Michele Grasso is a Sicilian drug dealer -- a fugitive who had evaded arrest since 2010. He had seemingly mastered the art of flying under police radar, until he made a simple mistake: He posted pictures of himself on his Facebook page, grinning in front of a wax model of U.S. President Barack Obama at London's famous Madame Tussauds museum. He also helpfully included the name and a photograph of the pizzeria where he was working, leading him to be snagged by British police this year. Grasso is now back in Italy, in prison.
Social media is profoundly affecting the work of security and law enforcement, even more than the invention of the telephone over a century ago. As more of us transfer details of our lives -- our whereabouts, interests, political views, friends, and so on -- online, it inevitably involves and interests the agencies tasked with keeping us safe. Facebook has been used to try to hire hit men, groom targets of pedophiles, violate protective orders, and steal identities. Al Qaeda's Somali affiliate, al-Shabab, runs a Twitter account while pirates operating in the Gulf of Aden use blogs, Twitter, and Facebook to plan and coordinate their attacks. In late 2010, British police reportedly received more than 7,000 calls from the public concerned with crimes linked to Facebook.
British law enforcement agencies are also developing more powerful methods to patrol this area of cyberspace. Some police forces are believed to be testing various types of automated social media collection and analysis tools to help criminal investigations and gauge the "temperature" -- the background levels of resentment and grievance -- of communities they work with. London's Metropolitan Police now has a social media hub to spot early signs of riots or demonstrations during this summer's Olympics. The United States is getting in on the game as well: This year, the FBI was seeking companies to help it build up social media monitoring apps for much the same purpose. Dozens of crimes -- most more complex than Grasso's indiscretions -- have already been solved by accessing social networks.
But law enforcement's involvement in the communications revolution carries risks as well as rewards. A number of ethical, legal, and operational challenges have yet to be resolved, and they threaten to derail the whole affair. In "#Intelligence," a recent paper for the British think tank Demos, we describe two conditions that must be met before law enforcement extends its work into the world of social media. Unfortunately, the laws and norms to satisfy these conditions remain embryonic even as monitoring technologies grow more pervasive.
Take condition one: There should be a broadly proportionate relationship between the degree of intrusion into someone's private life, and the necessity and authorization for that intrusion. But both Britain's Regulation of Investigatory Powers Act and the U.S. Patriot Act are more than a decade old -- signed into law before the existence of Facebook, YouTube, or Twitter. These pieces of legislation recognize citizens' fundamental but qualified right to privacy, and they define the occasions when and process by which this right can be transgressed.
The problem is that the meaning of "private," in the world of social media, is less obvious than a decade ago -- more a series of shifting shades of gray. This leads to obvious operational problems. Is entering a Facebook group covertly the same sort of intrusion as infiltrating an offline group? Is collecting tweets similar to listening and recording a person shouting in public? What are the mechanisms by which these steps can be accomplished, and when do they represent a violation of citizens' privacy? In truth, no one really knows.
A recent U.S. Supreme Court decision (United States v. Jones) carries significant ramifications on these questions. The court decided that the use of GPS tracking devices without a warrant breached the Fourth Amendment, which bars unreasonable searches and seizures. A car on a public highway is not necessarily private -- anyone can see it and potentially follow it -- but the court determined that Jones would reasonably have expected his movements to be private and not subject to government monitoring. This "expectation of privacy" test was a complex enough question in Jones's case, and it is only more contentious when it comes to social media, where public expectations of privacy are varied, confused, and constantly in flux.
The Jones decision is also important because of the potential of mass surveillance that technology now allows. As Justice Sonia Sotomayor noted in her concurring opinion on the Jones ruling, "[B]ecause GPS monitoring is cheap in comparison to conventional surveillance techniques and, by design, proceeds surreptitiously, it evades the ordinary checks that constrain abusive law enforcement practices: 'limited police resources and community hostility.'" But GPS monitoring is nothing compared with what law enforcement can learn from social media -- in fact, it is labor intensive next to what an individual police officer can learn about someone by spending a few minutes online. In Britain, a fairly senior police officer is required to authorize directed surveillance. None is required for Googling suspects.