NATIONAL AGENCY HUD GEOINT Drive Springfield. Virginia 22150 Mr. Michael Best MuckRock DEFT MR 33706 411A Highland Avenue Somerville, MA 02144-2516 RE: Freedom of Information ActiPrivacy Act (FOIAIPA) Request 2017-FOl-0004?i Dear Mr. Best: This letter is in response to your FOIAIPA request. In your letter. you requested: Eiectronic copies of your Agency?s social media monitoring policies, including but not iimited to Privacy impact Assessments. Enclosed with this letter are documents associated with your request. After a careful review of the requested documents, the National Geospatial-lntelligence Agency (NGA) subject matter experts have determined that some information is being withheld because it is protected from release under exemptions and FOIA exemption applies to information exempt by a Federal statute establishing particular criteria for withholding. In this case, the statute that authorizes withholding the names, office symbols, and job titles of NGA employees is 10 U.S.C. 424 FOIA exemption protects information currently and properly classified in the interests of national defense and foreign policy. Executive Order 13526, section 1.4 protects intelligence activities. intelligence sources, methods or If you are dissatisfied with this response to your request, you may appeal our determination in writing. Your appeal should be postmarked within 90 calendar days from the date of this letter. Please enclose a copy of this letter with your appeal referencing Include in your appeal any reasons for reconsideration which you wish to present. Mail your appeal to the National Geospatial-Intelligence Agency, Office of Security FOINPA Requester Service Center, 7500 GEOINT Drive, Mail Stop Springfield, VA 22150. There are no fees associated with the processing of this request and we consider this file to be closed. Should you have any questions, please contact Joe Sheley, FOIA Specialist or Charles Melton, FOIA Program Manager at 5716514141 or via-email, at FOIANGAt?lnoamil. Additionally, the NGA FOIA Public Liaison at (571) 557-7729 is available to you for any concerns or disputes you may have related to your FOIA request. Finally, you may also seek information and resolution regarding your request Mr. Best Page 2 through the Office of Government Information Services (OGIS) at (202) 741-5770 or via email at ogls@nara.gov. Sincerely, Ma Paul R. Polk Of?ce of Corporate Communications Public Release Officer and FOIA initial Denial Authority Enclosure 1. Responsive Documents (14 pages) THE OFFICE OF GENERAL COUNSEL I. ..I If! Jill ff ll'ylr ?furl?Li Lilli-[ill LE AL GUIDE SERIES LEGAL CONSIDERATIONS ON THE PROPER COLLECTION AND USE OF SOCIAL MEDIA INFORMATION This guide addresses Legal considerations pertaining to the collection and use of social media information by or through the National GeDSpatial-lntelligence Agency NGA contractors, and other Federal agencies. It is intended to provide a general overview of legal issues pertaining to the collection, usage and storage of social media. Specific legal questions should be directed to the NGA Office of General Counsel (OGC). January 2012 TABLE OF CONTENTS SUMMARY 1 (U) Definitions 2 (U) Publicly Available Information 3 (U) Authority to Collect and Exploit Publicly Available Social Media Information 4 (U) GEOINT 4 (U) Mission-Related Purpose 5 (U) Undisclosed ParticipatioanC Affiliation: U.S. Person Considerations 6 (U) Licensing Agreements and Terms of Use 8 (U) Copyright Law 9 (U) Retention and Dissemination of Publicly Available Social Media Information Containing U.S. Person Information 10 (U) Retention of Information Used for Domestic Purposes 10 (U) Retention of Information Used for Foreign Intelligence Purposes 10 (U) Dissemination of U.S. Person Information 11 (U) Conclusion 12 SUMMARY This opinion is intended for use by National Geospatial-lntelligence Agency personnel seeking to collect, exploit, retain and disseminate publicly available social media information, including crowd sourcing information, for an official government purpose. It outlines the scope of NGA's authority to use social media and sets forth guidelines to ensure that the use of publicly available social media and crowd sourcing information complies with relevant statutory authority and other legal and policy documents. (U) As a general rule, NGA personnel may collect, exploit, retain and disseminate publicly available social media information for mission-relevant purposes. Personnel should also use social media in accordance with directives and regulations prohibiting undisclosed participation in United States organizations; the social media site's licensing agreement{s) and terms of use; copyright law; and the law and policy regarding the retention and dissemination of U.S. person information. The unique and ever-changing facts of each social media platform will drive this process. Unclear or "gray areas? regarding the use of social media require prior Office of General Counsel review and approval. (U) While this opinion covers the use of social media information for intelligence purposes, it is not meant to cover all possible situations relating to or arising from the collection and use of social media. For instance, this opinion does not cover the use of social media to conduct research for personal professional development. Specific facts and circumstances can affect the legality of any proposed action. Contact OGC for guidance with regard to situations not specifically addressed in this document and prior to use of social media in unclear or "gray areas." (U) Section I of this opinion defines social media and what constitutes publicly available information; Section II explores the scope of statutory authority to collect and use publicly available social media information; Section analyzes the disclosure of intelligence community affiliation when joining or participating in US. organizations; Section IV discusses licensing agreement and terms of service considerations; Section discusses copyright issues; and Section VI addresses the retention and dissemination of U.S. person information. (U) Definitions (U) Social Media and Crowd Sourcing (U) For the purpose of this opinion, the term ?social media" means any web-based technology platform that enables people to communicate and share information and resources through an instantaneous tailored or global distribution. Examples of popular social media platforms include Twitter?, Facebook?, YouTube?? and Flickr??. The term ?social media? also encompasses the content available on social media platforms (specifically referred to herein as ?social media information"). Social media information can include text, audio, video, images, podcasts and other types of multimedia communications. Examples of social media information include Tweets?, images, YouTubeTM videos and Facebook?? wall posts. (U) ?Crowd sourcing? is a subset of social media that involves the sourcing of tasks by one individual or entity to an undefined large group of people (the crowd} through an open call for participation. Crowd sourcing platforms are often structured by their creator to facilitate collaboration and interactive collective work. Examples of crowd sourcing sites include OpenStreetMapsm, ?r?i?ikirlrlaps1M and Wikipediam. Content on crowd sourcing platforms comes in many varieties and is often similar to that which is found on social media sites. (U) The term crowd sourcing as used herein does not contemplate or include the sourcing of tasks by NGA personnel. Such action may, in certain circumstances, constitute the impermissible tasking of human sources (and possibly undisclosed participation). For purposes of this guidance, NGA personnel may use crowd sourcing sites to passively collect information already provided by the crowd, but should consult OGC prior to using crowd sourcing sites in any other way. The law and policy that apply to the collection and use of social media information also apply to crowd sourcing information, so the term ?social media,? where used, will refer to both terms. information that anyone can lawfully obtain by request, purchase, or observation?i) techniques. For example, social media presents a new avenue to collect by: ibiili Mic-i (i i Sec 1.4 entering? groups, interacting with group members an_ from those members or passively collecting publicly available information (OSINT). (U) Though these varied collection methods exist to IC professionals, NGA personnel are restricted to collecting social media that constitutes OSINT, as NGA is not authorized to SEW conduct or HUMINT operations. As such, the term "social media? as used in this opinion only includes information that is collected by open source. Unlike SIGINT or HUMINT, OSINT merely represents another source of information that all It: professionals may use under their agency's existing authorities, laws and regulations, to inform and enhance intelligence production.2 (U) Publicly Available Information Publicly available information is defined as information that is: published or broadcasted for general public consumption; available on-line (or otherwise upon request) to a member of the general public; available to the public by subscription or purchase; lawfully seen or heard by any casual observer; available at a meeting open to the general public; or obtainable by visiting any place or attending any event that is open to the public.3 Examples of publicly available social media information include Tweets?, FacebookTM pages, YouTubem videos, Flickr1M photos and Wikipedia?? entries that are accessible to the general public, either openly on the web or through registration or subscription available to any member of the general public. Some social media sites give users varying privacy settings to implement preferences with respect to what information is public and what information is subject to controlled dissemination. Information marked as subject to controlled dissemination is not considered publicly available because it is not available to the general public upon request. Examples of such information include Facebook1M pages accessible only to certain ?friends? or private Tweets?. NGA personnel should avoid accessing, collecting, exploiting, retaining or disseminating such information. (U) NGA personnel seeking access to social media information on the web must be cognizant of whether or not access to information is via public access or via a personal account. if access is via a personal account and the information is received because the information is directed to the analyst personally, then the information is not necessarily publicly available. For example, an analyst may be able to view a ?friend?s? Facebook1M page through her personal Facebook?" account login, though that page may not necessarily be available to the general public due to the user?s privacy settings. OGC advises that NGA personnel not collect social media information via use of personal social media accounts or .com email addresses, both to avoid this concern and for OPSEC purposes. 2 (U) See discussion at Section ll, infra. 3 (UiiFGHeir See 5240.1-R De?nitions 1.1.2, Procedures Governing the Activities of Components that United States Persons (1982); see atso Civii Liberties and Privacy Guidance for Community Professionals: Property Obtaining and Using Pubiioiy o'i ?We? vaiiabie information (2011} (citing Attorney Generai?s Guideiines for Domestic FBI Operations). 9. (U) Authority to Collect and Exploit Publicly Available Social Media Information NGA is authorized to collect and exploit publicly available social media information as long as the collection and exploitation of this information is consistent with NGA's statutorily-defined GEDINT mission and the activity is not otherwise prohibited by law or regulation.4 Publicly available social media information is a ?source" of information that NGA personnel may collect and exploit within the confines of existing authorities. Further, social media information that can be characterized as OSINT is authorized for collection by Intelligence Community Directive (ICD) 301, which states that ?It: elements shall: Make full-use of [publicly available] information, expertise and capabilities to conduct analysis and inform collection strategies.?5 Additionally, it is the sense of Congress that NGA may ?use [publicly available] intelligence consistent with [its] mission.?6 (U) Congress vested NGA with a specific mission and the authorities necessary to conduct that mission. NGA may not exceed the scope of its mission authority, and thus NGA personnel's collection and use of publicly available social media information must be conducted for mission-related purposes only. (U) NGA's mission is to provide to the Department of Defense the IC, and various U.5. government entities geospatial intelligence for specific, statutorily articulated, mission purposes? The Director of NGA has been vested with authority to manage GEOINT collection across the NSG.8 Only where these criteria are met may NGA personnel collect and use publicly available social media information. (U) GEOINT (U) NGA personnel may only collect and use pubiicly available social media information for the purpose of creating or enhancing GEOINT. GEDINT is defined as: (U) The exploitation and analysis of imagery and geospatial information to describe, assess, and visually depict physical features and geographically referenced activities on the Earth. GEOINT consists of imagery, imagery intelligence, and geospatial information. GEOINT includes the exploitation and analysis of geospatial spatial and temporal data. It employs all ancillary data, signature information, and 4 (U) Prohibitions and other considerations are covered in the remaining sections. 5 (U) 301. Section (2006). (U) Intelligence Reform and Terrorism Prevention Act, Section 1052a (2004) (emphasis added). 7 (U) See 10 U.S.C. 442; 50 U.S.C. 404a; Directive Nations! Agency (2009). a (U) Executive Order 12333, United States Activities, 5; (1981); Intelligence 0, Directive 113, Functionei Managers (zoos); {it . a fused data products, as necessary. Integrated GEDINT products may also include data and information from collateral sources? (U) Geospatial information identifies the geographic location and characteristics of natural or constructed features and boundaries on the earth, including statistical data, and information derived from, among other things, remote sensing, mapping, and surveying technologies; and mapping, charting, geodetic data and related products. 10 (U) Certain publicly available social media information can be used for the purpose of creating GEOINT. For example, TweetsTM specifically those that are geo-tagged with location coordinates {such as GPS), or contain other location information - are geographically referenced activities on earth (someone making a statement in a particular place at a particular time), and have spatial (and possibly temporal} data. These types of Tweets?? are eligible for inclusion in NGA products as long as they relate to one or more of statutorily authorized missions, as discussed below. Notably, publicly available social media information can be used for GEDINT even when it does not contain location coordinates. For example, a publicly available YouTube1M video or Flickrm photo may be used to create and enhance GEOINT when correlated to a specific location on Earth, possibly through analysis of overhead imagery. NGA personnel seeking to use publicly available social media information will need to make a judgment as to whether use of the information is for the purpose of creating or enhancing GEOINT. (U) Mission?Related Purpose (U) In addition to being for the purpose of creating or enhancing GEOINT, the collection and use of publicly available social media information also requires a mission-related purpose. NGA's statutorily authorized missions include national security, safety of navigation, support to military forces, and supporting the GEOINT requirements of the Department of State and other federal agencies.?l1 Thus, collection and use of the publicly available social media information is only permissible if it fits into one of these categories. (unease-i NGA personnel must be able to articulate a specific GEOINT purpose, and mission- related purpose, to accompany the collection and/?or use of publicly available social media information.12 In addition to these requirements, NGA personnel must also consider undisclosed participation issues, each social media site?s Terms of Use, copyright law, and intelligence oversight rules governing the retention and dissemination of U.S. person information. These considerations are discussed below. 9 (U) See 10 use. 437; 5105.60, Part II. '0 (Ll) See it} U.S.C. 46?. 'l (U) See it] use. a 442; so U.S.C. 4D4e. ?2 This is especially critical when NGA personnel target U.S. persons through publicly available social media. Pursuant to 5240.1-R, Procedure 2. collection of U.S. Person information is permissible under the category for publicly available information provided that NGA has a mission-related purpose for do"? Mireille inf?rmation. 5240.1-R Procedure 2. (U) Undisclosed Participation/IC Affiliation: U.S. Person? Considerations (U) With every intelligence activity involving publicly available social media information, NGA personnel must follow the rules on intelligence oversight. Specifically, because most if not all social media platforms operate within the U.S. and! or are comprised of U.S. persons, use of these platforms by NGA personnel may constitute joining or participating in ?United States organizations? 14 under Executive Order 12333 and implementing 5240.1-R. Social media platforms - and particularly ?group" pages within such platforms are generally considered U.S. organizations where they operate in the United States and;r or are primarily comprised of U.S. persons. Pursuant to Presidential Order and regulation, undisclosed participation in U.S. organizations is prohibited. (U) Executive Order 12333, Section 2.9 provides: (U) No one acting on behalf of elements of the intelligence Community may join in or otherwise participate15 in any organization in the United States on behalf of any elements of the Intelligence Community without disclosing such person's Intelligence affiliation to appropriate officials of the organization, except in accordance with procedures approved by the Attorney General [in consultation with the 13 (U) United States Person means a United States citizen, an alien known by the intelligence element concerned to be a permanent resident alien. an unincorporated association substantially composed of United States citizens or permanent resident aliens, or a corporation incorporated in the United States except for a corporation directed and controlled by a foreign government or governments. See E.O. 12333 {3 3.5m; 5240.1-R DL1.1.25. ?4 (U) Organization includes corporations and other commercial organizations, academic institutions. clubs, professional societies, associations, and any other group whose existence is formalized in some manner or otherwise functions on a consistent basis. 5240.1-R 0102.2. United States Organization means all organizations physically located within the geographical boundaries of the United States whether or not they constitute a United States person. Thus, a branch, subsidiary, or office in an organization within the United States, which is physically located outside the United States, is not considered an organization within the United States. 5240.1-R (3102.3. 15 (U) Participation refers to any action undertaken within the structure or framework of the organization involved. Such actions include serving as a representative or agent of the organization; acquiring membership; attending meetings not open to the public, including social functions for the organization as a whole; carrying out the work or functions of the organization; and contributing funds to the organization other than in payment for goods or services. Actions taken outside the organizational framework. however, do not constitute participation. Thus, attendance at meetings or social gatherings that involve organization members, but are not functions or activities of the organization itself. does not constitute ygarlicipation. See 0102.4. (U) E.O. 12333, Section 2.9; see also 5240.1-R 010. of As, The Attorney General approved procedures for DoD?s undisclosed participation rules, which are found in Procedure 10 of 5240.1-R. Procedure 10 limits the use of undisclosed participation for foreign intelligence purposes within the United Statesi? It states that: Undisclosed participation may not be authorized within the United States for the purpose of collecting foreign intelligence from or about a United States person, nor to collect information to assess United States person sources of assistance to foreign intelligence activities. 1 (U) Whether an NGA employee or contractor on behalf is ?participating? in a US organization when using a social media platform depends on the circumstances. In general, NGA personnel should only use social media platforms to engage in passive collection of publicly available information, absent additional required approvals. This means that personnel should refrain from entering a social media site and communicating, interacting with other network members (including ?friending? or blogging), posting comments, soliciting information or participating in any way other than being a ?casual observer.? Passive collection of publicly available social media information amounts to being a ?fly on the wall." (U) Personnel may access social media sites that do not require registration as part of a collection plan. However, any time a social media site requires registration for access, NGA personnel should contact DOC to ensure compliance with intelligence oversight rules, and should also work with Source Research and the Security and Installations Operations Directorate (SI) to assure that proper OPSEC measures have been applied.19 Moreover, NGA personnel should never log-in to their personal social media accounts, or use personal E-mail addresses, to collect any social media information for NGA use. (to 5240.1-R 0103.12. (U) 5240.14: 010.312. *9 (U) Personnel must follow the procedures set forth in the NBA Instruction on Internet Usage. NI EMTUERB. internal Usage (EDGE) (NI also discusses when employees should, and should not. use non?attributable Internet accounts). 0 (U) Licensing Agreements and Terms of Use (U) Prior to collection and use of publicly available social media information, NGA personnel must be familiar with the social media site?s Terms of Use, Terms of Service, licensing agreements, andfor End User Licensing Agreements (collectively, Terms of Use). Terms of Use are licenses to access the social media platform, as well as the information contained on the platform. They provide guidance on how to use a platform, as well as rights of use governing the information on the site. Specifically, Terms of Use may provide guidance about what information is considered public, what information is collected about the user, and how information may be used and disseminated. When reading Terms of Use, personnel should be aware of the following provisions: . (U) Privacy: Many social media platforms outline their privacy policy in either the Terms of Use or a separate Privacy Policy. These terms explain whether information posted to the site is publicly available by default, whether {and how) users may elect their own privacy settings, and whether information will be shared with certain third parties. These terms are a useful tool for NGA personnel, as they assist in determining what information may be considered publicly available. I (U) Ownership: Many social media platforms outline who owns the informationrcontent posted to the site. Knowing who owns this information is an important part of determining who copyrights belong to. . (U) Redistribution and Dissemination: Social media platforms frequently discuss the parameters for redistributing or disseminating content from the site. The Terms of Use may set forth restrictions on the redistribution of publicly available information posted to the social media platform, restrictions on who the information may be shared with, and whether permission from the social media platform is required before redistribution. Terms of Use are most likely to affect redistribution. Whenever possible personnel should use sources that have Terms of Use that expressly permit redistribution of the data or reuse for non-commercial purposes. For example, Open??treetivlaps1M data is published under an open content license, the Creative Commons Attribution-Share Alike 2.0 license. This means you must attribute the data in the manner specified by the author and if you want to publicly display the data you must include the ICC-SA Terms of Use. (U) Terms of Use vary with each site and are often revised on a regular basis. Violating the Terms of Use carries legal implications, so it is important to know what is, and what is not, permissible. If it is unclear whether a proposed collection, or the redistribution of collected information, would violate a website?s Terms of Service, NGA personnel should contact OGC for further guidance before proceeding. (U) Copyright Law (U) information derived from social media platforms may be subject to both Terms of Use and copyright law. When collecting and using publicly available social media information, NGA personnel must ensure compliance with copyright law. A copyright is a bundle of exclusive rights granted to the author of an original work of expression to: make copies of the work; distribute the work; sell, rent, lease, license, or lend the work; make ?derivative? works; perform the work in public, live or by transmission or display the work to the public. Examples of copyrighted works include photographs, computer software, graphics, maps, sound recordings and motion pictures. (U) A copyright may be infringed if there is a violation of the exclusive rights of the copyright owner, such as an unauthorized production or reproduction. NGA personnel must ensure that any reproduction of copyrighted material falls within a legally defensible category, and should consult with DGC for further guidance when it is unclear whether material is copyrighted. For example, personnel must get specific advice on whether copyright information may be used without permission, and guidance on when photographs may be used as part of a national security analysis under a fair use theory. For purposes of general copyright understanding, administrative uses of copyrighted information likely require a license or permission; and national security uses, such as matching a photograph of a building to classified imagery for a classified intelligence analysis, may qualify as a fair use. (U) Retention and Dissemination of Publicly Available Social Media Information Containing U.S. Person Information (U) Any U.S. person information in NGA-obtained publicly available social media information must be retained and disseminated pursuant to Procedures 3 and 4 of Del) 5240.1-R. (U) Retention of Information Used for Domestic Purposes (U) When identifiable U.S. person information is collected through search terms intended to support NGA's domestic missions, such as pursuant to a valid request from a federal agency to provide GEOINT in support of domestic disaster relief, it should be presumed to contain U.S. person information. This presumption continues until the information is in some format that would allow personnel to confirm the existence of US. person information, or identify non- U.S. persons. This information must be marked as containing U.S. person information, kept separate from other information, and made accessible only to those with a valid ?need to know.?20 The information must also be reviewed annually and any information that is not both mission-authorized and publicly available must be purged from NGA systems. (U) Retention of Information Used for Foreign Intelligence Purposes (U) When publicly available social media information is harvested through search terms intended for a foreign intelligence purpose, it may be presumed not to contain U.S. person information. Similar to the above presumption, this presumption continues until the information is in some format that would allow personnel to identify U.S. persons, and U.S. persons are identified. Information harvested in raw format requiring manual input into a spreadsheet, or information acquired from a third party such as TopsyT?Q'I that is not in a sorted spreadsheet format, are examples of information that has been acquired, but not officially ?collected? for intelligence oversight purposes. Information in an intelligible format, such as information sorted in a spreadsheet that would allow personnel to ascertain the existence of U.S. persons (either by GPS location, user name, or user-provided location) is considered ?collected? for intelligence oversight purposes. (U) Once information has been collected (as opposed to harvested), incidentally collected U.S. person information can be retained for a period "not to exceed 90 days, solely for the purpose of determining whether that information may be permanently retained under these 2" (U) 524nm cs. 2? is a real-time social media search engine, which can be used to search TweetsTM and other go, GENWsocral media Information, 0 ,9 A92, 10 procedures.?22 Incidentally obtained U.S. person information that does not meet the criteria for retention cannot be retained and must be purged from NGA systems within the 90 days.23 U.S. person information that can be retained must be marked as containing U.S. person information, kept separate from other information, and made accessible only to those with a valid ?need to know.?24 The information must also be reviewed annually and any information that is not both mission authorized and publicly available must be purged from NGA systems. 25 (U) Dissemination of U.S. Person Information Any U.S. person information that has been collected from publicly available social media for a mission-related purpose can be disseminated as long as "the recipient is reasonably believed to have a need to receive such information for the performance of a lawful governmental function? and is fits within one of the categories articulated in (24.22.26 22 5240.1-R 03.3.4. 23 Unless it can be retained pursuant to any otherjusiifioation found in 5240.1-R 03.3.2. if (U) 5240.1-R 03. Unless it can be retained pursuant to any other justification found in 5240.142 03.3.2. 2'5 (U) 524o1-R 04.2.2. 11 (U) Conclusion (U) NGA personnel are encouraged to collect and use social media information to enhance the GEOINT that NGA provides to its IC and other U.S. government partners. To ensure that the collection and use of such information is legally defensible, personnel are responsible for ensuring that the information: (1) is publicly available; is sought for the purpose of creating (3) is sought to further one of statutorily authorized missions; (4) is collected in accordance with Executive Order 12333 and rules on participation; (5) is collected and used in compliance with the social media site's Terms of Use; is collected and used in compliance with copyright law; and is retained and disseminated pursuant to procedures. (U) The OGC encourages dialogue on this developing activity. The OGC point of contact is- Mission and International Law Division. 12