[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
DHS MONITORING OF SOCIAL NETWORKING AND MEDIA: ENHANCING INTELLIGENCE
GATHERING AND ENSURING PRIVACY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON COUNTERTERRORISM
AND INTELLIGENCE
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
FEBRUARY 16, 2012
__________
Serial No. 112-68
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] CONGRESS.13
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
76-514 WASHINGTON : 2012
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Daniel E. Lungren, California Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Michael T. McCaul, Texas Henry Cuellar, Texas
Gus M. Bilirakis, Florida Yvette D. Clarke, New York
Paul C. Broun, Georgia Laura Richardson, California
Candice S. Miller, Michigan Danny K. Davis, Illinois
Tim Walberg, Michigan Brian Higgins, New York
Chip Cravaack, Minnesota Jackie Speier, California
Joe Walsh, Illinois Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania Hansen Clarke, Michigan
Ben Quayle, Arizona William R. Keating, Massachusetts
Scott Rigell, Virginia Kathleen C. Hochul, New York
Billy Long, Missouri Janice Hahn, California
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE
Patrick Meehan, Pennsylvania, Chairman
Paul C. Broun, Georgia, Vice Chair Jackie Speier, California
Chip Cravaack, Minnesota Loretta Sanchez, California
Joe Walsh, Illinois Brian Higgins, New York
Ben Quayle, Arizona Kathleen C. Hochul, New York
Scott Rigell, Virginia Janice Hahn, California
Billy Long, Missouri Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
Kevin Gundersen, Staff Director
Zachary Harris, Subcommittee Clerk
Hope Goins, Minority Subcommittee Director
C O N T E N T S
----------
Page
Statements
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Counterterrorism and Intelligence.............................. 1
The Honorable Jackie Speier, a Representative in Congress From
the State of California, and Ranking Member, Subcommittee on
Counterterrorism and Intelligence.............................. 3
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security.............................................. 4
Witnesses
Ms. Mary Ellen Callahan, Chief Privacy Officer, Department of
Homeland Security:
Oral Statement................................................. 10
Joint Prepared Statement....................................... 12
Mr. Richard Chavez, Director, Office of Operations Coordination
and Planning, Department of Homeland Security:
Oral Statement................................................. 16
Joint Prepared Statement....................................... 12
For the Record
The Honorable Patrick Meehan, a Representative in Congress From
the State of Pennsylvania, and Chairman, Subcommittee on
Counterterrorism and Intelligence:
Statement of Marc Rotenberg, President, and Ginger McCall,
Staff Counsel, The Electronic Privacy Information Center
(EPIC)....................................................... 6
Appendix
Letter Submitted to Chairman Patrick Meehan From Mary Ellen
Callahan and Richard Chavez.................................... 39
Questions Submitted by Ranking Member Bennie G. Thompson for Mary
Ellen Callahan and Richard Chavez.............................. 40
DHS MONITORING OF SOCIAL NETWORKING AND MEDIA: ENHANCING INTELLIGENCE
GATHERING AND ENSURING PRIVACY
----------
Thursday, February 16, 2012
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence,
Washington, DC.
The subcommittee met, pursuant to call, at 10:04 a.m., in
Room 311, Cannon House Office Building, Hon. Patrick Meehan
[Chairman of the subcommittee] presiding.
Present: Representatives Meehan, Cravaack, Quayle, Long,
Speier, Thompson, and Hahn.
Mr. Meehan. Good morning. I get to do this, which indicates
that the Committee on Homeland Security's Subcommittee on
Counterterrorism and Intelligence will come to order.
The subcommittee is meeting today to hear testimony
regarding tactics that are employed by the Department of
Homeland Security to monitor social networking and media to
enhance intelligence gathering, while at the same time
protecting privacy. I would like to welcome everyone to today's
hearing, and I look forward to hearing from today's witnesses
on this very, very important issue.
Over the last year, this subcommittee has had hearings on a
multitude of terror-related threats, particularly focusing on
those that have influence on the homeland, including those
posed by Hezbollah, AQAP, and Boko Haram, to be specific. A
common theme that has emerged among many of these is the
groups' use of social media and networking to recruit, to plan,
to plot attacks against the homeland or U.S. interests abroad.
I emphasize that a lot of this was focused on foreign-based
websites on which this activity was presumed to be taking
place.
In December, we held a hearing on the terrorists' use of
social media. While there was disagreement among the witnesses
on the effectiveness of that, we do know that terrorists use
social media. All agreed that terrorist groups used these tools
ultimately to their advantage.
However, the use of social media isn't confined to
terrorists. It is also a criminal issue and represents an
entirely new operating space for all sorts of bad actors. I saw
it as a Federal prosecutor. Social media is now used by
individuals who share pictures with family and friends, but it
is also used by terrorists or other kinds of criminals
operating everything from frauds to other kinds of bad acts.
I understand the importance of following leads wherever it
may take investigators. So if there are leads on a social media
or social network such as Twitter or Facebook, it may be
appropriate to follow them, so long as the Government activity
is consistent with the long-standing protections against
improper intrusions into protected areas of personal privacy.
Following leads means collecting intelligence, because,
ultimately, no terrorism or criminal investigation can be
effective without good intelligence. I understand and support
intelligence collection within the rules of the law.
In addition to following leads, social media provides a
forum for the Government to have situational awareness of
breaking events--something I know you spend a great deal of
time--terrorist attacks, natural disasters--where the
Department of Homeland Security is responsible for providing
real-time situational awareness and information sharing across
the Federal Government and down to the State and local
enforcement level, to first responders as well, in the event of
a terror attack or a natural disaster. For example, my good
friend on the committee, Mr. Long, who experienced tornadoes in
his district, may have an appreciation of the need for real-
time communication, sort of the virtual 9-1-1.
But, conversely, the Government can use tools to
communicate with people about disasters to enhance situational
awareness among the citizenry. In these cases, intelligence
collection and dissemination is a win-win for the Government
and the people.
But a few weeks ago, it was reported that the Department of
Homeland Security has instituted a program, and I quote: ``to
produce short reports about threats and hazards using publicly
available information.'' As I said, I support that. However, in
what I view as something that we have to determine whether it
crosses the line, these reports also revealed that DHS has
tasked analysts with collecting intelligence on any media
reports, ``that reflect adversely on the U.S. Government and
the Department of Homeland Security, including both positive
and negative reports on FEMA, CBP, ICE, among others.''
In one example, DHS used multiple social networking blogs,
including Facebook and Twitter, three different blogs, and
reader comments in newspapers to capture the reaction of
residents to a possible plan to bring Guantanamo detainees to a
local prison in Standish, Minnesota.
In my view, collecting and analyzing, disseminating private
citizens' comments could have a chilling effect on individuals'
privacy rights and people's freedom of speech and dissent
against their Government. I fully recognize that if an
individual willingly uses Facebook, Twitter, or the comments
section of a newspaper website, they, in effect, forfeit their
right to an expectation of privacy. However, other private
individuals reading your Facebook status updates is different
than the Department of Homeland Security reading them,
analyzing them, and possibly disseminating and collecting them
for future purposes. My guess is that the average American has
no problem with other private individuals reading their
voluntary on-line writings and postings in open forums but may
feel a bit of unease knowing the Federal Government may be
doing the same.
I fully recognize these are very complex and nuanced
issues, and that is why we are holding today's hearing. I look
forward to hearing from today's witnesses on how they are
collecting intelligence to keep us safe and aware, yet also
ensuring personal individual privacy.
The Chair now recognizes the Ranking Minority Member of the
subcommittee, the gentlewoman from California, Ms. Speier, for
any comments that she may have.
Ms. Speier. Thank you, Mr. Chairman. I would like to
associate my comments with yours. I think that they were
outstanding and really place a good frame on the discussion we
are going to have today.
I would also like to thank the witnesses who will be
testifying today.
You know, the explosion in the use of social media has
changed communication as we know it. With just the touch of a
button, millions of people can post and receive information
through Twitter, Facebook, blogs, and text messaging in an
instant. In just the short time that we have been sitting here
in this hearing, there have been over 3 million comments that
have been posted to Facebook and a half a million tweets that
have been sent.
Over the past year, we have seen the impact of using social
media first-hand. Last year, the Arab Spring was driven by
potesters who organized and communicated largely via social
media. We have also seen the power of social media here in the
United States over the past few months as protesters organize
via Twitter and Facebook for the Occupy Wall Street movements
throughout the country. We have seen bills before Congress
stopped in their tracks by the power of social media.
This growing universe of social networking presents great
challenges and opportunities to the mission at the Department
of Homeland Security as it works to keep our Nation safe.
Through this hearing, we hope to learn how the Department of
Homeland Security is harnessing the power of social media. Is
it possible that DHS could use social media to communicate
emergency recovery and response information to the general
public? Can this information be generated quickly? How would
such technology have improved the response to disasters like
Hurricane Katrina? What about the case of a man-made disaster
or a mass evacuation like we saw last year in the nuclear
meltdown in Japan? Could Twitter and instant messaging be used
to let people know where to evacuate and what to avoid?
The vast amounts of publicly available data also present a
potentially great resource for open-source information
collection. In 2010, we saw alert citizens report suspicious
activities in Times Square that led to the arrest of Faisal
Shahzad. Could similar public reporting be done using social
media? How can DHS fully exploit the benefits and opportunities
of social media without impeding on the civil rights and civil
liberties of those who choose to use social media? Can DHS
actively and effectively monitor social media in an open and
above-board way without being accused of spying on lawful
activities?
Last month, the press reported widely on a case where a
couple from England was prevented from entering the United
States because of a tweet. Was this an overreaction? Could or
should a mere tweet or posting prevent a person from boarding a
plane or entering the United States?
I am looking forward to learning from the witnesses exactly
how DHS uses social media and what DHS is doing to make sure
that in its use of social media it is not being perceived as
being a Big Brother. I want to learn from the witnesses what
privacy protections are in place with regard to DHS's using
social media and how the individual components are being
trained on these protections.
Further, I am very interested to find out today how the
Department can even handle the sheer volume of open-source
postings that may be found on any of the various social
networking websites. Further, if the Department begins to use
social media as open-source tools, as the Office of
Intelligence and Analysis Under Secretary has indicated, how
will its analysts be trained to continue to respect the civil
liberties of those that choose to use social media?
Social media could possibly be an integral tool in
recognizing and preventing emerging threats. However, there has
to be some specific systems in place that can manage this
information while continuing to respect civil rights and civil
liberties. I look forward to hearing what steps are being taken
in this area.
I yield back.
Mr. Meehan. Thank you, Ranking Member Speier, for your
observations, which I, as well, share.
We are also pleased to have in attendance the Ranking
Member of the committee. The gentleman from Mississippi, Mr.
Thompson, is with us. As is the custom of the subcommittee
where there are moments when we are graced with the presence of
those Ranking and senior members, we give to them the
opportunity to make an opening statement if they wish. So, at
this minute, the Chair would recognize Mr. Thompson for any
comments that he might have.
Mr. Thompson. Thank you very much, Mr. Chairman, for your
gracious introduction. I would like to thank you and the
Ranking Member for holding this hearing today. I would also
like to thank the witnesses for their testimony also.
Social media outlets provide the general public with new
avenues of discovering, reading, and sharing news, information,
and other forms of content. With an increasing number of people
relying on this form of technology as a primary information-
gathering resource, social media has supplemented, and in some
cases replaced, traditional media outlets as a source of news
and information.
Social media allows DHS to quickly and efficiently
disseminate accurate and useful information to hundreds of
thousands of people simultaneously. For instance, prior to a
natural disaster such as a hurricane or a flood, State and
local officials can use SMS to convey evacuation warnings and
notices to people living in affected areas. After a disaster,
the same means can be used to direct people to FEMA. Both the
Majority and Minority of this committee have a Twitter page.
I think we all agree that social media outlets are useful.
However, usefulness alone is not the only criteria we value.
Rapid deployment of accurate information, combined with the
ability of the average citizen to interact with public
officials, will ultimately increase DHS's trust and
accountability. To ensure that accountability and trust are
embraced as a value, DHS must employ proper safeguards,
including guidelines on information-gathering activities and a
clear policy on creating a profile or data-mining. If
information-gathering activities should occur, clear protocols
that adhere to the Constitution and the Privacy Act must be
developed to direct such activities. The public must be
confident that interacting with DHS on a website or blog or
Facebook will not result in surveillance or a compromise of
Constitutionally-protected rights.
Further, the use of social media must not replace
traditional methods of information distribution. When used
appropriately, social media is an efficient and effective way
to communicate with people. If used improperly by a Federal
agency, public trust and confidence will be compromised or
forever destroyed.
Given the high stakes involved, DHS cannot afford to make a
mistake. I trust that in your efforts to navigate the
Department's journey in the world of social media, you will
work closely with the committee and keep us informed of your
activities. We look forward to being your GPS.
With that, I yield back.
Mr. Meehan. Thank you, Mr. Chairman, for that sense of
direction.
We will stop it there. Other Members of the committee are
reminded that opening statements may be submitted for the
record.
We are pleased to have a distinguished panel of witnesses
before us today on this very, very important topic.
The first is Ms. Mary Ellen Callahan. She was appointed the
chief privacy officer and the chief Freedom of Information Act
officer by Department of Homeland Security Secretary Napolitano
in March 2009.
Created by Congress in 2002, the Department's privacy
officer is the first statutorily mandated privacy office in any
Federal agency, whose mission is to preserve and enhance
privacy protections for all individuals, to promote the
transparency of Homeland Security operations, and to serve as
the leader in the Federal privacy community. Ms. Callahan is
responsible for evaluating Department-wide programs, systems,
and technologies, and rulemaking for potential privacy impacts,
and for providing mitigation strategies to reduce any privacy
impact.
Prior to joining the Department, Ms. Callahan was a partner
with the law firm of Hogan & Hartson, where she specialized in
privacy and data security law. She serves as vice chair of the
American Bar Association's Privacy and Information Security
Committee of the Antitrust Division. Now as chief privacy
officer, she co-chairs both the CIO Council's Privacy Committee
and the Information-Sharing Environment Privacy Guidelines
Committee.
Thank you for being here today, Ms. Callahan.
I would also like to recognize Mr. Richard Chavez, who is
the director of Office of Operations Coordination and Planning
at the Department of Homeland Security.
He provides counsel directly to the Secretary of Homeland
Security on a wide range of operational issues, to include
prevention, protection, mitigation, response and recovery
operations, continuity of operations, and planning. He leads an
office of approximately 550 people who are responsible for
monitoring the security of the United States on a daily basis
and providing National situational awareness and developing the
National common operating picture.
His office provides vital decision support information to
the Federal interagency, Governors, homeland security advisors,
law enforcement, private-sector, and critical infrastructure
operators in all States and territories and more than 50 urban
major areas Nation-wide.
Mr. Chavez has over 30 years of Government experience,
serving with DHS and the Department of Defense as an Air Force
officer and a senior civilian in the Office of the Under
Secretary of Defense for Policy.
Before I recognize you for your comments, I have before me
on the table a report from the Electronic Privacy Information
Center. I ask unanimous consent to insert in the record a
statement from EPIC.
Hearing no objection, so ordered.
[The information follows:]
Statement of Marc Rotenberg, President, and Ginger McCall, Staff
Counsel, The Electronic Privacy Information Center (EPIC)
Thank you, Mr. Chairman, for the invitation to submit this
statement for the record for this hearing on ``DHS Monitoring of Social
Networking and Media: Enhancing Intelligence Gathering and Ensuring
Privacy'' to be held on February 16, 2012 before the House Subcommittee
on Counterterrorism and Intelligence. We ask that this statement be
included in the hearing record.
EPIC thanks you and Members of the subcommittee for your attention
to this important issue. The DHS monitoring of social networks and
media organizations is entirely without legal basis and threatens
important free speech and expression rights. Your decision to hold this
hearing will help protect important American rights.
The Electronic Privacy Information Center (EPIC) is a non-partisan,
public interest research organization established in 1994 to focus
public attention on emerging privacy and civil liberties issues. EPIC
works to promote Government accountability and transparency
particularly with respect to activities that implicate Constitutional
rights and fundamental freedoms. EPIC has been analyzing law
enforcement monitoring of social networks and on-line media for several
years. In early 2011, EPIC submitted comments to the Department of
Homeland Security on the agency's proposal to undertake monitoring of
social network and news organizations.\1\ EPIC has also pursued several
Freedom of Information requests to obtain relevant documents so that
the Members of your committee and the public would have the opportunity
to meaningful assess the agency's activities.
---------------------------------------------------------------------------
\1\ EPIC, Comments of the Electronic Privacy Information Center to
the Department of Homeland Security ``Systems of Records Notice'' DHS-
2011-0003, March 3, 2011, available at: http://epic.org/privacy/
socialmedia/Comments%20on%20DHS-2011-0003-1.pdf.
---------------------------------------------------------------------------
i. epic obtained documents that reveal that the dhs is monitoring
social network and media organizations for dissent and criticism of the
agency
In April 12, 2011, EPIC submitted a Freedom of Information Act
(``FOIA'') request to the Department of Homeland Security (``DHS'')
seeking agency records detailing the media monitoring program. The
request sought the following documents:
All contracts, proposals, and communications between the
Federal Government and third parties, including, but not
limited to, H.B. Gary Federal, Palantir Technologies, and/or
Berico Technologies, and/or parent or subsidiary companies,
that include provisions concerning the capability of social
media monitoring technology to capture, store, aggregate,
analyze, and/or match personally-identifiable information.
All contracts, proposals, and communications between DHS and
any States, localities, Tribes, territories, and foreign
governments, and/or their agencies or subsidiaries, and/or any
corporate entities, including but not limited to H.B. Gary
Federal, Palantir Technologies, and/or Berico Technologies,
regarding the implementation of any social media monitoring
initiative.
All documents used by DHS for internal training of staff and
personnel regarding social media monitoring, including any
correspondence and communications between DHS, internal staff
and personnel, and/or privacy officers, regarding the receipt,
use, and/or implementation of training and evaluation
documents.
All documents detailing the technical specifications of
social media monitoring software and analytic tools, including
any security measures to protect records of collected
information and analysis.
All documents concerning data breaches of records generated
by social media monitoring technology.\2\
---------------------------------------------------------------------------
\2\ EPIC FOIA Request, Apr. 12, 2011, available at: http://
epic.org/privacy/socialnet/EPIC-FOIA-DHS-Social-Media-Monitoring-04-12-
11.pdf; see also Olivia Katrandjian, DHS Creates Accounts Solely to
Monitor Social Networks, ABC News, Dec. 28, 2011, available at: http://
abcnews.go.com/US/dhs-creates-fake-accounts-monitor-social-networks/
story?id=15247533#.-
TzvuuONSQ3o.
---------------------------------------------------------------------------
When the agency failed to comply with FOIA's deadlines, EPIC filed
suit on December 23, 2011. As a result of this lawsuit, DHS disclosed
to EPIC 285 pages of documents, including statements of work,
contracts, and other agency records related to social network and media
monitoring.\3\
---------------------------------------------------------------------------
\3\ DHS Social Media Monitoring Documents, available at: http://
epic.org/foia/epic-v-dhs-mediamonitoring/EPIC-FOIA-DHS-Media-
Monitoring-12-2012.pdf; see e.g. Charlie Savage, Federal Contractor
Monitored Social Network Sites, The New York Times, Jan. 13, 2012,
available at: http://www.nytimes.com/2012/01/14/us/federal-security-
program-monitored-public-opinion.html; Jaikumar Vijayan, DHS Media
Monitoring Could Chill Public Dissent, EPIC Warns, Computerworld Jan.
16, 2012, available at: http://www.computerworld.com/s/article/9223441/
DHS_media_monitoring_could_chill_public_dissent_EPIC_warns; Ellen
Nakashima, DHS Monitoring of Social Media Concerns Civil Liberties
Advocates, Washington Post, Jan. 13, 2012, available at: http://
www.washingtonpost.com/world/national-security/dhs-monitoring-of-
social-media-worries-civil-liberties-advocates/2012/01/13/
gIQANPO7wP_story.html.
---------------------------------------------------------------------------
These documents reveal that the agency had paid over $11 million to
an outside company, General Dynamics, to engage in monitoring of social
networks and media organizations and to prepare summary reports for
DHS.\4\ According to DHS documents, General Dynamics will ``Monitor
public social communications on the internet,'' including the public
comment sections of NYT, LA Times, Huff Po, Drudge, Wired's tech blogs,
ABC News.\5\ DHS also requested monitoring of Wikipedia pages for
changes \6\ and announced its plans to set up social network profiles
to monitor social network users.\7\
---------------------------------------------------------------------------
\4\ EPIC, DHS Social Media Monitoring Documents at 1.
\5\ EPIC, DHS Social Media Monitoring Documents at 127, 135, 148,
193.
\6\ EPIC, DHS Social Media Monitoring Documents at 124, 191.
\7\ EPIC, DHS Social Media Monitoring Documents at 128.
---------------------------------------------------------------------------
DHS required General Dynamics to monitor not just ``potential
threats and hazards,'' ``potential impact on DHS capability'' to
accomplish its homeland security mission, and ``events with operational
value,'' but also paid the company to ``Identify[] reports that reflect
adversely on the U.S. Government, DHS, or prevent, protect, respond or
recovery Government activities.''\8\
---------------------------------------------------------------------------
\8\ Attachment 1; EPIC, DHS Social Media Monitoring Documents at
51, 195.
---------------------------------------------------------------------------
Within the documents, DHS clearly stated its intention to ``capture
public reaction to major Government proposals.''\9\ DHS instructed the
media monitoring company to generate summaries of media ``reports on
DHS, Components, and other Federal Agencies: Positive and negative
reports on FEMA, CIA, CBP, ICE, etc. as well as organizations outside
the DHS.''\10\
---------------------------------------------------------------------------
\9\ EPIC, DHS Social Media Monitoring Documents at 116.
\10\ EPIC, DHS Social Media Monitoring Documents at 183, 198.
---------------------------------------------------------------------------
In one DHS-authored document, titled ``Social Networking/Media
Capability Analyst Handbook'' the agency presented examples of good
summary reports and flawed summary reports. One report held up as an
exemplar was titled ``Residents Voice Opposition Over Possible Plan to
Bring Guantanamo Detainees to Local Prison-Standish MI.''\11\ This
report summarizes dissent on blogs and social networking cites, quoting
commenters who took issue with the Obama administration's plan to
transfer detainees to the Standish Prison.
---------------------------------------------------------------------------
\11\ EPIC, DHS Social Media Monitoring Documents at 118.
---------------------------------------------------------------------------
These documents clearly show an agency program that aims to
document legitimate on-line dissent and criticism. The agency has not
established any legal basis for this program.
News media reports indicate that the Department of Homeland
Security is not the only agency engaging in this sort of monitoring.
Recent news stories confirm that the Federal Bureau of Investigation
has also been developing a similar social network and media monitoring
program.\12\
---------------------------------------------------------------------------
\12\ Marcus Wohlson, FBI Seeks Digital Tool to Mine Entire Universe
of Social Media, Chicago Sun Times, Associated Press, Feb. 12, 2012,
available at: http://www.usatoday.com/USCP/PNI/Nation/World/2012-0213-
PNI0213wir-FBI-social-media_ST_U.htm.
---------------------------------------------------------------------------
ii. there is no legal basis for the dhs' social network and media
monitoring program
The agency has demonstrated no legal basis for its social network
and media monitoring program, which threatens important free speech and
expression rights.
Law enforcement agency monitoring of on-line criticism and dissent
chills legitimate criticism of the Government, and implicates the First
Amendment. Freedom of Speech and Expression are at the core of civil
liberties and have been strongly protected by the Constitution and the
U.S. courts.\13\ Government programs that threaten important First
Amendment rights are immediately suspect and should only be undertaken
where the Government can demonstrate a compelling interest that cannot
be satisfied in other way.\14\ Government programs that note and record
on-line comments, dissent, and criticism for the purpose of subsequent
investigation send a chilling message to on-line commenters, bloggers,
and journalists--``You are being watched.'' This is truly what George
Orwell described in 1984.
---------------------------------------------------------------------------
\13\ See e.g. United States v. Stevens, 130 S. Ct. 1577, 1585, 176
L. Ed. 2d 435 (2010) (holding that the ``First Amendment itself
reflects a judgment by the American people that the benefits of its
restrictions on the Government outweigh the costs'').
\14\ See e.g. NAACP v. Button, 83 S.Ct. 328 (1963); Citizens United
v. Fed. Election Comm'n, 130 S. Ct. 876 (2010).
---------------------------------------------------------------------------
As EPIC has stated in prior comments to DHS, the agency's social
network and media monitoring program would also violate the Privacy
Act.\15\ The Privacy Act requires agencies to:
---------------------------------------------------------------------------
\15\ EPIC, Comments of the Electronic Privacy Information Center to
the Department of Homeland Security ``Systems of Records Notice'' DHS-
2011-0003, March 3, 2011, available at: http://epic.org/privacy/
socialmedia/Comments%20on%20DHS-2011-0003-1.pdf.
``establish appropriate administrative, technical, and physical
safeguards to insure the security and confidentiality of records and to
protect against any anticipated threats or hazards to their security or
integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information is
maintained.''\16\
---------------------------------------------------------------------------
\16\ 5 U.S.C. � 552a(e)(10) (2010).
The DHS program, as described in the agency's own documents, would
involve collecting information, including Personally Identifiable
Information (``PII''). While the agency acknowledges that PII are
covered under the Privacy Act and seeks to limit some collection, the
documents obtained by EPIC also reveal that there are several
exceptions to the ``no PII'' rule, including allowances for collection
of PII of anchors, newscasters, or on-scene reporters who . . . use
traditional and/or social media.\17\ This would allow the agency to
build files on bloggers and internet activists, in violation of the
Privacy Act.
---------------------------------------------------------------------------
\17\ DHS Social Media Monitoring Documents at 107.
---------------------------------------------------------------------------
The Privacy Act imposes limitations on the dissemination of
personal information collected by an agency. As EPIC has noted in its
comments the DHS, the agency's social network and media monitoring
program permits the collection and disclosure of information that
contravenes the text and purpose of the Privacy Act.\18\ DHS has
indicated that it plans to regularly relay the records to Federal,
State, local, Tribal, territorial, foreign, or international government
partners.\19\ The DHS Chief Privacy Officer (``CPO'') has stated that
the records would be transferred both by ``email and telephone'' to
contacts inside and outside of the agency.\20\ The CPO has also stated
that ``[n]o procedures are in place'' to determine which users may
access this system of records.\21\
---------------------------------------------------------------------------
\18\ EPIC, Comments of the Electronic Privacy Information Center to
the Department of Homeland Security ``Systems of Records Notice'' DHS-
2011-0003, March 3, 2011, available at: http://epic.org/privacy/
socialmedia/Comments%20on%20DHS-2011-0003-1.pdf.
\19\ EPIC, Comments of the Electronic Privacy Information Center to
the Department of Homeland Security ``Systems of Records Notice'' DHS-
2011-0003, March 3, 2011, available at: http://epic.org/privacy/
socialmedia/Comments%20on%20DHS-2011-0003-1.pdf; DHS Social Media
Monitoring Documents at 139, 207.
\20\ Department of Homeland Security, Privacy Impact Assessment for
the Office of Operations Coordination and Planning Publicly Available
Social Media Monitoring and Situational Awareness Initiative, 8, Jan.
6, 2011.
\21\ Department of Homeland Security, Privacy Impact Assessment for
the Office of Operations Coordination and Planning Publicly Available
Social Media Monitoring and Situational Awareness Initiative, 10, June
22, 2010, DHS Social Media Monitoring Documents at 156, 145.
---------------------------------------------------------------------------
DHS' program also fails to comply with Privacy Act requirements
that agencies make ``reasonable efforts to assure that records are
accurate, complete, timely, and relevant for agency purposes'' prior to
their dissemination outside of the Federal Government. DHS has readily
admitted that its social media monitoring initiative explicitly relies
on unverified sources of information to construct the records that DHS
will then disseminate to State, local, Tribal, territorial, foreign, or
international government partners. As the DHS CPO has stated, ``[u]sers
may accidentally or purposefully generate inaccurate or erroneous
information. There is no mechanism for correcting this.''\22\ The
agency unlawfully shifts responsibility for verifying the agency's
information onto the social media users the agency plans to follow:
``the community is largely self-governing and erroneous information is
normally expunged or debated rather quickly by others within the
community with more accurate and/or truthful information.''\23\
---------------------------------------------------------------------------
\22\ DHS Social Media Monitoring Documents at 156, 145.
\23\ DHS Social Media Monitoring Documents at 156, 145.
---------------------------------------------------------------------------
As EPIC has previously stated in comments to DHS, the collection of
information about individuals obtained from social networks and the
monitoring of media organizations falls outside of the agency's
statutory authority. The agency has failed to cite any statutory
provision that would indicate that Congress gave the DHS authority to
engage in intelligence collection, let alone to violate the
Constitutional rights of individuals using the internet to express
criticisms of the agency or the U.S. Government. In fact, the one
statutory provision cited by the agency only allows the DHS Secretary
to ``access, receive, and analyze law enforcement information,
intelligence information, and other information from agencies of the
Federal Government, State and local government agencies and private
sector entities.'' (Emphasis added). It does not authorize the agency
to initiate a program to gather or collect that information itself. The
only relevant provision that does mention gathering narrows the term to
``incident management decision making.''
Hence, DHS' monitoring and gathering of social network and media
information is not within the agency's delegated duties. DHS monitoring
of stories or individuals that ``report adversely'' on the agency (or
the Government more broadly) is even further outside of its delegated
duties. The agency has failed to establish any legal basis for this
program.\24\
---------------------------------------------------------------------------
\24\ The Attorney General has established elaborate Guidelines for
domestic investigations. The Attorney General Guidelines for Domestic
FBI Investigations, available at www.justice.gov/ag/readingroom/
guidelines.pdf. While EPIC does not necessarily endorse the standards
set out in the DIOG, we note that they require at a minimum a predicate
that justifies a Federal investigation. Expressing criticism of the
Government or a particular Federal agency alone can simply never be the
basis for a Federal investigation under the Attorney General
Guidelines.
Circumstances Warranting Investigation
A predicated investigation may be initiated on the basis of any
of the following circumstances:
a. An activity constituting a Federal crime or a threat to
the National security has or may have occurred, is or may be occurring,
or will or may occur and the investigation may obtain information
relating to the activity or the involvement or role of an individual,
group, or organization in such activity.
b. An individual, group, organization, entity, information,
property, or activity is or may be a target of attack, victimization,
acquisition, infiltration, or recruitment in connection with criminal
activity in violation of Federal law or a threat to the National
security and the investigation may obtain information that would help
to protect against such activity or threat.
c. The investigation may obtain foreign intelligence that
is responsive to a foreign intelligence requirement.
Id. at 21. See, generally, EPIC, ``The Attorney General
Guidelines,'' available at http://epic.org/privacy/fbi/
---------------------------------------------------------------------------
iii. epic's recommendations
The problems described above are significant and far-reaching. An
agency that was established to help protect the United States against
future foreign attacks is now deploying its significant resources to
monitor political opposition and the work of journalists within the
United States. It has no legal basis to do so, and in pursuing the
monitoring of social networks and media organizations for activities
that ``reflect adversely'' on the agency and the U.S. Government, it
has transformed its purpose from protecting the American public to
protecting simply itself.
We specifically recommend that the subcommittee take the following
steps to address the immediate risks to Constitutional liberty:
Require that the DHS immediately and permanently cease the
practice of monitoring social networks and media organizations
for the purpose of identifying political and journalistic
activities that ``reflect adversely'' on the agency or the
Federal Government.
Require that the DHS suspend the social network and media
organization monitoring program until safeguards are put into
place which will ensure oversight, including annual reporting
requirements.
Require that other agencies, including the Federal Bureau of
Investigation, which have developed or are in the process of
developing similar programs provide publicly available, annual
reports to Congress that set out in the detail the legal
standard for this activity and describe how Constitutional
rights will be safeguarded.
iv. conclusion
EPIC respectfully requests that the subcommittee take the steps
outlined in this statement, including requiring the immediate and
permanent end to DHS' practice of monitoring for dissent; adopting
guidelines for greater oversight of the DHS' social network and media
monitoring program, and imposing the same oversight requirements on
similar social network and media monitoring programs at other agencies.
Thank you for your consideration of our views. We would be pleased
to provide any further information the Committee requests.
Mr. Meehan. Now, for all panelists, I know you gave us some
detailed testimony in written form. If you could do your best
to summarize your submitted testimony, we would appreciate
that.
I now welcome back Ms. Callahan and recognize her first for
her testimony.
Thank you.
STATEMENT OF MARY ELLEN CALLAHAN, CHIEF PRIVACY OFFICER,
DEPARTMENT OF HOMELAND SECURITY
Ms. Callahan. Thank you very much, sir.
Good morning. Chairman Meehan, Ranking Member Speier,
Ranking Member Thompson, and Members of the committee, thank
you for this opportunity to discuss the Department of Homeland
Security's uses of social media and the privacy protections my
office has embedded into all of these uses.
As described in our written testimony, communications and
social media provide important benefits to the American public
and to the Department. With that said, as the Chairman and the
Ranking Member acknowledged, there is a great deal of personal
information that, although publicly available, is not necessary
for the Department to see or use.
Let me be clear: DHS recognizes the use of social media by
Government actors must occur with appropriate privacy, civil
rights, and civil liberties protections. For this reason, DHS
has created Department-wide standards designed to protect
privacy in each category of its use.
There are essentially three uses of social media by the
Department of Homeland Security: First, external communications
and outreach between the Department and the public; second,
awareness of breaking news and events and situations related to
homeland security, known as situational awareness; and third,
when DHS has the appropriate authorities to use social media
for operational use such as law enforcement and investigations.
In each category, the Department has established standards that
are designed to incorporate privacy protections ex ante, to
create uniform standards across the components and Department,
and to be transparent about the scope of our activities.
The Department utilizes the opportunity social networking
presents to provide the public with robust information. For
example, DHS has a presence on many of the major social
networking platforms. FEMA, of course, is well-known for
utilizing social media effectively for education and in
emergencies.
DHS established Department-wide standards for use of social
media for communications and outreach purposes through the
development and publication of two Privacy Impact Assessments,
known as PIAs. All DHS profiles and communications via social
media must adhere to these PIAs.
As my colleague Mr. Chavez will describe, the Office of
Operations Coordination and Planning has a statutory
responsibility to provide situational awareness and establish a
common operating picture for the Federal Government. The
Privacy Office and Operations work together closely and develop
detailed standards and procedures associated with reviewing
social media, launched three pilots, and then did a privacy
compliance review of those pilots. Together, the National
Operations Center and the Privacy Office designed a holistic
set of privacy protections to be implemented whenever social
media is being reviewed for situational awareness, and then
memorialized them in a publicly available PIA in June 2010.
Several months later, as part of a mandated privacy
compliance review, my office determined that the PIA should be
updated to allow for the collection and dissemination of
personally identifiable information in a very limited number of
situations. After January 2011, limited personally identifiable
information on a few categories of individuals may be collected
only when it lends credibility to the report or facilitates
coordination. The categories are essentially: Public figures
who make public statements or are part of an event; or people
who are in potential life-or-death circumstances.
The first weekend that personally identifiable information
was allowed to be collected and disseminated was the weekend
that Congresswoman Giffords was shot in Arizona. Learning
immediately who was the impacted Member of Congress was very
useful for the Department, for the Federal Government, and
facilitated rapid coordination.
There may also be situations where particular programs
within the Department or its components may need to access
material on social media or individual profiles in support of
authorized missions such as law enforcement. Given the breadth
of the Department's mission and the fact that access,
collection, and use of social media or other publicly available
information is governed by specific legal authorities rather
than Department-wide standards, the Department takes a
different approach to embedding privacy protections into this
type of social media, implementing privacy protections through
a policy and management directive.
The Department is finalizing a management directive for
privacy protections in the operational use of social media,
which will systematize the previous component policies, be
enforceable throughout the Department, and will identify the
authorities, restrictions, and privacy oversight related to the
use of social media for operational purposes. The directive
will also provide instructions on how to embed privacy
protections into the operational use of social media and in
each investigation performed by Departmental personnel.
Essentially, the standard is, if you can't do it off-line, you
can't do it on-line.
In light of the scope and availability of information,
including personal information, found in social media, the
Privacy Office intends to continue to monitor the Department's
use of social media in all three categories. The Department has
established a comprehensive compliance regime. It is every
employee's responsibility to adhere to those standards, and the
Privacy Office will seek to confirm that compliance in order to
protect the public's trust in the Department's use of social
media.
Thank you, sir.
[The joint statement of Ms. Callahan and Mr. Chavez
follows:]
Joint Prepared Statement of Mary Ellen Callahan and Richard Chavez
Chairman Meehan, Ranking Member Speier, and Members of the
subcommittee, we appreciate the opportunity to be here today to discuss
the Department of Homeland Security's (DHS) use of social media, and
the privacy protections the DHS Privacy Office has put into place.
Social media are web-based and mobile technologies that turn
communication into an interactive dialogue in a variety of on-line
fora. It may be appropriate for the Government, including DHS, to use
social media for a variety of reasons. The President has challenged his
administration to use technology and tools to create a more efficient,
effective, and transparent Government.\1\ DHS recognizes that the use
of social media by Government actors must occur with appropriate
privacy, civil rights, and civil liberties protections; whether DHS is
disclosing its information and press releases via social media
platforms like Twitter and Facebook, reviewing news feeds for
situational awareness, or researching identified, discrete targets for
legitimate investigatory purposes. Accordingly, DHS has created
Department-wide standards designed to protect privacy, civil rights,
and civil liberties in each category of its use.
---------------------------------------------------------------------------
\1\ President Barack Obama, Memorandum on Transparency and Open
Government (January 21, 2009), available at http://www.gpoaccess.gov/
presdocs/2009/DCPD200900010.pdf; OMB Memorandum M-10-06, Open
Government Directive (December 8, 2009), available at http://
www.whitehouse.gov/omb/assets/memoranda_2010/m10-06.pdf.
---------------------------------------------------------------------------
There are three general ways in which DHS utilizes social media,
and each has associated privacy protections:
External communications and outreach between the Department
and the public;
Awareness of breaking news of events or situations related
to homeland security, known as ``situational awareness;'' and
Operational use, when DHS has the appropriate authorities,
such as law enforcement and investigations.
In each category, the Department has established and enforces
standards that incorporate privacy protections ex ante, create uniform
standards across the components and Department, and are transparent
with regard to the scope of our activities.
external communications and outreach
Consistent with the President's 2009 Memorandum on Transparency and
Open Government, the Office of Management and Budget's (OMB) Open
Government Directive \2\ and OMB's Memorandum M-10-23, Guidance for
Agency Use of Third-Party Websites and Applications,\3\ the Department
uses the social networking medium to provide the public with robust
information through many channels. For example, DHS currently has a
presence on many of the major social networking platforms, including
Facebook, Twitter, and YouTube. In addition, FEMA launched a FEMA app
for smartphones that contains preparedness information for different
types of disasters. Similarly, the Transportation Security
Administration has MyTSA Mobile Application, which enables the
traveling public access to relevant TSA travel information, such as
types of items that may be carried through TSA security checkpoints, or
estimated wait times.
---------------------------------------------------------------------------
\2\ See supra note 1.
\3\ http://www.whitehouse.gov/sites/default/files/omb/assets/
memoranda_2010/m10-23.pdf.
---------------------------------------------------------------------------
In 2009, the Department established a Social Media Advisory Group,
with representatives from the Privacy Office; Office of General
Counsel; Chief Information Security Officer; Office of Records
Management; and Office of Public Affairs to ensure that a variety of
compliance issues including privacy, legal, security, and records
management issues are addressed as DHS uses social media. This group
governs and provides guidance on social media initiatives related to
external communications and public outreach by reviewing
recommendations from Components and offices and evaluating Terms of
Service agreements and Terms of Use policies. The group also developed
a social media use plan, while working to ensure compliance issues are
addressed and resolved before the first Department use of a particular
application of social media.
DHS also established Department-wide standards for use of social
media for communications and outreach purposes through the creation,
and development of, two Privacy Impact Assessments (PIAs). The PIAs
address two types of uses of social media within the communications/
outreach category: (1) Interactive platforms where the Department has
official identities, using those profiles to provide information about
the Department and its services, while having the ability to interact
with members of the public such as allowing them to post comments on
the official Department page or profile;\4\ and (2) unidirectional
social media applications encompassing a range of applications, often
referred to as applets or widgets, that allow users to view relevant,
real-time content from predetermined sources, such as podcasts, Short
Message Service (SMS) texting, audio and video streams, and Really
Simple Syndication (RSS) feeds.\5\
---------------------------------------------------------------------------
\4\ http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia-
dhs_socialnetworkinginter-
actions.pdf.
\5\ http://www.dhs.gov/xlibrary/assets/privacy/
privacy_pia_dhswide_unidirectionalsocial- media.pdf.
---------------------------------------------------------------------------
The PIAs analyze the Department's use of social media and
networking for communications purposes, if and how these interactions
and applications could result in the Department receiving personally
identifiable information (PII), and the privacy protections in place.
The PIAs describe the information the Department may have access to,
how it will use the information, what information is retained and
shared, and how individuals can gain access to and correct their
information. For example, official DHS accounts across social media and
networking websites and applications must be identified by the
component or Department seal as well as an anonymous, but easily
identifiable user name account displaying a DHS presence, such as ``DHS
John Q. Employee.'' Both the communications and outreach PIAs also
include periodically-updated appendices that identify the specific
Department-approved profiles and applications. In addition, the PIAs
contain provisions that Department-approved profiles are subject to
Privacy Compliance Reviews by the DHS Privacy Office.
situational awareness
The Office of Operations Coordination and Planning (OPS), National
Operations Center (NOC), has a statutory responsibility (Section 515 of
the Homeland Security Act (6 U.S.C. � 321d(b)(1))) to provide
situational awareness and establish a common operating picture for the
Federal Government, and for State, local, Tribal governments as
appropriate, in the event of a natural disaster, act of terrorism, or
other man-made disaster, and (2) ensure that critical terrorism and
disaster-related information reaches Government decision-makers.
Traditional media sources, and more recently social media sources, such
as Twitter, Facebook, and a vast number of blogs, provide public
reports on breaking events with a potential nexus to homeland security.
By examining open-source traditional and social media information,
comparing it with many other sources of information, and including it
where appropriate into NOC reports, the NOC can provide a more
comprehensive picture of breaking or evolving events. To fulfill its
statutory responsibility to provide situational awareness and to access
the potential value of the public information within the social media
realm, in 2010, the NOC launched the first of three pilots using social
media monitoring related to specific natural disasters and
international events.
Beginning with the pilots, the reason the NOC utilizes social media
tools is to identify breaking or evolving incidents and events to
provide timely situational awareness and establish a more complete
common operating picture. The NOC views information from a variety of
sources to include open-source reporting and a variety of public and
Government sources. The NOC synthesizes these reports for inclusion in
a single comprehensive report. These reports are then disseminated to
DHS components, interagency partners, and State, local, Tribal,
territorial, and private-sector partners with access to the NOC's
common operating picture. The content of the reports may be related to
standing critical information requirements, emerging events potentially
affecting the homeland, or special events such as the Super Bowl or the
United Nations General Assembly.
Prior to implementing each social media pilot, the Privacy Office
and the Office of Operations Coordination and Planning developed
detailed standards and procedures associated with reviewing information
on social media websites. These standards and procedures are documented
through a series of pilot-specific PIAs.\6\
---------------------------------------------------------------------------
\6\ The NOC and the Privacy Office developed three PIAs in the
pilot stage of the NOC Media Monitoring Initiative: Haiti Social Media
Disaster Monitoring Initiative, January 21, 2010, available at http://
www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ops_haiti.pdf; 2010
Winter Olympics Social Media Event Monitoring Initiative February 10,
2010, available at http://www.dhs.gov/xlibrary/assets/privacy/
privacy_pia_ops_2010winterolympics.pdf; and April 2010 BP Oil Spill
Response Social Media Event Monitoring Initiative, April 29, 2010,
available at http://www.dhs.gov/xlibrary/assets/privacy/
privacy_pia_ops_bpoilspill.pdf.
---------------------------------------------------------------------------
The NOC pilots occurred during the 2010 Haiti earthquake response,
the 2010 Winter Olympics in Vancouver, British Columbia; and the
response to the April 2010, Deepwater Horizon Gulf Coast oil spill. For
each of these pilots, the NOC utilized internet-based platforms to
provide situational awareness and develop a common operating picture
directly related to the response, recovery, and rebuilding efforts in
Haiti by reviewing information on publicly-available on-line fora,
blogs, public websites, and message boards.
Following the three discrete social media monitoring pilots by the
NOC, the Privacy Office did a thorough (and public) Privacy Compliance
Review of the NOC's implementation of the PIAs' privacy protections.\7\
The Privacy Office's review found that the NOC's social media
monitoring activities did not collect PII, did not monitor or track
individuals' comments, and complied with the stated privacy parameters
set forth in the underlying PIAs.
---------------------------------------------------------------------------
\7\ http://www.dhs.gov/xlibrary/assets/privacy/privacy-privcomrev-
ops-olympicsandhaiti.pdf. Three Privacy Compliance Reviews have been
completed and published by the Privacy Office, available at: http://
www.dhs.gov/files/publications/gc_1284657535855.shtm.
---------------------------------------------------------------------------
Given the positive assessment of the three pilots, OPS and the
Privacy Office designed a holistic set of privacy protections to be
implemented whenever information made available through social media is
being reviewed for situational awareness and establishing a common
operating picture. In June 2010, the Department released its Publicly
Available Social Media Monitoring and Situational Awareness Initiative
PIA, incorporating these protections.\8\ This PIA describes how the NOC
uses internet-based platforms that provide a variety of ways to review
information accessible on publicly-available on-line fora, blogs,
public websites, and message boards. Through the use of publicly-
available search engines and content aggregators, the NOC reviews
information accessible on certain heavily-trafficked social media sites
for information that the NOC can use to provide situational awareness
and establish a common operating picture, all without monitoring or
tracking individuals' comments or relying on the collection of PII,
with very narrow exceptions, discussed below.
---------------------------------------------------------------------------
\8\ http://www.dhs.gov/xlibrary/assets/privacy/
privacy_pia_ops_publiclyavailablesocial- media.pdf.
---------------------------------------------------------------------------
The NOC does not: (1) Actively seek PII except for the narrow
exceptions; (2) post any information on social media sites; (3)
actively seek to connect with internal/external social media users; (4)
accept internal/external personal users' invitations to connect; or (5)
interact on social media sites. The NOC is, however, permitted to
establish user names (consistent with the criteria established in the
communications and outreach PIAs) and passwords to form profiles and
follow relevant Government, media, and subject matter experts on social
media sites as described in the June 2010 PIA; and to use search tools
under established criteria and search terms that support situational
awareness and establishing a common operating picture.
As part of the publication of the June 2010 PIA, the Privacy Office
mandates Privacy Compliance Reviews every 6 months. After conducting
the second Privacy Compliance Review, the Privacy Office determined
that this PIA should be updated to allow for the collection and
dissemination of PII in a very limited number of situations in order to
respond to the evolving operational needs of the NOC. After January
2011, this PII on the following categories of individuals may be
collected when it lends credibility to the report or facilitates
coordination with Federal, State, local, Tribal, territorial, and
foreign governments, or international law enforcement partners:
(1) U.S. and foreign individuals in extremis, i.e., in situations
involving potential life or death circumstances;
(2) Senior U.S. and foreign government officials who make public
statements or provide public updates;
(3) U.S. and foreign government spokespersons who make public
statements or provide public updates;
(4) U.S. and foreign private-sector officials and spokespersons who
make public statements or provide public updates;
(5) Names of anchors, newscasters, or on-scene reporters who are
known or identified as reporters in their posts or articles, or
who use traditional and/or social media in real time to provide
their audience situational awareness and information;
(6) Current and former public officials who are victims of
incidents or activities related to homeland security; and
(7) Terrorists, drug cartel leaders, or other persons known to have
been involved in major crimes of homeland security interest,
(e.g., mass shooters such as those at Virginia Tech or Ft.
Hood) who are killed or found dead.\9\
---------------------------------------------------------------------------
\9\ The most recent PIA update (authorizing these narrow PII
categories collection) was finalized January 6, 2011, and is available
at: http://www.dhs.gov/xlibrary/assets/privacy/
privacy_pia_ops_publiclyavailablesocialmedia_update.pdf.
---------------------------------------------------------------------------
For this narrow category of individuals, DHS may only collect the
full name, affiliation, position or title, and publicly-available user
ID, when it lends credibility to the report. DHS determined that this
information improves the efficacy and effectiveness of the social media
monitoring initiative without an unwarranted invasion of privacy of
individuals in each of these categories. For this narrow category of
individuals the PII is only stored in the narrative report in which it
is used, and is not tracked for any other reason. DHS published a
System of Records Notice \10\ that describes the creation of these
seven exceptions for the collection of PII and narrowly tailored, how
much information can be collected, and how the information can be used.
Furthermore, the Privacy Office is commencing its semi-annual Privacy
Compliance Review in late February to ensure that the NOC continues to
adhere to the privacy protections identified in the PIA.
---------------------------------------------------------------------------
\10\ http://edocket.access.gpo.gov/2011/2011-2198.htm.
---------------------------------------------------------------------------
operational use
There may be situations where particular programs within the
Department or its components may need to access material on social
media or individual profiles in support of authorized missions. Given
the breadth of the Department's mission, and the fact that access,
collection, and use of social media and other publicly-available
information is governed by specific legal authorities, rather than
Department-wide standards, the Department has taken a different
approach in embedding privacy protections into Department use of social
media for operational purposes, with authority-based requirements
implemented through policy and Management Directives. For example,
components of DHS such as U.S. Customs and Border Protection, U.S.
Immigration and Customs Enforcement, Federal Protective Service,
Federal Air Marshals Service, U.S. Coast Guard, and U.S. Secret Service
have the authority to engage in law enforcement activities which may
include the use of on-line and internet materials. Other DHS offices
and components may be authorized to utilize social media for specific
law enforcement purposes such as investigating fraud. The Office of
Intelligence and Analysis also has some overt collection authorities
for intelligence purposes which may include the use of on-line and
internet materials.
DHS has established objective criteria by which those investigatory
components can access publicly-available information. DHS components
cannot review individuals' information unless they have appropriate
underlying authority and supervisory approval. Moreover, Office of
Operations Coordination and Planning and Office of Intelligence and
Analysis have additional specific policies on the use of social media
for operational purposes. One of DHS' responsibilities is to confirm
our work is being done under the appropriate legal framework for
Federal law enforcement activities. However, with increased access to
individuals' personal information posted on the internet and social
media sites, these DHS components have been reminded that they must
also be conscious of privacy considerations.
At DHS, we work every day to strike a balance between our need to
use open-source internet and social media information for all purposes,
but particularly law enforcement and investigatory purposes to further
our mission, while protecting First Amendment rights, Fourth Amendment
rights, and privacy.
In 1999, the Department of Justice issued guidelines for Federal
law enforcement agents that outline on-line investigative principles
that are applicable, but do not explicitly reference, social media. In
2011, the Office of the Director of National Intelligence issued
guidelines that outline how intelligence community professionals should
use technology, including social media. Both guidelines address the
following topics: Obtaining information from publicly-available media
under the same conditions that apply to obtaining information from
other sources generally open to the public; passively observing and
logging real-time electronic communications on media open to the public
under the same circumstances in which these activities could be
undertaken when attending a public meeting; and retaining the contents
of a stored electronic message, such as on-line traffic, if that
information would have been retained had it been written on paper.
Moreover, Federal law enforcement agents communicating on-line with
witnesses, subjects, or victims must disclose their affiliation with
law enforcement when DHS guidelines would require such disclosure if
the communication were taking place in person or over the telephone--
they may communicate on-line under a non-identifying name or fictitious
identity if DHS guidelines and procedures would authorize such
communications in the physical world.\11\ Finally, Federal law
enforcement agents may not access restricted on-line sources absent
legal authority permitting entry into a private space. Until a
Department-wide Management Directive on using social media for
operational purposes is finalized, the Secretary has instructed all
components to adhere to the DOJ or ODNI guidelines as appropriate.
---------------------------------------------------------------------------
\11\ See, e.g., On-line Investigative Principles for Federal Law
Enforcement Agents (Department of Justice, 1999) and Civil Liberties
and Privacy Guidance for Intelligence Community Professionals: Properly
Obtaining and Using Publicly Available Information (Office of the
Director of National Intelligence, 2011).
---------------------------------------------------------------------------
In light of the varying authorities and responsibilities within the
Department, instead of having a Privacy Impact Assessment with general
standards (such as for communications and situational awareness
purposes), the Department is developing a Management Directive for
Privacy Protections in Operational Use of Social Media. The Management
Directive will be enforceable throughout the Department, and will
identify the authorities, restrictions, and privacy oversight related
to use of social media for operational purposes. The Management
Directive will also provide instructions on how to embed privacy
protections into the operational use of social media and each
investigation performed by Department personnel. The Privacy Office has
already investigated one component's use of social media for
investigatory purposes; its conclusions are informing the Management
Directive.
Consistent with the Department's approach to embed privacy
protections throughout the life cycle of Department activities, the
Privacy Office will conduct a Privacy Compliance Review or assessment
of the Department's adherence to the social media Management Directive
approximately 6 months after the Directive is implemented.
conclusion
In light of the scope and availability of information including PII
found in social media venues, the Privacy Office intends to continue to
monitor the Department's use of social media in all three categories--
communications and outreach, situational awareness, and operational
use--to ensure privacy protections are built-in and followed.
Mr. Meehan. Thank you, Ms. Callahan.
Now I recognize Mr. Chavez for his testimony.
STATEMENT OF RICHARD CHAVEZ, DIRECTOR, OFFICE OF OPERATIONS
COORDINATION AND PLANNING, DEPARTMENT OF HOMELAND SECURITY
Mr. Chavez. Good morning, Chairman Meehan, Ranking Member
Speier, and Members of the subcommittee. I also would like to
thank you for inviting me here today to talk to you about the
National Operations Center use of social media monitoring to
provide real-time or near-real-time situational awareness of
potential occurring events or incidents that may impact the
safety, security, and resilience of the homeland.
As stated in Section 515 of the Homeland Security Act, as
amended, the National Operations Center is the principal
operations center for the Department of Homeland Security and
shall provide situational awareness and a common operating
picture for the entire Federal Government and for State, local,
and Tribal governments as appropriate in the event of a natural
disaster, act of terrorism, or other man-made disaster, and
ensure that critical terrorism and disaster-related information
reaches Government decision-makers.
In order to fulfill these statutory responsibilities, the
National Operations Center, also known as the NOC, gathers
reports from multiple sources, to include open-source media
reporting. Media reporting is often the first indication of a
potential incident. For this reason, the NOC utilizes and
incorporates media reporting into its incident reports. The
primary focus of our reporting is on what is happening, and not
who is reporting the event.
As previously stated, the NOC gathers reports from a
variety of sources and synthesizes them into one single
comprehensive incident report that is distributed again to the
DHS leadership, DHS components, and other Federal, State,
local, Tribal, territorial, and non-governmental and private-
sector partners for action as appropriate.
The after-action assessments relating to the Government's
response during Hurricane Katrina highlighted the importance of
real- and near-real-time information from media reporting to
enable a more timely response during a dynamic catastrophic
event. In 2006, following Hurricane Katrina, the NOC began
assessing the incorporation of media reporting for major media
networks into incident reports to provide responders with real-
time information. To date, incorporating media reporting into
the NOC's incident reports has enabled our partners to have
greater awareness during events and incidents.
Here is a real-world example of how the NOC incorporates
media reporting. In early January 2012, the media in Charlotte,
North Carolina, was first on scene reporting damage after
severe weather erupted across multiple counties near Charlotte.
The media reports were combined with reporting from State and
local sources. The end result, again, was a more timely
incident report that provided specific and comprehensive
information to our partners, enabling them to make informed
decisions.
The NOC incorporates media reporting into incidents across
the full spectrum of Homeland Security operations: Prevent and
protect, respond and recover.
Another real-world example of how NOC incorporates media
reporting into its incident reports also occurred in early
January 2012. The incident occurred in Austin, Texas. The media
in Austin posted incident information about evacuation of a
high school after a suspicious device was seen in a vehicle on
campus. The media reported that, according to county sheriff's
office spokesmen, sheriff's deputies were responding to an
explosive device in a car. Through additional Government
reporting, the NOC learned that the scene was secured and that
no explosive device was found by law enforcement officials.
Again, I would like to emphasize that it is the ``what,''
not the ``who,'' that is relevant for NOC reporting purposes.
The NOC adheres to strict enforcement of privacy guidelines
with regard to media reports. The NOC, in coordination with the
DHS Office of Privacy, evaluates processes and incident reports
on a recurring basis to ensure our privacy guidelines are being
complied with.
Again, thank you for the opportunity to speak with you
today, and I am happy to answer any questions you may have.
Mr. Meehan. Well, thank you for your testimony, Mr. Chavez.
As I said in my opening statement, I am concerned about
some of the news reports and materials related to DHS
monitoring of social media and the networks. So I will now
recognize myself for a few minutes of questioning.
The testimony has been revealing in the sense of giving us
the overall perspective. I think all of us appreciate the
ability for the Governmental entities to broadcast through the
various pieces so people know about what you are doing.
Mr. Chavez, you talked a lot about, sort of, media
monitoring. There is an expectation on the part of many of
those who are reporters and otherwise, they know they are
putting their product out so that it can be reviewed. So I
think we can go past those kinds of things.
We also appreciate, as I said in my opening statement,
about the opportunity to avail ourselves in real time of
breaking information that can be communicated in certain ways
that are now available so that there is the ability to keep
those that need to make the decisions up on the latest
information.
But you are sensitive--we are here today because where we
are trying to find is where that line is where the public
citizen--it is not just the expectation of privacy, because we
know they are communicating in public fora or even quasi-public
fora. But we are talking now about monitoring on-line
information in blogs, in websites, in message boards. Some of
these have, you know, the indicia of, sort of, quasi-privacy
communities, so to speak.
So my real question for you is to help us understand what
you are doing to assure that individual communication is not
leading to individuals being identified by the Government and
what you are doing to assure that we are not creating a
chilling effect so that somebody in a community who is
concerned about a particular issue will be more reluctant to
write a letter to the editor, to post something on a blog.
I will close my opening comments--and I know you have come
prepared to answer these, but we are all very concerned about a
couple of the circumstances that have happened. Most
specifically, what looks as if it is a directive within the
contract you have with a private contractor who is employed to
help you disseminate or gather information. It is identifying
media reports that reflect adversely on the U.S. Government,
DHS, or prevent, protect, respond, or recovery activities. So,
in effect, we are asking somebody to go out and let us know
what people are saying that is negative about us. This appears
to be what was asked for in the contract with General Dynamics.
So I would like you to tell me what it is that we are doing
to assure that private commentary is not being misused and what
we can do to assure that the activities of monitoring are not
going to create some kind of a chilling effect on individuals'
willingness and readiness, not only to comment, but, frankly,
to make comments which may be critical of the Government.
Ms. Callahan.
Ms. Callahan. Thank you, sir.
With regard to the privacy protections that the Department
has implemented specifically with regard to situational
awareness, to be very clear, as Mr. Chavez said, it is the
``what,'' not the ``who,'' that is being identified and that we
are concerned with.
As you are aware, my office not only mandated privacy
compliance reviews every 6 months to make sure that indeed we
are just focusing on the event, on the situation, to know what
is going on, and not worried about the individual; in addition
to that, the National Operations Center has very robust
auditing capability, that they go and review both the sites
that are being done, how long they are on it, and what
information is being implemented into the report.
We take these issues very seriously, sir. We absolutely
understand and agree that these are----
Mr. Meehan. Who is directing what is being monitored?
Ms. Callahan. Mr. Chavez.
Mr. Chavez. The key words, I guess, or the mechanism that
we use to identify information that is coming across the media,
whether it be social or the traditional media that is out
there, again, these are key words associated with events that
have happened in the past and also with the equities of the
Department of Homeland Security, again, looking at the safety,
security, and resilience missions that are out there.
So, as you said in your opening statement, I believe, that
there are any number of blogs going on at any one time and a
plethora of information that is flowing through there, there is
no way we could look at all of it. So we use the tools, again,
with these keyword searches that are commercially available for
looking at search items, particularly, again, keywords, that we
can pull out of there and look at, again, what the situation is
that is evolving.
Mr. Meehan. But you are looking at keywords, but my
question is, are there circumstances under which--who is the
one that is waking up in this vast array of information out
there? Because the limited number of people that you have
working for you, unquestionably, without some sense of
direction, they could be spending limitless time, in effect,
floating on a sea without any kind of product that is produced.
So there has to be some sense of direction. Where does the
line get drawn with regard to overlooking, sort of, general
words out there versus looking at specific incidents, specific
issues, and identifying people, as happened in Michigan?
Mr. Chavez. There are guidelines for sites that the
individuals within the Media Monitoring Center can monitor.
Again, those sites are submitted for approval through the
Privacy Office, and they are strictly adhered to by the
individuals who are actually looking at the information that is
coming across there and gathering them for us.
So there is a series of checks and balances.
Ms. Callahan. If I can, sir, in order to be transparent
about this, in the Privacy Impact Assessment we have a list of
the representative keywords. The Privacy Office reviews that
list every 6 months and makes sure that we stay within it. The
list is ``disaster,'' it is, you know, ``flood,'' ``tornado,''
and things like that.
With regard to individuals, as I indicated in my oral
testimony, we don't collect information on individuals. We do
not monitor them with regard to any First Amendment activity.
But individuals may be the first person at the scene, and so
they may go and report there has been a train derailment in
Michigan. We do not then go and say that, ``Mary Ellen Callahan
reported a train derailment.'' We then corroborate it with
another source that is identified----
Mr. Meehan. My time has expired, so I am hoping some others
will pick this up.
We know about the disasters. I don't think we are worried
about the disasters. What we are worried about are the
individual circumstances where there may be issues out there. I
point back again to the Michigan circumstance where there was a
controversial decision by the Government, and DHS played a role
in assessing community response to that incident. That wasn't a
natural disaster; that was an incident that was created by the
Government, and the Government then was monitoring the
community response.
That is where I want to--who is going to make the
decisions? Who is making the protections against circumstances
under which the Government is playing a role in not just
analyzing but filtering back, recording, and reporting about
things that people in the community have said about
Governmental activity?
Ms. Callahan. I would be happy to answer the Standish
question whenever the Members have given me the time to do so.
Mr. Meehan. Thank you so much.
I will turn it over to the Ranking Member, Ms. Speier.
Ms. Speier. Thank you, Mr. Chairman.
I am deeply troubled by the document that has just been put
into the record by EPIC.org. While you have probably not had
the opportunity yet to review it, Mr. Chairman, I would like to
request that after they do review it, that they report back to
this committee and provide us with answers to the questions
raised. But I am going to start with a couple of them.
They made a FOIA request back in April. DHS ignored it.
Then EPIC filed a lawsuit on December 23, 2011, when the agency
failed to comply with the FOIA deadlines. As a result of filing
the lawsuit, DHS disclosed to EPIC 285 pages of documents.
So I am just making note of that. You shouldn't stonewall.
When a FOIA request is made, you should comply with it within
the deadlines. No entity should be required then to file a
lawsuit. So I am just putting you on notice about that.
But what is interesting about what they have pointed out is
that, while you say there is no personally identifiable
information in this contract that General Dynamics has, in fact
they point out that there are some exceptions to the no-PII
rule. One of them allows for the collection of personally
identifiable information of anchors, newscasters, or on-scene
reporters who use traditional and/or social media. This would
allow the agency to build files on bloggers and internet
activists, in violation of the Privacy Act.
I find that outrageous. I would like to ask you to amend
the contract with General Dynamics to exempt that kind of
information from being collected.
Ms. Callahan. First, ma'am, with regard to the FOIA
response, I completely agree. It did not meet my standards in
terms of the timeliness of the response, and I have taken
action to look into why it was delayed. That was unacceptable,
and I completely concur with your statement.
With regard to the reporters, to clarify, the reporter's
information is collected--and, as noted in my written
testimony, the only information we collect on the reporters, if
at all, is the name, their affiliation, their title, if any,
and their publicly available identification. We are only
collecting the information if it adds to the credibility of the
report or allows coordination.
So it is very rare that we actually collect any information
about the reporters. But it could be a circumstance where you
link to a reporter's blog who is at a news site. For example,
in Michigan and the train derailment, if the person posted it
on his personal blog, we may be authorized to link to it. We
would not be authorized to collect it or use it for a
personal--an individual, but only if the reporter is relevant
and adds credibility to the report itself.
Furthermore----
Ms. Speier. I am----
Ms. Callahan [continuing]. To clarify, ma'am, just to
clarify, the reporter information is only stored in that
report. We are not cutting across the different reports. We are
not saying how many different reporters do it. It is
information that is publicly available, and it is not
associated with their opinions but instead with the situation
or the event that is occurring.
Ms. Speier. I am suggesting to you that it is irrelevant,
you do not need it, and you should suspend that part of the
contract.
Now, this document also suggests that you are capturing
public reaction to major Government proposals. Now, again, if
this is, in fact, true, if this is part of the contract, I
believe that should be suspended as well. This is not a
political operation; it should not be a political operation.
Capturing public reaction to major Government proposals is not
something you should be doing.
Ms. Callahan. I completely agree with you, ma'am. I 100
percent agree with you, which is why the report that they point
to on page 118 in the FOIA report actually was never a live
report. It was never disseminated by the National Operations
Center. It would not have met the privacy standards that are in
the five publicly available Privacy Impact Assessments we have
done. Furthermore, it is an example of an early August 2009
example of what could be possible. We, together with the
National Operations Center, agreed that that is well outside
the scope.
In fact, if you look at the document, it is within a very
early, February 2010, training manual as an identification of a
weekly report, because it is a compilation of other elements.
If you look at the previous pages, you can see that they
identify, like, ``This is not acceptable,'' ``This is not
appropriate,'' ``Redact the personally identifiable
information.''
That Standish, Michigan, report is one that only appears--
actually, the only place it exists in the Department is in my
files because of the privacy compliance review we did before
launching the initiative. It is----
Ms. Speier. All right. My time is about to expire, so let
me suggest the following. EPIC makes three recommendations at
the end of their report. They recommend you cease collecting
information on journalists' activities, that you suspend the
social network and media organization monitoring program until
safeguards are put in place, and that you comply with providing
Congress with an annual report that sets out in detail the
legal standards for this activity. I, for one, wholeheartedly
agree with their recommendations.
Mr. Chairman, I actually think we should have EPIC and
others in the privacy community come and testify. I am deeply
troubled by what we have heard so far this morning.
The fact that you agree with me but yet much of this
conduct continues is deeply troubling.
I yield back.
Mr. Meehan. Thank you, Ranking Member Speier.
At this point in time, I would like to turn it over to the
gentleman from Mississippi, the Ranking Member of the
committee, Mr. Thompson, for questions he may have.
Mr. Thompson. Thank you very much, Mr. Chairman.
Ms. Callahan, will you provide the committee with a copy of
the FOIA information that you provided to EPIC?
Ms. Callahan. Of course. Absolutely, sir.
Mr. Thompson. Thank you.
Also, will you provide us with your analysis of why the
FOIA request went unresponded to and what did you do in that
situation but also what will you do going forward so that other
requests won't be treated so cavalierly?
Ms. Callahan. Absolutely, sir.
Mr. Thompson. Mr. Chavez, do we create log-ons to monitor
individuals in this process?
Mr. Chavez. Actually, we do not monitor individuals at all.
What we are looking for, again, as I talked about, the
keywords. Within the keywords you won't find anyone's name.
Like, say, they are all verbs, those types of things that we
are looking for. So, no, we don't create log-ins for
individuals to do that, and we are not looking or monitoring
individuals.
Mr. Thompson. Are there any times that you take down names
of individuals?
Mr. Chavez. Again, given the seven criteria that we have
for life-saving, those type of circumstances, are the only time
that we would collect the names, use the PII.
Mr. Thompson. Who makes that determination?
Mr. Chavez. That is part of our training course that we do
for the individuals who are doing the media monitoring. We look
at those processes. Again, they are audited twice a year. The
most recent one was just done in November.
Mr. Thompson. Who is ``we'' doing the training?
Mr. Chavez. Actually, the National Operations Center, in
coordination with the Privacy Office.
Mr. Thompson. All right. How does this interface with the
General Dynamics contract?
Mr. Chavez. Those are the individuals who are doing the
media monitoring for us.
Mr. Thompson. So let me get this straight. DHS is training
a private contractor to do the media monitoring?
Mr. Chavez. Part of it, yes, on their privacy rules and
those types of things, indeed, we are.
Mr. Thompson. Why are we training private contractors?
Mr. Chavez. Well, to collect--their skill set, to collect
the information we are. But what they don't come with is,
again, the DHS guidance that we have to give them.
Mr. Thompson. I thought private contractors generally had
an expertise that we didn't have internally as an agency, and
we would go outside to pick that capacity up. But now what you
just said is for some reason we are training the outside people
to do the internal work.
Mr. Chavez. It is not overall training. Again, they do have
those skill sets that they use. What we add from the
Department, again, are those checks that we use to ensure,
again, that the privacy guidelines are complied with. That is
the part of the training that we do, and that is it.
Mr. Thompson. Well, explain to me what skill sets General
Dynamics, with an $11 million contract, would have outside of
DHS's capabilities.
Mr. Chavez. Well, what they offer, again, is the 24/7
monitoring of those sites. They are skilled technicians in
surfing the web and also doing an analysis of the information
that they get when they do get hits on websites and producing
synopsized reports that, again, comply with the privacy
guidelines that are out there, and pushing those out to us so
we can send those out to our partners.
Mr. Thompson. So your testimony is we don't have the skill
sets at DHS to monitor websites?
Mr. Chavez. We do. Right now, again, we have that as part
of one of our contracts that is out there.
Mr. Thompson. Is it a sole source contract?
Mr. Chavez. No, it is not.
Mr. Thompson. Well, will you provide the committee with the
procurement document? How long has it been out there?
Mr. Chavez. I will get back with you on that. I will give
you the full details on it.
Mr. Thompson. Was the original contract for the $11 million
a sole source contract?
Mr. Chavez. I do not know. I will have to check on that for
you, sir.
Mr. Thompson. How long have you been working with the
agency?
Mr. Chavez. Two years.
Mr. Thompson. How long has this General Dynamics contract?
Mr. Chavez. In the 2 years I have been there.
Mr. Thompson. So you inherited the General Dynamics
contract?
Mr. Chavez. Yes, sir.
Mr. Thompson. All right. Well, please get it to me.
The questions raised by the EPIC insertion, as well as what
everyone has commented, raise significant issues around
safeguards. Mr. Chairman, I think you would help a lot of
people if at some point we could, as Ranking Member Speier
suggested, maybe bring those individuals and others who might
have an interest before the committee to talk about it.
I yield back.
Mr. Meehan. Thank you, Mr. Ranking Member. We appreciate
your presence here today on the subcommittee.
The Chairman now recognizes the gentleman from Minnesota,
Mr. Cravaack.
Mr. Cravaack. Thank you, Mr. Chairman.
Thank you for coming here today and briefing us.
I think what everybody is really concerned about here is
our Constitutional rights. Because we in the United States, we
have this great document called the Constitution, and we have
to walk this fine line of data attainment to protect the United
States but to, at the same time, make sure that we have
safeguards in place that we have freedom of speech, which we
value highly.
So, with that said, what safeguards are in place that when
the DHS does collect and distribute personally identifiable
information, PIIs, outside a specific narrow event such as a
life-or-death situation, can you kind of expand upon that a
little bit?
Then with that said, what would be the penalty associated
with distributing that information illegally? Have there been
any cases where that has occurred?
Is there a report currently going from General Dynamics to
you, to Congress that would also, when these people are
identified, that Congress is aware of that?
So, with that, Ms. Callahan, could you start off?
Ms. Callahan. Absolutely, sir. Thank you very much for that
question.
As I have described and Mr. Chavez has described, the only
personally identifiable information that can be collected are
these seven very narrow categories: Public officials or in a
public event or making a public statement or life-or-death, as
you pointed out.
As part of the review by the National Operations Center,
every week they go and check to make sure no personally
identifiable information is provided. I review each of the
media monitoring that I receive as part of the ordinary course
of business, just to see if they continue to comply with the
privacy protections that we describe in our five publicly
available Privacy Impact Assessments and privacy compliance
reviews. We then do these semi-annual reviews of the entire
system to look at all the processes therein.
Prior to me authorizing any personally identifiable
information, there were, to my recollection, two circumstances
where public officials were named in the circumstance--for
example, President Obama. There was no circumstance with regard
to individuals who are not in a public capacity who have been
named.
Actually, that example of having a public official like the
President is why we agreed to have those seven very narrow
categories that could be disclosed. Again, identifying
Gabrielle Giffords as the target of the attack in Arizona
actually helped coordinate the response more quickly, because
we had that authorization.
With regard to the penalty, if, indeed, that had taken
place, there would be significant penalties. There would be
training and possibly taking them off the job if, indeed, there
was a recidivist behavior. We have not yet seen that.
With regard to a report from General Dynamics, I don't know
of that, but I do know that we have been doing these semi-
annual privacy compliance reviews, which are available on our
website, for exactly the reason that everyone has identified:
To make sure that we are following the privacy protections that
we have identified and that we are not monitoring, reviewing,
or collecting First Amendment-protected speech.
Mr. Cravaack. Mr. Chavez, do you have any comment on that,
as well?
Mr. Chavez. No, that is exactly it. Again, we follow the
guidelines that the Privacy Office sets forth. We do audit on a
regular basis the individuals who are doing those types of
things. We have a series of individuals that are reviewing the
data, again, to make sure that the PII is not inappropriately
passed on, displayed, or stored.
Mr. Cravaack. Okay.
I would like to dovetail on what the Ranking Member said.
Why did you pick General Dynamics, for example, to be the
contractor for monitoring social sites and not keep it in-
house, so to speak?
Mr. Chavez. Sir, again, that was before my time. That is
the contract I inherited. But I can get you the information on
that.
Mr. Cravaack. Okay. Who in DHS issued the directive for
this establishment of this committee? You know, I agree, you
have to get resource information and intelligence anywhere you
can possibly get them, for various reasons. But who initiated
the directive to initiate this social networking?
Mr. Chavez. DHS did, again, before my time, right after
Hurricane Katrina. Again, with the advantages of looking at the
media to get a more timely response, see what is going on,
provide greater situational awareness, the decision was made to
monitor the social--or the media monitoring, traditional media.
Then later on it evolved into the social media.
Mr. Cravaack. Okay. One of the things that did kind of
raise a red flag for me is reports on DHS components and other
Federal agencies, positive or negative reactions to certain
Federal organizations. Who gave that directive?
Ms. Callahan. As I understand, sir, that is part of the
General Dynamics contract. As was said, it predates Mr. Chavez.
The purpose of that is not to keep track of what they are
negatively saying, but for operational purposes to understand
whether or not the Department is candidly meeting its
standards. If, indeed, there is a long line as TSA, we don't
care who is in the long line, but if someone tweets and says
there is a long line, we then convey that information to TSA.
It is part of the operational awareness that the National
Operations Center does.
Mr. Cravaack. Okay. My time has expired. I do have an issue
with that, but I will yield back at this time. So thank you.
Mr. Meehan. Thank you. Thank you, Mr. Cravaack.
So, at this moment, the Chair will recognize the gentleman
from--it is ``Missoura'' where you are from, right, not
``Missouri''?
Mr. Long. Right. You bet.
Mr. Meehan. Mr. Long.
Mr. Long. Thank you, Mr. Chairman.
Mr. Chavez, what can the agency point to as your legal
basis for your social network and media monitoring program,
which a lot of us I think today have expressed concerns
threaten important free speech and expression rights? What
legal basis can you point us to that either this activity could
even be concerned with----
Mr. Chavez. It was, again, Section 515 of the Homeland
Security Act, as amended, to provide situational awareness and,
again, that common operating picture.
Mr. Long. That is the legal basis for it?
Mr. Chavez. Yes, sir, that is the legal basis.
Mr. Long. Okay.
Ms. Callahan, I, as a lot of us today, are very concerned
about the chilling effect on our core First Amendment rights to
political speech and free speech in general. Are there--what
can you point us to? Are there protections to ensure that only
necessary personal data is used and retained no longer than
necessary to protect against accidental or deliberate misuse?
Ms. Callahan. I, too, sir, am very concerned about the
First Amendment and want to make sure that that is wholly
protected with regard to this activity. We spent 9 months
designing this program and have detailed it in the public
Privacy Impact Assessments and compliance reviews.
The standard by which we operate is, again, not the ``who''
but the ``what is taking place.'' What is the event that is
going on? If an individual alerts us to that event, then that
is the first report, but not the exclusive report.
The way, sir, that we have the privacy protections embedded
into the program is to make sure that no personally
identifiable information is collected or disseminated unless it
meets those seven categories.
Mr. Long. No what information?
Ms. Callahan. Personally identifiable information.
Mr. Long. Okay.
Ms. Callahan. No personally identifiable information is
collected except for those public figures or in a life-or-death
circumstance. The National Operations Center goes and very
robustly audits that, and then we go in every 6 months to make
sure that, indeed, the representations are correct.
The personally identifiable information, the very narrow
topics--which, again, are public figures making public
statements or part of an event, or a life-or-death
circumstance--are stored only in the report. We are not doing a
table or an analysis of each of the different reports. They are
only stored in that.
In fact, I published a System of Records Notice, which is
required under the Privacy Act. It was not necessary for me to
do this; the general System of Records Notice for operations
would have covered this activity. But for transparency
purposes, when I finally authorized the use of personally
identifiable information, we published that System of Records
Notice to go and say, these are the seven categories that we
are doing--public figures at public events, or life-or-death
circumstances--in order to be very clear about what we are
doing with information and, candidly, sir, what we are not
doing with information.
Mr. Long. So, in your mind, you are convinced that what you
are doing is consistent with existing DHS policy?
Ms. Callahan. Consistent with DHS policy, consistent with
the Privacy Act, and consistent with the First Amendment, yes,
sir.
Mr. Long. Okay.
I have another question for you, Ms. Callahan. As the
public becomes aware of Government activity monitoring social
media to gain rapid understanding of events, what are the risks
of people or groups trying to affect those events, I guess--
say, people with bad intentions using the different platforms
of social media to manipulate the Government understanding to
their advantage? What can be done to guard against this
problem?
Ms. Callahan. My colleague Mr. Chavez may also have some
thoughts about that. But I think that, because we don't rely on
just one individual source but we actually confirm the sources
and look for making sure that we have multiple sources
identifying, for example, the train wreck in Michigan, would be
one element.
Also, to confirm, the National Operations Center, the
situational awareness, is not attempting to investigate or
confirm the validity of the event, just that an event has been
reported.
Mr. Chavez.
Mr. Chavez. Ms. Callahan is absolutely right. No single
source of information ever provides us with a complete picture.
Oftentimes we use multiple sources--or, all the time we use
multiple sources of information to corroborate information that
we are getting in.
So it is all part of the big picture. In order to get the
big picture, again, in this environment, we look to multiple
sources that are out there, not a single source, to corroborate
that information that is being produced.
Mr. Long. How does that affect people trying to I guess put
a different spin or take advantage of----
Mr. Chavez. There is always that--yes, there is always that
deception.
Mr. Long. That was kind of my question.
Mr. Chavez. If it doesn't match up with the preponderance
of information coming in that is counter to the information we
are receiving, then we can pretty much write off that. Plus we
are not investigating that information, we are turning that
over to the appropriate law enforcement or Government agency to
look at what is happening again and is it really happening.
Mr. Long. Okay. I have no time to yield back, but if I did,
I would.
Mr. Meehan. Well, thank you, Mr. Long. Thank you for your
questions. I am going to exercise the prerogative to ask a
couple of follow-up questions and certainly would make that
opportunity available to anybody who would like to as well or
not.
Ms. Callahan, you spent some time talking about the
circumstances in Michigan and about some protections. I know
you haven't stated it today I spent time going through your
written testimony and other sorts of things. I know you
suggested that this is an anomalous circumstance. This is being
identified as an event that happened, but maybe the statement
would be but it wouldn't happen today. You have a moment, tell
me how you have cured that kind of a circumstance and how we
would not have a repeat where there is an incident that occurs
in which the Government begins to be looking for the
information that was disseminated, collected, and disseminated
in Michigan.
Ms. Callahan. Yes, thank you, sir. To clarify slightly,
that information was never disseminated, it was never a live
report, it does not meet the standards of the privacy impact
assessments and would not have actually been done. It was an
early example of what could possibly be done. Together with the
National Operations Center, we both agreed that we don't care
about First Amendment speech, we don't care about the events.
Mr. Meehan. Well, you do care. What you are trying to say
is that is not what you are inquiring about?
Ms. Callahan. We care about the events, not the First
Amendment elements. Right, we care about the events. Candidly
even in that example, Guantanamo Bay and the transition of any
prisoners from Guantanamo Bay is actually not within the
Homeland Security mission. So it wouldn't even have met that
threshold question. That is the current threshold standard that
we implemented since January 2010, making sure it is a Homeland
Security mission and an event and a situation. So for those two
that is kind of a threshold point. We then would not--as I
said, no element of First Amendment protected speech is
collected, disseminated, or analyzed.
We also make sure that--as I said, I review the media
monitor reports when I receive them to make sure that they
continue to be compliant, that we are only reporting on the
what and not the who. So I think all of these multiple levels
are an example of why that Standish, Michigan, to give an
example, is an anomaly. It is obsolete, and it only is in the
handbook that was done, that is 2 years old, and was quickly
replaced once we started to work on the pilots and to fine-tune
to make sure that we can provide situational awareness and
protect privacy.
Mr. Meehan. Let me go back then to prospectively where we
may be looking at other kinds of events, as you say the who,
not the what. Now I know there were attempts to look at things
like the Olympics, there was an effort to track information
that may be related to that. I can foresee a number of other
events, conventions, are you going to be monitoring activity
around conventions?
Ms. Callahan. Again, I turn it over to Mr. Chavez, but we
do monitor National security special events to make sure. For
example, we monitored the Super Bowl. But again it is not about
the who, but the what. How are the roads moving, how are the
processes, are there any suspicious activities?
Mr. Meehan. You are not calling in the plays for Bill
Belichick, are you?
Ms. Callahan. I abstain on which--who I was supporting in
the Super Bowl, but it is the what, it is the event.
Mr. Chavez. Holistically we are monitoring the whole
Homeland Security enterprise, not just the events. We are
looking for the same, again, keywords criteria that would
indicate any type of action----
Mr. Meehan. You keep saying keywords. What I am trying to
get to is who begins the process of identifying what should be
analyzed. I guess the what, not the who, but who is it that is
saying to go after the what. I don't know where this has begun.
Mr. Chavez. Right. It is not the National Operations
Center. Again the National Operations Center is the messenger.
Mr. Meehan. Who is giving the direction? I want your
analysts to look into X. Where does that come from?
Mr. Chavez. That again does not come from the National
Operations Center.
Mr. Meehan. I know it doesn't.
Ms. Callahan. So if I can just step back for a second, sir.
The National Operations Center is to provide situational
awareness for the entire Homeland Security enterprise. The way
that we implemented the Social Media Initiative was to provide
these keywords that you can use on publicly commercially
available software that you can basically refine, no see
individual Tweets, but see what is trending and what is
happening and if there are elements. The keywords, as I said,
are disclosed in my privacy impact assessment.
Mr. Meehan. But when your analysts start work in the
morning, do they just pick up a keyword book and start going
out looking for----
Ms. Callahan. No, it is programmed in all the time, is what
I was going to say. It is programmed in all the time. We don't
modify the keywords, disaster, flood, tornado, train wreck,
derailment, those sorts of things.
Mr. Meehan. You keep talking to me about incidents that are
disasters, and I get that. We are going to put that aside. Part
of the mission here was to monitor activities that may be--we
are Homeland Security, we are worried about the potential that
there could be someone acting in some capacity that would
threaten our homeland and cause harm to the American citizens.
I get that, too. We are also worried about the fine line in
which people may be talking about things they don't like about
their Government, it is legitimate protest. So where are there
activities that are taking place that it could be a
collaboration of individuals from outside the country that are
meeting at a convention all over the world. Does somebody say,
hey, let's watch what is happening there. I need to know where
this process begins, who's telling people to track the what?
Mr. Chavez. The individual Government agencies we provide,
we will call them our customers, are the ones who determine
whether or not the data is actionable or not, whether or not to
pursue a follow-up, each of those executing their own
authorities to do the investigations to collect intelligence in
those type things. Often again the reports we provide through
the social media monitoring are a supplement to getting the
information to these organizations.
Mr. Meehan. So it might be a legitimate investigative
agency that has the capacity to in their own right but using
legitimate investigative tools and protections, they are asking
you to get secondary publicly available information that fills
a gap or something of some sort?
Mr. Chavez. Most definitely. Again once the reports come in
we very seldom get the direction from an outside organization
to look for specific things because under their own authorities
they can drill down farther than the National Operations Center
can on information that was provided.
Mr. Meehan. Where does the top of the line come from; is
this a career professional that makes these decisions or public
appointee in the DHS who may be overseeing what is being looked
at?
Mr. Chavez. Let me take an example of the intelligence
field with their skill sets they have in the enterprise. There
are individuals, both political appointees and senior
officials, that again take a look at the information they have
and decide whether or not to take action on to pursue
investigations to open up whatever, again under their
authorities, they can do to defend the homeland and produce
that information in these reports.
Ms. Callahan. If I could summarize, sir. The Situational
Awareness Initiative we have been talking about is essentially
breaking news, here is what is happening. To your point, if
indeed someone receiving a report of breaking news and they
have the underlying authority to investigate it, then they go
off on their own track and the operations nor does the Privacy
Office know they are doing it separate and apart from we are
going to do audits and reviews of social media when the
management directive is final. So they are breaking news and
then other there are other authorities in the Department and
also throughout the Federal Government.
Mr. Meehan. Final question. Breaking news, the Attorney
General just decides he is going to try Guantanamo detainee in
New York City. There is a lot of news about that now. Is it
possible that you would be contacted by somebody who said
follow what is happening, report to us what the reaction is to
that?
Mr. Chavez. In the history of the time I have been at the
National Operations Center, no, sir, that has not happened.
Mr. Meehan. What would be your protection against that kind
of request? How to you tell a political appointee who is high
up in the administration that is not appropriate for us to
monitor?
Mr. Chavez. It is not only appropriate, it is not under our
authority. It is illegal to do that.
Mr. Meehan. Well, that is a good answer to any kind of a
political appointee. At this point I have gone well over my
time.
Mr. Thompson.
Mr. Thompson. Yes, I do. Ms. Callahan, you talked about
taking 9 months to put this program together.
Ms. Callahan. Yes, sir.
Mr. Thompson. Did you vet the program with any outside
stakeholders or was it strictly an internal process?
Ms. Callahan. Actually, sir, with regard to the situational
awareness I discussed it in my quarterly meeting with advocates
that takes place, I believe after the initiative launched but
before it became a program, so during the three pilot phrases.
In addition, one of my staff testified in front of my FACA
committee, the Data Privacy and Integrity Advisory Committee
early in the process. In fact in December I had hoped to have
one of Mr. Chavez's colleagues testify in front of the Data
Privacy and Integrity Advisory Committee, but unfortunately--he
was there, he was prepared to testify about this very issue
because of the importance of the issue but we ran out of time.
But yes, we have discussed this publicly and gotten advice on
it.
Mr. Thompson. Well, I am concerned that given what I am
picking up that there are a lot of people who have interest in
privacy and this whole area that has not been included in the
discussion. What I would like for to you do is provide us with
those organizations or individuals who you have collaborated
with over that 9 months to develop this program.
Ms. Callahan. To be clear, sir, I did not discuss this
outside the Department until it was launched as a pilot under
the Haiti earthquake, but then I did discuss it, as I said, in
several advocate meetings, that I have quarterly advocate
meetings with advocates and we did discuss it publicly in the
FACA committee. But we are happy to provide you that
information. Yes, sir.
Mr. Thompson. Whoever the advocate, whoever attended, how
broad that attendance is, all that, just please get it to us.
Ms. Callahan. Absolutely.
Mr. Thompson. The other concern I have is taken off of from
what the Chairman was talking about, is the notion of
identifying political and journalistic activities that reflect
adversely on the agency or the Federal Government. Ms. Chavez,
it is your testimony that you don't do this?
Mr. Chavez. Indeed, we don't do that. What we do do again
is if there are long lines at the airport, at the screening
centers, those types of things, those would come up to us, and
we would pass it on to the appropriate DHS component for action
again through corroboration, is this really happening, what is
happening and what we need to do to fix that. But identifying
individuals again or an individual that is making that would be
irrelevant to us. There is something happening, go check it
out.
Mr. Thompson. Well, okay. I will go back to the General
Dynamics contract again. Obviously some of us are troubled by
it. Why would you ask them to look at the Drudge Report or New
York Times or L.A. Times?
Mr. Chavez. We don't focus again on any one media source.
There are many that are out there. It all goes back to the
information that they are providing, not the provider of that
information.
Mr. Thompson. So they are the only source of--so in other
words, they have this expertise that they can look at the blogs
and read the newspapers better than the Department if that is
what you want to do?
Mr. Chavez. Well, you have to look at it also. We are not
in here currently watching television or looking at the media
reports that are coming in. We all have a vested interest in
this Homeland Security. So what we are providing is a service
where we are looking at individual action or actions that could
be happening around the United States and elsewhere that again
we see and push that information out to the Federal Government
and our State and local partners, the entire homeland security
enterprise, to let them know that something is happening. They
may already see it and be acting on it, in which case we would
receive information from those agencies on here is what is
currently going on with this also.
Mr. Thompson. Ms. Callahan, to your knowledge are there any
other branches of the Federal Government who are doing similar
kind of programs?
Ms. Callahan. I don't have a comprehensive knowledge of
this, but I do know that National Operations Center has a
unique statutory responsibility to provide situational
awareness to the Federal Government. So I am not aware that
anyone else is doing that given the NOC's authorities.
Mr. Thompson. FBI, DOD, nobody to your knowledge?
Ms. Callahan. I believe they are operating within their own
authorities consistent with what I discussed with the Chairman.
Mr. Thompson. I just asked you.
Ms. Callahan. I don't know, sir, sorry.
Mr. Thompson. So you don't know--you designed the program
without any review of whether or not another agency is doing
it?
Ms. Callahan. As I said, sir, I believe the NOC's statutory
authority is unique.
Mr. Thompson. No, no, no, just answer the question.
Ms. Callahan. I do not have any other knowledge.
Mr. Thompson. You said it took 9 months to put the program
together, and I just want to know as part of your due diligence
did you check and see whether or not another agency within the
Federal Government was doing something just like this. I would
assume that the FBI would be doing something like this, I would
assume that DOD would be doing something like this, just given
their mission. If you say you don't know, I don't think that is
the right answer from a due diligence standpoint.
Ms. Callahan. I can check with my staff, and maybe Mr.
Chavez is aware of what other people are doing in this. We are
trying to be very transparent about what we are doing and
perhaps the other departments have not necessarily taken that
tack.
Mr. Chavez. I am not aware of anyone else that is doing the
social media monitoring at again the unclassified level. The
intelligence community with their skill craft may, but no, I
don't.
Mr. Thompson. I yield back, Mr. Chairman.
Mr. Meehan. Thank you, Mr. Thompson. It appears to me as we
have been going through this issue I have got the very
difficult recognition that as I chastise my children about
spending significant time on Facebook, they are now going to be
saying to me, well, dad, it can be a career.
At this point let me turn it over to the gentleman from
Minnesota for a few follow-up questions.
Mr. Cravaack. Thank you, Mr. Chairman. Does DHS use any
other contractors to monitor to the best of your knowledge?
Mr. Chavez. Right now, no, we don't, sir.
Mr. Cravaack. Is there any plans to?
Mr. Chavez. Right now we have got all we need with, again,
the services being provided.
Mr. Cravaack. Just kind of dovetailing what the Ranking
Member was saying, one of the things I read is that you want to
capture public reaction to major Government proposals. You are
monitoring positive or negative reports on FEMA, CIA, ICE.
Mr. Thompson. Would the gentleman yield?
Mr. Cravaack. Yes, sir, I will yield.
Mr. Thompson. I asked you a question about the General
Dynamics contract. You told me there was an RFP out right now.
That was your answer to me on social monitoring. You look back
to the gentleman, you said it wasn't sole source, it was open.
That was your answer to me then.
Mr. Chavez. It is a firm fixed contract, not sole source.
Mr. Thompson. But you said there is an RFP out right now.
Mr. Chavez. RFP. I am sorry, I am not familiar.
Mr. Thompson. Request for proposal. We talked about the
General Dynamics contract. We asked about it. Your conversation
talked about whether or not it was sole sourced or it was open,
and you indicated that we are going out looking for another
contract right now.
Mr. Chavez. No. If I did, sir, I apologize, sir. I stand
corrected. It is a firm, again, fixed contract and again not
sole sourced.
Mr. Thompson. How long is this fixed for?
Mr. Chavez. Actually, I don't have that information. I
don't have the fixed.
Mr. Thompson. Thank you. Thank you for yielding.
Mr. Cravaack. Yes, sir. I will reclaim my time. Going back,
it was mentioned some of the--you know, FEMA, CIA, CBP, ICE--
these are organizations that are outside of DHS. Now if
somebody--if there was an organization outside of DHS
requesting this information, would you provide it to them?
Mr. Chavez. We don't normally get, again, requests for
information. We just take it from the media and push it to the
organizations that are out there because they have their own
information authorities, gathering authorities and those types
of things that they use. So they use our media monitoring
reports to supplement what they have already got.
Mr. Cravaack. The thing I am really having problems with I
guess is the Government proposals, reactions to Government
proposals and then feeding that information to different
organizations within the Government. You are using a public
sector source that may be used for private individual
attainment of information for other reasons then that would
benefit the public. That is what I am concerned with and how
would you go about preventing this from occurring?
Mr. Chavez. That specific purpose of the media monitoring I
have never encountered. Again, the only kind of evaluation, if
you will, of the departments or other Government agencies is
just, as I said, there is a service that is being provided,
that again there is a hold-up at the airports, as Ms. Callahan
said also, but to go out and solicit that information or to
collect it. I have not seen this in my tenure at DHS.
Mr. Cravaack. Well, now this hearing has occurred, I think
you have a higher profile. But my question would be what are
the checks and balances in there from ensuring that this is not
used for private initiatives?
Mr. Chavez. Again, with the information that comes in it is
reviewed by a number of individuals throughout the National
Operations Center and Operations Coordination and Planning to
ensure that the compliance with the PIIs out there and the
distribution lists also are pre-approved so that it doesn't get
out to sectors, again so we don't compromise proprietary
information and those types of things.
Mr. Cravaack. Can you give me an example of what kind of
information you have been gleaning thus far in regard to
Government proposals?
Mr. Chavez. I am not aware of any information we have
gathered on Government proposals.
Mr. Cravaack. Okay. All right. Say I am ICE or say I am
those who would be interested in the gun walking down in Mexico
and I want to get information in regards to what is the public
reaction to this. Say I am an organization, I am just trying to
use broad general terms so we don't have to get into another
area, a realm. How would you go about that request?
Mr. Chavez. Again, that would not be a request that was
appropriate or a function of the National Operations Center.
Given our, again, authority under the Homeland Security Act for
a situational awareness or operating picture, we are not a
pollster, we don't again solicit for opinion. We are putting
down actual incidents that are happening at any one time.
Mr. Cravaack. Okay, I am the Attorney General, I am asking
for this information.
Mr. Chavez. Okay.
Mr. Cravaack. What are you going to tell him?
Mr. Chavez. Again, that is not the appropriate mission or
within our authorities for the National Operations Center to
gather that information. There are other organizations within
in the Federal Government who do have the authority to gather
that information more thoroughly, again, than we do.
Mr. Cravaack. Mr. Chavez, you are telling the Attorney
General that I cannot acquire this information, this is a vital
need for American security.
Mr. Chavez. It would be outside the skill set of what we
actually do. We are not the source for that. So I would not be
afraid to tell the Attorney General that we are not the
organization that does that.
Mr. Cravaack. You are an Air Force officer, aren't you?
Mr. Chavez. Yes, sir.
Mr. Cravaack. Hooray. With that, I yield back.
Mr. Meehan. Mr. Long, do you have follow-up questions?
Mr. Long. Well, you know that, sure. Thank you, and to my
friend from Minnesota Mr. Chavez may be better known after this
hearing but I just checked Twitter and we are not yet a
trending topic on there.
The longer I sit here I think the more confused I get. The
title of what we are supposed to be talking about today is
``Department of Homeland Security Monitoring Social Networking
and Media: Enhancing Intelligence Gathering and Ensuring
Privacy.'' We are all kind of in agreement on that?
Ms. Callahan. Yes, sir.
Mr. Chavez. Yes, sir.
Mr. Long. Of course we had a classified briefing yesterday
and I came away from that thinking what we were trying to do is
protect the homeland and watch for events that may affect the
security of citizens here in this country. But yet today I keep
hearing about breaking news, which Twitter is pretty good for
that. So either one of you can answer this if you want. I
appreciate you being here today, but what is your charge? I
have a disconnect with the breaking news, trying to follow that
up. I mean that is history, breaking news has happened.
Prevention and protecting the citizens while ensuring their
Constitutional rights is a whole different can of worms. So
both of you can answer this: What is your charge? What do you
visualize your job and the agency job as far as--am I
completely off-base that we are supposed to be trying to
protect the homeland while ensuring privacy, as they say?
Ms. Callahan. You are correct that that is our mission.
That is the point of this hearing. I think the disconnect
perhaps is that, as I pointed out in my oral testimony, there
are three uses of social media. We have been focusing on the
second, which is the situational awareness, which is the
breaking news element, to know there is an event that could
impact the homeland.
The third element, which is the operational use you spoke
to the under secretary yesterday, about when we would do it
consistent with our authorities for law enforcement or other
investigatory purposes using social media if there was a
predicate, some sort of reasonable suspicion or elements for
that. That is kind of the third element on the prevention side.
Mr. Chavez and I have been speaking a lot about the situational
awareness, which is the second of the three uses that the
Department uses social media for.
Mr. Chavez. The National Operations Center again is part of
the bigger picture out there. We are one of the tools that
again the agencies use to again monitor the homeland and those
types of things, again that they do under their own authority.
So to put the intelligence piece in there with the Nation
Operations Center, we are providing through the National
Operations Center another piece of information that again those
individuals who can use intelligence under their authorities or
enhance their operations as with ICE, as was brought up in the
other departments or components of DHS, that is what they do
with it. We provides one piece of the information, the total
information that is out there that they can use and that source
again is the media portion of that.
Also, because the intelligence and all those other
communities that are out there looking at it, again may not see
something happening because they are executing a mission that
is out there. What we do again is provide that service that
something is happening, turn it over to the appropriate
Government agency, to include State----
Mr. Long. That is all after the fact, correct?
Mr. Chavez. Indeed. There are other organizations that
again that are looking at the prevention piece and looking,
doing assessments to determine what threats may be coming at
us. We are dealing with the here and now.
Mr. Long. I am sure there is something I am missing because
I can't believe that we would go to all this effort to look
into breaking news.
Ms. Callahan, another question for you to wrap up. I am
going to try this, can you describe the Department's on-going
privacy and civil liberty protection oversight process that is
in place now to ensure citizens' Constitutional rights are not
violated during the execution of the Department's social media
monitoring?
Ms. Callahan. Yes, sir. Thank you very much for that
question. The Congress has been very generous with my oversight
authority, and as I have described earlier, we have been doing
mandated, required privacy compliance reviews that we publish
on the website. To be clear about what is going on with regard,
we are doing these reviews every 6 months, in fact February we
started again.
We are also authorized to do investigations into individual
types of use of social media, as I said kind of that third
category in an operational sense. We are finalizing a
management directive to make sure that everyone complies with
privacy protections across the board with regard to
investigations and operational use. In there we are requiring
audits every 3 months, as well as specific investigation by my
office. So we take this issue very seriously and we try to be
as diverse and robust in working with the Office of Civil
Rights and Civil Liberties in all three categories in which the
Department uses it--communication, situational awareness, and
operational use.
Mr. Long. During those 3-month and 6-month checkups are you
finding things that are of concern to you about people's
Constitutional rights?
Ms. Callahan. We have not. No, with regard to the
situational awareness, the second use that the Department uses,
the National Operations Center has been very consistent with
the public-private protections that we have identified.
Mr. Long. Thank you all for being here today and I yield
back.
Ms. Callahan. Thank you, sir.
Mr. Meehan. Thank you, Mr. Long. I want to express my
appreciation to the panel for being with us here today. I think
we have begun an important discussion, and there is
appreciation of the difficult charge that you share with some
of the other agencies here who not only protect our homeland
but American interests around the world. I am grateful for your
service in that capacity.
I think all Americans appreciate the huge challenge of
fulfilling the responsibility of having the imagination to
appreciate what could happen and connecting the dots real-time,
all of things we are asking you to do to prevent another issue
of terrorism here on American soil, but we also appreciate that
you are one of the real protectors of the individual's rights
to privacy, what it means to be an American, and this is a
delicate and difficult area that I think we have to continue to
explore. I am asking you to continue to use your diligence and
most assuredly to assure that there isn't inappropriate
interference politically, especially inappropriate political
interference in which somebody takes your mission and uses it
for another purpose, and that every effort be made to safeguard
the rights, the privacy rights of individuals.
We may have another opportunity to follow up on things we
did not get into because, as I say, I appreciate what you are
doing at the DHS level. I am cognizant in my own State of
Pennsylvania of the historic context in which State-run but
related fusion centers and otherwise have conducted these same
kind of inquiries, and that information found its way not just
to Governmental entities but to private contractors, private
businesses who were using it for their own purpose. So this
whole question of, you know, who is collecting what
information, what are we doing to safeguard it and what are we
doing to assure that at some appropriate time it disappears.
There is a lot here. I know it is part of your job. I thank
you for the work that you are doing, but we are going to
continue to ask these tough questions because it is vital to
the protection of the most fundamental thing we have, which is
our Constitutional rights as American citizens to privacy and
to be free from inappropriate Governmental intrusion.
Thank for your work and thank you for your testimony. The
Members of the committee may have additional questions for
witnesses. If they do, we will ask you to respond in writing. I
know there are some things that were asked that you go back and
do your best to be responsive to the questions that the
committee did ask. The hearing record will remain open for 10
days.
So without objection the committee stands adjourned.
[Whereupon, at 11:35 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Letter Submitted to Chairman Patrick Meehan From Mary Ellen Callahan
and Richard Chavez
March 1, 2012.
The Honorable Patrick Meehan,
Chairman, U.S. House of Representatives, Committee on Homeland
Security, Subcommittee on Counterterrorism and Intelligence,
Washington, DC 20515.
Dear Representative Meehan: Thank you for the opportunity to
testify before you and your subcommittee on February 16, 2012 about
Department of Homeland Security (DHS) review of publicly available
social media websites. DHS remains fully committed to providing the
subcommittee with all of the information it requires on this topic. We
ask that our letter, along with the enclosed attachment, be
incorporated into the official record for the February 16, 2012 hearing
before your subcommittee.
At the hearing, questions were raised regarding contract language
that appeared to permit the use of social media websites to track First
Amendment-protected speech by collecting information on public dissent
or disagreement on Government activities. As detailed in our written
testimony DHS does not now, and has never collected or used, social
media reporting for such purposes. We will modify the existing contract
and all DHS documentation to clarify and align guidance language with
the Privacy Impact Assessments (PIAs).
To further illustrate this point, this week Director Chavez issued
the enclosed memorandum to the National Operations Center (Attachment
1) stating that the Office of Operations Coordination and Planning and
the Privacy Office are currently reviewing the 2011 Media Monitoring
Analyst's Desktop Binder to ensure alignment with the PIAs. Although
the media monitoring efforts are in accordance with the privacy
guidelines outlined in the PIAs it is important that all documentation
relating to media monitoring be similarly aligned. The Privacy Office
will complete its fourth Privacy Compliance Review in mid-March 2012
and this alignment will be part of the review.
Director Chavez's memorandum to the National Operations Center also
reiterates the privacy guidelines that have been in place since the
start of this program: Collection of personally identifiable
information from social media websites is permitted only in specific
circumstances and is limited to the categories described in our written
testimony and in the January 6, 2011 PIA. The information that is
collected may be retained only in the report that is generated, and is
not cross-referenced or tracked in any other way.
We appreciate the subcommittee's interest in our efforts in this
regard. We would be happy to meet with subcommittee staff or Members
individually the week of March 5, 2012 to provide you with any further
information or discussion of these issues you may require. NOC media
monitoring reports are also available for your review.
Sincerely,
Mary Ellen Callahan,
Chief Privacy Officer, U.S. Department of Homeland Security,
Richard Chavez,
Director, Office of Operations Coordination and Planning, U.S.
Department of Homeland Security.
MEMORANDUM FOR: National Operations Center
FROM: Richard Chavez, Director, Office of Operations Coordination and
Planning
SUBJECT: Media Monitoring Guidance Reminder
As part of the fourth Privacy Compliance Review that is scheduled
to occur in mid-March 2012, the National Operations Center (NOC), in
coordination with the DHS Privacy Office, will review the 2011 Media
Monitoring Analyst's Desktop Binder, any associated standard operating
procedures, and the existing media monitoring support services contract
to ensure conformity with all Publicly Available Social Media
Monitoring and Situational Awareness Initiative Privacy Impact
Assessments (PIAs) and to ensure the scope and purpose of the NOC Media
Monitoring Capability (MMC) are accurately reflected and recommend
clarifications and updates to the language if necessary. In the
interim, the NOC will continue to use the PIAs as the authoritative
source to guide the program.
The NOC MMC should continue to limit the review, use, collection,
and dissemination of non-personally identifiable information and the
seven narrow categories of personally identifiable information to
information that affect the operations of the Department of Homeland
Security (memorialized in the January 2011 PIA). No First Amendment-
protected speech relating to dissent or disagreement with the
Department and its activities should be reviewed, used, collected, or
disseminated.
The MMC can review, use, collect, and disseminate information
intended to provide guidance on DHS programs and initiatives that
inform the general public. An example would be the Transportation
Security Administration's PreCheck program. The MMC can also review,
use, and collect information related to oversight reports about DHS
components such as DHS Inspector General Reports or Government
Accountability Office Reports.
The MMC cannot review, use, collect, or disseminate information
related to individuals' positive or negative opinions or reports on the
Department, but for the narrow circumstance where the MMC reviews and
informs the relevant Component of an operational issue adversely
impacting the Component. Examples of these issues include security
violations at airports or ports of entry. In this narrow operational
circumstance, no personally identifiable information can be collected,
stored, or disseminated to the relevant Component.
______
Questions Submitted by Ranking Member Bennie G. Thompson for Mary Ellen
Callahan and Richard Chavez
Question 1. Please explain the circumstances under which DHS might
collect information on journalists.
Answer. DHS does not collect information on journalists (other than
recording the name of the author when saving a particular article so as
to ensure proper attribution, or including a individual journalist's
name that is part of that journalist's social media internet link). As
described below, DHS collects information on events.
In support of its statutory mission to provide situational
awareness and a common operating picture for the Federal Government and
for other homeland security enterprise partners, the National
Operations Center (NOC) within the DHS Office of Operations
Coordination and Planning reviews publicly available traditional and
social media postings to gain an enhanced awareness of rapidly emerging
or evolving incidents and events concerning homeland security,
emergency management, and National health. If a journalist posts a
report on a publicly available social media site about a breaking news
incident relevant to homeland security, the NOC's media monitoring
analysts may use the information posted to build a report that is
distributed to DHS leadership and other homeland security partners
including Federal interagency, State, local, Tribal, and territorial
government entities. The NOC may include reporters' names and
affiliations in the reports as described below.
The NOC includes a particular journalist's name with recorded media
in accordance with the guidelines set forth in the Publicly Available
Social Media Monitoring and Situational Awareness Initiative Privacy
Impact Assessment (PIA) (dated June 22, 2010) and its January 6, 2011
update. As stated in the PIA update and the February 1, 2011 System of
Records Notice, personally identifiable information on seven narrow
categories of individuals may be collected when it lends credibility to
the report or facilitates coordination with Federal, State, local,
Tribal, territorial, foreign, or international government partners. In
such instances DHS will only collect the following limited pieces of
information from journalists: Names, titles, and organizational
affiliation of anchors, newscasters, or on-scene reporters who are
known or identified as reporters in their post or article or who use
traditional and/or social media in real time to keep their audience
situationally aware and informed. Frequently with breaking news on
social media, the individual journalist's name or names of other key
individuals will be part of the story's internet link. In order to
disseminate these publically available links, the NOC must include the
personally identifiable information contained in the link address.
Removing the PII from the link address will render the link, and thus
the story, unusable.
All National Operations Center (NOC) social media initiative PIAs
are available to the public at www.dhs.gov/privacy.
Question 2. Please explain how DHS came to report on information
related to citizens' opinions on moving Guantanamo Bay Detainees to
Standish, MI, and whether this is an appropriate use of social media by
DHS.
Answer. The DHS Office of Operations Coordination and Planning
(OPS) never reported on potential plans to move detainees to Standish,
MI. During the development of the Media Monitoring capability, OPS
developed a Social Networking/Media Capability Analyst Handbook also
known as a Desktop Binder. The purpose of the Desktop Binder was to
serve as a desk reference for media monitoring analysts. In an early
draft version of the Desktop Binder, an example was created based on
actual information related to citizens' opinions regarding moving
Guantanamo Bay Detainees to Standish, MI. This document was part of a
``weekly report example,'' not an actual report in a very early, and
obsolete version of the Desktop Binder. This version of the Desktop
Binder was created while OPS was still in the midst of developing its
media monitoring processes, and before the media monitoring reports
were ever distributed. This example has been removed from the Desktop
Binder, and this information was never released through the situational
awareness reporting channels.
To maintain a capability focused on reviewing incident and event
information, OPS trains analysts to review information in compliance
with the parameters set forth in the Privacy Impact Assessments (PIAs).
During the report production process, reports are reviewed multiple
times to ensure PII is not inadvertently included. Reports are reviewed
at least twice, once by the analyst generating the report and then
again by the analyst's counterpart. Each report is then checked by the
media monitoring lead prior to dissemination. All reports distributed
during each 24-hour period are checked by a media monitoring capability
senior reviewer, and the media monitoring capability's quality control
leads conduct weekly reviews of all distributed reports to ensure any
inadvertent PII inclusions are identified and corrective action is
taken. As described previously, the Privacy Office conducts Privacy
Compliance Reviews every 6 months to ensure OPS is complying with the
PIAs.
Question 3. Please explain the terms of the contract and the
rationale for contracting with General Dynamics to conduct social media
situational awareness reporting.
Answer. To fulfill the National Operations Center's (NOC) statutory
responsibility to provide situational awareness, the NOC examines
publicly available traditional and social media, compares it with many
other sources of information, and includes it where appropriate into
NOC reports. At the time the contract was awarded, the Office of
Operations Coordination & Planning (OPS) did not have available Federal
employees to complete this task. OPS procured contracted services to
fulfill this function. Additionally, OPS has not ascertained if this
service will be required on a permanent basis, making it more
economical to utilize contractor services in the interim.
OPS is continuing to assess current performance to determine the
most efficient and effective mechanism for performing the media
monitoring function in light of operational needs and budgetary
direction.
The Media Monitoring contract was competed for and awarded to
General Dynamics Advanced Information Systems (GDAIS) on May 27, 2010,
under the GSA Mission Oriented Business Integrated Services (MOBIS)
contract vehicle. The Period of Performance (POP) for this contract is
July 1, 2010 through December 31, 2014, and the total contract value is
$11.3 million. The contract includes tasks to monitor open sources for
incidents relating to potential and emerging threats and hazards to the
homeland.
In accordance with the Federal Acquisition Regulation, the award to
GDAIS was based on the Evaluation Team's review and assessment of the
qualifications of multiple vendors that submitted a quotation in
response to the Request for Quotation (RFQ). The Evaluation Team made a
recommendation to the Source Selection Authority (SSA) that GDAIS
offered the best value quote for fulfilling the Department's social
media situational awareness reporting requirement. After a thorough
review of the Evaluator's assessment which included an evaluation of
the strengths, weaknesses, and risks of the quotes received, the SSA
determined that GDAIS would provide superior performance of the
Government's objectives, and was the most technically competent
contractor that had submitted a quotation.
Question 4. Please describe the way that DHS solicited feedback
from the privacy community regarding DHS' use of social media.
Answer. In addition to the five Privacy Impact Assessments (dealing
with the three pilots, the program, and the update to include seven
narrow categories of personally identifiable information) and three
Privacy Compliance Reviews, the DHS Privacy Office has engaged in
dialogue with the privacy community regarding DHS' use of social media
in a number of ways. These include several quarterly advocate outreach
meetings (Privacy Information for Advocates), Chief Privacy Officer
Testimony before the Data Privacy and Integrity Advisory Committee
(DPIAC) in public meetings, DHS Privacy Office staff testimony before
the DPIAC, and inter-agency and intra-agency discussions. The Privacy
Impact Assessments and other documentation are available at
www.dhs.gov/privacy.
The Chief Privacy Officer invites privacy organizations and privacy
advocates (who have requested to participate) to quarterly
informational meetings during which the Chief Privacy Officer provides
updates on DHS privacy issues. To date, 24 distinct organizations have
requested invitations. The quarterly Privacy Information for Advocates
meetings allow the Chief Privacy Officer and privacy advocates to
discuss privacy issues that impact DHS and individuals. In 2010 and
2011, Chief Privacy Officer Mary Ellen Callahan spoke in depth about
DHS's use of social media and the situational awareness initiative at
four of the quarterly meetings. Additionally, the March 2012 Privacy
Information for Advocates meeting provided an opportunity to update
advocates on the social media situational awareness initiative at
length, including discussing examples, as well as clarifying
misconceptions.
The DPIAC was established by the Secretary of Homeland Security as
a discretionary committee under the Federal Advisory Committee Act to
provide advice to the Secretary and to the DHS Chief Privacy Officer,
upon request, on policy, programmatic, operational, administrative, and
technological issues within DHS that relate to personally identifiable
information, as well as data integrity and other privacy-related
matters. Committee members are individuals from the private sector,
academia, non-governmental organizations, and State government who have
expertise in privacy, security, and emerging technologies.
The DPIAC holds several public meetings throughout the year to
receive updates from the DHS Privacy Office, learn more about how DHS
components have implemented privacy, and gain information on specific
DHS programs that have privacy implications. In 2010 and 2011, Chief
Privacy Officer Mary Ellen Callahan provided public testimony on the
development, progression, and modification of the social media
situational awareness initiative at four of these meetings.
Additionally, DHS Privacy Office staff publicly testified at DPIAC
meetings on the social media situational awareness initiative. In
September 2010, one of the Associate Directors for Privacy Compliance
testified on the development of Privacy Compliance Reviews generally,
and how public Privacy Compliance Reviews focusing on the social media
situational awareness initiative function. In March 2011, another
Associate Director for Privacy Compliance publicly testified on the
social media situational awareness initiative, focusing on the addition
of the seven narrow categories of personally identifiable information
that would be collected. Finally, in December 2011, staff from the
National Operations Center (NOC), which runs the social media
situational awareness initiative, was scheduled to publicly testify on
the social media situational awareness initiative and the associated
Privacy Compliance Reviews. However, the testimony was postponed due to
extended deliberations by the DPIAC on pending recommendations from the
committee to the Department. Information about DPIAC, and the publicly
available meetings, can be found at www.dhs.gov/privacy.
Throughout 2010-2012, the DHS Privacy Office also provided
information about DHS' use of social media, whether for public
communications and outreach, situational awareness, or operational use,
to interagency privacy groups, including the Innovation and Emerging
Technologies Subcommittee of the CIO Council Privacy Committee. These
briefings were provided as examples of ways to embed privacy
protections in Government use of social media generally, including
developing Privacy Impact Assessments and System of Records Notices as
necessary.
In addition to providing information via interagency fora, in 2011,
the DHS Privacy Office hosted an intra-agency privacy compliance
meeting where staff from the National Operations Center updated DHS
Component Privacy Officers on the social media situational awareness
initiative and corresponding Privacy Compliance Reviews, as well as
fielded questions from the Component Privacy Officers about the
initiative.
Question 5. Please explain who/what determines what the NOC looks
at and searches for on social media sites.
Answer. The Senior Watch Officer (SWO) within the National
Operations Center (NOC), as guided by the Privacy Impact Assessments
(PIAs), determines the NOC's search parameters. There are 13 broad
Items of Interest (IOI) that focus analysts' efforts when searching
publicly available social media sites. The IOI categories provide a
general framework for the NOC's searches. The following are the
categories:
(1) terrorism (includes media reports on the activities of
terrorist organizations in the United States and abroad);
(2) weather/natural disasters, emergency management (includes all-
hazard reports, such as reports on hurricanes, tornadoes,
flooding, and earthquakes);
(3) fire (includes reports on the ignition, spread, response, and
containment of wildfires, industrial fires, and explosions);
(4) trafficking/border control issues (includes reports on the
trafficking of narcotics, people, weapons, and goods into and
out of the United States);
(5) immigration (includes reports on apprehension of illegal
immigrants and border control events or incidents);
(6) HAZMAT (includes reports on chemical, biological, and
radiological hazardous materials discharges);
(7) nuclear (includes reports terrorist attempts to obtain nuclear
materials, security incidents at nuclear facilities, and
potential threats to nuclear facilities);
(8) transportation security (includes reports on security breaches
and incidents or threats involving rail, air, road, and water
transit);
(9) infrastructure (includes reports on attacks or failures in
transportation networks, telecommunications networks, energy
grids, utilities, domestic food and agriculture, Government
facilities, and financial infrastructure);
(10) National and international security (includes reports relating
to threats against American citizens, political figures,
military installations, embassies, and consulates);
(11) National and international health concerns (includes reports
on outbreaks of infectious diseases and recalls of food or
other items dangerous to public health);
(12) public safety (includes reports on public safety incidents,
building lockdowns, bomb threats, mass shootings, and building
evacuations); and
(13) cybersecurity (includes reports on cybersecurity matters such
as cyber attacks, computer viruses, and the use of technology
for terrorism purposes).
There were originally 14 IOI categories. IOI 14 was ``Reports on
DHS, Components, and other Federal agencies: Includes both positive and
negative reports on FEMA, CIS, CBP, ICE, etc. as well as organizations
outside of DHS.'' This IOI has been subsequently eliminated in order to
prevent misunderstandings about the intended use of this information.
Analysts conduct searches using publicly available streaming media
and news-based search engines. These tools allow analysts to search by
keyword or a collection of terms. The keywords and terms that inform
searching are pre-loaded onto the publicly available search tools. The
core social media websites utilized by the NOC are listed in Appendix A
of the January 6, 2011 Privacy Impact Assessment that is available to
the public via www.dhs.gov/privacy. The core search terms, or keywords,
utilized by the NOC are listed in Appendix B of the same publicly
available document.
�