The use of social media by emergency officials raises privacy concerns that are not present with broadcast methods of sending alerts and warnings. Official monitoring of social media to better detect or understand unfolding events is of potential value to emergency managers but may also raise privacy concerns. In addition, the networked nature of social media may provide a substantial amount of information about a single individual. For example, based on whom individuals follow on Twitter, one could infer where they live and work and where their children attend school. In addition to privacy challenges, liability and legal concerns will also have to be addressed. Peter Swire, Ohio State University, discussed legal and policy perspectives on privacy challenges. Bryan Ware, Digital Sandbox, discussed the privacy challenges that limit tool use and how privacy protections might be built into application development. Aram Dobalian, VHA Emergency Management Evaluation Center, explored liability issues related to first-responder use of social media.
Swire described two main points of view regarding the government’s monitoring of social media to gain situational awareness during an emergency. One perspective is that because individuals have posted information online and made it readily available to the public, the government should feel comfortable using that information to gain situational aware-
ness and respond to needs during a crisis. The second perspective is that many people find it disconcerting to know that the government is reading and analyzing information posted in social media.1 The monitoring raises several questions: How long will such information be stored? What else will it be used for? Will individual dossiers be created that may potentially lead to limitations on an individual’s freedoms?
Swire observed that the Fourth Amendment to the U.S. Constitution, with its limits on search and seizure by the government, helps shape understanding of what is public. Essentially, probable cause or a warrant is needed to enter an individual’s house or vehicle.
By contrast, the Fourth Amendment does not limit the government’s ability to follow people on a public street or to read information published in a newspaper, a precedent that might be extended to cover government monitoring of public social media communications. Interestingly, in the context of another circumstance involving new technology and its privacy implications, the January 2012 Supreme Court decision in United States v. Jones placed limits on the definition of “in public.” The court issued a unanimous opinion that a warrant was needed to place a GPS tracking device on an automobile even though the vehicle in question was traveling in public spaces. The majority of justices emphasized that physically attaching something to a car was a factor in the decision; other justices questioned whether “in public” is enough to make surveillance acceptable.
Another Fourth Amendment consideration relevant to social media is consent—individuals can consent to a search or seizure. When people make information available to the public through social media, does this action mean that consent has been given? A related question is under what circumstances people give consent. Facebook user settings provide an example of the lack of clarity surrounding the concept of consent. Several papers have discussed how Facebook users have trouble understanding their privacy settings.2 Users often believe that postings are not available to the public when in fact they might be.
1 Concerns about government use of information can, observed Swire, be attributed at least in part to past abuses. For example, it was uncovered after the fact that the FBI had placed many of the delegates at the 1972 Democratic party national convention under surveillance. In the wake of Watergate and other abuses, President Ford’s attorney general issued what would become known as the Levi guidelines to limit the information, including public information, that law enforcement could gather. Concerns about government intrusion also led to passage of the 1974 Privacy Act.
2 Maritza Johnson, Serge Egelman, and Steven M. Bellovin. Facebook and privacy: It’s complicated. Symposium on Usable Privacy and Security (SOUPS), July 2012. Michelle Madejski, Maritza Johnson, and Steven M. Bellovin. A study of privacy setting errors in an online social network. Proceedings of SESOC 2012, 2012. An earlier version is available as Technical Report CUCS-010-11.
Swire also discussed several areas of federal legislation and their possible implications for government monitoring of social media:
• The 1974 Privacy Act regulates how a government system of records is maintained and how information is shared with other federal agencies and individuals. Pursuant to this act, the Department of Homeland Security (DHS) released a System of Records Notice in February 2011 regarding its monitoring of social media.3 Provided that a set of procedures outlined in the regulation is followed, there is no strict constraint on data collection and use.
• State and federal wiretapping statutes place strict limits on government interception of telephone calls. While this constraint does not apply directly to items posted using social media, it highlights how protective the law can be regarding the monitoring of communications that are intended to be private.
• The Stored Communications Act applies to records held by a third party. Although a subpoena to the third party is required, there is a medium level of strictness around the collection of this information.
• Legislation regarding so-called pen registers concerns the collection of pen register information—who an individual calls, texts, or emails—but not the content of the communication. Although a judicial order is needed, the standard for receiving an order is fairly low. Routing information has not been considered particularly sensitive but is fairly useful to law enforcement. In addition, friends’ lists on Facebook are by default public.
The state of the law regarding government access to and use of location information available from mobile devices or social media is still being examined in the courts. The lower courts are currently split on whether a warrant is needed to track an individual’s cellular phone. This is a particularly sensitive area because cellular devices can track the location, time, and date of a person’s activities, potentially revealing a broad picture of an individual’s life.
Finally, Swire observed, although certain surveillance or monitoring activities may be legal, they may not be desirable as a matter of government policy. Indeed, the Department of Homeland Security (DHS) has recognized this concern and has itself imposed limitations on its monitoring activities. DHS monitors some public officials and traditional, new, and social media; the restriction is that individuals are not tracked. These
3 Department of Homeland Security. Publicly Available Social Media Monitoring and Situational Awareness Initiative System of Records. FR Doc. No. 2011-2198, 2011. Available at http://www.gpo.gov/fdsys/pkg/FR-2011-02-01/html/2011-2198.htm.
limitations were included in DHS’s System of Records Notice, which makes these rules binding. Nevertheless, at a recent hearing in the House of Representatives, Congress criticized DHS’s approach to social media.4
Bryan Ware described the “See Something, Say Something” (S4) campaign and other efforts to encourage the public to report potential threats, and used them to illustrate how privacy considerations can constrain the development and deployment of applications and tools that enable the public to provide information on potential threats.
The S4 program, which is run out of DHS’s Office of Public Affairs, is intended primarily to increase the public’s awareness of safety issues, and only secondarily to collect information. Accordingly, it does not provide a mechanism for making reports, other than the 911 emergency phone number that is ubiquitous in the United States. Each public safety organization has a unique reporting phone number or other reporting mechanism.
Although there would seem to be considerable scope for accepting reports from smart phone applications and other forms of social media, Ware observed that their adoption was being held back in part by concern about privacy and civil liberties. For example, Ware’s firm, Digital Sandbox, Inc., developed an S4 reporting tool for mobile devices that was never deployed owing to unresolved privacy issues. Although the S4 program was thus ultimately not successful, the experience provides valuable lessons for future endeavors.
Another system, Threat and Risk Incident Management, also built by Digital Sandbox, Inc., was developed to provide capabilities similar to those of the S4 application and was deployed during the 2012 Super Bowl. The system, built to be used during the 10 days of Super Bowl activities, combined several information sources—911 calls, event activities and locations, field reports from trained personal, and very limited monitoring of social media. Although the system could have been used to collect citizen reports (such as pictures taken with a smart phone), its use was limited to trained personnel, again because of privacy concerns. Monitoring of social media was limited; for example, Twitter feeds were searched only for certain terms in certain areas, and Twitter users’ names and associated URLs were not collected. Despite these constraints, Ware
4 Subcommittee on Counterterrorism and Intelligence. DHS Monitoring of Social Networking and Media: Enhancing Intelligence Gathering and Ensuring Privacy. February 16, 2012. Washington, D.C. Available at http://homeland.house.gov/hearing/subcommittee-hearing-dhs-monitoring-social-networking-and-media-enhancing-intelligence.
said that the tool proved very useful because it provided emergency managers an integrated view of potential events and also made this information available to officials on their mobile devices.
Aram Dobalian explored the use of social media for emergency response, including both informal and formal and paid and volunteer responders, focusing first on a set of legal issues related to the use of social media for emergency response. He observed that the case law in this area is very limited, but that there are some relevant legal perspectives that can be applied, including the tort of negligence, duty of care, and Good Samaritan laws:
• Tort of negligence. There are four basic elements to the tort of negligence: duty, breach, causation, and damages. These form the basis, for example, for most medical malpractice claims and might be most relevant to first responders and social media use. Negligence states that “a failure to provide the care that a reasonably prudent responder would provide under the same or similar circumstances might be the basis for liability.” For negligence to be found, there first must be a certain duty or responsibility that is owed by the responder to the victim. Second, that duty has to be breached in some form. Third, as a result of that breach, the victim must be further injured or harmed.
• Duty of care. In most cases, bystanders have no duty or responsibility to provide aid to an injured individual.5 However, courts and statutes have created several exceptions. One is that if someone begins to provide aid to an individual in distress, that person must continue to provide aid at least until someone more qualified can provide the aid—the rationale for the requirement being that once someone starts, others are less likely to step in to provide assistance. In the context of social media, this stance suggests that a first responder who reads a social media post requesting assistance incurs obligations once he or she communicates an intent to provide assistance.
A second exception is that if someone creates a situation that causes harm, that person has the duty to mitigate damage caused. In the context of social media, messages that, for example, led to a stampede could create liability.
A third exception is when the rescuer has a caretaker or other special
5 In two states, Vermont and Minnesota, laws do require that assistance be provided. Vermont imposes a fine, and Minnesota treats failure to provide aid as a misdemeanor, although the obligation can typically be met by calling 911.
relationship (including teacher-student, business-customer, and provider-patient) to the victim. A special relationship may also be created if the rescuer starts to provide advice on, say, how to treat injuries. However, there is very little case law that is relevant in this particular area. There may be some similarities as well to teledelivery of health services, but again there is still very little case law regarding remote diagnosis and treatment.
• Good Samaritan laws. These laws shield individuals from liability when they offer assistance provided that they act rationally, in good faith, and in accord with whatever relevant training they may have—and when their assistance is not being provided in conjunction with their employment. The intent of such laws is to encourage bystanders to provide assistance without fear of incurring liability. Jurisdictions vary in their application of these laws to people with medical or other specialized training, and some apply only when victims are in imminent danger. Also, the laws do not apply to those who work in an emergency response-related profession if they are being paid at the time to provide aid. When they are acting as volunteers, how the laws apply is less clear-cut.
Because social media interactions readily span jurisdictions, their use in disasters raises issues that also arise with telemedicine. There are, for example, unresolved questions about the circumstances under which health care professionals can provide advice or care to someone located in a state where the professional is not licensed. There are also questions about what the standards of care should be when advice is provided remotely, without an opportunity for a physical examination.
Social media interactions also raise privacy questions because information transmitted over social media may be public or semipublic, yet a health care provider may have obligations under the Health Insurance Portability and Accountability Act (HIPAA) or other privacy laws6 that are difficult to meet under those circumstances.
Given all of these challenges, it is perhaps not a surprise that emergency managers have not been able to put formal systems in place that use social media for emergency response, commented Dobalian. However, there is at least one example of such a service—the United Hatzalah in Israel, which coordinates a group of approximately 1,700 volunteers who are trained in first aid and have GPS-enabled smart phones. A smart phone application notifies the nearest responder to attend to an event— with a goal of responding within 90 seconds to a Twitter message or
6 Department of Health and Human Services. Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations. 2005. Also see “Disclosures in Emergency Situations” under Frequently Asked Questions at http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_in_emergency_situations/index.html.
other post signaling the event, well before an ambulance normally would arrive.7 If the United States were to create an analogous volunteer-based system, the legal issues outlined above would have to be considered, observed Dobalian. And, Dobalian commented, if social media were to be used for professional emergency response, a number of questions would have to be addressed, such as the following:
• How would requests via social media be validated?
• How would the architecture for such a system resemble and differ from existing 911 telephone systems?
• What levels of staffing and skills would be needed to effectively monitor social media for requests for assistance?
• How would the information available to dispatchers be different from that available to a 911 operator, and what would the implications be for what resources were dispatched and what advance instructions were given?
Observations on privacy and legal issues associated with social media offered by workshop panelists and participants in the discussion that followed the panel session included the following:
• Messages that do not contain a verified identity will often suffice as a source of information when events are being monitored or the public’s response is being assessed, and people may be more comfortable remaining anonymous when their communications are monitored by the government. However, people’s attempts to remain anonymous are complicated because a user’s network may provide clues to his or her identity.
• The distinction between personal identifiable information and other information about people is rapidly eroding as researchers have come to understand that fairly innocuous attributes can pinpoint individuals. Are there other techniques or approaches that can be used to disguise a person’s identity?
• There is a distinction between impersonal trust (trust in institutions) and interpersonal trust (trust in other individuals). During a crisis, trust has interesting dynamics—both impersonal and interpersonal trust can be eroded, or one may serve as a substitute for the other. How are these dynamics altered by the use of social media during a disaster?
• The U.S. Department of Health and Human Services released new regulations regarding medical privacy in the aftermath of Hurricane
Katrina that allow health care providers to better share patient information as necessary to provide treatment in an emergency. Health care providers can also share patient information as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for an individual’s care. Could these guidelines serve as a more general model for how to relax privacy restrictions during emergencies? Could new HIPAA guidelines regarding de-identified health data provide a helpful starting point?
• Copyright issues, especially with respect to photographs, may create an additional challenge to the use of social media, although copyright protects expression rather than the underlying data or idea. If photographs were used simply to identify patterns, this use of data would not create a copyright problem.