FOIA Cases
EPIC v. DHS (Media Monitoring Services)
US District Court for the District of Columbia
EPIC v. DHS, No. 18-1268 (D.D.C. filed May 30, 2018), was a lawsuit to obtain records about—and to block the development of—a Department of Homeland Security system designed to monitor journalists. In April of 2018, the DHS began seeking a contractor to develop “Media Monitoring Services” (MMS), a suite of digital tools that would have continuously tracked and analyzed media coverage and stored large volumes of personally identifiable information about journalists, bloggers, and social media users. The system would have collected and retained personal data such “locations, contact information, employer affiliations, and past coverage.”
The DHS’s proposed media monitoring tools posed significant risks to privacy and threatened to chill the exercise of press freedoms. Within days of the agency’s announcement, EPIC filed a Freedom of Information Act request seeking the Privacy Impact Assessment that the DHS was required by law to produce before developing any monitoring tools. When the agency failed to process EPIC’s request, EPIC filed suit on May 30, 2018. In response to EPIC’s lawsuit, the DHS admitted that it had not, in fact, conducted a Privacy Impact Assessment. The DHS also disclosed records to EPIC showing that the agency bypassed its own privacy officials and ignored the privacy and First Amendment threats posed by the Media Monitoring Services program.
On July 11, 2019, the DHS acknowledged that it had suspended the Media Monitoring Services program as a result of EPIC’s case. As part of a settlement with EPIC, the agency also agreed to complete required Privacy Impact Assessments before collecting personal data in the future.
Background
Media Monitoring Services
On April 3, 2018, the Department of Homeland Security published a solicitation for “media monitoring services” (MMS). The agency sought a contractor to provide “traditional and social media monitoring and communications solutions,” including “media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.”
The DHS’s Statement of Work for the project called for three primary media monitoring capabilities. First, the agency sought the ability to “track online, print, broadcast, cable, radio, trade and industry publications, local sources, national/international outlets, traditional news sources, and social media.” This would have included the capacity to monitor over “290,000 global news sources” in over “100 languages” and to “create unlimited data tracking, statistical breakdown, and graphical analysis on any coverage on an ad-hoc basis.”
Second, the DHS sought “Media Intelligence and Benchmarking Dashboard Platform” to conduct “real-time monitoring” and analysis of media coverage. This platform would have enabled DHS to “analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, [advertising value equivalency], top posters, influencers, languages, momentum, [and] circulation.” The platform would have included the ability to “build media lists based on beat, location, outlet type/size, and journalist role.” The DHS also sought the development of a mobile app and email alerts to monitor media coverage.
Third, the DHS sought the creation of an internal “media influencer database,” which would collect and retain the locations, contact information, employer affiliations, and past coverage of untold numbers of “journalists, editors, correspondents, social media influencers, bloggers, etc.” The database would have been searchable in multiple languages by “keywords, concepts, [and] Boolean search terms.”
The DHS’s announcement that it was developing a suite of media monitoring tools drew widespread criticism due the threat the project posed to privacy and press freedoms. Michelle Fabio, writing in Forbes, warned that the DHS’s planned use of MMS was “enough to cause nightmares of constitutional proportions, particularly as the freedom of the press is under attack worldwide.”
The DHS’s Obligations Under the E-Government Act
Under Section 208 of the E-Government Act of 2002, any agency that “develop[s] or procur[es] information technology that collects, maintains, or disseminates information that is in an identifiable form” is required to complete a Privacy Impact Assessment (PIA) before doing so. Specifically, the agency must “(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means.”
A Privacy Impact Assessment must be “commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information.” The PIA must specifically address “(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured.”
The DHS’s media monitoring tools would have collected and stored personally identifiable information from individuals referred to in the media coverage tracked by the DHS. The DHS’s media influencer database would have also included personally identifiable information about journalists, bloggers, and social media users. Because the DHS began “developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form” and “a new collection of information that . . . includes [] information in an identifiable form permitting the physical or online contacting of a specific individual,” the agency was required to conduct and publish an applicable PIA in advance.
The DHS’s Failure to Publish a Privacy Impact Assessment
On April 13, 2018, EPIC submitted a Freedom of Information Act (FOIA) request to the DHS seeking:
1. The required Privacy Impact Assessment conducted for the April 3, 2018solicitation for “Media Monitoring Services,”
2. Any associated agency records including but not limited to policy guidelines, memoranda, email communications, and Privacy Threshold Analysis related to “Media Monitoring Services,” and
3. All awarded contracts for “Media Monitoring Services.”
On May 30, 2018—after the agency had unlawfully failed to fulfill EPIC’s FOIA request within the time allowed by law—EPIC filed suit in the U.S. District Court for the District of Columbia. EPIC explained that the DHS had violated both the FOIA and the E-Government Act by neglecting to disclose a Privacy Impact Assessment and related records. On July 11, 2018, the DHS responded to EPIC’s complaint and acknowledged that the agency had failed to complete any PIA related to Media Monitoring Services. On October 11, 2018, the DHS disclosed 73 pages of records (some partially redacted) to EPIC while asserting that 157 other pages were exempt from disclosure in full.
On July 11, 2019, the DHS acknowledged that it had suspended the Media Monitoring Services program as a result of EPIC’s case. As part of a settlement with EPIC, the agency also agreed to complete required Privacy Impact Assessments before collecting personal data in the future.
EPIC’s Interest
EPIC has long highlighted the obligation of federal agencies to conduct and publish a Privacy Impact Assessment before any new collection of personal data, and EPIC has brought numerous successful cases seeking the release of PIAs. In EPIC v. DHS, No. 11-2261 (D.D.C. filed Dec. 20, 2011), EPIC obtained a PIA and related records concerning a prior effort by the DHS to track social media users and journalists. In EPIC v. FBI, No. 14-1311 (D.D.C. filed Aug. 1, 2014), EPIC obtained unpublished PIAs from the Federal Bureau of Investigation concerning facial recognition technology. And in EPIC v. DEA, No. 15-667 (D.D.C. filed May 1, 2015), EPIC learned that the Drug Enforcement Administration had failed to produce PIAs for the agency’s license plate reader program, a telecommunications records database, and other systems of public surveillance.
More recently, in EPIC v. Presidential Advisory Commission on Election Integrity, No. 17-1320 (D.D.C. filed July 3, 2017), EPIC challenged the failure of the Presidential Advisory Commission on Election Integrity to undertake and publish a PIA prior to the collection of state voter data. EPIC’s suit led the now-defunct Commission to suspend its data collection and delete voter information that had been illegally obtained.
FOIA Documents
On October 11, 2018, the DHS disclosed 73 pages of records to EPIC (many of them partially redacted) concerning Media Monitoring Services. The records revealed that the DHS bypassed the agency’s own privacy officials in developing MMS and ignored the threats that the system posed to privacy and press freedoms.
For example, despite the agency’s obligation to conduct a Privacy Impact Assessment before developing a system that collects personal data, top DHS privacy officials appeared unaware that a media monitoring project was being launched. On April 6, 2018, a senior privacy official at the DHS’s National Protection and Programs Directorate (NPPD) wrote to other agency personnel about the MMS program. Although the DHS had published the MMS Statement of Work three days earlier, the privacy official seemed unsure if that document was even authentic:
I wanted to make you both aware that I’ve seen a few news organizations (Forbes and Bloomberg) carrying a story claiming DHS is compiling a database of journalists and media influencers in what appears to be an NPPD Statement of Work (SOW) posted on FedBizOps.gov.
On April 9, 2018—six days after the agency published the Statement of Work—an official from the central DHS Privacy Office expressed similar surprise about the existence of the MMS program:
Per the article below, we noticed that NPPD has put out a Statement of Work to gather and monitor the public activities of media professionals and influencers. PRIV found this interesting given the work the OPS NOC Media Monitoring Capability does & the privacy perimeters within which they work. Could you shed some light on this topic?
Meanwhile, the Director of the DHS Office of Legislative Affairs had to write to other senior agency officials to confirm whether press accounts of the program were accurate.
The records obtained by EPIC also show that Rep. Bennie G. Thompson (D–MS) wrote to the agency to express grave concerns about the MMS program and the agency’s poor handling of public opposition:
As you may be aware, the RFI [for Media Monitoring Services] has raised a great deal of concern among some journalists and the public. Unfortunately instead of assuaging that concern with information, DHS’ press secretary maligned those asking questions about the RF1 as “tin foil hat-wearing, black helicopter conspiracy theorists,” which was inappropriate and unhelpful. Indeed, DHS’ response only exacerbated the concerns of those troubled by the RFI, including myself.
…
While there may be a legitimate purpose for certain media monitoring services, to date the Department has failed to provide one. Moreover, it has not provided specific information about how media monitoring services will advance its mission and how it will protect data about journalists and other media influencers from misuse or falling into the wrong hands.
Tyler Q. Houlton, the DHS spokesman referenced in Rep. Thompson’s letter, published a defensive op-ed in USA Today in support of the MMS program. In the records obtained by EPIC, Houlton dismissed USA Today as “the coloring book of newspapers” and stated that the paper “wouldn’t be able to handle” any “in-depth operational arguments.”
The DHS asserted that another 157 pages of records responsive to EPIC’s request were exempt from disclosure under the FOIA.
- EPIC’s FOIA Request (April 13, 2018)
- DHS Acknowledgement Letter (April 13, 2018)
- DHS Final Determination Letter (October 11, 2018)
- DHS Final Production (October 11, 2018)
- FEMA Final Production (October 18, 2018)
Legal Documents
EPIC v. DHS, No. 1:18-cv-01268-KBJ (D.D.C. filed May 30, 2018)
- EPIC Complaint (May 30, 2018)
- DOJ Answer (July 11, 2018)
- Stipulation of Settlement and Dismissal (July 11, 2019)
Other Documents
- Section 208 of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899
- Draft Statement of Work for Media Monitoring Services (2018)
News
- Michelle Fabio, Department Of Homeland Security Faces Lawsuit Over ‘Harmless’ Journalist Database, Forbes (June 12, 2018)
- Anna Giaritelli, DHS sued over plans to monitor media coverage, Washington Examiner (June 12, 2018)
- Shayna Posses, DHS Slapped With Suit Over Media-Monitoring Tools, Law360 (May 31, 2018)
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate