For years, Instagram, Twitter, and Facebook have provided data to a company marketing social media surveillance tools to police, according to a newly published investigation by the ACLU of Northern California. Geofeedia used the company’s APIs to create real-time maps of social media activity in protest areas, maps which were subsequently used to identify, and in some cases arrest, protestors shortly after their posts became public. All three services have terminated Geofeedia’s access to the relevant APIs.
The ACLU’s report includes direct evidence the tool was used to monitor unrest after the death of Freddie Gray in Baltimore, in the form of a testimonial provided by Geofeedia to an unnamed police department. As protests escalated, police and Geofeedia representatives monitored social media posts in real time, in some cases running photos through a facial recognition systems to locate protestors with outstanding warrants.
"They planned to do a lot of damage."
The testimonial describes one specific case at a local high school, where students planned to walk out of class to join the crowds. "We were able to turn around and alert local police, who intercepted the kids — some of whom had already hijacked a metro bus — and found their backpacks full of rocks, bottles, and fence posts," Baltimore police Sergeant Andrew Vaccaro says in the testimonial. "They planned to do a lot of damage."
Geofeedia demonstrated similar capabilities in a public demo compiled around the Ferguson protests. Notably, the resulting map makes no distinction between posts by protestors and credentialed press, drawing all relevant posts into the same graphic. All the data included in the map is drawn from publicly available metadata — specifically images, geolocation data, and screen names available on Instagram’s public feed. Still, it’s easy to see how such a tool could be used by police to identify and retain data on protestors at an otherwise impossible scale.
In another demo on YouTube, the tool is used to populate live posts from "a rally related to the conflict in Israel" near Geofeedia’s Chicago office.
Notably, that system seems to violate a number of clauses in the platforms’ various developer policies. Twitter’s Developer Agreement includes a specific rule against using the provided data to "investigate, track or surveil Twitter’s users." Similarly, Facebook’s policy says developers may not "sell, license, or purchase any data obtained from us or our services" or "put Facebook data in a search engine or directory" without the company’s express permission. Instagram’s policy is less explicit about forbidding tracking or data collection, but does give the service permission to restrict access to the API at its discretion.
Instagram and Facebook both terminated Geofeedia’s API access on September 19th, after being contacted by the ACLU. Twitter sent the company a cease and desist letter, and said this morning that Geofeedia no longer had commercial access to Twitter’s database.
Still, it’s not clear how vigorously any of the companies enforced those policies in Geofeedia’s case. The company had been operating for five years with little difficulty before the ACLU’s investigation. Instagram data was drawn directly from the main API, apparently raising few red flags at the company. Notably, Geofeedia did not have direct access to Twitter’s Firehose data, but performed database searches through an intermediary.
In the case of Facebook, Geofeedia’s posts were pulled from the Topic Feed API, a system that lets developers see a ranked feed of public posts on a given trending topic. Released in 2014, the API was originally developed as a tool for media organizations and marketers to find posts driving the conversation around popular topics. But when the Trending Topic in question was a protest or other public unrest, it was easy for police to use that same system to locate protestors.
According to Facebook, Geofeedia’s access to the API was terminated because the company was not using the data for media or brand purposes.
"[Geofeedia] only had access to data that people chose to make public," a Facebook representative said in a statement referring to both Facebook and Instagram. "Its access was subject to the limitations in our Platform Policy, which outlines what we expect from developers that receive data using the Facebook Platform."
"If a developer uses our APIs in a way that has not been authorized," the representative continued, "we will take swift action to stop them and we will end our relationship altogether if necessary."
Together with Color of Change and the Center for Media Justice, the ACLU has called for Facebook and Twitter to change their API policies to prevent similar systems from being used in the future. "[These companies] should not provide user data access to developers who have law enforcement clients and allow their product to be used for surveillance," the groups said in joint letters to Facebook and Twitter.
Reached for comment, Geofeedia CEO Phil Harris provided the following statement, reproduced in full:
Geofeedia is a software platform that aims to provide important, real-time publicly available information to a broad range of private and public sector clients, including corporations, media and journalism groups, marketing and advertising firms, educational companies, cities, schools, sports teams, and the aviation sector. In each of these areas, Geofeedia is committed to the principles of personal privacy, transparency and both the letter and the spirit of the law when it comes to individual rights.
Our platform provides some clients, including law enforcement officials across the country, with a critical tool in helping to ensure public safety while protecting civil rights and liberties. Notably, our software has also been used in response and recovery efforts – from the Boston Marathon to the effects of Hurricane Matthew that we saw this past weekend – to assist millions of people affected by both manmade and natural events.
Geofeedia has in place clear policies and guidelines to prevent the inappropriate use of our software; these include protections related to free speech and ensuring that end-users do not seek to inappropriately identify individuals based on race, ethnicity, religious, sexual orientation or political beliefs, among other factors. That said, we understand, given the ever-changing nature of digital technology, that we must continue to work to build on these critical protections of civil rights. Geofeedia will continue to engage with key civil liberty stakeholders, including the ACLU, and the law enforcement community to make sure that we do everything in our power to support the security of the American people and the protection of personal freedoms.Update 9:02pm ET: Updated with statement from Geofeedia.