EPIC v. DHS (Media Monitoring Services)
EPIC v. DHS, No. 18-1268 (D.D.C. filed May 30, 2018), is a lawsuit to obtain records about—and to block the development of—a Department of Homeland Security system designed to monitor journalists. In April of 2018, the DHS began seeking a contractor to develop "Media Monitoring Services" (MMS), a suite of digital tools that would continuously track and analyze media coverage and store large volumes of personally identifiable information about journalists, bloggers, and social media users. The system would collect and retain personal data such "locations, contact information, employer affiliations, and past coverage."
The DHS's proposed media monitoring tools pose significant risks to privacy and threaten to chill the exercise of press freedoms. Within days of the agency's announcement, EPIC filed a Freedom of Information Act request seeking the Privacy Impact Assessment that the DHS was required by law to produce before developing any monitoring tools. When the agency failed to process EPIC's request, EPIC filed suit on May 30, 2018. In response to EPIC's lawsuit, the DHS admitted that it had not, in fact, conducted a Privacy Impact Assessment. The DHS also disclosed records to EPIC showing that the agency bypassed its own privacy officials and ignored the privacy and First Amendment threats posed by the Media Monitoring Services program. EPIC's case is ongoing.
- EPIC Investigates the Transfer of Personal Data from DHS to Census Bureau: EPIC has submitted urgent Freedom of Information Act requests to the Department of Homeland Security (USCIS and the Office of Immigration Statistics) and the Census Bureau for records about the planned transfer of personal data from DHS to the Census Bureau. After a federal judge in California ruled that adding a citizenship question to the 2020 Census was unconstitutional, the AP reported that DHS would disclose to the Census Bureau personal data, including names, addresses, birth dates, Social Security numbers, and alien registration numbers. The Census Bureau confirmed that the agency was preparing an agreement with DHS to “receive administrative records.” In EPIC v. Commerce, EPIC alleges that the Bureau failed to conduct and publish required privacy impact assessments before making an uninformed decision to collect citizenship data. EPIC is seeking an injunction from the D.C. Circuit, which will hear arguments in the case in May. EPIC's appeal is EPIC v. Commerce, No. 19-5031 (D.C. Cir.). (Mar. 8, 2019)
- DHS Privacy Advisory Committee Finalizes Facial Recognition Report: The DHS Privacy Advisory Committee issued final recommendations on facial recognition use at the border. The report examined transparency, data minimization, data quality and integrity, and accountability and auditing. The report said entrants to the U.S. need notice of their rights and how to exercise those rights. The final recommendations differed only slightly from the draft recommendations. In response to EPIC's comments, the final report included recommendations for increased reporting and research of facial recognition accuracy. However, the DHS report failed to address the lack of legal authorization for the facial recognition program or establish that the program is necessary for national security. (Mar. 6, 2019) More top news »
On April 3, 2018, the Department of Homeland Security published a solicitation for “media monitoring services” (MMS). The agency sought a contractor to provide "traditional and social media monitoring and communications solutions,” including “media comparison tools, design and rebranding tools, communication tools, and the ability to identify top media influencers.”
The DHS's Statement of Work for the project called for three primary media monitoring capabilities. First, the agency sought the ability to “track online, print, broadcast, cable, radio, trade and industry publications, local sources, national/international outlets, traditional news sources, and social media.” This would include the capacity to monitor over “290,000 global news sources” in over “100 languages” and to “create unlimited data tracking, statistical breakdown, and graphical analysis on any coverage on an ad-hoc basis.”
Second, the DHS sought “Media Intelligence and Benchmarking Dashboard Platform” to conduct “real-time monitoring” and analysis of media coverage. This platform would enable to DHS to “analyze the media coverage in terms of content, volume, sentiment, geographical spread, top publications, media channels, reach, [advertising value equivalency], top posters, influencers, languages, momentum, [and] circulation.” The platform would include the ability to “build media lists based on beat, location, outlet type/size, and journalist role.” The DHS also sought the development of a mobile app and email alerts to monitor media coverage.
Third, the DHS sought the creation of an internal “media influencer database,” which would collect and retain the locations, contact information, employer affiliations, and past coverage of untold numbers of “journalists, editors, correspondents, social media influencers, bloggers, etc.” The database would be searchable in multiple languages by “keywords, concepts, [and] Boolean search terms.”
The DHS’s announcement that it was developing a suite of media monitoring tools drew widespread criticism due the threat the project poses to privacy and press freedoms. Michelle Fabio, writing in Forbes, warned that the DHS’s planned use of MMS is “enough to cause nightmares of constitutional proportions, particularly as the freedom of the press is under attack worldwide.”
Under Section 208 of the E-Government Act of 2002, any agency that "develop[s] or procur[es] information technology that collects, maintains, or disseminates information that is in an identifiable form" is required to complete a Privacy Impact Assessment (PIA) before doing so. Specifically, the agency must "(i) conduct a privacy impact assessment; (ii) ensure the review of the privacy impact assessment by the Chief Information Officer, or equivalent official, as determined by the head of the agency; and (iii) if practicable, after completion of the review under clause (ii), make the privacy impact assessment publicly available through the website of the agency, publication in the Federal Register, or other means."
A Privacy Impact Assessment must be "commensurate with the size of the information system being assessed, the sensitivity of information that is in an identifiable form in that system, and the risk of harm from unauthorized release of that information." The PIA must specifically address "(I) what information is to be collected; (II) why the information is being collected; (III) the intended use of the agency of the information; (IV) with whom the information will be shared; (V) what notice or opportunities for consent would be provided to individuals regarding what information is collected and how that information is shared; [and] (VI) how the information will be secured."
The DHS’s media monitoring tools will necessarily collect and store personally identifiable information from individuals identified in the media coverage tracked by the DHS. The DHS’s media influencer database will also include personally identifiable information about journalists, bloggers, and social media users. Because the DHS has begun “developing or procuring information technology that collects, maintains, or disseminates information that is in an identifiable form” and “a new collection of information that . . . includes  information in an identifiable form permitting the physical or online contacting of a specific individual[.]” the agency was required to conduct and publish an applicable PIA in advance.
The DHS's Failure to Publish a Privacy Impact Assessment
On April 13, 2018, EPIC submitted a Freedom of Information Act (FOIA) request to the DHS seeking:
1. The required Privacy Impact Assessment conducted for the April 3, 2018 solicitation for “Media Monitoring Services,”
2. Any associated agency records including but not limited to policy guidelines, memoranda, email communications, and Privacy Threshold Analysis related to “Media Monitoring Services," and
3. All awarded contracts for “Media Monitoring Services.”
On May 30, 2018—after the agency had unlawfully failed to fulfill EPIC's FOIA request within the time allowed by law—EPIC filed suit in the U.S. District Court for the District of Columbia. EPIC explained that the DHS had violated both the FOIA and the E-Government Act by neglecting to disclose a Privacy Impact Assessment and related records. On July 11, 2018, the DHS responded to EPIC's complaint and acknowledged that the agency had failed to complete any PIA related to Media Monitoring Services. On October 11, 2018, the DHS disclosed 73 pages of records (some partially redacted) to EPIC while asserting that 157 other pages are exempt from disclosure in full. EPIC's case is ongoing.
EPIC has long highlighted the obligation of federal agencies to conduct and publish a Privacy Impact Assessment before any new collection of personal data, and EPIC has brought numerous successful cases seeking the release of PIAs. In EPIC v. DHS, No. 11-2261 (D.D.C. filed Dec. 20, 2011), EPIC obtained a PIA and related records concerning a prior effort by the DHS to track social media users and journalists. In EPIC v. FBI, No. 14-1311 (D.D.C. filed Aug. 1, 2014), EPIC obtained unpublished PIAs from the Federal Bureau of Investigation concerning facial recognition technology. And in EPIC v. DEA, No. 15-667 (D.D.C. filed May 1, 2015), EPIC learned that the Drug Enforcement Administration had failed to produce PIAs for the agency’s license plate reader program, a telecommunications records database, and other systems of public surveillance.
More recently, in EPIC v. Presidential Advisory Commission on Election Integrity, No. 17-1320 (D.D.C. filed July 3, 2017), EPIC challenged the failure of the Presidential Advisory Commission on Election Integrity to undertake and publish a PIA prior to the collection of state voter data. EPIC’s suit led the now-defunct Commission to suspend its data collection and delete voter information that had been illegally obtained.
On October 11, 2018, the DHS disclosed 73 pages of records to EPIC (many of them partially redacted) concerning Media Monitoring Services. The records reveal that the DHS bypassed the agency's own privacy officials in developing MMS and ignored the threats that the system poses to privacy and press freedoms.
For example, despite the agency's obligation to conduct a Privacy Impact Assessment before developing a system that collects personal data, top DHS privacy officials appeared unaware that a media monitoring project was being launched. On April 6, 2018, a senior privacy official at the DHS's National Protection and Programs Directorate (NPPD) wrote to other agency personnel about the MMS program. Although the DHS had published the MMS Statement of Work three days earlier, the privacy official seemed unsure if that document was even authentic:
I wanted to make you both aware that I've seen a few news organizations (Forbes and Bloomberg) carrying a story claiming DHS is compiling a database of journalists and media influencers in what appears to be an NPPD Statement of Work (SOW) posted on FedBizOps.gov.
On April 9, 2018—six days after the agency published the Statement of Work—an official from the central DHS Privacy Office expressed similar surprise about the existence of the MMS program:
Per the article below, we noticed that NPPD has put out a Statement of Work to gather and monitor the public activities of media professionals and influencers. PRIV found this interesting given the work the OPS NOC Media Monitoring Capability does & the privacy perimeters within which they work. Could you shed some light on this topic?
Meanwhile, the Director of the DHS Office of Legislative Affairs had to write to other senior agency officials to confirm whether press accounts of the program were accurate.
The records obtained by EPIC also show that Rep. Bennie G. Thompson (D–MS) wrote to the agency to express grave concerns about the MMS program and the agency's poor handling of public opposition:
As you may be aware, the RFI [for Media Monitoring Services] has raised a great deal of concern among some journalists and the public. Unfortunately instead of assuaging that concern with information, DHS' press secretary maligned those asking questions about the RF1 as "tin foil hat-wearing, black helicopter conspiracy theorists," which was inappropriate and unhelpful. Indeed, DHS' response only exacerbated the concerns of those troubled by the RFI, including myself.
While there may be a legitimate purpose for certain media monitoring services, to date the Department has failed to provide one. Moreover, it has not provided specific information about how media monitoring services will advance its mission and how it will protect data about journalists and other media influencers from misuse or falling into the wrong hands.
Tyler Q. Houlton, the DHS spokesman referenced in Rep. Thompson's letter, published a defensive op-ed in USA Today in support of the MMS program. In the records obtained by EPIC, Houlton dismissed USA Today as "the coloring book of newspapers" and stated that the paper "wouldn't be able to handle" any "in-depth operational arguments."
The DHS has asserted that another 157 pages of records responsive to EPIC's request are exempt from disclosure under the FOIA.
- EPIC's FOIA Request (April 13, 2018)
- DHS Acknowledgement Letter (April 13, 2018)
- DHS Final Determination Letter (October 11, 2018)
- DHS Final Production (October 11, 2018)
- FEMA Final Production (October 18, 2018)
EPIC v. DHS, No. 1:18-cv-01268-KBJ (D.D.C. filed May 30, 2018)
- Section 208 of the E-Government Act of 2002, Pub. L. No. 107-347, 116 Stat. 2899
- Draft Statement of Work for Media Monitoring Services (2018)
- Michelle Fabio, Department Of Homeland Security Faces Lawsuit Over 'Harmless' Journalist Database, Forbes (June 12, 2018)
- Anna Giaritelli, DHS sued over plans to monitor media coverage, Washington Examiner (June 12, 2018)
- Shayna Posses, DHS Slapped With Suit Over Media-Monitoring Tools, Law360 (May 31, 2018)