Facebook and Instagram deny access to tools used for surveillance

Facebook and Instagram have turned off the data faucet for surveillance.

On Monday, Facebook, which owns Instagram, announced that it had updated its rules to clearly explain that developers can’t “use data obtained from us to provide tools that are used for surveillance”.

Rob Sherman, Facebook’s deputy chief privacy officer, said in the post that the goal is to make the company’s policy “explicit”. He framed it as the most recent enforcement action against developers “who created and marketed tools meant for surveillance, in violation of our existing policies”.

Developers have indeed created social media-mining surveillance tools in violation of Facebook’s policy, but they seem to have done it with Facebook’s blessing. And it’s not just Facebook and Instagram – Twitter has also fed data to surveillance companies.

In October, the American Civil Liberties Union (ACLU) published a report about police monitoring of activists and protesters with one particular app – called Geofeedia – that had been tapping into Twitter, Facebook and Instagram APIs to create real-time maps of social media activity in protest areas. Those maps have been used to identify, and in some cases arrest, protesters shortly after their posts became public.

In the aftermath of the ACLU report, the companies cut off the data streams they’d been sending the Geofeedia app for five years.

But by then, the ACLU’s report had already made clear that Geofeedia hadn’t been scraping data without permission from Twitter, for one.

As far as Facebook goes, in an email from May 2016, a Geofeedia representative touted a “confidential legally binding agreement” with the company.

The ACLU also discovered that Instagram had provided Geofeedia access to its API, which is a stream of public Instagram user posts. This data feed included any location data associated with the posts by users. Instagram terminated the access in September last year.

Facebook also provided Geofeedia with access to a data feed called the Topic Feed API – a tool intended for media companies and brand purposes – that allowed Geofeedia to obtain a ranked feed of public posts from Facebook that mention a specific topic, including hashtags, events, or specific places. Facebook terminated that access on the same day as Instagram, on September 19 last year.

Twitter didn’t provide access to its “firehose” but had an agreement, via a subsidiary, to provide Geofeedia with searchable access to its database of public tweets. In February 2016, Twitter added additional contract terms to try to further safeguard against surveillance. But ACLU records showed that as recently as July last year, Geofeedia was still touting its product as a tool to monitor protests. After learning of this, Twitter sent Geofeedia a cease and desist letter.

More recently, in February, police mined Facebook for data on inauguration protesters.

Police in Washington state last week also obtained a warrant to search a Facebook community page associated with the protest against the Dakota Access pipeline. The warrant, which the ACLU is challenging, is seeking what the group says is “private, sensitive information about people’s political views and opinions, images of political actions, and personal information, including locations”.

The ACLU has praised Facebook/Instagram’s policy reform, adding: “Written policies must be backed up by rigorous oversight and swift action for violations.” Nicole Ozer, technology and civil liberties director at the ACLU of California, had this to say:

Now more than ever, we expect companies to slam shut any surveillance side doors and make sure nobody can use their platforms to target people of color and activists.