CBP Fails to Meaningfully Address Risks of Gathering Social Media Handles
Last month we submitted comments to Customs and Border Protection (CBP), an agency within the U.S. Department of Homeland Security, opposing its proposal to gather social media handles from foreign visitors from Visa Waiver Program (VWP) countries. CBP recently provided its preliminary responses (“Supporting Statement”) to several of our arguments (CBP also extended the comment deadline to September 30). But CBP has not adequately addressed the points we made.
1) We argued that the proposal would be ineffective at protecting homeland security, because would-be terrorists seeking to enter the U.S. under the VWP are unlikely to voluntarily provide social media handles that link to incriminating posts that are publicly available. In its Supporting Statement, CBP said:
“Extensive research by DHS and our interagency partners has determined that these additional data elements will increase the ability to stop these travelers before they attempt to travel to the United States.”
“It may help detect potential threats because experience has shown that criminals and terrorists, whether intentionally or not, have provided previously unavailable information via social media that identified their true intentions.”
But CBP has not shared its purported “extensive research” or provided any details about its asserted “experience.”
Before adopting a new policy with significant privacy and free speech implications, a federal agency should provide the public with the evidence supporting the agency’s claims of efficacy. CBP has failed to do so here.
2) We argued that the proposal would violate the privacy and freedom of speech of innocent travelers and their American associates. We also made the point that given the confusing wording of the proposed language (“Information associated with your online presence—Provider/Platform—Social media identifier”), travelers may over-share and turn over not just their handles, but also their passwords.
CBP said, “If an applicant chooses to answer this question, DHS will have timely visibility of the publicly available information on those platforms, consistent with the privacy settings the applicant has set on the platforms.”
Yet the agency notably did not say what the government would do if a traveler does provide log-in information that would enable access to private online content.
3) In arguing that the proposal would violate privacy and freedom of speech, we also explained that the proposal is vague and overbroad because it contains no definitions or limitations as to what counts as a “social media identifier,” which may lead VWP visitors to share a variety of online accounts that reveal highly personal details about them.
CBP said, “A social media identifier is any name, or ‘handle’, used by the individual on platforms including, but not limited to, Facebook, Twitter, LinkedIn, and Instagram. Applicants are able to volunteer up to 10 identifiers.”
Yet the agency did not say that it would provide such explanatory text on the online ESTA application or paper I-94W form.
4) In arguing that the proposal would violate privacy and freedom of speech, we expressed concern that the government might use the social media information it gathered in unknown and future non-travel contexts to the detriment of VWP travelers and their American associates.
CBP admitted that this will occur:
“ESTA information may be shared with other agencies that have a need to know the information to carry out their national security, law enforcement, immigration, or other homeland security functions. Any and all information sharing with agencies outside DHS will abide by existing memoranda of understanding between the agencies and be consistent with applicable statutory and regulatory requirements.”
This exacerbates the chilling effect we discussed in our comments. Innocent VWP travelers may engage in self-censorship and cut back on their social media activity—even in their home countries—out of fear of being misjudged by the U.S. government, or of putting their friends and loved ones at risk.
5) We argued that the proposal would have constitutional implications for the American associates of VWP visitors, or for American travelers themselves if the program were extended to request their social media handles or include invasive searches at the border of mobile devices and “apps” or other means of accessing cloud content.
In response to constitutional concerns, CBP merely listed a statute and regulation and said, “These authorities apply to the collection of social media identifiers.”
The agency failed to acknowledge that the Constitution has supremacy over any legislative rule.
6) We argued that the proposal would spur other countries to demand the same information from American travelers, which would put Americans at risk overseas.
CBP said, “All sovereign countries are within their authority to impose travel regulations and entry requirements. DHS does not dictate the rules and regulations of other countries. DHS has added additional fields to the ESTA application over the last two years and has not seen other countries reciprocate in the questions asked to U.S. visitors.”
Yet the agency failed to recognize that seeking social media handles, including from people who have legitimate reasons for being pseudonymous online yet publicly vocal, is particularly intrusive and so may incite certain foreign governments to demand the same information from American travelers.
7) We argued that the proposal contains no standards by which CBP would evaluate public social media posts, to ensure that posts would not be taken out of context and innocent individuals would not be misjudged.
CBP said, “Highly trained CBP personnel will independently research publicly available social media information and will be able to recognize factors such as context. CBP will make case-by-case determinations based on the totality of the circumstances.”
Yet this provides little guidance for the public or even the government agents tasked with evaluating social media posts. CBP did not address our specific concern about ideological exclusion, where someone such as an academic may not pose a security risk but has views critical of American foreign policy.
As we said in our comments, we do not doubt that CBP and DHS are sincerely motivated to protect homeland security. However, the proposal to collect social media handles has serious flaws—and the government has failed to adequately address them.