The U.S. Department of Homeland Security (DHS) and one of its component agencies, U.S. Customs and Border Protection (CBP), released a Privacy Impact Assessment [.pdf] on CBP’s practice of monitoring social media to enhance the agency’s “situational awareness.” As we’ve argued in relation to other government social media surveillance programs, this practice endangers the free speech and privacy rights of Americans.

“Situational Awareness”

The Privacy Impact Assessment (PIA) states that CBP searches public social media posts to bolster the agency’s “situational awareness”—which includes identifying “natural disasters, threats of violence, and other harmful events and activities” that may threaten the safety of CBP personnel or facilities, including ports of entry.

The PIA aims to inform the public of privacy and related free speech risks associated with CBP’s collection of personally identifiable information (PII) when monitoring social media. CBP claims it only collects PII associated with social media—including a person’s name, social media username, address or approximate location, and publicly available phone number, email address, or other contact information—when “there is an imminent threat of loss of life, serious bodily harm, or credible threats to facilities or systems.”

Why Now?

It is unclear why DHS and CBP released this PIA now, especially since both agencies have been engaging in social media surveillance, including for situational awareness, for several years.

The PIA cites authorizing policies DHS Directive No. 110-01 (June 8, 2012) [.pdf] and DHS Instruction 110-01-001 (June 8, 2012) [.pdf] as governing the use of social media by DHS and its component agencies (including CBP) for various “operational uses,” including situational awareness. The PIA also cites CBP Directive 5410-003, “Operational Use of Social Media” (Jan. 2, 2015), which does not appear to be public. EFF asked for the release of this document in a coalition letter sent to the DHS acting secretary in May.

Federal law requires government agencies to publish certain documents to facilitate public transparency and accountability related to the government’s collection and use of personal information. The E-Government Act of 2002 requires a PIA “before initiating a new collection of information that will be collected, maintained, or disseminated using information technology” and when the information is “in an identifiable form.” Additionally, the Privacy Act of 1974 requires federal agencies to publish Systems of Records Notices (SORNs) in the Federal Register when they seek create new “systems of records” to collect and store personal information, allowing for the public to comment.

This appears to be the first PIA that CBP has written related to social media monitoring. The PIA claims that the related SORN on social media monitoring for situational awareness is DHS/CBP-024 Intelligence Records System (CIRS) System of Records, 82 Fed. Reg. 44198 (Sept. 21, 2017). Given that DHS issued directives in 2012 and CBP issued a directive in 2015 around social media monitoring, this PIA comes seven years late. Moreover, there is no explanation as to why the SORN was published two years after CBP’s 2015 directive, nor why the present PIA was published two years after the SORN.

In March, CBP came under scrutiny for engaging in surveillance of activists, journalists, attorneys, and others at the U.S.-Mexico border, with evidence suggesting that their social media profiles had been reviewed by the government. DHS and CBP released this PIA only three weeks after that scandal broke.

Chilling Effect on Free Speech

CBP’s social media surveillance poses a risk to the free expression rights of social media users. The PIA claims that CBP is only monitoring public social media posts, and thus “[i]ndividuals retain the right and ability to refrain from making information public or, in most cases, to remove previously posted information from their respective social media accounts.”

While social media users retain control of their privacy settings, CBP’s policy chills free speech by causing people to self-censor—including curbing their public expression on the Internet for fear that CBP could collect their PII for discussing a topic of interest to CBP. Additionally, people running anonymous social media accounts might be afraid that PII collected could lead to their true identities being unmasked, despite that the Supreme Court has long held that anonymous speech is protected by the First Amendment.

This chilling effect is exacerbated by the fact that CBP does not notify users when their PII is collected. CBP also may share information with other law enforcement agencies, which could result in immigration consequences or being added to a government watchlist. Finally, CBP’s definition of situational awareness is broad, and includes “information gathered from a variety of sources that, when communicated to emergency managers and decision makers, can form the basis for incident management decision making.”

We have seen this chilling effect play out in real life. Only three weeks before DHS and CBP released this PIA, NBC7 San Diego broke the story that CBP, along with other DHS agencies, created a secret database of 59 activists, journalists, and attorneys whom the government flagged for additional screening at the U.S. border because they were allegedly associated with the migrant caravan. Dossiers on certain individuals included pictures from social media and notations of designations such as “administrator” of a Facebook group providing support to the caravan, indicating that the government had surveilled their social media profiles.

As one lawyer stated, “It has a real chilling effect on people who might go down [to the border].” A journalist who was on the list of 59 individuals said the “increased scrutiny by border officials could have a chilling effect on freelance journalists covering the border.”

EFF joined a coalition letter to the DHS acting secretary about CBP’s secret dossiers. Several senators wrote a follow-up letter [.pdf]. In May, CBP finally admitted to targeting journalists and others at the border, but justified its actions by claiming, without evidence, that journalists had “some level of participation in the violent incursion events.” In July, the DHS Inspector General [.pdf] informed the senators that her office would be launching an investigation into the circumstances surrounding the creation of the secret dossiers. She also indicated that the investigation will look into “other specific allegations of targeting and/or harassment of lawyers, journalists, and advocates, and evaluate whether CBP’s actions complied with law and policy.”

CBP’s Practices Don’t Mitigate Risks to Free Speech

The PIA claims that any negative impacts on free speech of social media surveillance are mitigated by both CBP policy and the Privacy Act’s prohibition on maintaining records of First Amendment activity. Yet, these supposed safeguards ultimately provide little protection.

First Amendment

The PIA emphasizes that CBP personnel are trained to “use a balancing test” to determine whether social media information presents a “credible threat”—as opposed to First Amendment-protected speech—and thus may be collected. According to the PIA, the balancing test involves gauging “the weight of a First Amendment claim, the severity of the threat, and the credibility of the threat.” However, this balancing test has no basis in constitutional law.

The Supreme Court has a long line of decisions that have established when speech rises to the level of a true threat or incitement to violence and is thus unprotected by the First Amendment.

In Watts v. United States (1969), the Supreme Court held that under the First Amendment only “true threats” may be punishable. The Court stated that alleged threats must be viewed in context, and noted that in the “political arena” in particular, language “is often vituperative, abusive, and inexact.” Thus, the Court further held that “political hyperbole” is not a true threat. In Elonis v. United States (2015), the Supreme Court held that an individual may not be criminally prosecuted for making a true threat based only on an objective test of negligence, i.e., whether a reasonable person would have understood the communication as a threat. Rather, the defendant’s subjective state of mind must be considered, including whether he intended to make a threat or knew that his statement would be viewed as a threat. (The Court left open whether a recklessness standard would also be sufficient for the speech to fall out of First Amendment protections.)

Additionally, in Brandenburg v. Ohio (1969), the Supreme Court held that “the constitutional guarantees of free speech and free press do not permit a State to forbid or proscribe advocacy of the use of force or of law violation except where such advocacy is directed to inciting or producing imminent lawless action and is likely to incite or produce such action.” There, the Court struck down an Ohio law that penalized individuals who advocated for violence to accomplish political reform, holding that the abstract advocacy of violence “is not the same as preparing a group for violent action and steeling it to such action.” In Hess v. Indiana (1973), the Court further clarified that speech that is mere “advocacy of illegal action at some indefinite future time,” is “not directed to any person or group of persons,” and is unsupported by evidence or rational inference that the speaker’s words were “intended to produce, and likely to produce, imminent disorder,” remains protected by the First Amendment. Similarly, the Court in NAACP v. Claiborne Hardware Co. (1982), held that “[a]n advocate must be free to stimulate his audience with spontaneous and emotional appeals for unity and action in a common cause. When such appeals do not incite lawless action, they must be regarded as protected speech.”

While the PIA states that CBP considers threatening posts to be those that “infer an intent, or incite others, to do physical harm or cause damage, injury, or destruction,” the PIA does not fully embrace the nuances of the Supreme Court’s jurisprudence—and CBP’s balancing test fails to comport with constitutional law. A seemingly threatening social media post may, in fact, be protected by the First Amendment if it is political hyperbole or other contextual facts suggest that the speaker did not intend to make a threat or did not believe that readers would view the post as a threat. Furthermore, a social media post that advocates for violence against CBP facilities or personnel may nevertheless be protected by the First Amendment if it is not directed at any particular person or group, and evidence does not reasonably indicate that the speaker intended to incite imminent violence or illegal action, or that imminent violence or illegal action is likely to result from the speech.

Thus, CBP may be collecting social media information and related PII even when the speech is protected by the First Amendment—contrary to its own policy—and further contributing to the chilling effect of CBP’s social media surveillance program.

Privacy Act

The PIA also mentions the Privacy Act, a federal law that establishes rules about what type of information the government can collect and keep about U.S. persons. In particular, the PIA points to 5 U.S.C. § 552a(e)(7), the prohibition against federal agencies maintaining records “describing how any individual exercises rights guaranteed by the First Amendment.”

Unfortunately, this prohibition is followed by an exception that effectively swallows the rule—that information about First Amendment activity may be collected if it is “pertinent to and within the scope of an authorized law enforcement activity.”

In Raimondo v. FBI, a Privacy Act case currently before the Ninth Circuit, the FBI kept surveillance files for “threat assessments” on two individuals who ran an antiwar website. EFF argued in an amicus brief against an expansive interpretation of the Privacy Act’s law enforcement activity exception in light of modern technology—specifically, given the ease with which law enforcement can collect, store, and share information about First Amendment activity on the internet, such information should not be stored “in government files in perpetuity when the record is not relevant to an active investigation.” We reminded the Ninth Circuit that in MacPherson v. I.R.S. (1986), the court recognized that “even ‘incidental’ surveillance and recording of innocent people exercising their First Amendment rights may have a ‘chilling effect’ on those rights that (e)(7) [of the Privacy Act] was intended to prohibit.”

Raimondo demonstrates the seemingly limitless nature of the law enforcement activity exception, including allowing for the indefinite retention of records of online activism and journalism, activity that is clearly protected by the First Amendment.

Similarly, under this PIA, because CBP follows a “credible threat” assessment not rooted in the First Amendment and the Privacy Act’s law enforcement activity exception can be interpreted broadly, CBP could very well collect and retain information that is protected by the First Amendment.

Unidentified Government Social Media Profiles Pose Risk to User Privacy

The PIA inspires little confidence not only in DHS and CBP’s interpretation of the law related to protected speech, but also in CBP personnel’s ability to follow the agencies’ own policies related to respecting social media users’ privacy.

The PIA states that CBP personnel “may conceal their identity when viewing social media for operational security purposes,” effectively allowing CBP agents to create fake accounts. However, this provision conflicts with DHS’s 2012 directive, which requires employees to “[u]se online screen names or identities that indicate an official DHS affiliation and use DHS email addresses to open accounts used when engaging in social media in the performance of their duties.”

Moreover, if, as according to the PIA, CBP personnel do not engage with other social media users and may only monitor “publicly available, open source social media,” it begs the question: why would a CBP agent need to create a fake account? Public posts or information are equally available to all social media users on a platform. Why would CBP personnel need to conceal their identity before viewing a publicly available post if they are not attempting to engage with a user?

This concern is backed by past practices where DHS agencies used fake profiles and interacted with users during the course of monitoring their social media activity. Earlier this year, journalists revealed that U.S. Immigration and Customs Enforcement (ICE) officers created fake Facebook and LinkedIn profiles to lend legitimacy to a sham university intended to identify individuals allegedly engaged in immigration fraud. There, ICE officers friended other users and exchanged emails with students, thereby potentially bypassing social media privacy settings and gaining access to information intended to remain private.

Such practices not only violate DHS’ existing policies, but also allow law enforcement to obtain access to content that would otherwise require a probable cause warrant. Furthermore, fake profiles violate the policies of several social media platforms. Facebook has publicly stated that law enforcement impersonator profiles violate the company’s terms of service.

Fighting Back

The CBP PIA is just one sliver of a broad federal government campaign to engage in social media surveillance. DHS, through its National Operations Center, has been monitoring social media for “situational awareness” since at least 2010. DHS also has been monitoring social media for intelligence gathering purposes. More recently, DHS and the State Department have greatly expanded social media surveillance to vet visitors and immigrants to the U.S., which EFF and other civil society groups have consistently opposed.

Several congressional committees have the responsibility and the opportunity to review CBP’s budget and provide oversight of the agency’s operations, including its social media surveillance. At a minimum, EFF urges these committees to ensure that CBP is following DHS’ own policies and is reporting, both to Congress and the public, how often officers are engaging in social media monitoring to understand the prevalence and scale of this program. Fundamentally, Congress should be asking why social media surveillance programs are necessary for public safety. Additionally, Congress has the responsibility to ensure that CBP and DHS are abiding by settled case law respecting the free speech and privacy rights of Americans and foreign travelers.

We’re also pushing social media companies to do more when they identify law enforcement impersonator profiles at the local, state, and federal level. Earlier this year, Facebook’s legal staff demanded that the Memphis Police Department “cease all activities on Facebook that involve the use of fake accounts or impersonation of others.” Additionally, Facebook updated its “Information for Law Enforcement Authorities” page to highlight how its misrepresentation policy also applies to police. While EFF applauds these steps, we are skeptical that warnings or policy changes alone will deter the activity. Facebook says it will delete accounts brought to its attention, but too often these accounts only become publicly known—through a lawsuit or a media report—long after the damage has been done. Instead, EFF is calling on Facebook to take specific steps to provide transparency into these law enforcement impersonator accounts by notifying users who have interacted with these accounts, following the Santa Clara Principles when removing the law enforcement accounts, and adding notifications to agencies’ Facebook pages to inform the public when the agencies’ policies permit impersonator accounts in violation of Facebook’s policy.

Please contact your members of Congress and urge them to hold CBP accountable. Congress depends on hearing from their constituents to know where to focus, and public pressure can ensure that social media surveillance won’t get overlooked.