On June 16, the House of Representatives passed an Intelligence Authorization Act for Fiscal Year 2016, which requires the Director of National Intelligence (DNI) to produce a report on terrorist use of social media (Section 344). On July 7, the Senate Select Intelligence Committee approved an intelligence authorization bill that does not include the House bill’s mandate for a DNI report but does require social media companies to report terrorist activity to the federal government (Section 603). These proposals are new developments in the growing efforts to counter terrorist use of social media.

The House Requirement for a DNI Report

The House bill requires the DNI to produce a report containing the "assessment of the intelligence community on terrorist use of social media." The report must assess:

What role social media plays in radicalization in the U.S. and elsewhere;

How terrorists and terrorist organizations use social media;

The intelligence value of social media posts by terrorists; and

The impact on U.S. national security of terrorist content on social media for fundraising, radicalization, and recruitment.

This proposal connects to efforts to understand terrorist use of social media, its national security implications, and ways to counter it. Legislative interest in the intelligence community’s assessment of these issues is understandable, but controversies about, for example, the role social media plays in radicalization, will heighten scrutiny of the intelligence community’s conclusions. Depending on what it contains, the DNI’s report could increase congressional interest in regulating social media for counter-terrorism purposes—another reason such a report could be consequential.

The Senate Requirement for Social Media Company Reporting

The bill approved by the Senate Intelligence Committee requires anyone who "obtains actual knowledge of any terrorist activity" while providing electronic communication or remote computing services to the public through means of interstate or foreign commerce to provide federal authorities with "the facts or circumstances of the alleged terrorist activities." This requirement directly regulates social media providers and raises more questions and policy implications than the House mandate for a DNI report.

The provision does not define "terrorist activity," beyond requiring reports of activities touching on the federal crime of "distribution of information relating to explosives, destructive devices, and weapons of mass destruction" (see 18 USC sec. 842(p)). Without parameters, companies could interpret "terrorist activity" differently, creating under-reporting (which would harm the purpose for reporting) and over-reporting (which would create privacy and free speech concerns).

To protect privacy, the provision states that it may not be construed to require a provider to monitor users, subscribers, or customers or the content of their communications. Although social media providers do not have to conduct active surveillance, the provision does not address privacy or free speech worries associated with reporting communications to the federal government (my recent Cyber Brief provides some guidance on these issues). Further, the provision does not specify what federal agencies (FBI, DHS, NSA, CIA) should receive reports because it assigns that responsibility to the Attorney General. Nor does the provision say anything about what agencies can do with submitted information. Thus, the provision raises concerns similar to those advocates of civil liberties have raised about proposed cybersecurity legislation designed to increase information sharing between the private sector and the federal government.

News reports raise questions about the purpose of the reporting requirement. Senator Diane Feinstein, a member of the Senate Intelligence Committee, argued that "social media companies should be working with the government to prevent the use of their systems by violent militants." The Washington Post quoted an unnamed Senate aide who indicated the provision seeks to stop companies from removing content related to terrorism without informing the federal government in order to avoid losing potentially valuable intelligence. Reuters quoted "an official familiar with the bill" stating that its "main purpose was to give social media companies additional legal protection if they reported to the authorities on traffic circulated by their users." Legislation can serve multiple objectives, but, given sensitivities about tech companies providing information to the federal government, clarity on the purposes of this proposed regulation is critical.

The provision leaves other questions unanswered. What happens to a social media provider that does not report terrorist activity of which it is aware? What oversight is needed to monitor reporting terrorist activity on social media to the federal government? How will such regulation be perceived by foreign customers of U.S. companies who are, post-Snowden, upset about the U.S. tech sector’s cooperation with, and vulnerability to, the U.S. government? Does the requirement apply to foreign companies that, in providing communication or computing services, access facilities or means of foreign or interstate commerce?

The House and Senate proposals demonstrate intensifying concern in Washington, D.C. about terrorist use of social media, with the Senate bill containing the first attempt to require social media companies to support the federal government’s fight against digital terrorism. Although neither bill is close to becoming law at the moment, what happens next bears watching for national security, civil liberties, and business reasons.