EPIC sues DHS over Social Media

Posted on 22 December 2011 by


The Electronic Privacy Information Center (EPIC) has filed a lawsuit against the United States Department of Homeland Security (DHS) over what EPIC states is DHS’ failure to comply with Freedom of Information Act requests by EPIC regarding DHS programs to monitor social media.

Say that ten times fast.

The lawsuit stems from one of several events which actually helped kick off Police Led Intelligence: the 2011 breach of cyber contractor HBGary Federal, in which thousands of emails between the contractor and its government customers and prospects were leaked by Anonymous. You can still download the 4GB torrent of those emails.

The breach of the emails (everyone in the information security field spent at least an hour ego-surfing – that is, searching for their name within the leaked emails) ultimately created serious political ramifications; led to the dismissal and disgrace of the firm’s president, Aaron Barr; and revealed government plans to create fake campaigns on social media posing as grassroots movements, and all sorts of other salacious stuff which was common knowledge in the intelligence and information security community but which seriously pushed the buttons of privacy advocates and shameless opportunists who had long sought public (or unclassified) proof that this kind of stuff occurred.

For the record, we support EPIC – hell, we even give them money – and think that DHS should absolutely comply with FOIA.

But some of the stuff in the lawsuit concerns us.

First, it seems that EPIC is concerned about the fact that the government will read and record social media posts by people who state publicly (on social media) information about themselves.

In news reports and a Federal Register notice, the DHS has stated that it will routinely monitor the public postings of users on Twitter and Facebook.

I’m sorry, are there any other public utterings, postings or information publication that the government should not read? There is, after all, a Library of Congress, in which the government keeps copies of, you know, published thoughts, ideas, concepts and materials – even social media posts.

From the Library of Congress (which keeps all publicly tweeted stuff):

Twitter is part of the historical record of communication, news reporting, and social trends – all of which complement the Library’s existing cultural heritage collections. It is a direct record of important events such as the 2008 U.S. presidential election or the “Green Revolution” in Iran. It also serves as a news feed with minute-by-minute headlines from major news sources such as Reuters, The Wall Street Journal and The New York Times. At the same time, it is a platform for citizen journalism with many significant events being first reported by eyewitnesses.

This is, you understand, the government saying this. Should it stop?

What about the government or its agents remembering the contents of advertising billboards along the highway? I’m exaggerating to make a point, obviously, but what EPIC seems to be saying is that information which people place on public fora should not be examined or stored by the government. From the lawsuit:

Social media users routinely provide sensitive and personal information in their online communications… Social media users have no reason to believe that the Department of Homeland Security is tracking their every post…

We agree, and we disagree. We agree that people say the darndest things on social media. But to say that they have no idea the DHS is tracking every post is a little disingenuous. The DHS is not tracking every one of “their” posts; it’s tracking every post in general. This is akin, we believe, to holding a driver license checkpoint of every car on a given road – not singling anyone out but seeking information from everyone.

Also, if you’re stupid enough to say it in public, isn’t the government entitled to be stupid enough to read and record it and, if proper, use it to interrogate or prosecute you? How many people have been arrested because they bragged on Facebook about crimes they committed? How many fugitives have been located thanks to their loudmouthed, if ill-advised, social media strategies?

Now, we will admit that EPIC have a good point about fictitious user names:

The agency plans to create fictitious user accounts and scan posts of users for key terms. User data will be stored for five years and shared with other government agencies.

This is, as we’ve said elsewhere, an issue. There are terms of service on most social media sites which prohibit this. And it’s against the rules of certain agencies to pose as someone else. However, we don’t believe – and we’ve discussed this with lawyers – that this invalidates a program to gather open source information publicly posted to social media sites.

In any event, the lawsuit is a good read and is an important milestone in the development of a sensible framework of ground rules in a rapidly changing environment. We applaud EPIC for sticking to its guns and holding DHS as accountable as the law permits.