Last year, the EFF, in cooperation with the University of California, Berkeley, submitted requests under the Freedom of Information Act (FOIA) to a number of government agencies for documents regarding surveillance of social networks.
The EFF received DHS documents this month indicating that DHS's US Citizenship and Immigration Services (USCIS) agency was using social networks to investigate citizenship petitions and that the department had set up a social networking monitoring center to collect and monitor online communication during the 2009 presidential inauguration.
The USCIS documents revealed that the agency was instructing its agents to pose as “friends” to those applying for citizenship in order to gather evidence of fraud, such as whether the applicant was in a “valid relationship.” One of the documents, a memo entitled Social Networking Sites and Their Importance to FDNS [Office of Fraud Detection and National Security], states:
“Narcissistic tendencies in many people fuels [sic] a need to have a large group of “friends” link to their pages and many of these people accept cyber-friends that they don’t even know. This provides an excellent vantage point for FDNS to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities….This social networking gives FDNS an opportunity to reveal fraud by browsing these sites to see if petitioners and beneficiaries are in a valid relationship or are attempting to deceive [USCIS] about their relationship. Once a user posts online, they create a public record and timeline of their activities. In essence, using MySpace and other like sites is akin to doing an unannounced cyber 'site-visit' on a [sic] petitioners and beneficiaries.”
In a blog post, Jennifer Lynch, an EFF staff attorney, described the USCIS program as “disconcerting, both for its assumptions about people who use social networking sites and for its potentially deceptive and unethical approach to collecting information.”
Lynch told Infosecurity that “it is not clear what evidence they need for fraud before they can go online and look at people’s profiles. The memo seems to encourage agents to go on Facebook, MySpace, and other social media and poke around into people’s private profiles and possibly friend them in order to get access to their private profiles. It makes a lot of assumptions about how people use social media that I don’t think are necessarily correct. It assumes that everything we say online is current and accurate. That is not necessarily true.”
In another DHS document, the department describes the establishment of a social networking monitoring center to monitor sites for “items of interest in the routine of social networking posts on the events, organizations, activities and environment” surrounding the presidential inauguration.
In the set of slides, DHS said it would not collect “personally identifiable information (PII), such as full name, email address, mailing address, telephone numbers, credit card numbers, IP addresses, or specific locations during the inauguration period.” It also said it would adhere to the “fair information practice principles set forth in the DHS privacy technology implementation guide.”
Lynch expressed some skepticism about the DHS privacy caveats. “It not clear what they did with the information after the inauguration was over”, Lynch told Infosecurity. She said that studies have shown that it is possible to match information that does not contain PII with personal details gathered from various databases on the internet. “It is not difficult to re-identify people if you have enough and the right information about them. So it wasn’t completely clear from the DHS slides what the DHS was doing with information like user names.”
DHS has said that it destroyed the information gathered as part of the inauguration monitoring effort.
Lynch said that if DHS was just gathering public information from social networking sites, she wouldn’t consider it spying, but monitoring. “It’s certainly creepy to think that government agents are reading our social media pages and watching what we do online.”
She said that US citizens should be “concerned” about the US government’s surveillance of social media sites. “People need to make sure that the information they want to keep private is kept private. So they need to adjust their privacy settings accordingly and not accept friend requests from people they don’t know.”