When Does Social Media Snooping Go Too Far?

Depending on the context, you may think that reviewing somebody’s social media activities should be considered a form of intelligence gathering. In another context it is being nosey, and in yet another context it will be an invasion of privacy. The boundaries are blurred, but it is inevitable that investigators and others engaged to fight crime will be inclined to obtain as much potentially useful information as they can. That begs a question about when those with a legitimate reason to gather intelligence need to have limits on what they do, especially when so many people are presenting information about themselves using social media.

Social media is particularly prone to blurring the boundaries because different networks give users different kinds of choices about how they limit who sees their activity. Whilst it would be hard to argue against a fraud investigator gathering information that their target has already shared with everybody, what if the investigator needs to pose as a friend in order to get what they want? What if the target’s privacy settings state that their activities are shared with friends of friends?

These questions are not purely academic. One of the most popular articles that Commsrisk has ever published is about gathering information from the internet and then using artificial intelligence to assess an individual’s personality. So whilst anti-fraud professionals advise members of the public not to share so much personal information our industry is simultaneously developing the tools to automatically interrogate social media accounts and use the data to make decisions about how to treat current and prospective customers.

There have already been clashes on the borders of what is permissible. For example, insurance business Admiral was prevented from selling policies influenced by a customer’s Facebook posts when the social media giant claimed this would violate their privacy rules. More recently, Facebook banned political data analysts Cambridge Analytica after learning of the misuse of user data ostensibly collected for a personality prediction app developed by an academic at the University of Cambridge. The academic passed the data to Cambridge Analytica, in violation of Facebook’s terms. The app was then taken down, but the ban on Cambridge Analytica has since been imposed because the data has not been deleted as promised.

Meanwhile, some marketing operations are using AI to selectively feed content to so-called ‘micro-influencers’, people who will help to boost sales by recommending products and services to their followers. This supply of tailored content is meant to be a win-win where the popularity of micro-influencers will be boosted because they can relay the most topical news and advice, but it also means the micro-influencer’s history must be trawled through to determine what content should be aimed at them. This might then lead to a feedback loop where fake influencers game systems to receive the benefits that come with appearing much more popular than they really are.

The difficulty in determining what is appropriate is perhaps best proven by the differing policies of various US government functions. This article by Steve Miller for RealClearInvestigations examines the inconsistencies in how the US government snoops on social media. For example:

Most law enforcement agencies and the Internal Revenue Service consider Twitter and Facebook as public spaces they can surveil on a hunch and without limit. People who engage in peaceful protest, for example, often attract prying eyes to their social media accounts.

The Social Security Administration, on the other hand, forbids such snooping even if it might confirm strong suspicions of disability fraud.

There are arguments that there should be no reluctance to gather information so long as no law is being broken.

“Unless there are things that are password-protected, unless there is a crime involved, I can’t see [social media postings] being off limits,” said Ilya Shapiro, a senior fellow in Constitutional Studies at the Cato Institute. “I don’t know of a law that’s stopped government from looking at public information online.”

On the other hand, there can be legal dangers in relying on what was found on social media.

“Very few employers are doing this,” said John Page, vice president of sales for Quick Search, a background search firm in Dallas. “It’s a slippery slope. You have to be 100 percent sure and able to verify that someone is the person doing the posting. There are legal consequences for making a mistake.” Meanwhile, private sector employers are aware of the dangers of cruising the social media.

And even if the identity of the individual has been established, social media analysis can still come to the wrong conclusion. In one case, police investigated a man who tweeted an image of a policeman in a sniper’s crosshairs, with the words “Public Enemy” written beneath. However, what the police saw…

…was the logo of the rap band Public Enemy; the “policeman” was instead a black man. And the alleged agitator was the state attorney general’s director of civil rights, Erious Johnson, who sued the state for racial profiling and settled for $205,000.

Governments make up the rules. Police enforce them. It is telling that even governments and police can be unsure about how much they should draw upon a person’s social media history. Telcos often manage risks by adopting a simplistic compliance-led attitude; if nobody tells them there is a law against what they want to do, then they assume they are free to do it. But snooping on social media can lead to unanticipated downsides. So whilst telcos will be drawn to the potential to improve decision-making by reviewing a person’s social media activities, it will probably take time before consensus emerges on what is acceptable practice, and where the snooping should stop.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.