Despite Facebook’s repeated warnings that law enforcement is required to use “authentic identities” on the social media platform, cops continue to create fake and impersonator accounts to secretly spy on users. By pretending to be someone else, cops are able to sneak past the privacy walls users put up and bypass legal requirements that might require a warrant to obtain that same information.

The most recent examples—and one of the most egregious—was revealed by The Guardian this week. The U.S. Department of Homeland Security executed a complex network of dummy Facebook profiles and pages to trick immigrants into registering with a fake college, The University of Farmington. The operation netted more than 170 arrests. Meanwhile, Customs and Border Protection issued a privacy impact assessment that encourages investigators to conceal their social media accounts.

Last fall, after the Memphis Police Department was caught using fake profiles to monitor Black Lives Matter activists, Facebook added new language to its law enforcement guidelines emphasizing that this practice was not permitted. Facebook also removed the offending accounts and sent Memphis a stern warning not to do it again. However, Facebook has proven resistant to sending warning letters to every agency caught red-handed; recently it turned down a request by EFF that it confront the San Francisco Police Department after court records revealed its use of fake accounts in criminal investigations.

This latest DHS investigation uncovered by The Guardian, as well as The Root’s report revealing other agencies that authorize undercover cops to friend people on Facebook, indicates that much more needs to be done.

EFF is now calling on Facebook to escalate the matter with law enforcement in the United States. Facebook should take the following actions to address the proliferation of fake/impersonator Facebook accounts operated by law enforcement, in addition to suspending the fake accounts.

As part of its regular transparency reports, Facebook should publish data on the number of fake/impersonator law enforcement accounts identified, what agencies they belonged to, and what action was taken. When a fake/impersonator account is identified, Facebook should alert the users and groups that interacted with the account whether directly or indirectly. These interactions include, but are not limited to, a friend request, Messenger messages, a comment, membership in a group, or being shown an advertisement. The user should know what agency operated the account and how long it was in operation. Facebook should also add a notification to the agency’s page informing the public that the agency is known to have created fake/impersonator law enforcement accounts. Facebook should further amend its “ Amended Terms for Federal, State and Local Governments in the United States ” to make it explicitly clear that, by agreeing to the terms, the agency is agreeing not to operate fake/impersonator profiles on the platform. Facebook has the right to take actions in response to violation of their terms, but when they do so, Facebook should be fair and consistent with the Santa Clara Principles . Facebook should review the department policies for social media use by law enforcement agencies. When law enforcement has a written policy of engaging in fake/impersonator law enforcement accounts in violation of the “Amended Terms for Federal, State and Local Governments in the United States,” Facebook should add a notification to the agency’s page to inform users of the law enforcement policy.

Facebook’s practice of taking down these individual accounts when they learn about them from the press (or from EFF) is insufficient to deter what we believe is a much larger iceberg beneath the surface. We often only discover the existence of law enforcement fake profiles months, if not years, after an investigation has concluded. These four changes are relatively light lifts that would enhance transparency and establish real consequences for agencies that deliberately violate the rules.