak, the tool lets the govern­ment know when over­all patterns change—­for example, when a group of indi­vidu­als becomes “more . . . prone to viol­ence.” foot­note50_kc9me2b 50 Thomas Brew­ster, “Trump’s Immig­ra­tion Cops Just Spent $3 Million on These Ex-DARPA Social Media Data Miners,” Forbes, Septem­ber 27, 2017,­brew­ster/2017/09/27/trump-immig­ra­tion-social-media-surveil­lance-giant-oak-penlink-palantir/#7a77a4933e3b.

Accord­ing to the contract, Giant Oak continu­ously monit­ors social media and other online sources and returns to CTCEU any inform­a­tion that iden­ti­fies an indi­vidu­al’s possible loca­tion (includ­ing loca­tion of affil­i­ated organ­iz­a­tions), contact inform­a­tion, and employ­ers. foot­note51_gez80k5 51 “State­ment of Work,” ICE Contract #HSCEMD-14-C-00002 P00007, 33. The contract outlines vari­ous restric­tions relat­ing to obtain­ing inform­a­tion from social media sources. The contractor is only to use publicly access­ible, unres­tric­ted online sources; may not circum­vent restric­tions placed on system users; may not inter­act with indi­vidu­als who posted the inform­a­tion; may not appro­pri­ate online iden­tit­ies; and must abide by safe­guards for person­ally iden­ti­fi­able inform­a­tion outlined in DHS policy. Ibid., 34. Upon “exhaus­tion” of that so-called tier 1 inform­a­tion, ICE can request a follow-up search for inform­a­tion about the person’s asso­ci­ates (e.g., friends, family members, cowork­ers) that could help locate an indi­vidual. foot­note52_6ph9ux3 52 Ibid., 33. The docu­ments also note that the contract grants a Giant Oak “Social Scient­ist” access to clas­si­fied inform­a­tion; he/she “tweaks the algorithms” behind GOST to better serve CTCEU’s needs, and works to further special­ize the trans­lit­er­a­tion and name match­ing tools for “certain ethnic groups, non-Roman languages and alpha­bets, or coun­tries of origin.” foot­note53_aqhfye1 53 Ibid., 35. There is no publicly avail­able inform­a­tion on the scope of ICE’s other contracts with Giant Oak.

3. Extreme Vetting

As detailed below, after sustained oppos­i­tion from many stake­hold­ers, ICE announced in May 2018 that it had shelved its search for an auto­mated tool for its Extreme Vetting Initi­at­ive (now rebranded as the Visa Life­cycle Vetting Initi­at­ive). foot­note54_9745290 54 See side­bar “Auto­matic Extreme Vetting,” accom­pa­ny­ing notes i-vii. Instead, it has opted to spend $100 million to hire “roughly 180 people to monitor the social media posts of those 10,000 foreign visit­ors flagged as high-risk, gener­at­ing new leads as they keep tabs on their social media use.” foot­note55_g84h­ccb 55 Harwell and Miroff, “ICE Just Aban­doned Its Dream of ‘Extreme Vetting’ Soft­ware.” Monit­or­ing will continue while these indi­vidu­als are in the United States, although ICE has stated that it would stop if a visitor was gran­ted legal resid­ency. foot­note56_kujgrrg 56 Ibid. There is no public inform­a­tion on the types of social media posts that ICE considers indic­at­ive of risk, but if ICE endeavors to under­take predict­ive tasks based on the criteria outlined in the first version of this program, there is a high risk that the program can be used in discrim­in­at­ory ways.

ICE awar­ded this reima­gined, human-centered monit­or­ing contract to SRA Inter­na­tional (now CSRA Inc., owned by General Dynam­ics) in June 2018; several vendors filed chal­lenges, which were ulti­mately denied by the U.S. Govern­ment Account­ab­il­ity Office (GAO). foot­note57_bd0l­wz7 57 The award of the contract to CRSA was protested by ManTech, another big data analyt­ics company. The Govern­ment Account­ab­il­ity Office issued a recom­mend­a­tion in Novem­ber 2018 that ICE reevalu­ate the price quota­tions submit­ted by SRA and ManTech and make a new selec­tion decision. Govern­ment Account­ab­il­ity Office, “Matter of ManTech Advanced Systems Inter­na­tional, Inc.” file B-416734, Novem­ber 27, 2018, On Febru­ary 1, 2019, another protest was filed, by a company called Amyx. See G2Xchange, “Update: Protest of $113M DHS ICE Visa Life­cycle Vetting Oper­a­tions Support BPA denied,” April 15, 2019,­ics/gao-sides-with-protester-on-113m-dhs-ice-visa-life­cycle-vetting-oper­a­tions-support-bpa/. On April 9, 2019, Amyx’s protest was denied. Govern­ment Account­ab­il­ity Office, “Matter of Amyx, Inc.,” file B-416734.2, April 9, 2019, As of May 2019, about $15 million has been awar­ded to SRA to carry out the contract. foot­note58_03ifx1w 58 DHS Contract with SRA Inter­na­tional, August 19, 2018—August 19, 2023, USASpend­ing, https://www.usaspend­

As the above discus­sion makes clear, ICE relies heav­ily on social media to vet certain categor­ies of indi­vidu­als at the time of applic­a­tion. It is likely that these are predom­in­antly indi­vidu­als who are the focus of the Trump admin­is­tra­tion’s anti-Muslim extreme vetting initi­at­ives. Moreover, the agency is moving toward using social media to monitor and track visa hold­ers and students through­out their stay in the United States, where they would be covered by the First Amend­ment. It is also evid­ent that the agency intends to rely more and more on soft­ware and other auto­mated tech­no­lo­gies, which the USCIS pilot programs, discussed earlier, determ­ined were of limited useful­ness. foot­note59_rh1h­hsl 59 See supra text accom­pa­ny­ing notes 18–24 and infra text accom­pa­ny­ing notes 438–441.

Finally, it is worth high­light­ing that many of the ICE programs described above have been rolled out as pilots. While pilot programs are a useful way to assess new tools, ICE does not seem to system­at­ic­ally meas­ure their effect­ive­ness. It also does not issue privacy impact assess­ments for most of these activ­it­ies, which would at least provide a bare minimum of inform­a­tion to illu­min­ate the impacts of ICE programs. Last, public inform­a­tion provided by ICE does not clearly indic­ate which pilots are still active and how they relate to newer initi­at­ives, leav­ing the public in the dark about the agency’s activ­it­ies.

Automated extreme vetting

4. Elec­tronic Device Searches

ICE also collects, extracts, and analyzes inform­a­tion, includ­ing social media data, from elec­tronic devices (e.g., cell phones, laptops, tablets, thumb drives) obtained during warrant­less border searches and invest­ig­a­tions pursu­ant to search warrant, subpoena, or summons, or provided volun­tar­ily. foot­note60_pz44wss 60 DHS, Privacy Impact Assess­ment for the Immig­ra­tion and Customs Enforce­ment Forensic Analysis of Elec­tronic Media, DHS/ICE/PIA-042, May 11, 2015 (here­in­after ICE Forensic Analysis of Elec­tronic Media 2015 PIA), 1,­a­tions/privacy-pia-forensic­ana­lys­isofelec­tron­ic­me­dia-may2015.pdf. For the past decade, ICE, like CBP, has inves­ted in Cellebrite Univer­sal Forensic Extrac­tion Devices (UFEDs), hand-held tools that can instantly extract the full contents of any device, includ­ing phones, laptops, and hard drives. foot­note61_aqrrwjb 61 Thomas Brew­ster, “US Immig­ra­tion Splurged $2.2 Million on Phone Hack­ing Tech Just After Trump’s Travel Ban,” Forbes, April 13, 2018,­brew­ster/2017/04/13/post-trump-order-us-immig­ra­tion-goes-on-mobile-hack­ing-spend­ing-spree/#16764176a1fc. In recent years ICE has ramped up its purchas­ing of UFEDs, spend­ing an addi­tional $3.7 million on the tools (which cost between $5,000 and $15,000 each) and licens­ing since March 2017. foot­note62_1iithz5 62 The total ICE has spent on UFEDs since 2009 is at least $4,289,048. ICE contracts with Cellebrite, Febru­ary 2, 2009–April 25, 2018, “Spend­ing by Prime Award,” USASpend­ing, https://www.usaspend­­d85038b24821b92f. Accord­ing to a forensics community source inter­viewed by Forbes, one UFED unit sells for between $5,000 and $15,000. Thomas Brew­ster, “US Immig­ra­tion Splurged $2.2 Million on Phone Hack­ing Tech Just After Trump’s Travel Ban.” Not all of the money is spent on actual phys­ical devices, however; some of the funds go to “annual license renew­als.” See ICE contract with Cellebrite, April 25, 2018–August 15, 2018, USASpend­ing, https://www.usaspend­ Though it is not known precisely in what circum­stances and for what purposes ICE person­nel use these devices, it is clear that ICE has the capab­il­ity to easily extract swaths of data, includ­ing social media inform­a­tion, from elec­tronic devices. While the searches of devices obtained during invest­ig­a­tions are limited by the scope of the relev­ant search warrant, subpoena, or summons, ICE claims broad author­ity to search and store data from devices seized at the border, includ­ing social media data and other personal inform­a­tion.

A. Warrant­less Border Searches

ICE, like CBP, collects inform­a­tion obtained from elec­tronic devices at the border, which it justi­fies as neces­sary to supple­ment its invest­ig­a­tions and enforce­ment of immig­ra­tion laws, and both agen­cies draw distinc­tions between “basic” (manual) and “advanced” (forensic) device searches. foot­note63_rea43fs 63 ICE/CBP Elec­tronic Device Searches 2009 PIA, 18. For more on the distinc­tions between “basic” and “advanced” searches, see supra text accom­pa­ny­ing notes 142–154. Follow­ing the May 2018 decision in United States v. Kolsuz, which found that forensic exam­in­a­tions of cell phones at the border require some level of indi­vidu­al­ized suspi­cion, ICE issued an internal policy update that month prohib­it­ing the use of advanced searches without reas­on­able suspi­cion “in order to limit litig­a­tion risk.” foot­note64_9je83tl 64 HSI Legal Update: Border Search of Elec­tronic Devices, 2018; United States v. Kolsuz, 890 F.3d 133 (4th Cir. 2018). Previ­ously, ICE oper­ated under policy guid­ance issued nearly a decade prior, which allowed agents to “search, detain, seize, retain, and share” elec­tronic devices and any inform­a­tion they contain without indi­vidu­al­ized suspi­cion. foot­note65_dixkrns 65 ICE 2009 Direct­ive, Border Searches of Elec­tronic Devices, 2. Formal guid­ance on the imple­ment­a­tion of the May 2018 policy change for advanced searches has yet to be released, and the language of the policy suggests that ICE contin­ues to claim a right of access to inform­a­tion on trav­el­ers’ phones and in their social media accounts through basic searches, even where there is no suspi­cion of wrong­do­ing. A 2019 federal district court decision — hold­ing that both basic and advanced border searches of elec­tronic devices can reveal a wealth of personal inform­a­tion and there­fore require reas­on­able suspi­cion that devices contain contra­band — may prompt further change, though for now it only governs the activ­it­ies of CBP and ICE agents in Massachu­setts, where the case was filed. foot­note66_6zfu­lup 66 Alas­aad v. Nielsen, 2019 WL 5899371, at *1.

ICE claims its author­ity to search elec­tronic devices at the border derives from stat­utes passed by the First Congress, such as the Act of August 4, 1790, which grants customs inspec­tion author­ity over “goods, wares, or merchand­ise” enter­ing the coun­try. foot­note67_xlscb0a 67 ICE/CBP Elec­tronic Device Searches 2009 PIA, 3; Act of August 4, 1790, 1 Stat. 164. Though the 2009 privacy impact assess­ment asserts that “trav­el­ers’ elec­tronic devices are equally subject to search” as the “merchand­ise” described in 1790, the amount of sens­it­ive inform­a­tion contained in elec­tronic devices like cell phones is hardly compar­able. foot­note68_b75q97o 68 ICE claims that elec­tronic devices are equally subject to search because “the inform­a­tion contained in them may be relev­ant to DHS’s customs and immig­ra­tion inspec­tion processes and decisions.” ICE/CBP Elec­tronic Device Searches 2009 PIA, 3. Indeed, as the Supreme Court noted crit­ic­ally in a recent case, treat­ing cell phones as func­tion­ally identical to other phys­ical items of similar size “is like saying a ride on horse­back is mater­i­ally indis­tin­guish­able from a flight to the moon.” foot­note69_luqwioc 69 Riley v. Cali­for­nia, 134 S. Ct. 2473, 2488 (2014).

Accord­ing to the 2009 ICE direct­ive on border searches of elec­tronic devices, detained devices are typic­ally held for no more than 30 days, unless “circum­stances exist that warrant more time.” foot­note70_qr30xnc 70 ICE 2009 Direct­ive, Border Searches of Elec­tronic Devices, 5. If detained longer, they require super­vis­ory approval every 15 days there­after. Ibid. Copies of the content obtained from devices are stored on either an ICE external hard drive or a computer system, neither of which is connec­ted to a shared or remote network. foot­note71_0utcgzb 71 ICE/CBP Elec­tronic Device Searches 2009 PIA, 8. However, notes from any stage of the search process, typic­ally relat­ing to inform­a­tion that is “relev­ant” to immig­ra­tion, customs, or other laws enforced by DHS, foot­note72_f8qnu3f 72 The sole example given is that of a trav­eler who appears to be permit­ted legal entry as a visitor, but whose laptop contains a file reveal­ing evid­ence of his “true intent to secure employ­ment” in the United States, “making him inad­miss­ible.” Ibid., 5. can be stored by ICE in “any of their record­keep­ing systems,” such as the Intel­li­gence Records System. foot­note73_za7b­kzr 73 Ibid., 5. Notes from the search process can be kept for as long as allowed by the reten­tion sched­ule of the system the notes are stored in. Ibid., 19. See also DHS Privacy Office, Notice of Privacy Act System of Records, ICE– 006 Intel­li­gence Records System of Records, 75 Fed. Reg. 9233, 9235 (March 1, 2010) (here­in­after IIRS SORN), https://www.feder­alre­–4102/p-3. The stand­ard for relev­ance is left undefined, leav­ing ample room to collect a range of innoc­u­ous and often personal elec­tronic content.

ICE can dissem­in­ate copies of inform­a­tion from an elec­tronic device to federal, state, local, and foreign law enforce­ment agen­cies. foot­note74_mdr050w 74 ICE 2009 Direct­ive, Border Searches of Elec­tronic Devices, 7. CBP and ICE have 76 Customs Mutual Assist­ance Agree­ments to share inform­a­tion with foreign customs part­ners in support of specific cases. CBP, “DHS Trans­ition Issue Paper: Inter­na­tional Inform­a­tion Shar­ing,” in CBP Pres­id­en­tial Trans­ition Records, 2. While ICE must have reas­on­able suspi­cion that the inform­a­tion on a device is evid­ence of a crime in order to share device inform­a­tion with other federal agen­cies for subject matter assist­ance, no suspi­cion is required to ask for tech­nical assist­ance, which can encom­pass trans­la­tion and decryp­tion services. foot­note75_05tl4os 75 ICE/CBP Elec­tronic Device Searches 2009 PIA, 9. Accord­ing to the ICE direct­ive, inform­a­tion shared with assist­ing agen­cies is retained only for the amount of time neces­sary to provide assist­ance and is gener­ally returned or destroyed upon comple­tion. However, an assist­ing federal agency may retain a copy if it has the inde­pend­ent legal author­ity to do so (e.g., when the inform­a­tion has “national secur­ity or intel­li­gence value”). ICE 2009 Direct­ive, Border Searches of Elec­tronic Devices, 8. Further, ICE is specific­ally author­ized to dissem­in­ate any device inform­a­tion “relat­ing to national secur­ity” to law enforce­ment and intel­li­gence agen­cies. foot­note76_qakqs2u 76 Memor­andum from director, ICE Office of Invest­ig­a­tions, to assist­ant direct­ors et al., “Field Guid­ance on Hand­ling Detained or Seized Elec­tronic Media,” 2. There are few details avail­able about ICE’s audit­ing mech­an­isms for its border searches; we know only that the agency conducts regu­lar “self-assess­ments” to “verify compli­ance with its respons­ib­il­it­ies.” ICE/CBP Elec­tronic Device Searches 2009 PIA, 25. While ICE is meant to develop and “peri­od­ic­ally admin­is­ter” an audit­ing mech­an­ism to assess whether border searches of elec­tronic devices are being conduc­ted in line with its direct­ive, it is not known whether the agency has done so. See ICE 2009 Direct­ive, Border Searches of Elec­tronic Devices, 10.

In short, while ICE’s advanced searches now require reas­on­able suspi­cion, ICE can access inform­a­tion stored on devices and from social media with no suspi­cion of crim­inal activ­ity by conduct­ing basic searches, which can reveal a wealth of inform­a­tion gleaned from trav­el­ers’ social media accounts. It uses this inform­a­tion to support invest­ig­a­tions and make admiss­ib­il­ity determ­in­a­tions, but also as a broader means of inform­a­tion collec­tion. There are few restric­tions on how inform­a­tion obtained from elec­tronic devices is used and dissem­in­ated. And the inform­a­tion, includ­ing social media iden­ti­fi­ers and other personal data, can be stored in any number of ICE’s data­bases, to which count­less people have access, and shared with law enforce­ment as long as it is considered to “relate” to national secur­ity.

B. Extrac­tion and Analysis of Elec­tronic Media

Once ICE has obtained access to elec­tronic devices through a warrant­less border search or obtained access to “elec­tronic media” (a slightly broader category that also includes thumb drives, hard drives, other stor­age devices, etc.) via subpoena foot­note77_ud4hsf7 77 ICE has legal author­ity to issue subpoenas, summonses, and Form I-9 notices through 50 U.S.C. App. § 2411(a) for the Export Subpoena, 21 U.S.C. § 967 for the Controlled Substance Enforce­ment Subpoena, 19 U.S.C. § 1509 for the Customs Summons, Immig­ra­tion and Nation­al­ity Act (INA) § 235(d)(4)(A) for the Immig­ra­tion Subpoena, and INA § 274A(e)(2)(C) for the Form I-9 notice. DHS, Privacy Impact Assess­ment for the ICE Subpoena System, March 29, 2011,­a­tions/privacy_pia_27_ice_iss.pdf. For example, ICE can subpoena witness testi­mony before immig­ra­tion officers and the produc­tion of books, papers, and docu­ments “relat­ing to the priv­ilege of any person to enter, reenter, reside in, or pass through the United States or concern­ing any matter which is mater­ial and relev­ant to the enforce­ment of this Act and the admin­is­tra­tion of the Service.” INA § 235(d)(4)(A). or warrant, it can extract and analyze inform­a­tion if the data could be “pertin­ent” to an invest­ig­a­tion or enforce­ment activ­ity. foot­note78_fefwzlm 78 ICE Forensic Analysis of Elec­tronic Media 2015 PIA, 5, 6. Agents use a vari­ety of elec­tronic tools to collect and comb through elec­tronic media and extract “relev­ant evid­en­tiary mater­ial.” For example, certain tools make digital images of the media, create a mirror copy to use as the work­ing copy, and index and extract files and other data points. Some require an agent to create index terms for search purposes, whereas others have terms that are prede­ter­mined “based on the common type of data found in elec­tronic media.” Ibid., 2. The 2015 privacy impact assess­ment does not list any tools by name, noting only that multiple tools may be used on a single device. Ibid., 6. However, given that ICE has purchased UFEDs, which are designed for these types of func­tions, it is likely that they are used through­out HSI oper­a­tions involving elec­tronic media, during invest­ig­a­tions as well as border searches. See supra text accom­pa­ny­ing notes 134–135 and 367–368.

Accord­ing to the 2015 Privacy Impact Assess­ment for the Forensic Analysis of Elec­tronic Media, which encom­passes elec­tronic devices obtained during both border searches and invest­ig­a­tions, the data extrac­ted and analyzed by ICE could pertain to numer­ous indi­vidu­als beyond the person in posses­sion of the device, includ­ing witnesses, inform­ants, members of the public, and victims of crimes. foot­note79_6jddmm9 79 Ibid., 5. Extrac­ted data may also include sens­it­ive person­ally iden­ti­fi­able inform­a­tion such as medical and finan­cial inform­a­tion, records contain­ing commu­nic­a­tions such as text messages and emails, and records of inter­net activ­ity. foot­note80_wwhxyez 80 Ibid., 2. These records could reveal a host of sens­it­ive data, includ­ing medical condi­tions, polit­ical and reli­gious affil­i­ations, and inter­net brows­ing pref­er­ences.

Inform­a­tion extrac­ted from devices that are obtained during invest­ig­a­tions is retained accord­ing to a proposed sched­ule that varies depend­ing on the nature and outcome of the invest­ig­a­tion. foot­note81_ajw6l79 81 For cases that do not result in prosec­u­tion, the original digital evid­ence is retained until the case is closed, unless the evid­ence is required for follow-up invest­ig­a­tion, in which case it is retained for 16 years. For open cases where there is no stat­ute of limit­a­tions for the crime, the original digital evid­ence is considered a perman­ent record and preserved indef­in­itely. Ibid., 8. There is extremely wide author­ity to disclose inform­a­tion to other agen­cies — includ­ing federal, state, local, and foreign law enforce­ment coun­ter­parts. foot­note82_eleigu7 82 Ibid., 9. There also seems to be broad author­ity for re-dissem­in­a­tion by law enforce­ment part­ners. foot­note83_kb3ixxd 83 Accord­ing to the privacy impact assess­ment, “the inform­a­tion may be further dissem­in­ated by recip­i­ents on a need-to-know basis in order to ensure proper invest­ig­a­tion and prosec­u­tion of crim­inal viol­a­tions. If evid­ence of a poten­tial law viol­a­tion is extrac­ted from digital media, it may be used as neces­sary by the recip­i­ent to carry out its law enforce­ment func­tions, includ­ing prosec­u­tion of the viol­a­tion. This could involve re-dissem­in­a­tion to others whose input is needed.” Ibid., 9–10.

ICE uses a vari­ety of unspe­cified elec­tronic tools to analyze the media it extracts from devices via its border search author­ity or obtains during invest­ig­a­tions. foot­note84_er5w0u7 84 Ibid., 1. The 2015 privacy impact assess­ment lists four types of analyses that agents can conduct using these tools: time frame analyses (to help determ­ine when vari­ous activ­it­ies occurred on a device), data hiding (to find and recover concealed data), applic­a­tion and file analyses (to correl­ate files to installed applic­a­tions, exam­ine a drive’s file struc­ture, or review metadata), and owner­ship and posses­sion reviews (to identify indi­vidu­als who created, modi­fied, or accessed a given file). foot­note85_i9yyxel 85 Ibid., 2. Some of the tools are “govern­ment off-the-shelf applic­a­tions,” whereas others are developed specific­ally for and purchased by ICE. Ibid. The tools also can be used to “high­light anom­alies” in the data. foot­note86_gpq6su4 86 Ibid., 7.

Social media inform­a­tion and other data extrac­ted from elec­tronic devices during invest­ig­a­tions and border searches are stored in ICE’s Intel­li­gence Records System. foot­note87_fry9no7 87 IIRS SORN, 9235. That data is then inges­ted into FALCON-SA, which has a number of analyt­ical capab­il­it­ies includ­ing “social network analysis,” and will be discussed in the Analyt­ical Tools and Data­bases section below. foot­note88_87j41ni 88 FALCON-SA 2016 PIA, 32; ICE, “Social Network Analysis: Advanced Refer­ence Guide,” 1,­bases/FALCON-Social-Network-Analysis-Refer­ence-Guide.pdf.

Thus, based on a low threshold of “pertin­ence,” ICE uses soph­ist­ic­ated tools to extract social media data from elec­tronic devices that it obtains during border searches and invest­ig­a­tions. The extrac­ted data is then subject to a vari­ety of analyses (about which we know little), while notes about the inform­a­tion may be shared widely within and beyond DHS and poten­tially channeled into other systems for addi­tional analyses. ICE’s extrac­tion of social media data from elec­tronic media is yet another example of how the extens­ive DHS inform­a­tion-shar­ing appar­atus enables data to be collec­ted for one purpose under a malle­able stand­ard and then stored, shared, and reused for second­ary purposes.

5. Analyt­ical Tools and Data­bases

The numer­ous sources of inform­a­tion gathered by ICE oper­a­tions and invest­ig­a­tions are consol­id­ated into several large data­bases. The main ICE data­base for compil­ing and analyz­ing social media inform­a­tion is the FALCON Search & Analysis System (FALCON-SA). foot­note89_1qey­a2i 89 FALCON-SA contains inform­a­tion on vari­ous categor­ies of indi­vidu­als, such as those who are the subject of invest­ig­a­tions or border encoun­ters with DHS or indi­vidu­als asso­ci­ated with tips concern­ing crim­inal or suspi­cious activ­ity. FALCON-SA 2016 PIA, 4. FALCON-SA records may include some or all of the follow­ing types of person­ally iden­ti­fi­able inform­a­tion: identi­fy­ing and biographic data, citizen­ship and immig­ra­tion data, customs import-export history, crim­inal history, contact inform­a­tion, crim­inal asso­ci­ations, family rela­tion­ships, employ­ment, milit­ary service, educa­tion, and other back­ground inform­a­tion. Ibid. ICE person­nel use FALCON-SA to conduct two kinds of analyses using social media data: trend analysis, or identi­fy­ing patterns, anom­alies, and shifts in data to guide oper­a­tional strategy or predict future outcomes; foot­note90_u0um­rkc 90 DHS Manage­ment Direct­or­ate, “DHS Lexicon Terms and Defin­i­tions,” 473 (defin­ing pattern analysis). and link and network analysis, or identi­fy­ing connec­tions among indi­vidu­als, groups, incid­ents, or activ­it­ies. foot­note91_5118yoh 91 FALCON-SA 2016 PIA, 2–3. This section will describe how FALCON-SA and its source systems enable these processes by gath­er­ing and stor­ing inform­a­tion from numer­ous sources about a wide vari­ety of indi­vidu­als, dissem­in­at­ing inform­a­tion broadly, and apply­ing unknown analyt­ical tools to draw conclu­sions that impact ICE oper­a­tions.

Although FALCON-SA does not itself extract data directly from social media, users can add social media inform­a­tion from other systems to FALCON-SA without restric­tion, and FALCON-SA auto­mat­ic­ally ingests data from several other data­bases that store social media inform­a­tion. foot­note92_btkp604 92 Users can add social media inform­a­tion to FALCON-SA either to “verify or update inform­a­tion already in the system” or “to add other inform­a­tion about an indi­vidual that is not avail­able in FALCON-SA” already. DHS, Privacy Impact Assess­ment Update for the FALCON Search & Analysis System, DHS/ICE/PIA-032(a), Janu­ary 16, 2014, 10,­a­tions/privacy_pia_ice_falconsa_janu­ary2014.pdf. “Open-source data,” which includes social media inform­a­tion, is listed as a category of data that can be uploaded into FALCON-SA on an ad hoc basis. FALCON-SA 2016 PIA, 35. For instance, every day, FALCON-SA ingests inform­a­tion from ICE’s Invest­ig­at­ive Case Manage­ment (ICM) system relat­ing to current or previ­ous law enforce­ment invest­ig­a­tions, as well as ICE and CBP lookout records, foot­note93_14fn­m13 93 Lookout records are based on law enforce­ment, anti-terror­ism, travel docu­ment fraud, or other interests based on previ­ous viol­a­tions of law or suspi­cion of viol­a­tions. CBP officers use lookout records at primary and second­ary inspec­tion processing at the ports of entry. See DHS, Privacy Impact Assess­ment for the TECS System: Plat­form, DHS/CBP/PIA-021, August 12, 2016, 12,­a­tions/DHS-PIA-ALL-021%20TECS%20Sys­tem%20Plat­form.pdf. which can include records of elec­tronic devices searched at the border, includ­ing details gleaned from inspec­tions of social media applic­a­tions. foot­note94_wfzcw8b 94 CBP and ICE both use TECS for lookout records, and TECS stores records of elec­tronic device searches, which may be included in lookout records. OIG 2018 Elec­tronic Device Report, 4. ICM also trans­fers to FALCON-SA tele­com­mu­nic­a­tions inform­a­tion about subjects of ICE crim­inal invest­ig­a­tions, poten­tial targets, asso­ci­ates of targets, or any indi­vidu­als or entit­ies who call or receive calls from these indi­vidu­als. foot­note95_qyyhqwo 95 FALCON-SA 2016 PIA, 32–33. On an ad hoc basis, ATS border cross­ing data and inbound/outbound ship­ment records are also uploaded into FALCON-SA. foot­note96_t1kl3zh 96 Other data sources in FALCON-SA include ad hoc uploads of crim­inal history inform­a­tion and warrant or other lookout records from domestic and foreign law enforce­ment sources, includ­ing the FBI’s National Crime Inform­a­tion Center (NCIC); finished intel­li­gence reports gener­ated by DHS and other law enforce­ment or intel­li­gence agen­cies; and inform­a­tion or reports supplied by foreign govern­ments and multina­tional organ­iz­a­tions. FALCON-SA 2016 PIA, 35–6. Passen­ger Name Record (PNR) data obtained from ATS may not be uploaded or entered into FALCON-SA. Ibid., 35. While ICM’s tele­com­mu­nic­a­tions data and ATS’s border cross­ing and ship­ment data likely do not include social media inform­a­tion, once all these elements are combined with the other sources in FALCON-SA, the aggreg­a­tion of inform­a­tion may collect­ively reveal a wealth of details about an indi­vidu­al’s travels, family, reli­gious affil­i­ations, and more. foot­note97_fa7ytjj 97 For instance, tele­com­mu­nic­a­tions records could be help­ful in provid­ing addi­tional inform­a­tion about one’s “social network.” Accord­ing to 2013 DHS fund­ing docu­ments that the Inter­cept obtained via FOIA request, FALCON-SA allows users “to follow target tele­phone activ­ity and GPS move­ment on a map in real time.” DHS, “FALCON New Require­ments for Outline,” 2013, 5, https://www.docu­­ments/3517286-FALCON-New-Require­ments-Outline.html#docu­ment/p1. See also Spen­cer Wood­man, “Palantir Enables Immig­ra­tion Agents to Access Inform­a­tion From the CIA,” Inter­cept, March 17, 2017, https://thein­ter­­ra­tion-agents-to-access-inform­a­tion-from-the-cia/.

FALCON-SA users are able to combine these vari­ous forms of inform­a­tion and apply the system’s built-in trend analysis tools in order to high­light patterns, shifts in crim­inal tactics, emer­ging threats, and stra­tegic goals and object­ives. foot­note98_0fi5go9 98 FALCON-SA 2016 PIA, 2. These find­ings are then shared with DHS and ICE lead­er­ship, agents, officers, and other employ­ees in the form of law enforce­ment intel­li­gence products or reports. To produce these reports, FALCON-SA retains “all inform­a­tion that may aid in estab­lish­ing patterns of unlaw­ful activ­ity,” even if that inform­a­tion may not be strictly relev­ant or neces­sary for an invest­ig­a­tion, and even if the accur­acy of the inform­a­tion is unclear. foot­note99_9udh09e 99 DHS Privacy Office, Notice of Proposed Rule­mak­ing, ICE–016 FALCON Search and Analysis System of Record, 82 Fed. Reg. 20844, 20846 (May 4, 2017), https://www.regu­la­­ment?D=DHS_FRDOC_0001–1573.

To support its network analyt­ics func­tions, FALCON-SA, like CBP’s Analyt­ical Frame­work for Intel­li­gence, regu­larly ingests large amounts of inform­a­tion about indi­vidu­als from another data­base, the ICE Intel­li­gence Records System (IIRS). foot­note100_hwwdir2 100 The follow­ing types of inform­a­tion from IIRS are inges­ted by FALCON-SA: “law enforce­ment, intel­li­gence, crime, and incid­ent reports, and reports of suspi­cious activ­it­ies, threats, or other incid­ents gener­ated by ICE and other agen­cies.” FALCON-SA 2016 PIA, 32. ICE’s Office of Intel­li­gence manages IIRS. IIRS SORN, 9233. IIRS, like the CBP Intel­li­gence Records System, contains inform­a­tion on a wide vari­ety of indi­vidu­als, includ­ing people who are not suspec­ted of any crim­inal activ­ity or seek­ing any type of immig­ra­tion bene­fit, such as asso­ci­ates of people seek­ing visas or natur­al­iz­a­tion, includ­ing Amer­ic­ans; people iden­ti­fied in public news reports; and people who have repor­ted suspi­cious activ­it­ies or incid­ents. foot­note101_bylxyp8 101 IIRS SORN, 9235. IIRS also contains elec­tronic data and other inform­a­tion collec­ted during ICE invest­ig­a­tions and border searches, likely includ­ing social media data extrac­ted from devices. foot­note102_maqn6wt 102 Ibid. The ICE Intel­li­gence Records System main­tains records to produce intel­li­gence reports that provide action­able inform­a­tion to ICE person­nel and other govern­ment agen­cies. Ibid. Sources for the system also include records from commer­cial vendors and publicly avail­able data, such as social media inform­a­tion, which are not required to be relev­ant or neces­sary. foot­note103_hb0y­met 103 All inform­a­tion that may help estab­lish patterns of unlaw­ful activ­ity is retained, whether relev­ant or neces­sary to an invest­ig­a­tion. DHS Privacy Office, Final Rule, ICE–006 Intel­li­gence Records System, 75 Fed. Reg. 12437, 12438 (March 16, 2010),–03–16/pdf/2010–5618.pdf. Other records in the system include terror­ist watch list inform­a­tion; records pertain­ing to known or suspec­ted terror­ists, terror­ist incid­ents, activ­it­ies, groups, and threats; intel­li­gence report­ing from other groups or agen­cies; and suspi­cious activ­ity and threat reports from ICE and outside entit­ies. IIRS SORN 9235, 9237.

Inform­a­tion from IIRS, ICM, and ATS is trans­ferred to FALCON-SA, where it informs FALCON-SA’s network analysis, high­light­ing asso­ci­ations between indi­vidu­als and data elements. foot­note104_tzi8wle 104 FALCON-SA 2016 PIA, 2, 32–3. Users can then identify possible connec­tions among exist­ing ICE invest­ig­a­tions and create visu­al­iz­a­tions (e.g., maps, charts, tables) that display connec­tions and rela­tion­ships among people and enter­prises. foot­note105_0q82n5g 105 Ibid., 2–3. Accord­ing to docu­ments obtained by the Elec­tronic Privacy Inform­a­tion Center via FOIA, FALCON has “social network analysis” capab­il­it­ies that seem to rely on social media data. foot­note106_6u7gkyd 106 ICE, “Social Network Analysis: Advanced Refer­ence Guide,” 1,­bases/FALCON-Social-Network-Analysis-Refer­ence-Guide.pdf. ICE has not made clear whether ERO agents can directly access FALCON-SA to track down undoc­u­mented immig­rants, although they can get such inform­a­tion from HSI. foot­note107_uwg93dp 107 Poten­tial ERO access to the system is not addressed in FALCON-SA privacy impact assess­ments or system of records notices. FALCON-SA 2016 PIA; DHS, System of Records Notice, FALCON-Search and Analysis System of Records, 82 Fed. Reg. 20905 (May 4, 2017), https://www.regu­la­­Streamer?docu­mentId=DHS-2017–0001–0001&content­Type=pdf. However, HSI can share inform­a­tion from FALCON-SA with ERO on a need-to-know basis. Ibid., 20906. See also Wood­man, “Palantir Provides the Engine for Donald Trump’s Deport­a­tion Machine” (noting that ICE did not respond to ques­tions about whether FALCON is made avail­able to ERO agents).

Schedule of Data Transfer to FALCON-SA

Notably, the oper­a­tions of FALCON-SA, which is one of three ICE FALCON modules, foot­note108_ieqyef1 108 Other FALCON modules include FALCON Data Analysis and Research for Trade Trans­par­ency (DARTTS) and the FALCON Road­run­ner System. FALCON-SA 2016 PIA, 34; DHS, Privacy Impact Assess­ment for the FALCON-Road­run­ner DHS/ICE/PIA-040, Novem­ber 12, 2014,­a­tions/privacy-pia-ice-falcon­road­run­ner-novem­ber­2014.pdf. are intim­ately connec­ted with ICE’s contracts with the tech­no­logy company Palantir. foot­note109_b0t84n6 109 Elec­tronic Privacy Inform­a­tion Center, FOIA Request Letter to Pavlik-Keenan, 1–2; See also­Wood­man, “Palantir Enables Immig­ra­tion Agents to Access Inform­a­tion From the CIA.” Accord­ing to the Palantir Licens­ing Terms and Condi­tions for FALCON, released in response to a FOIA request, FALCON is based on Palantir’s Gotham plat­form, a soft­ware system unique to ICE that allows the agency to analyze complex data sets contain­ing detailed personal inform­a­tion about indi­vidu­als. foot­note110_xyw1ypk 110 Home­land Secur­ity Invest­ig­a­tions Mission Support, “FALCON Oper­a­tions & Main­ten­ance Support & System Enhance­ment, Perform­ance Work State­ment,” 16. Publicly avail­able contract notices reveal that in Novem­ber 2018, Palantir began a new one-year, $42.3 million contract with ICE for “FALCON Oper­a­tions & Main­ten­ance,” which brings the total for such contracts for FALCON to about $94 million. foot­note111_4qir­jcz 111 ICE contract with Palantir Tech­no­lo­gies Inc., “FALCON Oper­a­tions and Main­ten­ance (O&M) Support Services and Optional Enhance­ments,” Novem­ber 28, 2018–Novem­ber 27, 2019, USASpend­ing, https://www.usaspend­ In May 2018, Palantir concluded a three-year contract for work on FALCON worth $39 million. ICE contract with Palantir Tech­no­lo­gies Inc., “FALCON Oper­a­tions and Main­ten­ance (O&M), System Enhance­ment Support Services for Palantir Govern­ment,” May 28, 2015–May 27, 2018, USASpend­ing, https://www.usaspend­ See also earlier contract for FALCON work, ICE contract with Palantir Tech­no­lo­gies Inc., “FALCON Oper­a­tions and Main­ten­ance (O&M) Support Services,” June 14, 2013–May 27, 2015, USASpend­ing, https://www.usaspend­ Between June 7 and 18, 2018, Palantir completed a $250,000 contract with ICE for “Palantir Gotham Soft­ware,” likely for FALCON soft­ware upgrades. ICE contract with Palantir Tech­no­lo­gies Inc., “Palantir Gotham Soft­ware,” June 7–18, 2018, USASpend­ing, https://www.usaspend­ Many aspects of Palantir’s work with ICE — described in further detail in the Invest­ig­a­tions section, above — remain undis­closed, such as the privacy protec­tions for personal inform­a­tion, includ­ing social media data, that resides in FALCON-SA.

In sum, ICE’s analyt­ical tools aim to fully exploit the broad array of sens­it­ive inform­a­tion, includ­ing social media data, collec­ted by ICE agents and other DHS compon­ents. FALCON-SA houses social media data, for which there are no accur­acy require­ments, from numer­ous sources. This inform­a­tion is subjec­ted to unspe­cified trend and network analyses, the effic­acy of which is not publicly under­stood. While people seek­ing immig­ra­tion bene­fits bear the brunt of this scru­tiny, their Amer­ican friends, relat­ives, and busi­ness asso­ci­ates are sucked into these repos­it­or­ies of inform­a­tion as well.

End Notes

U.S. Citizenship and Immigration Services

U.S. Citizen­ship and Immig­ra­tion Services (USCIS) processes and adju­dic­ates applic­a­tions and peti­tions for a vari­ety of immig­ra­tion bene­fits, includ­ing adjust­ment of status (for instance, from a student visa to a green card), natur­al­iz­a­tion, and asylum and refugee status. foot­note1_1hcqdj9 1 FDNS 2014 PIA, 1–2. USCIS’s Fraud Detec­tion and National Secur­ity Direct­or­ate (FDNS) performs back­ground checks, processes immig­ra­tion applic­a­tions, invest­ig­ates immig­ra­tion bene­fit fraud, and func­tions as the link between USCIS and law enforce­ment and intel­li­gence agen­cies. foot­note2_13op­m4o 2 Ibid., 1. Other USCIS direct­or­ates, such as the Field Oper­a­tions Direct­or­ate, are also “explor­ing” social media as an added vetting tool. Citizen­ship and Immig­ra­tion Services Ombuds­man, Annual Report 2018, June 28, 2018 (here­in­after USCIS 2018 Annual Report), 34,­a­tions/DHS%20An­nual%20Re­port%202018.pdf. The ambigu­ous nature of social media inform­a­tion collec­ted by USCIS raises concerns about how it will be inter­preted, espe­cially for Muslims who are the targets of many of these programs. Indeed, while USCIS is expand­ing these programs, an inspector general report shows that the agency has not eval­u­ated much less demon­strated — their effect­ive­ness.

1. Vetting

FDNS uses social media in a few contexts relat­ing to its vetting initi­at­ives, primar­ily to aid in determ­in­ing an indi­vidu­al’s admiss­ib­il­ity or eligib­il­ity. foot­note3_37n3gmu 3 USCIS 2018 Annual Report, 34. In 2014, FDNS star­ted a pilot Social Media Divi­sion, which was made perman­ent in 2016. It was later expan­ded under an initi­at­ive known as FDNS “Enhanced Review.” foot­note4_7u5rt2y 4 Hear­ing on Refugee Admis­sions: Cissna Testi­mony, 5; USCIS 2018 Annual Report, 34.

In 2015 and 2016, USCIS under­took five pilot programs to test the use of social media for screen­ing and vetting. Four programs targeted refugees, and one focused on K-1 (fiancé[e]) visa applic­ants for adjust­ment of status. foot­note5_jkzflic 5 Office of Inspector General, DHS’ Pilots for Social Media Screen­ing Need Increased Rigor to Ensure Scalab­il­ity and Long-term Success, 8; USCIS Brief­ing Book, 180. While it is unclear which pilots have contin­ued or been made perman­ent, public docu­ments show that examin­ing social media has become a key part of vetting refugees and asylum seekers in partic­u­lar.

A. Vetting for Refugees and Asylum Seekers

Accord­ing to DHS docu­ments, the Social Media Divi­sion of FDNS performs social media vetting on “certain” asylum applic­a­tions and screens refugee applic­ant data for “select popu­la­tions” against publicly avail­able inform­a­tion. foot­note6_6gso46i 6 USCIS 2018 Annual Report, 34. In Octo­ber 2017, the director of USCIS told Congress that the “select popu­la­tions” included Syri­ans, and that USCIS was work­ing to refine and expand its use of social media to target addi­tional categor­ies of refugee and asylum applic­ants. foot­note7_qzbg6ux 7 Hear­ing on Refugee Admis­sions: Cissna Testi­mony, 5. This state­ment came shortly after the Trump admin­is­tra­tion announced new “enhanced vetting capab­il­it­ies” for refugees from 11 coun­tries iden­ti­fied as posing a “higher risk.” foot­note8_x75yqhd 8 Rex W. Tiller­son, Elaine Duke, and Daniel Coats, Memor­andum to the Pres­id­ent, “Resum­ing the United States Refugee Admis­sions Program With Enhanced Vetting Capab­il­it­ies,” Octo­ber 23, 2017, 2,­a­tions/17_1023_S1_Refugee-Admis­sions-Program.pdf. The coun­tries were not publicly iden­ti­fied by the admin­is­tra­tion, but it seems likely that this addi­tional screen­ing is targeted primar­ily at Muslims: the FDNS “Enhanced Review” was triggered by the Muslim ban exec­ut­ive order. foot­note9_gcip­pgo 9 Exec. Order No. 13,780, 82 Fed. Reg. 13209 (March 6, 2017),–03–09/pdf/2017–04837.pdf. Refugee Coun­cil USA, a coali­tion of organ­iz­a­tions focused on refugee protec­tion and reset­tle­ment, told CNN that as of Janu­ary 2018 the list of coun­tries subject to enhanced review included Egypt, Iran, Iraq, Libya, Mali, North Korea, Somalia, South Sudan, Sudan, Syria, and Yemen. foot­note10_gykbe39 10 Laura Koran and Tal Kopan, “US Increases Vetting and Resumes Processing of Refugees From ‘High-Risk’ Coun­tries” Of the earlier social media pilots under­taken by USCIS, at least two focused solely on refugee applic­ants from Syria, one focused solely on refugee applic­ants from Syria and Iraq, and at least two used auto­mated tools that were capable only of trans­lat­ing social media posts from Arabic. foot­note11_npgswl2 11 See USCIS, Review of the Defense Advanced Research Projects Agency 2.0 Social Media Pilot, June 2, 2016, 9, https://www.docu­­ments/4341532-COW2017000400-FOIA-Response.html#docu­ment/p1; USCIS Brief­ing Book, 181.

All refugee applic­ants, as well as those who gain status through an applic­ant (e.g., a spouse or child), undergo a vari­ety of checks. foot­note12_9pe9tn3 12 DHS, Privacy Impact Assess­ment for the Refugee Case Processing and Secur­ity Vetting, DHS/USCIS/PIA-068, July 21, 2017 (here­in­after USCIS 2017 Refugee Vetting PIA), 5,­a­tions/privacy-pia-uscis-refugee-july2017.pdf. The U.S. Refugee Admis­sions Program is the program charged with vetting the entry of and reset­tling eligible refugees to the United States. Although the Depart­ment of State is the over­all manager, the program is jointly run with USCIS. Ibid., 1. FDNS is respons­ible for conduct­ing social media checks on refugee applic­ants. Ibid., 7. “Select applic­ant popu­la­tions” are subject to social media checks, during which an FDNS officer looks at social media for inform­a­tion relat­ing to their claim for refugee status or indic­a­tion of poten­tial fraud, crim­inal activ­ity, or national secur­ity concerns. foot­note13_eon4lft 13 Ibid., 7. During such checks, officers initially collect inform­a­tion using a govern­ment-affil­i­ated account and user­name and do not inter­act with applic­ants through social media; this process is defined as overt research. When USCIS deems that an applic­a­tion presents a national secur­ity or public safety concern and overt research could “comprom­ise the integ­rity” of an invest­ig­a­tion, officers are permit­ted to use iden­tit­ies that do not identify their DHS or govern­ment affil­i­ation in a process known as masked monit­or­ing. foot­note14_k575e17 14 Ibid. The prohib­i­tion on inter­act­ing with applic­ants, however, still applies during masked monit­or­ing. Ibid., 8.

A 2015 FDNS memor­andum on the use of social media for refugee processing notes that officers will limit collec­tion of inform­a­tion related to First Amend­ment–­pro­tec­ted activ­it­ies to inform­a­tion that is “reas­on­ably related to adju­dic­at­ive, invest­ig­at­ive, or incid­ent response matters.” foot­note15_1g7lzp8 15 León Rodrig­uez, USCIS director, to Sarah M. Kend­all, asso­ci­ate director, Fraud Detec­tion and National Secur­ity, and Joseph E. Langlois, asso­ci­ate director, Refugee, Asylum and Inter­na­tional Oper­a­tions, “Fraud Detec­tion and National Secur­ity Use of Social Media for Refugee Processing,” April 7, 2015,­a­tions/USCIS%20Pres­id­en­tial%20Trans­ition%20Re­cords.pdf#page=1442. The privacy impact assess­ment for refugee vetting notes that officers may provide the refuge seeker a chance to view and explain a social media post­ing found during vetting, and that the decision on a refugee’s reset­tle­ment or employ­ment eligib­il­ity cannot be made solely on the basis of inform­a­tion obtained from social media. foot­note16_xz6667l 16 USCIS 2017 Refugee Vetting PIA, 18.

As of Novem­ber 2016, DHS repor­ted that no immig­ra­tion bene­fit had been denied “solely or primar­ily” as a result of inform­a­tion found on social media. foot­note17_lqdqgd6 17 USCIS Brief­ing Book, 183. In fact, DHS concluded that inform­a­tion found during screen­ing had merely a “limited” impact in “a small number of cases” in which the data was used for devel­op­ing addi­tional aven­ues of inquiry, and that social media inform­a­tion had little to no impact in the vast major­ity of cases. foot­note18_qognkh2 18 Ibid. This low “hit” rate raises ques­tions about the value of focus­ing resources on collect­ing and analyz­ing this type of data.

For asylum seekers, DHS officers compare inform­a­tion from social media and other public and commer­cial sources against the inform­a­tion that applic­ants provide regard­ing when they entered the United States, how long they have been in the coun­try, and even when they “encountered harm outside the United States.” foot­note19_0j26941 19 DHS, Privacy Impact Assess­ment for the USCIS Asylum Divi­sion, DHS/USCIS/PIA-027(C), July 21, 2017 (here­in­after USCIS 2017 Asylum Divi­sion PIA), 20,­a­tions/privacy-pia-uscis-asylum-july2017_0.pdf. Asylum officers are trained to compare public and commer­cial data with “applic­ant-repor­ted inform­a­tion”; if they find an incon­sist­ency, they “must confront the applic­ant with that inform­a­tion” and provide an oppor­tun­ity to explain it. foot­note20_ik8gx6s 20 USCIS 2017 Asylum Divi­sion PIA, 20–21.

Although FDNS has tested auto­mated tools to vet the social media of indi­vidu­als seek­ing refuge, the extent to which such tools are currently used is not known. In pilot programs related to refugee applic­a­tions, officers iden­ti­fied seri­ous prob­lems with the tools tested. Some of these were prac­tical prob­lems, such as language limit­a­tions (most tools are English-focused) and efforts by social media compan­ies to prevent their plat­forms from being used as surveil­lance tools by block­ing access to big data feeds. foot­note21_4ksok79 21 USCIS Brief­ing Book, 183. Further, when auto­mated tools were used, officers had to manu­ally review the results just to decipher whether the applic­ant had been correctly matched to the social media account iden­ti­fied. foot­note22_ct19jw3 22 USCIS, “USCIS Social Media & Vetting: Over­view and Efforts to Date,” 3.

In review­ing flagged items, FDNS officers are required to check for “national secur­ity indic­at­ors,” but there seems to be a lack of clar­ity about what this means. In 2017, two years after the pilot programs were launched, DHS person­nel reportedly expressed a need for a defin­i­tion of what consti­tutes a “national secur­ity indic­ator in the context of social media.” foot­note23_4x8j­frg 23 Ibid. The DHS inspector general noted a similar prob­lem: his office was unable to eval­u­ate specific policies and proced­ures for the pilot programs — because none exis­ted. foot­note24_lzhsl1h 24 Office of Inspector General, DHS’ Pilots for Social Media Screen­ing Need Increased Rigor, 1, 6. Even more troub­ling, the inspector general found that DHS had simply failed to meas­ure the effect­ive­ness of the pilot programs, making them unsuit­able as models for future initi­at­ives.

Accord­ing to the refugee program privacy impact assess­ment, five separ­ate systems retain inform­a­tion for refugee processing, but none are described as contain­ing social media data collec­ted by DHS. foot­note25_u5xe523 25 USCIS 2017 Refugee Vetting PIA, 2. For example, the results of back­ground checks, which may be informed by social media inform­a­tion, are stored in the State Depart­ment’s refugee case manage­ment system, the World­wide Refugee Admis­sions Processing System (WRAPS), but only in the form of a check’s outcome (“clear” or “not clear”). foot­note26_kk19w4n 26 The “clear” and “not clear” desig­na­tions are applied to the date of the back­ground check, whether the check found any derog­at­ory results, whether the results were resolved, and the expir­a­tion date of the results. USCIS 2017 Refugee Vetting PIA, 9.

However, social media inform­a­tion is kept in a far-reach­ing system known as the Alien Files (A-Files), which covers every immig­rant and some visit­ors to the United States. foot­note27_he5ftnr 27 A-Files SORN, 43556 . USCIS is the main custodian of the system, with ICE and CBP regu­larly contrib­ut­ing to and using the data contained in it. foot­note28_0ofx11x 28 Ibid., 43557. An indi­vidu­al’s A-File is considered the offi­cial record of his or her immig­ra­tion history and is used by a wide array of agency person­nel for legal, fiscal, and admin­is­trat­ive needs, such as natur­al­iz­a­tion and deport­a­tion proceed­ings. foot­note29_n9nol59 29 Ibid. A Septem­ber 2017 notice in the Federal Register made clear that DHS collects and keeps social media inform­a­tion (handles, aliases, asso­ci­ated iden­ti­fi­able inform­a­tion, and search results) relat­ing to immig­rants, includ­ing legal perman­ent resid­ents and natur­al­ized citizens. In an email to the news site Gizmodo, DHS stated that “the notice does not author­ize USCIS to search the social media accounts of natur­al­ized citizens,” which begs the ques­tion of whether other author­it­ies are used to under­take such searches and leaves unad­dressed the implic­a­tions for people who have legal perman­ent resid­ent status. foot­note30_32e57gx 30 Matt Novak, “US Home­land Secur­ity Says Track­ing Social Media of Immig­rants Is Noth­ing New,” Gizmodo, Septem­ber 28, 2017,­land-secur­ity-says-track­ing-social-media-of-immi-1818875395. Regard­less of whether new collec­tion occurs, the 100-year A-File reten­tion period means that DHS and other agen­cies can access and poten­tially use inform­a­tion gathered from social media long after an immig­rant has completed the natur­al­iz­a­tion process. Despite ques­tions from the press, DHS has not publicly clari­fied if and how this inform­a­tion could be used in the future.

To summar­ize, social media is used by USCIS in vetting people who apply for immig­ra­tion bene­fits (such as students who become employed and change their visa status, or green card hold­ers who become natur­al­ized), and this inform­a­tion is retained in their A-Files. As discussed above, USCIS itself found that social media monit­or­ing was not partic­u­larly help­ful when it tested social media vetting for five programs. It has nonethe­less proceeded with expand­ing its use of social media in several contexts, espe­cially the vetting of refugee applic­ants and asylum seekers. It appears that such uses are focused on check­ing inform­a­tion provided by applic­ants, which may be justi­fied for situ­ations in which people seek­ing such status do not have docu­ment­a­tion. But the ambigu­ous nature of social media raises concerns, as does the appar­ent target­ing of certain — likely Muslim — applic­ants for such addi­tional screen­ing. Finally, as the inspector gener­al’s eval­u­ation of these programs clearly indic­ates, DHS has made no effort to eval­u­ate their effect­ive­ness.

B. Vetting for the Controlled Applic­a­tion Review and Resol­u­tion Program

Social media reviews are also used in the Controlled Applic­a­tion Review and Resol­u­tion Program (CARRP), a secret­ive FDNS program insti­tuted in 2008 for flag­ging and processing cases that present “national secur­ity concerns.” foot­note31_p8oe2e6 31 USCIS, Review of the Defense Advanced Research Projects Agency 2.0 Social Media Pilot, 57; Jonathan R. Schar­fen, deputy director, USCIS, to field lead­er­ship, “Policy for Vetting and Adju­dic­at­ing Cases With National Secur­ity Concerns,” 1, April 11, 2008, (here­in­after CARRP Policy for Vetting and Adju­dic­at­ing Cases With National Secur­ity Concerns),­tronic%20Read­ing%20Room/Policies_and_Manu­als/CARRP_Guid­ance.pdf. An indi­vidual who is placed on the CARRP track is essen­tially black­lis­ted. foot­note32_pkmg­gq1 32 See, for example, Jennie Pasquarella, Muslims Need Not Apply: How USCIS Secretly Mandates Discrim­in­at­ory Delays and Deni­als of Citizen­ship and Immig­ra­tion Bene­fits to Aspir­ing Amer­ic­ans, ACLU of South­ern Cali­for­nia, August 2013, 1, The CARRP policy applies to “all applic­a­tions and peti­tions that convey immig­rant and nonim­mig­rant status.” CARRP Policy for Vetting and Adju­dic­at­ing Cases With National Secur­ity Concerns, 1. The ACLU of South­ern Cali­for­nia has further clari­fied that this includes indi­vidu­als apply­ing for asylum, visas, green cards, and natur­al­iz­a­tion. Pasquarella, Muslims Need Not Apply, 9. Accord­ing to a study by the Amer­ican Civil Liber­ties Union (ACLU), CARRP uses vague, overly broad, and discrim­in­at­ory criteria and dispro­por­tion­ately targets Muslims and indi­vidu­als from Muslim-major­ity coun­tries. foot­note33_5dygyeo 33 Pasquarella, Muslims Need Not Apply, 2–3. The program has been chal­lenged in court as “extra-stat­utory, unlaw­ful, and uncon­sti­tu­tional.” foot­note34_smmulms 34 Wagafe v. Trump, No. C17–0094-RAJ, 2017 WL 2671254, at *1 (W.D. Wash. June 21, 2017). A USCIS brief­ing book indic­ates that in July 2016, officers began screen­ing social media accounts for Syrian and Iraqi CARRP cases specific­ally, though other docu­ments suggest that social media is used to vet other popu­la­tions as well. foot­note35_zpgxpwa 35 USCIS Brief­ing Book, 182.

Applic­ants can be referred to CARRP in a vari­ety of ways. Indi­vidu­als who are flagged as known or suspec­ted terror­ists (includ­ing anyone in the FBI’s over­broad Terror­ist Screen­ing Data­base, discussed above foot­note36_x8hf8s0 36 National Coun­terter­ror­ism Center, “Watch­list­ing Guid­ance,” 10. For more inform­a­tion on this watch list and the privacy and civil liber­ties issues asso­ci­ated with it, see supra text accom­pa­ny­ing notes 267–273. ) are auto­mat­ic­ally flagged as a national secur­ity concern and put on the CARRP track. foot­note37_4nfekr1 37 Pasquarella, Muslims Need Not Apply, 17. People can also be referred to CARRP at any stage of the screen­ing and adju­dic­at­ive process (e.g., when apply­ing for citizen­ship or a green card) if they might present a “national secur­ity concern.” foot­note38_x1ahr2f 38 Ibid. Accord­ing to CARRP officer guid­ance, officers may util­ize open-source research, includ­ing search­ing social media inform­a­tion, to identify an indic­ator of a national secur­ity concern. foot­note39_djjl­n1t 39 Accord­ing to the CARRP defin­i­tion, a national secur­ity concern arises when “an indi­vidual or organ­iz­a­tion has been determ­ined to have an artic­ul­able link to prior, current, or planned involve­ment in, or asso­ci­ation with, an activ­ity, indi­vidual or organ­iz­a­tion described in [the secur­ity and terror­ism sections] of the Immig­ra­tion and Nation­al­ity Act.” CARRP Policy for Vetting and Adju­dic­at­ing Cases With National Secur­ity Concerns, 1n1. However, the loose­ness of terms used in the defin­i­tion — e.g., “artic­ul­able link,” which can be atten­u­ated or unsub­stan­ti­ated, and “asso­ci­ation,” which can be distant or marginal — means that the govern­ment has extens­ive leeway to place someone on the CARRP list. Amended Complaint for Declar­at­ory and Injunct­ive Relief, Wagafe v. Trump (W.D. Wash. Feb. 1, 2017),­ment/wagafe-v-uscis-amended-complaint. See also Katie Traverso and Jennie Pasquarella, “Prac­tice Advis­ory: USCIS’s Controlled Applic­a­tion Review and Resol­u­tion Program,” 3, https://www.nation­alim­mig­ra­tion­pro­­ti­tion­ers/our_lit/impact_litig­a­tion/2017_03Jan-ACLU-CARRP-advis­ory.pdf. The train­ing hand­book lists three broad categor­ies of “non-stat­utory indic­at­ors” officers can consider to be indic­at­ive of a national secur­ity concern: “employ­ment, train­ing, or govern­ment affil­i­ations” (e.g., foreign language expert­ise); “other suspi­cious activ­it­ies” (e.g., unusual travel patterns); and “family members or close asso­ci­ates” (e.g., a room­mate, coworker, or affil­i­ate) who have been iden­ti­fied as national secur­ity concerns. foot­note40_25z8qpf 40 A guid­ance states that in “Family Member or Close Asso­ci­ate” cases, officers must determ­ine “if the [national secur­ity] concern relates to the indi­vidual, and if so, if it gives rise to a [national secur­ity] concern for the indi­vidual.” USCIS, “CARRP Officer Train­ing,” April 2009, 5,­fy­ing-NS-Concerns-USCIS-CARRP-Train­ing-Mar.-2009.pdf.

While these factors could be relev­ant to national secur­ity, they also give USCIS officers great discre­tion and present seri­ous due process and free speech concerns, partic­u­larly in the case of indi­vidu­als who are in the United States and seek­ing adjust­ment of status.

C. Immig­ra­tion Bene­fits Determ­in­a­tions

FDNS officers consult social media websites and commer­cial data sources, includ­ing Thom­son Reuter­s’s CLEAR data­base (discussed in the ICE section, above), during the screen­ing of immig­ra­tion bene­fit request forms, applic­a­tions, or peti­tions. foot­note41_ik1uamy 41 DHS, Privacy Impact Assess­ment for the Fraud Detec­tion and National Secur­ity Data System (FDNS-DS), DHS/USCIS/PIA-013(a) May 18, 2016 (here­in­after FDNS-DS 2016 PIA), 14,­a­tions/privacy-pia-uscis-fdnsds-novem­ber­2017.pdf. Commer­cial and public sources may be used to verify inform­a­tion provided by the indi­vidual, support or refute signs of fraud, and identify public safety or national secur­ity concerns. Ibid. Accord­ing to inform­a­tion provided by FDNS to the DHS Privacy Office, data collec­ted from social media during the bene­fit determ­in­a­tion process is stored in the applic­ant’s A-File, whether or not it was found to be derog­at­ory, but applic­ants are given the oppor­tun­ity to explain or refute any “adverse inform­a­tion” found through social media. foot­note42_nsl1l8g 42 “DHS Oper­a­tional Use of Social Media,” 8, in USCIS Brief­ing Book, 141; Ibid., 137. However, USCIS has not complied with the Privacy Office’s 2012 recom­mend­a­tion to update the privacy impact assess­ments for several programs, includ­ing Deferred Action for Child­hood Arrivals (DACA), to reflect that social media is used as a source of inform­a­tion and to address the privacy risks posed by such collec­tion and how they would be mitig­ated. foot­note43_1sw3b0d 43 “DHS Oper­a­tional Use of Social Media,” 8, in USCIS Brief­ing Book, 141. The other USCIS programs that require updated privacy impact assess­ments to reflect the use of social media include Computer Linked Applic­a­tion Inform­a­tion Manage­ment System (CLAIMS) 3; CLAIMS 4; and Refugees, Asylum, and Parole System and the Asylum Pre-Screen­ing System (RAPS/APSS). CLAIMS 3 manages the adju­dic­a­tion process for most domest­ic­ally filed, paper-based immig­ra­tion bene­fit filings with the excep­tion of natur­al­iz­a­tion; inter­coun­try adop­tion; and certain requests for asylum and refugee status. DHS, Privacy Impact Assess­ment Update for the Computer Linked Applic­a­tion Inform­a­tion Manage­ment System (CLAIMS 3) and Asso­ci­ated Systems, DHS/USCIS/PIA-016(a), March 25, 2016, 1,­a­tions/privacy-pia-uscis-claim­s3ap­pendixaup­date-may2018.pdf. CLAIMS 4 tracks and processes natur­al­iz­a­tion applic­a­tions. DHS, Privacy Impact Assess­ment Update for the Computer Linked Applic­a­tion Inform­a­tion Manage­ment System 4 (CLAIMS 4), DHS/USCIS/PIA-015(b), Novem­ber 5, 2013, 2,­a­tions/privacy-pia-update-uscis-claims4-novem­ber­2013.pdf.

When someone applies for an immig­ra­tion bene­fit (such as natur­al­iz­a­tion), the applic­ant’s inform­a­tion is screened against data contained in USCIS, ICE, and other law enforce­ment data­bases for eligib­il­ity, fraud, and national secur­ity concerns. foot­note44_cs834hq 44 Privacy Impact Assess­ment for the Continu­ous Immig­ra­tion Vetting, DHS/USCIS/PIA-076, Febru­ary 14, 2019 (here­in­after USCIS CIV 2019 PIA), 2,­a­tions/pia-uscis-fdnsciv-febru­ary2019_0.pdf. In line with other DHS programs, USCIS is increas­ingly look­ing to auto­mate many of the checks that it had previ­ously performed manu­ally. Since June 2017, USCIS and CBP have been work­ing to gradu­ally imple­ment an inter­agency effort called “continu­ous immig­ra­tion vetting.” foot­note45_k5619qj 45 Ibid., 6. Through this program, applic­ants apply­ing for green cards or natur­al­iz­a­tion will have the biograph­ical and biomet­ric inform­a­tion they provide, as well as any inform­a­tion received by USCIS there­after, auto­mat­ic­ally checked against CBP hold­ings. These checks will continue until the time of natur­al­iz­a­tion. foot­note46_lgipujs 46 Ibid., 7. This new program is currently inten­ded to uncover “poten­tial national secur­ity concerns,” foot­note47_m7wj18j 47 Like CARRP, the Continu­ous Immig­ra­tion Vetting privacy impact assess­ment considers a “national secur­ity concern” to arise when “an indi­vidual or organ­iz­a­tion has been determ­ined to have an artic­ul­able link to prior, current, or planned involve­ment in, or asso­ci­ation with, an activ­ity, indi­vidual or organ­iz­a­tion described in [the secur­ity and terror­ism sections] of the Immig­ra­tion and Nation­al­ity Act.” Ibid. although the recently published privacy impact assess­ment notes that the agency hopes to expand the process to vet for public safety concerns and fraud as well. foot­note48_n143j40 48 Ibid., 8.

Continu­ous immig­ra­tion vetting relies on a connec­tion between an exist­ing USCIS screen­ing tool called ATLAS foot­note49_wjz66xj 49 ATLAS is built into the USCIS system FDNS-DS, which is the main data­base that FDNS officers use to manage the back­ground check process related to immig­ra­tion applic­a­tions and peti­tions, and inform­a­tion related to applic­ants with suspec­ted or confirmed fraud, crim­inal activ­ity, public safety or national secur­ity concerns, and cases randomly selec­ted for bene­fit fraud assess­ments. FDNS 2014 PIA, 6. and CBP’s ATS, which ingests and analyzes social media and other data from a pleth­ora of sources. When someone applies for a bene­fit or inform­a­tion about an indi­vidual (such as an address) is updated, ATLAS auto­mat­ic­ally scans for poten­tial matches to derog­at­ory inform­a­tion in other govern­ment data­bases. foot­note50_hzf44na 50 FDNS-DS 2016 PIA, 3. ATLAS itself analyzes inform­a­tion to detect patterns and trends; for example, it visu­ally displays rela­tion­ships among indi­vidu­als on the theory that they could reveal poten­tial ties to crim­inal or terror­ist activ­ity. foot­note51_crt1om3 51 Ibid., 5–6. As of May 2016, USCIS was incor­por­at­ing new capab­il­it­ies into ATLAS, includ­ing predict­ive analyt­ics, link and forensic analysis, and other analytic func­tions. Ibid., 6.

With continu­ous immig­ra­tion vetting, ATLAS also auto­mat­ic­ally sends any new inform­a­tion it receives over to ATS. ATS checks CBP hold­ings for matches to inform­a­tion about any indi­vidu­als who have been flagged as a poten­tial national secur­ity threat. foot­note52_5f1zmg3 52 USCIS CIV 2019 PIA, 7. But ATS also stores the applic­ant or bene­fit hold­er’s inform­a­tion for future use. Whenever derog­at­ory inform­a­tion asso­ci­ated with an indi­vidual is added to a govern­ment data­base, ATS auto­mat­ic­ally checks for a “match and/or asso­ci­ation” to the USCIS inform­a­tion and sends results back to ATLAS. foot­note53_jusjo44 53 Ibid. It is not clear that this new system will rely on social media. The privacy impact assess­ment notes that although ATS connects with multiple data sets, USCIS and CBP have tailored the initi­at­ive so that only “relev­ant” data sets are checked, although these are not iden­ti­fied. foot­note54_i9dbaxs 54 Ibid., 18.

2. Admin­is­trat­ive Invest­ig­a­tions

FDNS conducts admin­is­trat­ive invest­ig­a­tions in order to procure addi­tional inform­a­tion that can help determ­ine an indi­vidu­al’s eligib­il­ity for an immig­ra­tion bene­fit. Admin­is­trat­ive invest­ig­a­tions seek to verify rela­tion­ships that are the basis for an indi­vidual to receive an immig­ra­tion bene­fit, identify viol­a­tions of the Immig­ra­tion and Nation­al­ity Act, and identify other grounds of admiss­ib­il­ity or remov­ab­il­ity. foot­note55_k9xgy2r 55 FDNS 2014 PIA, 38.

An officer can decide that an invest­ig­a­tion is warran­ted on the basis of the results of a “manual review,” which can be triggered by three mech­an­isms: a noti­fic­a­tion gener­ated by ATLAS (when there is a match to one of its predefined rules), a fraud tip refer­ral from the public or govern­ment offi­cials, or a manual refer­ral submit­ted by USCIS adju­dic­a­tions staff. foot­note56_s2ia5aa 56 Ibid., 4. In order to offi­cially open an admin­is­trat­ive invest­ig­a­tion after a manual review, the officer must determ­ine that the tip is “action­able.” foot­note57_pi7diyi