Is the U.S. government monitoring social media?
Yes. Since December 2016, all visitors to the U.S. under the “Visa Waiver Program” (VWP) have been asked to identify the social media IDs they use to the Department of State on the online ESTA form. In several recent notices in the Federal Register, and in official statements in response to questions about those notices, the Department of Homeland Security has confirmed that it already searches for and reviews information about individuals from social media.
Why is the U.S. singling out immigrants and visitors for this surveillance?
The U.S. government is targeting foreigners first because they are legally more vulnerable. Under U.S. law, foreign visitors and immigrants have often been held to have fewer rights than U.S. citizens. We don’t think this is the way it ought to be, and we don’t think this is even a correct reading of the U.S. Constitution and the human rights treaties that the U.S. has ratified. But this is often the way that courts have ruled. Most acts of terrorism in the U.S., like most crimes of any sort, are committed by U.S. citizens. Most of those criminals are white, and most of them are Christian, not that this should matter either. In practice, the government knows that it is more likely to be able to get away with surveillance of foreigners — on social media or in any other realm — than with surveillance that targets U.S. citizens equally or that focuses on, say, white Christian nationalist domestic sources of terrorism.
The Federal government also appears to be motivated by a profound xenophobia. It regards foreigners, communications or association with foreigners, and foreign travel as per se suspicious and thus as justifying more intrusive search, seizure, interrogation, interference, etc. Instead, these activities should be seen as the exercise of rights recognized and protected by Federal laws, the First Amendment and other provisions of the U.S. Constitution, and international treaties. As such, they should be specially protected, not subjected to special surveillance.
Does this social media surveillance include U.S. citizens and green-card holders?
Yes. Social media is, by definition, social. It’s about connections and communication between people, not individuals in isolation. Social media networks aren’t defined by national borders. (Except in countries like China where repressive governments block access to “foreign” social media to keep their citizens isolated from the thinking of the rest of the world.) Even if only non-U.S. persons are targeted, surveillance of social media will inevitably suck in information about U.S. citizens and permanent residents who are “associated” with foreigners on social media. Whoever you are, that probably includes you. Do you know which of your Facebook “friends” or Twitter followers or the people who post comments on your page are U.S. citizens or permanent U.S. residents, and which of them aren’t? We don’t, and we don’t believe the U.S. government does either. There is no way that government agents, whether human or robotic, could contain social media surveillance to foreigners even if they tried. The rights of U.S. citizens and permanent residents will be collateral damage whenever foreigners are attacked.
Is this limited to people who are suspected of immigration violations or other crimes?
No. What is being practiced already, and what is being expanded, is dragnet social media surveillance. The Department of State is already asking every applicant for admission to the U.S. under the VWP for their social media IDs. The social media surveillance authority claimed by the DHS, and the practices described in its recent notices, are not limited to specific persons of interest. The DHS and other law-enforcement agencies already have the authority to subpoena records from social media service providers if there is probable cause for suspicion that any crime has been committed, including but not limited to criminal violations of U.S. immigration laws. What’s happening now and expanding is additional surveillance of people who are not (yet) under any particularized suspicion.
The U.S. government’s interest in social media can best be understood in the context of other programs of automated suspicionless dragnet surveillance. The NSA collects metadata about the movement of our messages from telephone companies and Internet service providers. The DHS collects metadata about the movements of our bodies from entry/exit and border crossing logs and reservation records obtained from airlines, Amtrak, and other travel companies. Why not add metadata about our associations and activities on social networks — IDs, posting histories, keywords and tags, social network maps, etc. — to that data lake?
If I’m not doing anything wrong, do I have anything to worry about?
Yes. Activities that are legal in the U.S. may be illegal in other countries, and the U.S. government claims the right to share the fruits of social media surveillance, and the blacklisting and other conclusions drawn from them, with other governments around the world. Activities that are legal today could become illegal tomorrow. People with whom you are associated, but who you may not know and may never have met, may come under suspicion in the future. Any information the government has can be used against you. Things that you say or people with whom you are “associated” on social media say could result in your being assigned a pre-crime predictive “risk score” that leads to your being placed on a government blacklist (“watchlist”) or subjected to other government sanctions, even if you are never suspected or accused of any crime. The algorithmic criteria for blacklisting, the data used as the basis for blacklisting decisions, and the lists themselves are all secret. You know you are on a blacklist only when you are unexpectedly prevented from exercising your right to travel or other rights.
Does this mean that immigration and visa officers will be following me on Facebook and reading everything I post?
Probably not, but you never know. All of the information about you that is collected from social media by the DHS or the State Department either already is, or is proposed to be, exempt from the access requirements of the Privacy Act. That means that even if and when you become a U.S. citizen, you’ll never be allowed to see the secret files that have been kept about you and used by black boxes running secret algorithms to make secret decisions about what you are and aren’t allowed to do.
In practice, as a former Chief Privacy Officer for the DHS pointed out earlier this year, “we don’t have enough translators to read all that stuff,” — or even, we suspect, enough live bodies to read the portions in English. As we said last week to Wired:
“Tens of thousands of people a day get off planes — imagine that you’re trying to read through all of their Facebook histories in all different foreign languages,” The Identity Project’s Hasbrouck says. “Forget it. Most of this stuff will never be read by a human, can’t possibly be read by a human and will just become grist for the mill for robotic profiling. It will be more effective as a guilt-by-association and suspicion-generating machine.”
Once this information is collected by the government, it can be kept by the government for the rest of your life, shared with other Federal, state, and local government agencies or other governments around the world, and mined and used in unpredictable ways against you or anyone it links you with.
How long has this social media surveillance been going on?
At least five years, but we don’t know exactly (although we have a legal right to know).
The Paperwork Reduction Act requires any Federal agency that wants to collect information from individuals, regardless of their citizenship, to obtain approval from the Office of Management and Budget (OMB) before it starts requesting this information. The Privacy Act requires any Federal agency that wants to maintain a system of records about individual “U.S. persons” (U.S. citizens or permanent U.S. residents) to publish a notice in the Federal Register describing the system and how it will be used before the agency begins keeping those records.
The DHS issued a directive in 2012 describing “Operational Use of Social Media”, but didn’t get around to publishing the notices required by the Privacy Act until September 2017 (here, here, and here). Comments from members of the public on these notices can be submitted until October 18th and October 23rd (here and here) respectively. Maintaining such a system of Federal agency records without such a notice, or when it includes information not covered by the notice, is a crime. There is no statute of limitations for prosecution of criminal violations of the Privacy Act. But this is a crime that can only be committed by officials of Federal agencies, and nobody is ever prosecuted for it.
Foreign visitors to the U.S. (except Canadian citizens) either have to apply for an ESTA online, or apply for a visa at a U.S. consulate or embassy, depending on their citizenship and the nature of their trip. The DHS requested and obtained approval from OMB in 2016 to ask visitors for their social media IDs on the ESTA form. The State Department asked for and received approval to ask visa applicants for their social media IDs as one of the questions on a “supplemental” long-form visa questionnaire earlier this year on an emergency basis. The State Department is now asking OMB for continued permission to keep using that supplemental form beyond the initial “emergency”. Together with Restore The Fourth, Inc., we filed comments today with the State Department, arguing against approval of this form. The deadline for comments on this proposal is midnight Washington, DC time today, Monday, October 2, 2017.
We suspect, based on our experience with the similar State Department “supplementary questionnaire” for U.S. citizens applying for passports, that the State Department started asking some visa applicants for their social media IDs well before the Department asked OMB to approve this practice. The State Department eventually admitted that it was making some applicants for passports fill out this additional “long form” questionnaire before getting it approved by OMB, in violation of the Paperwork Reduction Act. But OMB approved it anyway, and its use has continued. We don’t know how long the State Department was using this form without the required OMB approval. We requested this information in 2011 under the Freedom Of Information Act (FOIA), but six years later the State Department still hasn’t responded to this request. Last year we got a formal written apology from the State Department for its mishandling of this and others of our FOIA requests, but the last word we got from the State Department FOIA office was that it doesn’t expect to respond to this request until July 2018.
If this is happening already, what is the point of the recent notices in the Federal Register?
Apparently some officials noticed that their departments were breaking the law. Rather than bringing departmental practices into compliance with the law, or referring the agency officials responsible for criminal violations of the Privacy Act for possible prosecution, they are trying to legalize their activities retroactively by giving notice and/or obtaining approval after the fact. This is standard operating procedure for both the DHS and the Department of State.
The first Privacy Act notice for the DHS “Automated Targeting System” was published by DHS in 2006. But when we obtained portions of our ATS records, we found some that went back to the early 1990s, fifteen years earlier than that notice. (We had to sue to get some of these records, and all of the “risk scores” and “handling codes” assigned to each of us each time we fly by DHS pre-crime profiling systems were redacted from the excerpts that we received.) Another DHS component, the TSA, only last year gave notice that it might someday ask OMB to approve an “ID verification” form that it has been using illegally since 2008.
Similarly, as noted above, the State Department used an impossible-to-answer “long form” as a pretext for denying passport applications (or keeping them in indefinite limbo) for an unknown number of years before asking OMB to bless its continued use.
What’s happening now with social media surveillance is par for the course. But the DHS and the State Department should stop it, not try to regularize it.
Is this legal?
No. As discussed above, the State Department and the DHS haven’t complied with even the most elementary procedural prerequisites for this questioning and keeping of dossiers about social media activity. And as discussed in the comments we filed today with the State Department, there are also substantive bars to this sort of suspicionless dragnet surveillance in Federal statutes, the U.S. Constitution, and international human rights treaties that the U.S. has ratified.
Will this be limited to information that is already publicly available? Will the U.S. government respect the privacy settings on my social media accounts?
No and no. As we note in the comments we filed today, anonymous or pseudonymous social media users who apply for visas or for admission to the U.S. would be required to disclose their private user names or other identifiers to the U.S. government:
According to the notice, “consular officers are directed not to request user passwords [and] not to violate or attempt to violate individual privacy settings or controls.” But this is contradicted by the inclusion of social media identifiers (“handles”) on Form DS-5535.
The first and most fundamental “privacy setting or control” for a social media user (or, for that matter, for most other modes of speech and publication) is whether to write or speak in a known name, a pseudonym, or anonymously. For pseudonymous speech or writing on social media, the social media identifier or handle is effectively the “key” needed to unlock the identity of the speaker or writer, and equivalent to the password for an encrypted message.
To require a pseudonymous social media user to disclose her handle or identifier is, in effect, to require her to change her most fundamental privacy settings and to disclose the root password protecting her exercise of her rights to freedom of speech and of the press.
We cannot overstate the significance of anonymity or pseudonymity as a potentially life-or-death matter for social media users, most especially for dissidents, victims of discrimination, and those living under the jurisdiction of repressive regimes or otherwise in fear of persecution.
Anonymous or pseudonymous speech, publication, and assembly are the only forms of dissident speech, publication, or assembly that are possible under some repressive regimes.
Activities which are protected by the First Amendment, including some which advance U.S. interests in freedom and democracy, are subject to legal sanctions in many other countries.
Capital crimes in Saudi Arabia, for example, include blasphemy against the state religion, disparagement of members of the royal family or the institution of hereditary absolute monarchy, trafficking in prohibited mind-altering substances including alcoholic beverages, and private sexual activity between consenting adults of the same gender in their home.
Saudi Arabia is a U.S. ally with which the U.S. Department of State might be expected to share information obtained through this collection of information – including information that could identify Saudi Arabian citizens or residents who have perpetrated these “crimes”. As a result, this collection of information could subject these individuals, including pro-democracy activists, to sanctions in Saudi Arabia ranging from public whipping to beheading.
Even if this compelled disclosure of information were lawful – which we believe it isn’t – it would be bad public policy. The possibility of anonymous and pseudonymous discourse is an essential element of an open marketplace of ideas, and plays a particularly important role in the places where identifiable speakers and speech are subject to the greatest repression.
Anonymous and pseudonymous speech and publication have a long and honorable tradition in the U.S., going back to the anonymous authors and publishers of anti-monarchist handbills in the British colonies of North America and the pseudonymous authors of the Federalist Papers. Today, these works would probably be published on social media, and “Publius” – the pseudonym used by the authors of the Federalist – would probably be a social media “handle” rather than a name printed on the title pages of a series of pamphlets.
Anonymity and pseudonymity are especially critical for social media users, whose speech can be, and sometimes is, held not only against themselves but against any or all of their social media “friends”, friends-of-friends, associates, contacts, and/or commenters.
The possibility that, at some unknown future time, any individual social media user might be required to disclose her identity to the U.S. government, and have it passed on by the U.S. to unknown third parties including other governments around the world, is already exerting a profound chilling effect on the exercise of rights to freedom of speech, freedom of the press, and freedom of assembly by individuals around the world who think they might someday wish to visit the U.S. and by U.S. citizens who wish to associate with them online and/or in person. In the absence of publicly-defined criteria for what speech on social media or association with which other individuals might lead to denial of admission to the U.S., people who want to visit the U.S. and associate with U.S. persons are afraid to say anything on social media.
What can we do about this?
- Say no. Support others who say no. Don’t tell the government what social media IDs you use, or your passwords. That’s none of its business. It’s harder for more vulnerable foreigners to stand up to the U.S. government, which makes it more important for U.S. citizens to voice our objections.
- Talk to a lawyer before you say anything to government agents. Know your rights, including your rights under the Privacy Protection Act, which protects foreigners as well as U.S. citizens who publish information on social media as well as in any other medium.
- Submit comments on the current administrative “rulemakings” by Federal agencies. You can submit comments anonymously (even using Tor) at the links here, here, here, and here through October 23, 2017. Basically, this is asking executive agencies of the Trump Administration not to do what the President has already told them he wants them to do. It creates a public record of opposition that can be useful to anyone who challenges these agencies in court, but it’s unlikely to have much direct effect.
- Tell Congress to enact a law unambiguously prohibiting suspicionless surveillance of social media or any other category of information. This shouldn’t be necessary, but it is. The DHS and the Department of State will keep doing what they are doing, and expanding their dragnet surveillance into more and more areas of our lives, until either the President, Congress, or the courts give them unambiguous orders to stop, and enforce those orders.
- Sign up at “FlyDontSpy.com” to get updates from a coalition (including the Identity Project) working against requirements to give the government passwords to our online accounts.
- Don’t trust the government to respect your privacy as a matter of law or policy. Protect yourself. If you post to social media, post anonymously through Tor. Use encrypted messaging tools like Signal. Encrypt your phone and the hard disk or file storage of your desktop or laptop computer. Use strong passwords, not biometric keys like fingerprints or facial images that can be obtained from you without your cooperation. Don’t write your passwords down — if you need help to remember them, use a password manager that stores them in encrypted form and has its own secure master password that you memorize.