08 Feb Symposium on Fairness, Equality, and Diversity in Open Source Investigations: Internet Vigilantism or Justice for Mass Atrocities? The Legal and Ethical Dimensions of Collecting Information From Private Groups on Social Media
[Raquel Vazquez Llorente is the Head of Law and Policy, Technology Threats & Opportunities at WITNESS. The views and opinions expressed in this article are those of the author alone.]
Information available on the internet can open a window into international crimes and human rights violations occurring in countries otherwise closed to investigators. Social media platforms have become unforeseen repositories of the worst moments of humanity, with evidence on display on their digital walls. While the bulk of this information may be classified as open source, valuable evidence linking perpetrators to their crimes may increasingly lie behind private groups or channels that require requesting access or applying for membership. This “grey area” of open source investigations brings new legal, ethical and security challenges to civil society groups collecting this type of content. This post draws from a debate that has taken place in other communities carrying out similar work (academia, journalism and law enforcement), and offers recommendations to help guide future conversations. Far from being prescriptive, the goal is to invite a closer questioning of emerging open source investigative techniques, with the purpose of advancing our thinking on the ethical dimensions of data collection for justice and accountability, and support those entering this complex area of practice.
Infiltrating a private group is not a straightforward activity, and there are multiple scenarios that organizations should consider. Depending on the purpose and size of the group or channel, investigators may have to employ different levels of deception to gain access to a private group. These closed forums may require a referral by an existing member, answering a certain number of personal questions prior to joining, or explaining why a user would like to become part of the network. However, it is not uncommon for the “application” process to be perfunctory, with users given access to the group with limited or no screening at all. Additionally, most of these actions are generally performed by investigators under a virtual dummy account or false identity. These “fake accounts” permit an individual to observe exchanges between other users and carry out other actions such as interacting with sources, all under a pseudonym and a profile that does not match the reality of who’s behind that account.
For the members of a closed group, privacy expectations are contextual, and may partly depend on how access is granted, or the size of the group. For instance, private groups in Telegram are not searchable, and only the creator or the admin can add people to it–however links to the group are sometimes circulated publicly in other social media platforms or websites, or among other closed groups. Facebook does not cap numbers for a private group and, for situations like Ukraine, many groups can reach the population of a small city. The visibility of some of the group details, such as name and description, may be open to anyone, or restricted to current, invited and former members. Some groups may start as public, and become private over time.
This multiplicity of scenarios can be challenging to navigate for civil society organizations conducting open source investigations–especially when, in many situations, it can be hard to know in advance the specific end goal of a project. After all, it is not unreasonable to think that a private group whose visibility is open to anyone, has tens of thousands of members, and only requires one click to become a member, is no different than a post on a public Twitter feed. In the physical world, this could be the equivalent of going into a nightclub staffed by a bouncer at the entrance. Now, where do we draw the line? Is observing the scene and trying to overhear conversations acceptable? How about asking general questions about the environment or customer base, without stating why that information is of interest, for instance, as long as they are not directly relevant to a specific case? What about coming closer to a group of people maintaining a conversation, to the point that it can be recorded? How does this change if the researcher has changed their appearance, or further, adopts a different persona for their interactions with other clubbers?
Online Exceptionalism: How the End of An Investigation Shapes its Means
These questions are also far from settled in the online environment. Academic institutions, and the social sciences in particular, have long been concerned by the ethical aspects of Internet research, particularly when it involves continued observation of an online community’s behavior. The guidance can vary disparately across institutions and academic disciplines, and it can range from merely adopting the minimally required data protection measures, to stricter rules of engagement that mandate the researcher to disclose to the group their identity, purpose of the research and data being gathered. Similarly, journalists at the forefront of mis and disinformation reporting have been reflecting on their own practices for years, with some of the most detailed, clear and useful advice coming from this field.
Generally, these civil society-led investigations are similar to those carried out by law enforcement or public authorities. However, in most countries civil society organizations conducting criminal investigations lack specific checks and balances, while the regulation of covert operations by public authorities have been the subject of scrutiny and reform across many jurisdictions, and increasingly incorporate provisions on the use of digital tools. If only because of high profile scandals have led to calls to strengthen the oversight of police practices, like in the UK, official investigations have a stricter operational framework. This said, if the level of deception is limited to creating virtual dummy accounts, without any interaction with other users or undercover work, and the groups infiltrated do not have a strict membership process, law enforcement may accept the information collected by a civil society organization–provided other precautions are in place, for instance, whether there hasn’t been a payment for the information received, or if there’s chain of custody (the requirements may vary across jurisdictions, with some having more leniency). Traditionally, many of these non-official investigators have a prior relationship with police forces or prosecution units, in occasions being signed as informants; or conduct this work under the supervision or instruction of a lawyer, who reviews the parameters of the investigation and has been instructed by a client.
For civil society organizations that are conducting investigations under their own auspices, in particular those who may not legally represent a victim, the terrain can be harder to navigate, particularly given the absence of an oversight body they can resort to test for the legality, necessity and proportionality of their practices–this being the most common test official authorities are held against. In addition, many civil society organizations gathering data from private groups conduct this activity for multiple purposes that can on occasions be at odds with each other. For instance, public naming and shaming or “red notice” announcements may erode fundamental human rights we have long fought for, such as the presumption of innocence, or foster a culture of Internet vigilantism. On the other hand, infiltrating private groups may also uncover crucial evidence of mass atrocities. This can lead to an approach of “online exceptionalism”, by which we justify practices that would be deemed illegal or unethical if other actors were to carry them out, but are acceptable when pursued by NGOs or private investigators that operate almost exclusively in the virtual plane and are considered as serving a “greater good”.
Ethics as a Moving Target: Recommendations for Funders and Civil Society Investigators
Civil society organizations conducting open source investigations to research or expose human rights abuses will find themselves in situations that are fluid and require assessments that are both cautious and agile. As Gabriela Ivens from Human Rights Watch puts it, “half of my work boils down to working out if we can do something, the other half is working out if we should”. The following questions can help guide internal conversations for an organization that may be evaluating whether to collect information from private social media groups or websites. More extensive reasoning can be found in First Draft News Essential Guide to Closed Groups, Messaging Apps and Online Ads, the Berkeley Protocol on Digital Open Source Investigations, and HRBDT’s Guide for Human Rights Organizations.
- What’s the goal of the investigation?
- Has the link to the private group been shared in public?
- Where does the funding for this project come from? Are there any guidelines from the funder?
- Is there another way to obtain this information?
- Does the researcher reasonably believe that the information exists only in that private group?
- Is there a significant public interest in the information, or an expectation that there will be?
- What are the risks to the organization and its staff, members of the private group, and future investigations?
- Is there a way to join the private group by not disclosing any information, or staying deliberately vague about the researcher and the purpose for joining?
- If the researcher gains access to the private group, will they contribute in any way, or limit themselves to observe and collect information?
- Once the information from a private group has been collected and preserved, how will the organization use it?
If the goal of an organization is primarily to build or contribute to a criminal investigation, they must understand the boundaries within which their lawyers or researchers can gather data, else they risk rendering it unusable beyond lead evidence. Some jurisdictions, like the US, UK and Canada, contemplate the use of civilian criminal investigators. However, in most instances these are jobs that require training and are embedded in police units. Many of the investigations led by civil society organizations would be more akin to the Spanish “acusación popular” (popular accusation), which allows any citizen or legal entity not only to be party to a criminal proceeding, even if they have not been affected or suffered any damage from the crime; but also to bring a case to trial without a prosecutor (although this is limited only for some crimes and certain circumstances). Popular accusation has played an important role in the arrest of former Chilean dictator Augusto Pinochet and in the prosecution of public authorities for widespread abuses in the context of countering Basque terrorism. Yet this remains unique in Europe, and is not without controversy. Civil society should look at these examples across jurisdictions for further guidance.
Even if organizations are not seeking to contribute to legal proceedings, being aware of the laws and regulations of the jurisdiction they are operating in and taking measures to comply with them should be a first step. For instance, in terms of collecting information obtained from private groups, many jurisdictions have long established guidelines addressing when a conversation between private parties can be recorded. More generally, the GDPR consolidates the different regulations, laws and guidelines across the EU and provides strong privacy protections, giving to organizations a shared foundation for thinking about how to collect and preserve information they may have obtained during the course of their investigative activities. It also includes in its Article 85 an exemption from some of the legal requirements that would otherwise apply to the processing of personal data, when compliance with GDPR would impede journalistic purposes.
When answering the questions above, organizations should also consider outlining clearly the circumstances and parameters concerning how the work will be done. For instance, whether private groups can only be infiltrated as part of a litigation project and with instruction from lawyers. Some of the questions above align with the GDPR’s test of what constitutes “legitimate interest” for entities that control or process personal data. Connected to this, and as a general practice, organizations should try to predict, as much as possible, the products to which the data collected be fed into, and constantly re-evaluate their activities as the investigation progresses. More importantly, when reporting publicly, organizations should seriously reflect about the need and purpose for disclosing details on individuals or communities. After all, one person’s popular justice may be another’s doxxing.
Donors financing projects considering this type of open source investigative techniques play a crucial role in upholding ethical standards. To start with, they should provide clear guidance on whether there are any red lines when using their resources for investigative work. This is particularly relevant to institutional donors and foundations which may already have similar internal guidelines. For organizations that have a distributed workforce with high levels of autonomy, flexible staffing arrangements (for instance if they work with volunteers), or a lack of in-house lawyers or strong internal policies and procedures, funders could also push for the creation of ethical committees or panels that can help predict and navigate complex scenarios prior to engaging in a project and as they arise during the course of an investigation.
Just because a practice is lawful, it doesn’t mean it is a good idea. Lacking a legal regime that is specifically addressed to civil society organizations who move across journalistic, academic and legal practices, ethical frameworks for decision making should be an important component in civil society’s investigations.