DEEP DIVE: CBP’s Social Media Surveillance Poses Risks to Free Speech and Privacy Rights

The U.S. Department of Homeland Security (DHS) and one of its component agencies, U.S. Customs and Border Protection (CBP), released a Privacy Impact Assessment [.pdf] on CBP’s practice of monitoring social media to enhance the agency’s “situational awareness.” As we’ve argued in relation to other government social media surveillance programs, this practice endangers the free speech and privacy rights of Americans.

“Situational Awareness”

The Privacy Impact Assessment (PIA) states that CBP searches public social media posts to bolster the agency’s “situational awareness”—which includes identifying “natural disasters, threats of violence, and other harmful events and activities” that may threaten the safety of CBP personnel or facilities, including ports of entry.

The PIA aims to inform the public of privacy and related free speech risks associated with CBP’s collection of personally identifiable information (PII) when monitoring social media. CBP claims it only collects PII associated with social media—including a person’s name, social media username, address or approximate location, and publicly available phone number, email address, or other contact information—when “there is an imminent threat of loss of life, serious bodily harm, or credible threats to facilities or systems.”

Why Now?

It is unclear why DHS and CBP released this PIA now, especially since both agencies have been engaging in social media surveillance, including for situational awareness, for several years.

The PIA cites authorizing policies DHS Directive No. 110-01 (June 8, 2012) [.pdf] and DHS Instruction 110-01-001 (June 8, 2012) [.pdf] as governing the use of social media by DHS and its component agencies (including CBP) for various “operational uses,” including situational awareness. The PIA also cites CBP Directive 5410-003, “Operational Use of Social Media” (Jan. 2, 2015), which does not appear to be public. EFF asked for the release of this document in a coalition letter sent to the DHS acting secretary in May.

Federal law requires government agencies to publish certain documents to facilitate public transparency and accountability related to the government’s collection and use of personal information. The E-Government Act of 2002 requires a PIA “before initiating a new collection of information that will be collected, maintained, or disseminated using information technology” and when the information is “in an identifiable form.” Additionally, the Privacy Act of 1974 requires federal agencies to publish Systems of Records Notices (SORNs) in the Federal Register when they seek create new “systems of records” to collect and store personal information, allowing for the public to comment.

This appears to be the first PIA that CBP has written related to social media monitoring. The PIA claims that the related SORN on social media monitoring for situational awareness is DHS/CBP-024 Intelligence Records System (CIRS) System of Records, 82 Fed. Reg. 44198 (Sept. 21, 2017). Given that DHS issued directives in 2012 and CBP issued a directive in 2015 around social media monitoring, this PIA comes seven years late. Moreover, there is no explanation as to why the SORN was published two years after CBP’s 2015 directive, nor why the present PIA was published two years after the SORN.

In March, CBP came under scrutiny for engaging in surveillance of activists, journalists, attorneys, and others at the U.S.-Mexico border, with evidence suggesting that their social media profiles had been reviewed by the government. DHS and CBP released this PIA only three weeks after that scandal broke.

Chilling Effect on Free Speech

CBP’s social media surveillance poses a risk to the free expression rights of social media users. The PIA claims that CBP is only monitoring public social media posts, and thus “[i]ndividuals retain the right and ability to refrain from making information pub