On Social Media, How Can DHS Tell Who’s an Immigrant?

On September 18, the Department of Homeland Security (DHS) revealed a new policy for collecting immigrants’ social media information. According to a Notice published in the Federal Register, effective October 18, DHS is expanding its categories of records that “constitute the official record of an individual’s immigration history” to include “social media handles, aliases, associated identifiable information, and search results.” In addition, the sources from which DHS creates immigration-history records will be expanded to include, among others, “publicly available information obtained from the internet,” “commercial data providers” (also called “commercial data aggregators”), and “information obtained and disclosed pursuant to information sharing agreements.”

DHS characterized this Notice as an administrative formality, given that the agency “has and continues to monitor publicly-available social media to protect the homeland.” Indeed, this is not DHS’s first rodeo when it comes to monitoring non-citizens’ social media. But existing screening programs (such as those at Customs and Border Protection and the State Department), as well as a border surveillance bill now pending in the Senate, have focused on visa applicants and temporary visitors to the U.S. As noted in BuzzFeed News, which first reported on the Notice, DHS’s policy will cover not just new immigrants, but also legal permanent residents (LPRs, i.e., green-card holders) and naturalized citizens. (I’m using the term “immigrants” loosely here, to include all of these categories.) That means DHS could monitor immigrants’ social media long after they’ve settled in the U.S., not just while initially evaluating whether to admit them to the country.

So: how does DHS figure out which accounts on Facebook, Twitter, Instagram, and other services belong to existing or would-be immigrants to the U.S., rather than natural-born U.S. citizens? (That is, assuming the agency cares if you fall into the latter category, which isn’t necessarily so.) Anonymous and pseudonymous accounts abound on these services. Many people share the same first and last names, so even a real name attached to an account might need disambiguation. Further, demanding that immigrants disclose their social media handles might yield underinclusive results. Many people have multiple accounts: an “official” account, meant to be seen by parents, potential employers, and the like; and another, more secretive account kept separate from one’s “real” identity. If DHS was monitoring social media even before making this official change, then it must be dealing with this issue already.

One possible avenue for determining whether a social media user is an immigrant is to demand information on the user from the platform. With a subpoena or court order, DHS can get basic subscriber information about a particular account, such as the email or IP address(es) associated with an account. The agency can then check whether the email address is associated with an individual in DHS’s systems. Given an IP address, it could determine which ISP owns that IP address, then serve another subpoena or court order on the ISP to learn the subscriber’s name and address, and, again, search its own systems for a match.

It’s not clear from the Notice, though, that user-data demands to platforms fall among the “record source categories” available to DHS as a routine matter. Plus, there must be some grounds for legal process to issue, and compliance is not guaranteed. What if there’s no specific investigation or proceeding to justify a subpoena or get a judge to sign off on a court order? What if, when served with the demand, the company does not hand over the requested account information? Twitter and Facebook both receive numerous requests every year from the federal government for basic subscriber information, and typically they provide it. However, they sometimes fight back to protect their users’ anonymity, as Twitter did against an administrative summons from DHS earlier this year (prompting the agency to swiftly withdraw the summons).

This is where the newly expanded sources of records come in. Gizmodo noted that “information sharing agreements” could include surveillance agreements among the Five Eyes countries (the U.S., Canada, the U.K., Australia, and New Zealand), or DHS’s agreements with private companies in the Internet and communications sectors.

The “commercial data providers” category is also unsettling. Data brokers collect and sell information about you, which they gather from public, governmental, and commercial sources. As a 2014 FTC report on data brokers notes, a data broker’s dossier on an individual might identify her social media accounts. It might also include country of origin, or proxies for it: data points such as ethnicity, language, and religion from which DHS could draw an inference (however inaccurate or biased) about the individual’s citizenship. (Edited to add: Of the nine brokers the FTC report studied, DHS currently contracts with two: Corelogic and Recorded Future. That's in addition to other major data brokers such as LexisNexis, credit bureaus like Equifax and TransUnion, and various background-check companies, among many others.) Of course, these dossiers aren’t necessarily accurate. The risk of false positives and false negatives makes DHS’s use of “commercial data providers” for immigration record purposes even more troubling.

Social media companies have acted to stop data-mining entities such as Geofeedia and Dataminr from enabling government surveillance of their users. Yet as long as they continue to sell their users’ information to third-party companies (for purposes such as advertising and analytics), they have little effective control over where it ultimately ends up. Once it goes out the door, user data can get re-sold and combined with other information by a constellation of data-mining companies. Cutting off Geofeedia and Dataminr means that government agencies will simply switch to other monitoring companies that are ready, willing, and able to provide the information they need, whether directly or through layers of intermediaries.

Finally, it may be that for all the massive amounts of data they hold about us, existing data aggregators cannot meet DHS’s information needs. After all, over 43 million people in the U.S. are foreign-born. (That includes over 13 million LPRs and over 7 million citizens who were naturalized in the last decade alone.) But DHS need not worry: companies such as IBM are lining up for the opportunity to develop data-mining software for “extreme vetting” of visitors to the U.S. That software could be repurposed, or new software developed, to monitor immigrants living in the U.S. as well as temporary visitors to our country.

This blog post thought through some of the ways DHS might try to tell immigrants apart from natural-born American citizens on social media. Suspicionless mass monitoring of immigrants via social media is surely a complicated logistical challenge. It’s also privacy-invasive, speech-chilling, and un-American. DHS is accepting public comments on the Notice through October 18, 2017. You can submit your comment here, and you can read others’ comments (1,574 and counting as of this writing) here.