CBP finalizes rules for social media surveillance
Is suspicionless spying on what US citizens, foreign residents, visitors to the US, and their families, friends and associates do and say on social media an “essential” function of the US government?
Federal employees deemed “inessential” have been furloughed. But those still working for deferred paychecks apparently include staff of the Department of Homeland Security, including the DHS Privacy Office, responsible for promulgating rules exempting DHS surveillance from the minimal limitations imposed by the Privacy Act.
In 2017, the DHS gave notice of a new system of social media and travel surveillance records, the US Customs and Border Protection (CBP) Intelligence Records System (CIRS). At the same time, the DHS proposed to exempt these records from as many as possible of the requirements of the Privacy Act. The proposed exemptions would purport to authorize the DHS to include social media and other information in the CIRS database without regard to its accuracy or relevance to any investigation or suspicion of unlawful activity, and to keep these files and any recrods of how thety are used and shared secret from the individuals to whom they pertain.
Joined by eight other national civil liberties and human rights organizations, the Identity Project filed comments with the DHS in October 2017 opposing both the creation of this illegal database of records of suspicionless surveillance of activities protected by the First Amendment and the proposed Privacy act exemptions.
More than a year later, on December 27, 2018 — a week after the Federal government had partially shut down, and during a holiday week when fewer people than usual would be scrutinizing the Federal Register — the DHS finalized the proposed Privacy Act exemptions for CIRS.
The DHS analysis of the comments on the proposed rule completely ignored some our objections. There’s no response from the DHS to our comments on the Privacy Act’s prohibition (from which an agency cannot exempt itself) on the collection of information about how individuals exercise rights protected by the First Amendment without explicit statutory authorization, which is lacking for collection of social media data.
Others of our objections were brushed off with conclusory claims that such broad surveillance is “necessary” for predictive profiling:
Comment: DHS’s collection of records in CIRS is overly broad because, as stated in the NPRM, DHS may be collecting information that ‘‘may not be strictly relevant or necessary to a specific investigation.’’
Response: In order to conduct a complete investigation, it is necessary for DHS/CBP to collect and review large amounts of data in order to identify and understand relationships between individuals, entities, threats and events, and to monitor patterns of activity over
extended periods of time that may be indicative of criminal, terrorist, or other threat.Comment: Proposed routine uses would circumvent Privacy Act safeguards and contravene legislative intent.Response: DHS’s collection of records in CIRS is intended to permit DHS/CBP to review large amounts of data in order to identify and understand relationships between individuals, entities, threats and events, and to monitor patterns of activity over extended periods of time that may be indicative of criminal, terrorist, or other threat.