Do You Need to Worry About DHS Looking at Your Social Media Conversations?

The Daily Mail over the weekend published a widely picked up story on the extent of the U.S. Department of Homeland Security’s (DHS) monitoring of social media for information that not only signals a threat to the United States or other countries but also “reflect adversely” on the DHS itself and its “response activities.” In a bit of its usual over-hype, the Daily Mail story listed words like Mexico, cloud, or pork as ones to possibly avoid when posting to social media sites since they are among the hundreds of words DHS routinely searches for on various social media sites every day. But whether or not you really are subject to DHS scrutiny may rest with some rather subjective decisions by a trio of men named Brad, Ray, and Mitch.

First, a little bit of the back story.

The Daily Mail story is based upon a Freedom of Information (FOI) lawsuit filed by the Electronic Privacy Information Center (EPIC) in December of 2011 to discover the scope of DHS social media snooping activities which began in early 2010.

At that time, DHS had initiated a pilot social media surveillance capability for specific events, such as the earthquake in Haiti in January, the 2010 Vancouver Winter Olympics held in February, and the April BP oil spill. The idea–which is not entirely unreasonable–was to get a broader picture of what was happening on the ground by looking at what was being tweeted, blogged about, being put on message boards, etc., instead of waiting for regular mass media news cycle to publish information. The downside was that the raw information being posted on social media sites might reflect nothing more than rumors, speculation, and the usual conspiracy theories. But among all the chaff, the hope was, some kernels of truth that DHS could acted upon might appear in a near real time manner.

Apparently, those experimental monitoring efforts provided sufficient intelligence value that in June 2010 DHS decided that it needed to start monitoring social media on a full time basis.  So, in February 2011, the DHS signaled it was now ready to pursue this goal by putting out a public notice that it intended to establish a new DHS “Publicly Available Social Media Monitoring and Situational Awareness Initiative System of Records.” The purpose of creating this new “system of records” was to indeed monitor social media such as “publicly available online forums, blogs, public websites, and message boards” to provide DHS (and other government officials at the federal, state, local and foreign level) with increased “situational awareness and establish a common operating picture.” A slightly more detailed description of DHS’s monitoring approach is found here (pdf) in its privacy assessment of the operation. The document also gives an initial list of search terms the DHS proposed to use in monitoring social media—running from telecommunications, to terrorist, to tornado.

However, a close reading of what DHS was proposing to do wasn’t just some benign monitoring of social media but to also actively (and covertly) participate on the social media sites, as well as to obtain personally identifiable information (including full names, affiliations, and positions) of those participating in online discussions, all based on posts using those above mentioned search terms.

(I wonder how DHS separates posts created by its own social media covert agents from those created by others being monitored?)

Needless to say, this raised concerns among privacy advocates as well as members of Congress. In April of last year, EPIC requested more information from DHS about the social media surveillance program and especially the deal it inked with a government contractor to carry out the monitoring. The DHS decided to effectively ignore EPIC's request. As a result, in December 2011, EPIC filed a FOI lawsuit (pdf) against the DHS to get the information.

In January and February of this year, the DHS decided because of the lawsuit and probably congressional pressure to start releasing information about its social media monitoring program, including a redacted version of the operating procedures and search terms used by analysts in monitoring social media sites (pdf).  The Analyst’s Desktop Binder, as it is called, describes which news events and information analysts need to be on the lookout for and when and to whom to disseminate it. Apparently, according to the Item of Interest (IOI) Severity Chart,  if subjective social media reports “reflect adversely” on DHS “especially those that have a negative spin on DHS/Component preparation, planning, and response activities,” it will be passed along to others in DHS after it is verified by “Brad, Mitch or Ray, or one of the other team leads.” I wonder who Brad, Ray or Mitch are, and are they government employees or contractors?

The DHS insisted at Congressional hearings in February that what is it is doing is necessary, legal and certainly doesn’t violate anyone’s privacy rights, but others aren’t so sure. When does critiquing the government, and especially DHS which has a ragged track record on projects, appear to those inside government as a moving from being legitimate criticism to becoming threatening? Does it really depend on the personal views of the Brad’s, Ray’s and Mitch’s and other team leads that DHS employs?

Furthermore, as a post at Forbes notes, DHS isn’t saying how it is gaining access to all those social media sites it is monitoring. The post speculates that “the DHS has a ‘special arrangement’ with companies like Google, Facebook, Microsoft, Yahoo and Twitter to gain secure direct API access. This type of access would allow it to use distributed cloud technologies to monitor the daily flow of social media and search activity in something close to real time.”

The Forbes post goes on to note that “this post itself is now [likely] coming up on the DHS radar,” as no doubt this one (and comments to it) will as well.

I wonder if anyone at last week’s 24-hour Hackathon created an app to highlight DHS search terms in case you wanted to avoid using them on social media posts, or alternatively, use as many of them as possible to annoy the DHS analysts? If not, I am sure one will be available soon.

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Advertisement