THE IRONIC PRIVACY ACT.

• Author: Hu, Margaret

ABSTRACT

This Article contends that the Privacy Act of 1974, a law intended to engender trust in government records, can be implemented in a way that inverts its intent. Specifically, pursuant to the Privacy Act's reporting requirements, in September 2017, the U.S. Department of Homeland Security (DHS) notified the public that record systems would be modified to encompass the collection of social media data. The notification justified the collection of social media data as a part of national security screening and immigration vetting procedures. However, the collection will encompass social media data on both citizens and noncitizens, and was not explicitly authorized by Congress. Social media surveillance programs by federal agencies are largely unregulated and the announcement of social media data collection pursuant to the reporting requirements of the Privacy Act deserves careful legal attention. Trust in the Privacy Act is at risk when the Act's notice requirements announce social media data collection and analysis systems under the guise of modifying record collection and retention protocols. This Article concludes that the social media data collection program proposed by DHS in September 2017 requires express legislative authorization.

TABLE OF CONTENTS INTRODUCTION I. INTRODUCTION TO PRIVACY ACT AND SUMMARY OF CONCERNS RAISED BY THE DHS NOTICE: "PRIVACY ACT OF 1974; SYSTEM OF RECORDS" (SEPTEMBER 18, 2017) A. Introduction to the Privacy Act of 1974 B. A Brief Overview of Selected Comments to DHS Notice "Privacy Act of 1974; System of Records" (September 18, 2017) II. BRIEF HISTORY OF SOCIAL MEDIA INTELLIGENCE GATHERING BY DHS A. DHS Social Media Monitoring Pilot Programs B. DHS Social Media Monitoring as Official Policy: DHS Directive 110-01 C. SOCMINT: Social Media Intelligence and Algorithmic Decision-making III. EXTREME VETTING A. Muslim Ban and Social Media Screening of Immigrants B. Extreme Vetting Initiative and Visa Lifecyle Vetting Initiative IV. PRIVACY AND TRUST: DISTRUST IN THE PRIVACY ACT A. Examining Methods of Subverting the Privacy Act's Intent: DHS Notice "Privacy Act of 1974; System of Records" (September 18, 2017) B. Undermining Trust in the Privacy Act: Potential Misuse and Overuse of Privacy Act's Exemptions by DHS CONCLUSION APPENDIX A APPENDIX B APPENDIX C APPENDIX D INTRODUCTION

Social media surveillance (1) tools allow the government to collect, aggregate, and analyze billions of pieces of social media data points. (2) With approximately "2.3 billion active social media users[,]" (3) the ubiquity and public availability of social media (4) allows the government to monitor those who "upload hundreds of millions of photos and send 500 million tweets each day, add 300 hours of video to YouTube each minute, and create six new Facebook profiles each second." (5) Nick Rasmussen, Director of the National Counterterrorism Center, explained: "[T]he work we're doing now with our partners in the intelligence community often doesn't involve really, really sensitive intelligence. It involves looking at Twitter and or looking at some other social media platform and trying to figure out who that individual behind that screen name, behind that handle might actually be and whether that person poses a threat...," (6)

The advent of the digital age has brought the advent of Social Media Intelligence (SOCMINT) and Open-Source Intelligence (OSINT) to accompany other intelligence gathering tools, such as Human Intelligence (HUMINT) and Signals Intelligence (SIGINT). (7) The disclosures of former National Security Agency (NSA) contractor Edward Snowden in 2013 revealed the extent to which the intelligence community relies upon social media and internet surveillance, (8) and other data surveillance and cybersurveillance tools." PRISM, for example, one of the first revelations, allowed the NSA and Federal Bureau of Investigation (FBI) to retrieve data from Microsoft, Yahoo, Google, Facebook, Skype, YouTube, Apple, and other companies. (10) Much research examining the legal consequences of the Snowden revelations has focused on activities that are explicitly recognized as foreign intelligence gathering and national security surveillance activities. (11) This Article, however, does not focus on foreign intelligence gathering or law enforcement data collection that is self-described by the federal government as surveillance. It also does not analyze the constitutional impact of social media data collection by the U.S. Department of Homeland Security (DHS) or other federal agencies. (12)

Instead, this Article focuses its attention on how social media intelligence-gathering programs conducted by the intelligence community may be replicated by DHS government record collection and retention protocols. Specifically, it aims to demonstrate how data surveillance, or dataveillance, (13) is increasingly bureaucratized in the digital age, often taking advantage of citizens' trust in day-to-day governance activities, such as the federal government's public announcement of its records collection and records maintenance protocols. To illustrate how social media intelligence objectives can be replicated under federal immigration law and policy, and through the record collection protocols of DHS, this Article focuses on a "Privacy Act of 1974; System of Records[:] Notice of Modified Privacy Act System of Records," published in the Federal Register by DHS on September 18, 2017 (September 2017 DHS Notice). (14) The Notice announced a modification of a specific system of records maintained by DHS: "DHS/USCIS [United States Citizenship and Immigration Services]ICE [Immigration and Customs Enforcement]-CBP [Customs and Border Protection]-001 Alien File, Index, and National File Tracking System of Records." (15)

Under the public notice requirements of the Privacy Act of 1974, (16) in a Federal Register Notice published by DHS on September 18, 2017, DHS notified the public that this DHS record system would be modified to encompass social media data collection. (17) This social media data collection program should be understood as representing a bureaucratized evolution of digital surveillance or cybersurveillance. (18) Many new efforts to collect and analyze social media data are not labeled as surveillance or intelligence gathering programs. Rather, social media surveillance on citizens and noncitizens alike can occur administratively. As an outgrowth of the administrative state, they may at times fall outside of the legal restraints (19) imposed on the intelligence community by foreign intelligence surveillance law or the criminal procedure protections of the Fourth Amendment of the U.S. Constitution. Better understanding the routinized administration of social media surveillance as a screening and vetting procedure under immigration law, or as a homeland security or national security policy under DHS programs, can shed light on this emerging phenomenon. (20)

In the September 2017 DHS Notice, for instance, DHS explained that social media data now will be included in the Alien File (A-File). (21) The AFile is an official record of an immigrant applicant's visa and immigration history. (22) Alien registration numbers and related A-Files are created for immigrants and certain categories of non-immigrants who are granted employment authorization. (23) In addition to naturalized citizens and lawful permanent residents (green card holders), immigrant visa holders, asylees, and special immigrant juveniles, and student visa holders with optional practical training also possess A-File records by DHS. (24)

The September 2017 DHS Notice revealed that social media data can now be retained in the A-Files for both noncitizens and lawful permanent residents, as well as naturalized or foreign-born citizens of the United States. By some estimates, there are approximately forty-three million foreign-born individuals currently residing in the United States. (25) DHS retains A-File records after individuals gain naturalized U.S. citizenship. (26)

DHS claims that the September 2017 DHS Notice conforms to the existing protocol. In response to requests to clarify the Notice, DHS stated: "The notice did not announce a new policy. The notice simply reiterated existing DHS policy regarding the use of social media." (27) Yet, the Notice indicates that social media screening is emerging as a routinized aspect of DHS screening and vetting procedures. The Notice also signals how social media intelligence is increasingly becoming bureaucratized--treated not as a surveillance practice, but, rather, as a records collection practice.

This Article proceeds in four parts. Part I offers a brief overview of the Privacy Act and why experts have raised concerns that social media data collection promulgated by DHS is inconsistent with the law. Part II provides a summary of how DHS has engaged in social media monitoring since at least 2010. It also attempts to contextualize DHS social media surveillance practices within other algorithmic decisionmaking systems that are increasingly dependent upon mass data collection, including the gathering of social media data. Part III focuses on extreme vetting as a case study to better understand the data analytics-driven screening programs embraced by contemporary immigration and national security policies. Part IV explains why the reliance upon the Privacy Act's system of records notice (SORN) requirements to expand social media data collection undermines trust in federal administrative action and deserves careful legal attention.

Trust in the Privacy Act is at risk when the Act's required notice announces social media data collection and analysis systems under the guise of modifying record collection and retention protocols. This Article concludes that the social media data collection proposed by DHS requires express legislative authorization. (28) The Privacy Act does not authorize data collection. A Federal...