Facebook bars developers from using data feeds for spying tools

Facebook and Instagram have publicly changed their terms and conditions to tell developers they can't use public user data feeds to develop tools that can be used for surveillance

Facebook bars developers from using data feeds for spying tools
Credit: Shutterstock/Wikimedia/Stephen Sauer

Law enforcement officials are interested in software tools that can scan social media feeds for information that could be used to track and monitor potential criminals. To deter developers from building such tools, Facebook and Instagram have updated their policies explicitly banning developers from using user data from their platforms.

“Developers cannot ‘use data obtained from us to provide tools that are used for surveillance.’ Our goal is to make our policy explicit,” Facebook’s deputy chief privacy officer Rob Sherman wrote in a post announcing the company’s latest update to terms and conditions.

Sherman said the updated policy was the result of months of work with advocacy organizations including the American Civil Liberties Union of California, Color of Change, and the Center for Media Justice. Last October, the ACLU of California warned that Geofeedia, a company which makes social media monitoring software, was using data from Twitter, Facebook, and Instagram to help track protesters in Baltimore and elsewhere. Geofeedia had access to the Instagram API, which included any location data associated with user posts; Facebook’s Topic Feed API, which provides a ranked feed of public Facebook posts mentioning a specific topic, including hashtags, events, and places; and Twitter’s database of public tweets. Law enforcement authorities could use the software to see what people were posting regarding #BlackLivesMatter, where they were going, and who they were communicating with.

Shortly after the report, Facebook and Instagram terminated Geofeedia’s access to the APIs and Twitter severed the data relationship completely with the Chicago-based company. 

“Protect the information you receive from us against unauthorized access, use, or disclosure. For example, don’t use data obtained from us to provide tools that are used for surveillance,” Facebook wrote in the updated policy.

Facebook’s decision appears timely, as it looks like the United States Department of Homeland Security is interested in software that could automatically scan social media platforms to identify suspicious individuals. An Office of the Inspector General report from February found the U.S. Citizenship and Immigration Services (USCIS) had run a pilot program back in December 2015, and again in April and August 2016, to manually and automatically screen visa applicants’ social media profiles for any potential clues to problematic activity. The report found that automated social media screening was not a “viable option” and manual review “was more effective at identifying accounts.”

While it’s possible to assign agents to regularly monitor social media platforms, automation would help process large volumes of data and ensure key clues aren’t missed. In the report, DHS Office of Intelligence and Analysis noted that “neither the private sector nor the U.S. Government possessed the capabilities for large-scale social media screening.” DHS has restarted the testing program in January and identified 275 software tools that can be used for scanning.

It’s not a big jump to assume that DHS will soon start asking contractors to build such a platform—if it hasn’t already.

However, the well-intentioned policy changes won’t have much of an impact. The policy changes apply only to software, and the government would still be able to demand user data via its National Security Letters or through any of its covert surveillance programs. While Facebook has automated and manual processes to ensure developers follow its rules, government contracts are lucrative, and developers may decide to find a way around the rules.

Facebook’s policy change doesn’t address the other ubiquitous tracking problem—the one by advertisers and third-party marketing platforms—as commercial entities still have access to public feeds used to monitor trends and other public happenings.

Developers who may wind up working on tools that can monitor social media activity should be aware of the explicit language in the terms and conditions regarding what they are allowed to do with the data.