In the wake of a report from the American Civil Liberties Union (ACLU) about police monitoring of activists and protesters via social media data, Twitter, Facebook and Instagram have cut off the data streams they’ve been sending to the Geofeedia app.
For about 5 years, Geofeedia has used the companies’ APIs to create real-time maps of social media activity in protest areas. Those maps have been used to identify, and in some cases arrest, protesters shortly after their posts became public.
From an email secured in response to 63 public records requests the ACLU made to 63 California law enforcement agencies:
Geofeed Streamer [a product feature] is unique to Geofeedia and has numerous uses (i.e., Live Events, Protests – which we covered Ferguson/Mike Brown nationally with great success …
In one Geofeedia testimonial, Baltimore Police Department Detective Sergeant Andrew Vaccaro described the aftermath of the death of Freddie Gray, calling it a “watershed moment” for the department in terms of social media surveillance.
The minute his death was announced, we knew we needed to monitor social media data at key locations where protesting was likely, especially at the local police precinct where Gray had been arrested.
In one specific case, relying on Geofeedia’s real-time information and alerts sent via text and email, Baltimore police noticed chatter from a high school from kids who planned to walk out of class and use mass transit to head to a protest.
Police intercepted them – the students had allegedly already hijacked a metro bus – and found their “backpacks full of rocks, bottles and fence posts.”
From Vaccaro’s testimonial:
They planned to do a lot of damage.
After the ACLU reported its findings to the companies, Instagram cut off Geofeedia’s access to public user posts, and Facebook cut its access to a topic-based feed of public user posts.
Twitter suspended Geofeedia’s commercial access to Twitter data on Tuesday.
At least one Twitter commenter wondered why Twitter had to wait for the ACLU to “reveal” that Geofeedia was providing location data on protesters. It’s not as if Geofeedia was scraping it without permission, after all, making Twitter’s decision to shutter it something like the police being “shocked!” to find out that gambling was going on at Casablanca.
As far as Facebook goes, in an email from May 2016, a Geofeedia representative touts a “confidential legally binding agreement” with the company.
The ACLU lists these additional discoveries:
- Instagram had provided Geofeedia access to the Instagram API, a stream of public Instagram user posts. This data feed included any location data associated with the posts by users. Instagram terminated this access on September 19 2016.
- Facebook had provided Geofeedia with access to a data feed called the Topic Feed API, which is supposed to be a tool for media companies and brand purposes, and which allowed Geofeedia to obtain a ranked feed of public posts from Facebook that mention a specific topic, including hashtags, events, or specific places. Facebook terminated this access on September 19 2016.
- Twitter did not provide access to its “Firehose,” but has an agreement, via a subsidiary, to provide Geofeedia with searchable access to its database of public tweets. In February, Twitter added additional contract terms to try to further safeguard against surveillance. But ACLU records show that as recently as 11 July, Geofeedia was still touting its product as a tool to monitor protests. After learning of this, Twitter sent Geofeedia a cease and desist letter.
This isn’t the first time that Twitter’s extended, but then decided to close down, special access to allow surveillance outfits to datamine.
A Facebook rep said in a statement sent to The Verge that it terminated Geofeedia’s access to the API because the company wasn’t using the data for media or brand purposes.
[Geofeedia] only had access to data that people chose to make public. Its access was subject to the limitations in our Platform Policy, which outlines what we expect from developers that receive data using the Facebook Platform.
If a developer uses our APIs in a way that has not been authorized, we will take swift action to stop them and we will end our relationship altogether if necessary.
Geofeedia CEO Phil Harris said in an emailed statement that the company is committed to the principals of personal privacy and has clear policies in place to “prevent the inappropriate use of our software.”
That said, we understand, given the ever-changing nature of digital technology, that we must continue to work to build on these critical protections of civil rights.
Geofeedia will continue to engage with key civil liberty stakeholders, including the ACLU, and the law enforcement community to make sure that we do everything in our power to support the security of the American people and the protection of personal freedoms.
As The Verge’s Russell Brandom notes, the map of Ferguson protests that Geofeedia featured in a public demo doesn’t differentiate between posts from protesters and credentialed journalists: all posts are pulled into the same map.
And while the metadata on that specific map is publicly available, including images, geolocation data, and screen names that are available on Instagram’s public feed, the scale at which police are identifying and retaining data on protesters is beyond what any individual could achieve without special access to social media platforms’ APIs.
From the ACLU’s post:
Because Geofeedia obtained this access to Twitter, Facebook and Instagram as a developer, it could access a flow of data that would otherwise require an individual to “scrape” user data off of the services in an automated fashion that is prohibited by the terms of service… With this special access, Geofeedia could quickly access public user content and make it available to the 500 law enforcement and public safety clients claimed by the company.
In joint letters to Twitter, Instagram and Facebook, the ACLU, together with Color of Change and the Center for Media Justice, is calling on Facebook and Twitter to change their API policies to prevent similar systems from being used for surveillance:
[These companies] should not provide user data access to developers who have law enforcement clients and allow their product to be used for surveillance, including the monitoring of information about the political, religious, social views, racial background, locations, associations or activities of any individual or group of individuals.