Everyone knows it's wise to be careful about what they share on Facebook, that it's generally unwise to post pictures of last night's whiskey-thon and the naked frolic around the park that followed. Your cousin might send them to your uncle who could forward them right on to your mom. But new documents, released by the Department of Homeland Security under pressure from a Freedom of Information Act suit, reveal that social network indiscretions have the potential for much deeper impact than tarnishing reputations.
Last week, Homeland Security released an internal memo on how to use social networking websites to investigate fraud in marriage-based immigration applications. The document is the first of what's expected to be a ream of incriminating paper the suit will force out of several law enforcement agencies. The documents raise serious questions about government surveillance in the 21st century and the rules that protect everyone from activists to criminal suspects from abuse.
"The traditional advice is to be conservative about what you share," says Jason Schultz*, an attorney with the Samuelson Law, Technology & Public Policy Clinic at Berkeley Law School, which helped file the FOIA suit. "But the reality is that time has passed. Fundamentally, we are a sharing society now and we will keep doing that. We need laws that protect people accordingly."
The FOIA request, filed by the Berkeley clinic and the Electronic Frontier Foundation, requests information from the Department of Homeland Security as well as a list of other government agencies, including the FBI, CIA and National Security Agency. The agencies initially refused to release the information, but have started to respond since the groups ratcheted up pressure by filing a lawsuit.
The Homeland Security's U.S. Citizenship and Immigration Services memo, called "Social Networking Sites and Their Importance to FDNS" (Office of Fraud Detect and National Security), goes into some detail about which sites agents should join, how to join them and how to effectively use social media to uncover fraud.
"Narcissistic tendencies in many people fuels a need to have a large group of 'friends' link to their pages and many of these people accept cyber-friends that they don't even know," the document reads. These networks thus provide an "excellent vantage point ... to observe the daily life of beneficiaries and petitioners who are suspected of fraudulent activities" and "see if ... [they] are in a valid relationship or are attempting to deceive CIS."
"We assume that given what we've found so far this is the tip of the iceberg," says Schultz. As more documents emerge, Schultz hopes that they will provide greater understanding about the government's Internet-based surveillance.
The realm of government surveillance and policing through online social networks is a relative legal void, with agencies making their own rules and with little legislated oversight or regulation in place. "The rules," says Schultz, "are just not up to date. We're still using rules for email and voicemail, for a different world."
At issue is whether it should be permissible for government agents to "friend" suspects on social media sites without acknowledging that they are government agents.
According to Jim Dempsey, vice president for public policy at the Center for Democracy and Technology, the problem is that the offline rules about government investigations do not match up with the social norms of the Internet. "The offline rule is that if a government official friends you, even under a pretense, but you trust him, that that information can be used against you. Constitutionally, the rule is, you make friends at your own peril." But he explains, "in the real world, there are a whole physical set of limits on people. In the online world," Dempsey says, "there are so many possible friends and so few limits, the physical barriers are removed."
In the case of marriage fraud investigations then, in the "real world," it is legal for a Homeland Security agent to show up unannounced at an applicant's apartment when the applicant is not present and ask roommates questions. But in that case, the interaction is constrained by the limits of the conversation itself and by the directness of the interaction. When moved to the world of online social networks, if an agent "friends" a suspect under the pretense of being someone else, none of the normal social queues and temporal limitations exist. Once an agent has access to a suspect's Facebook page, they have access to a much larger quantity of information than they would have in the physical world.
"There are lower barriers to entry and the volume of info that you get once you succeed in breaking the barrier is much greater," says Dempsey.
All of this raises questions about the limits of the government's policing practices. If the norms of social interaction are different online than they are offline, then, the argument goes, the laws should reflect that difference.
"There are a whole set of concerns raised, including whether the government uses this information for profiling," says Schultz. "The more data they have the easier it is to make lists to profile people. Once the government collects information they almost never throw it away."
And with online social media providing a quantity of information that in-person interactions do not, the potential for the government to build massive databases to be used for other policing functions grows.
Schultz says the electronic Frontier Foundation and the Samuelsson Center will soon release an analysis of a set of "law enforcement guides" released by at least one of the agencies named in the suit. He says social networks like Facebook and Myspace sent these guides to government agencies to establish parameters of what they are willing to share.
"Most of the social networking sites have law enforcement guides that show you over time how these companies are giving info to government when they ask for it. We'll post copies of the manuals so that consumers have a better idea of what privacy constraints each has."
It's not clear how many marriage fraud investigations have been carried out using social networking sites and whether the government is allowed to use the information as they would other forms of investigation. It also remains to be seen what other kinds of policing and investigative work have employed online tools.
Much like the offline world, not everyone is equaly vulnerable to surveillance and intrusion on the Internet. In the case of marriage fraud, immigrants have been made the target. And, because investigators are likely to be looking for signs of extra-marital life to prove fraud, photos albums or comments that suggest a life that is anything but hetero-normative may condemn a suspect.
Of course, the reality is that offline protections are not very strong, either. Rachel Meeropol, an attorney at the advocacy group Center for Constitutional Rights, points to a number of recent incidents of government surveillance of activists by Homeland Security in which agents used questionable practices.
"There's a long history of that sort of thing," says Meeropol. The Center for Constitutional Rights has released a guide for activists called If An Agent Knocks. "There are definitely problems," Meeropol warns, "before we even talk about social networks."
*A previous version of this post incorrectly identified Jason Schultz's surname.