Social media monitoring in the UK: the invisible surveillance tool increasingly deployed by government

I. The many faces of social media monitoring

Social media monitoring, also known as social media intelligence (SOCMINT), refers to the techniques and technologies that allow companies or governments to monitor social media networking sites, such as Facebook or X (formerly Twitter). It enables the monitoring of content, such as messages or images posted and other data generated through the use of a social media networking site. This information includes interactions which take place person-to-person, person-to-group, group-to-group, and includes interactions that are private and public.

Social media monitoring can take many forms. It can be done - as most people will - by manually reviewing content as it is posted in public or private groups or pages, or by reviewing the activities or types of content users post. In its most sophisticated iterations, social media monitoring can take place through technologies such as 'scraping', which enable the extraction of the content of a web page and then the consolidation and processing of that information to yield further insights.

While no sophisticated technology is needed to carry out SOCMINT in its simplest form - online access to a social media platform will suffice - tech companies’ offerings have evolved to include technologies which fundamentally rely on social media monitoring at scale.

Clearview’s artificial intelligence (AI) facial recognition technology, for example, relies on an automated image scraper, an automated tool which searches public webpages and collects any images that it detects as containing human faces. This database has ballooned to include 30 billion faces sourced from social media sites without either the site’s or the user’s consent. Clearview’s loose approach to the social media sites’ policies has led to legal action by large platforms, while their unchecked use of social media users’ personal data has been found to be unlawful by five different data protection authorities across Europe, thanks to a challenge taken by PI with other CSOs.

The buck does not stop there. Clearview’s clients include law enforcement agencies, which may use Clearview software by uploading images to see if they return a match against the images held on Clearview’s database. As we pointed out to the UK Information Commissioner’s Office in our complaint against Clearview, the Clearview software would enable the police to effectively identify every single person caught on camera, or at least associate their physical identity with their online presence. A police force could very realistically decide to identify every single individual in a protest crowd and build profiles on them from information gleaned online.

While the use of facial recognition technology by law enforcement may not yet be a globally widespread phenomenon, the use of social media monitoring is gaining further traction elsewhere.

In places such as Colombia, where social media monitoring is used to stifle the right to freedom of expression and freedom of assembly, the dangers of this practice can lead to a widespread chilling effect with large societal impact.

Investigative journalists revealed that the Colombian army had gathered secret dossiers, built on social media monitoring, on over 130 people ranging from politicians to activists, journalists and trade unionists. In 2021, in the aftermath of the pandemic and after widespread protests in Colombia, a specific law enforcement unit used social media monitoring to gather information on protesters. The Attorney General’s Office stated that the activities of this law enforcement unit - known domestically as the PMU-Ciber - were aimed at the “constant monitoring of social networks such as Facebook, Twitter and Instagram as well as any other which would enable [the police] to establish the opinion and trends that may present during the development of a social protest”. You can find out more about this case in a report published by Dejusticia in which they warned about the lack of existing safeguards and regulation of the use of social media intelligence by intelligence agencies.

This issue was raised with the UN Human Rights Committee as part of the review process of Colombia thanks to a joint civil society submission by PI, and its Colombia partners Karisma and Dejusticia. In its concluding observations, the Committee noted with concern the monitoring of social media by the Integrated Cybersecurity Command, a law enforcement body, in the context of social protests.

There have also been reports of social media monitoring by the military in Mexico as part of wider military operations in cyberspace by the "Centro de Operaciones del Ciberespacio”, whose activities are not part of the legal framework in Mexico, raising concerns about how these powers will be used and who they will target.

II. Uncovering the use of SOCMINT in the UK

In this section we outline some of the key developments that PI and others have uncovered in relation to the use of SOCMINT in the UK.

a. Use of SOCMINT in the monitoring of extremism 

The use of social media monitoring in the UK in the counter-terrorism context has a long history.

Ten years ago, the National Domestic Extremism Unit (NDEU) was revealed to hold the personal details of 9,000 campaigners, some of which had been gleaned from online websites. One of the campaigners whose data had been held in the database and who had never been convicted of an offence, was John Catt. His legal challenge eventually reached the European Court of Human Rights, which ruled that the handling of Catt’s personal data by the NDEU breached his right to privacy in that necessity for its continued retention had not been established, and therefore amounted to a disproportionate interference with Article 8.

Despite this case, social media monitoring by the NDEU’s successor, the Extremism Analysis Unit (EAU), continued. In a press release announcing new counter-extremism guidance by the Home Office, Dr Salman Butt was identified as a “hate speaker” based on information gathered by the EAU. Among other legal arguments, Dr Butt challenged the handling of his personal data by the EAU on privacy grounds. The Court of Appeal found no violation of his right to privacy, opining that Dr Butt could not have a reasonable expectation of privacy in relation to the statements deliberately made public by him which he wished to communicate to others (Court of Appeal ruling, [67], [77]).

Dr Butt then made a second petition at the European Court of Human Rights, which is currently pending. A key aspect of the case is whether the material obtained by the EAU from several sources, including social media, does engage the right to privacy. In an intervention, Privacy International argued that social media monitoring should be regarded as a serious interference with the right to respect for private life.

b. Use of SOCMINT by local authorities

The perception that information published on social media channels is fair game for social media monitoring has trickled down from the counter-extremism context to local government apparatus.

The fact that UK local authorities were relying on social media as a source of information was highlighted by the Chief Surveillance Commissioner in his 2014-2015 annual report, where he noted that:

"perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices" (para. 5.42).

In a 2020 investigation, Privacy International found that a significant number of UK local authorities were using 'overt' social media monitoring as part of their intelligence gathering and investigation activities, namely social media monitoring of online content which had no privacy settings applied to it. Social media monitoring was carried out for investigations and intelligence-gathering in a range of areas such as children’s social care, council tax, fraud, licensing, benefits, neighbourhood services, and debt recovery.

Out of 136 local authorities which we sent Freedom of Information Act (FOIA) requests to, over 60% stated they they were carrying out social media monitoring. Concerningly, there were no quality checks performed on the effectiveness of social media monitoring for the purposes for which they were undertaken, nor records made of when social media monitoring activities took place in relation to a particular individual or investigation.

Following these findings, PI wrote to the Investigatory Powers’ Commissioners Office calling for clarification on the lawfulness of the use of social media monitoring and relevant safeguards. Such clarification has not taken place to date.

c. Use of SOCMINT by the UK Department for Work and Pensions

The use of social media monitoring for fraud investigations by the UK Department for Work and Pensions (DWP) has been comparatively more open and formalised.

Alongside other surveillance tactics, the DWP’s staff guide on fraud investigations (Part II) has an entire section on "Open Source Instructions” to help DWP’s staff use publicly available information for fraud investigations.

The consultation of online open sources is subject to internal processes. Where the research is deemed non-intrusive by the DWP - which they consider to include news sites, maps, street views, and auction sites - the DWP directs staff to view the material on networked computers by officers within Counter Fraud and Compliance Directorate (CFCD). Similarly, the DWP requires that a full audit trail of the actions taken during the research or intelligence gathering be kept, including the considerations applied in the decision to undertake open source activity, including the proportionality and necessity of doing so.

Notably, the DWP goes on to recognise potential limits to the actual availability, acknowledging that the fact that social media content is "public”, does not necessarily mean that a person will not have an expectation of privacy in relation to it. Accordingly, officers are prompted to consider the extent of privacy attached to the information.

III. The growing evidence of widespread use of social media monitoring by government departments

Whilst the above is already concerning and remains unregulated, further evidence of such practices and policies is slowly coming to light thanks to the efforts of journalists and civil society.

a. UK Government departments using social media monitoring

In October 2023, an investigation by The Observer revealed that the Department for Education (DfE) was keeping files monitoring the social media activity of at least nine leading educational experts. The material gathered on the experts was revealed to be extensive, with files being as long as 60 pages. A few of the experts targeted sent Data Subject Access requests, which showed that the DfE had kept a record of social media content posted by these experts that was critical of the government, as well as noted the account holders’ interactions with other content, such as “likes”. At least two early childhood experts who had "files” created about them were uninvited from speaking at a government-sponsored event, purportedly on the basis that they had been deemed to be "unsuitable” headline speakers.

A month later, it was further revealed that 15 government departments had been monitoring the social media activity of potential critics and compiling "secret files" in order to prevent them from speaking at public events. These government departments included:

• The Department of Health
• The Department for Digital, Culture, Media & Sport (DCMS)
• The Department for Environment Food and Rural Affairs (DEFRA)
• The Department for Business and Trade

The above findings came only months after PI received responses to FOIA requests made to some of these same government departments, which denied the use of social media monitoring tactics when explicitly asked about them.

The Department for Education told us explicitly that they did not conduct social media monitoring.

DEFRA similarly denied carrying out social media monitoring.

DCMS stated that they did not hold information responsive to the request, and they did not hold information on any related guidance.

b. UK Cabinet Office guidance - the latest justification to exclude critics

While the use of social media monitoring across government departments appears haphazard and uncoordinated at best, this was not always the case. Until July 2023, at least two guidance documents issued by the UK Cabinet Office in 2021 and 2022 enabled government departments to undertake social media monitoring: the Due Diligence and Impartiality Guidance, and the Guidance on learning and events, respectively. The latter guidance has never been made public, though reporting suggests that it also directed civil servants to vet the social media of guest speakers.

The Due Diligence and Impartiality Guidance, addressed to the Civil Service at large, highlights the importance of “retain[ing] impartiality across the Civil Service, avoiding any politicised events or groups impacting on the working life of civil servants”. The Guidance goes on to state the need for vetting processes when dealing with external individuals and organisations, particularly when it comes to speakers invited to government events.

The Due Diligence guidance then sets out a "Due Diligence Framework” and a "Decision-Making Process”. The latter explicitly suggests readers of the guidance conduct research on the individual or organisation before engaging with them, recommending a review of corporate publications, media and news articles, as well as social media commentary. Notably, the guidance recommends the person carrying out the due diligence go back five years and amass a minimum of 5-10 pages of search page results.

Strangely, the guidance calls for the reader to be mindful of the application of the General Data Protection Regulation (GDPR) when “storing” information collected through the due diligence exercise, but does not address the GDPR considerations involved in collecting the data in the first place, and does not mention privacy once.

The instruction given to readers of the policy is clear: if there is any indication that the individual in question is involved in political commentary and campaigning activity that would impact the impartiality of the Civil Service, then they must not be engaged further.

In July 2023, the Minister for the Cabinet Office stated that the Due Diligence guidance and learning and events guidance had been withdrawn while a review and update of the guidance was undertaken. The Minister stated that the new guidance was expected to be re-issued in early autumn. To Privacy International’s knowledge, no such guidance has been made public.

IV. The applicable legal framework for the use of social media intelligence and its lack of clarity

Why does the UK government seem to think accessing people’s social media for a range of purposes in a variety of settings is fair?

The answer partly lies in the legal framework surrounding social media monitoring. Currently, there is no single piece of legislation which specifically regulates social media monitoring as such. Whether or not social media monitoring is regulated depends on whether or not it can be considered to be “directed surveillance”.

The Regulation of Investigatory Powers Act 2000 (RIPA), which applies to "directed surveillance", defines it as surveillance that is covert and undertaken for investigative purposes in a manner that is likely to obtain private information about person.

RIPA further states that surveillance will be covert if and only if it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place. (RIPA, s.26(9)(a)). If surveillance is indeed considered to be covert in nature, and meets the full definition of directed surveillance, RIPA requires for it to be authorised by a designated person prior to being undertaken.

Broadly, the definition of "covert" surveillance - and by extension, the definition of directed surveillance - has been understood in practice to exclude the monitoring of publicly available online content. For example, the Office of Surveillance Commissioners reasoned in their Covert Surveillance of Social Networking Sites guidance that, where privacy settings were available but not applied, the data may be considered open source and an authorisation under RIPA would not usually be required. Conversely, they considered that repeat viewing of "open source" sites may constitute directed surveillance on a case by case basis and this should be borne in mind.

Government departments have built on this understanding. For example, the DWP considers that viewing social media content more than twice may bring the activity within the scope of RIPA.

Local authorities have interpreted current legislation somewhat inconsistently. Blaenau Gwent County stated in their FOIA response that, "the fact that an individual is not told about “surveillance” does not make it covert […] If an Officer decides to browse a suspect’s public blog, website or “open” Facebook page, this will not be regarded as covert.” Conversely, Arun District Council has stated that “casual (one-off) examination of public posts on social networks as part of investigations undertaken is allowable with no additional RIPA consideration. Repetitive examination/monitoring of public posts as part of an investigation must be subject to assessment and may be classed as Directed Surveillance as defined by RIPA”.

More recently, we have observed concerning developments with the Investigatory Powers (Amendment) Act. It is a recently enacted law which weakens safeguards governing how the UK intelligence services collect bulk datasets of personal information (BPDs), potentially allowing them to harvest vast amounts of social media data, amongst other things under a new Part 7A to the IPA. This roll back of safeguards is being justified on the basis that the new 'low privacy' BPDs described in section 7A are purportedly publicly available. According to the Act, a 'low privacy' BPD should be determined by having ‘regard’ to 'circumstances' including 'in particular' factors such as the 'nature of the data', whether the data 'has been made public by the individuals' or they have 'consented to the data being made public', the 'extent to which the data is widely known about', and if it is published or has 'already been used in the public domain'. We are concerned that such databases could involve mass voice prints, images, social media posts or other data from social media posts over time, the use of which raises significant privacy concerns even if the data is initially publicly available.

Following concerns raised by PI, in April 2024 the UN Human Rights Committee noted in its Concluding Observations of the review of the UK’s compliance with the International Covenant on Political and Civil rights its concerns about these amendments to the IPA 2016 and how they have “the potential to lead to overly broad collection of personal data”.

The current position in the UK misses the fact that people don’t typically expect the government to consult their social media. As outlined by the European Data Protection Supervisor (EDPS) social media monitoring “involves uses of personal data that go against or beyond individuals’ reasonable expectations". Further, the EDPS noted that these uses “often result in personal data being used beyond their initial purpose, their initial context and in ways the individual could not reasonably anticipate”.

The UN Human Rights Council has urged caution with regard to social media surveillance. In its General Comment No. 37, it noted the danger of social media monitoring in the protest context, noting that the mere fact that assemblies take place in public does not mean that participants’ privacy is not capable of being infringed.

V. Conclusion

There remains limited publicly available information and transparency from governments on the extent to which social media monitoring takes place - and what we do know is concerning.

The recent high-profile incidents involving the social media monitoring of subject-matter experts in the UK point to a trend by the government to de-platform dissenters, which comes with obvious challenges to civic spaces and democracy.

Aside from those well-documented cases, the vast majority of individuals who are subjected to social media monitoring may not know that this has been the case. At a local authority level, individuals who are the subjects of an ongoing investigation may never learn that their social media has been monitored, and even if they did, the lack of audits and record-keeping on this type of activity - to the extent that it is deemed "overt", and therefore excluded by RIPA - may make it impossible for the authority itself to know with any certainty whether social media monitoring did take place.

The obscurity of social media monitoring raises concerns about the onward use of any personal data gathered, which can take place without the knowledge of the data subjects concerned and virtually evade all scrutiny.

We need an urgent reckoning by governments as to the need and justification for collecting this data, in the UK and beyond. Legislators and regulators must step up to ensure that social media monitoring, to the extent its permissible, is done within a framework that respects privacy, freedom of expression and all our human rights.