What rules govern federal agencies’ use of social media?
Some agencies, like the FBI, DHS, State Department and IRS, have released information on the rules governing their use of social media in certain contexts. Other agencies — such as the ATF, DEA, Postal Service, and Social Security Administration — have not made any information public; what is known about their use of social media has emerged from media coverage, some of which has attracted congressional scrutiny. Below we describe some of what is known about the rules governing the use of social media by the FBI, DHS, and State Department.
FBI: The main document governing the FBI’s social media surveillance practices is its Domestic Investigations and Operations Guide (DIOG), last made public in redacted form in 2016. Under the DIOG, FBI agents may review publicly available social media information prior to initiating any form of inquiry. During the lowest-level investigative stage, called an assessment (which requires an “authorized purpose” such as stopping terrorism, but no factual basis), agents may also log public, real-time communications (such as public chat room conversations) and work with informants to gain access to private online spaces, though they may not record private communications in real-time.
Beginning with “preliminary investigations” (which require that there be “information or an allegation” of wrongdoing but not that it be credible), FBI agents may monitor and record private online communications in real-time using informants and may even use false social media identities with the approval of a supervisor. While conducting full investigations (which require a reasonable indication of criminal activity), FBI agents may use all of these methods and can also get probable cause warrants to conduct wiretapping, including to collect private social media communications.
The DIOG does restrict the FBI from probing social media based solely on “an individual’s legal exercise of his or her First Amendment rights,” though such activity can be a substantial motivating factor. It also requires that the collection of online information about First Amendment-protected activity be connected to an “authorized investigative purpose” and be as minimally intrusive as reasonable under the circumstances, although it is not clear how adherence to these standards is evaluated.
DHS: DHS policies can be pieced together using a combination of legally mandated disclosures — such as privacy impact assessments and data mining reports — and publicly available policy guidelines, though the amount of information available varies. In 2012, DHS published a policy requiring that components collecting personally identifiable information from social media for “operational uses,” such as investigations (but not intelligence functions), implement basic guidelines and training for employees engaged in such uses and ensure compliance with relevant laws and privacy rules. Whether this policy has been holistically implemented for “operational uses” of social media across DHS remains unclear. However, the Brennan Center has obtained a number of templates describing how DHS components use social media, created pursuant to the 2012 policy, through the Freedom of Information Act.
In practice, DHS policies are generally permissive. The examples below illustrate the ways in which various parts of the Department use social media.
- ICE agents monitor social media for purposes ranging from situational awareness and criminal intelligence gathering to support for investigations. In addition to engaging private companies to monitor social media, ICE agents may collect public social media data whenever they determine it is “relevant for developing a viable case” and “supports the investigative process.”
- Parts of DHS, including the National Operations Center (NOC) (part of the Office of Operations Coordination and Planning (OPS)), Federal Emergency Management Agency (FEMA), and Customs and Border Protection (CBP), use social media monitoring for situational awareness. The goal is generally not to “seek or collect” personally identifiable information. DHS may do so in “in extremis situations,” however, such as when serious harm to a person may be imminent or there is a “credible threat[] to [DHS] facilities or systems.” NOC’s situational awareness operations are not covered by the 2012 policy; other components carrying out situational awareness monitoring must create a but may receive an exception from the broader policy with the approval of DHS’s Chief Privacy Officer.
- DHS’s U.S. Citizenship and Immigration Services (USCIS) uses social media to verify the accuracy of materials provided by applicants for immigration benefits (such as applications for refugee status or to become a U.S. citizen) and to identify fraud and threats to public safety. USCIS says it only looks at publicly available information and that it will respect account holders’ privacy settings and refrain from direct dialogue with subjects, though staff may use fictitious accounts in certain cases, including when “overt research would compromise the integrity of an investigation.”
- DHS’s Office of Intelligence & Analysis (I&A), as a member of the Intelligence Community, is not covered by the 2012 policy. Instead it operates under a separate set of guidelines — pursuant to Executive Order 12,333, issued by the Secretary of Homeland Security and approved by the Attorney General — that govern its management of information collected about U.S. persons, including via social media. The office incorporates social media into the open-source intelligence reports it produces for federal, state, and local law enforcement; these reports provide threat warnings, investigative leads, and referrals. I&A personnel may collect and retain social media information on U.S. citizens and green card holders so long as they reasonably believe that doing so supports a national or departmental mission; these missions are broadly defined to include addressing homeland security concerns. And they may disseminate the information further if they believe it would help the recipient with “lawful intelligence, counterterrorism, law enforcement, or other homeland security-related functions.”
State Department. The Department’s policies covering social media monitoring for visa vetting purposes are not publicly available. However, public disclosures shed some light on the rules consular officers are supposed to follow when vetting visa applicants using social media. For example, consular officers are not supposed to interact with applicants on social media, request their passwords, or try to get around their privacy settings — and if they create an account to view social media information, they “must abide by the contractual rules of that service or platform provider,” such as Facebook’s real name policy. Further, information gleaned from social media must not be used to deny visas based on protected characteristics (i.e., race, religion, ethnicity, national origin, political views, gender or sexual orientation). It is supposed to be used only to confirm an applicant’s identity and visa eligibility under criteria set forth in U.S. law.