What a Social Media Check for Visas Would Require

There’s a bunch of fevered commentary arising out of the report that Tashfeen Malik, one of the perpetrators of the San Bernardino attack, espoused extremism on Facebook before she entered the country. Otherwise sane members of Congress are submitting legislation calling for the government to review social media before granting a visa.

Here’s why that’s dumb.

First, let’s look at whether the State Department really could have found Malik’s posting before granting her a K1 visa. As CNN reported, Malik hadn’t actually been plotting jihad in the open, as much of the reporting on this suggests.

Tashfeen Malik advocated jihad in messages on social media, but her comments were made under a pseudonym and with strict privacy settings that did not allow people outside a small group of friends to see them, U.S. law enforcement officials told CNN on Monday.


The New York Times reported on Sunday that U.S. immigration officials conducted three background checks on Malik when she emigrated from Pakistan but allegedly did not uncover social media postings in which she said she supported violent jihad and wanted to be a part of it.

According to the law enforcement officials, because Malik used a pseudonym and privacy controls, her postings would not have been found even if U.S. authorities had reviewed social media as part of her visa application process.

A U.S. official told CNN shortly after the San Bernardino attack that the United States only recently began reviewing the social media activity of visa applicants from certain countries. The date that these types of reviews began is not clear, but it was after Malik was considered, the source said.

So to get to the posts in question, someone would have had to match her pseudonym to a known identifier of hers, access her private communication, and then translate it from Urdu.

The NSA (though not State) actually has the ability to do that. They’d probably find her pseudonym either the way the FBI reportedly did, by giving Facebook her known email which they’d find was tied to that account, or they’d stick known identifiers (including name, email, credit card with which she paid her visa fee) into a tool the NSA has for correlating identities.

This process would be helped, of course, if DHS’ online visa application system was working, because that would not only increase the chances you’d get a working email for the applicant, but it would also give you at least one IP address you could also correlate on. But the effort to do that has become the worst kind of boondoggle, with a billion dollars spent and just one online form working. So this whole process would be started with less certainty attached to any online identifier.

The NSA also has the ability to read private posts — on Facebook at least. Given that at the time Malik applied for her visa she was neither a US person (I’m still not certain whether she would have been treated as a US person just with a fiance visa, on application for a Green Card, or on receipt of one), nor in the country, NSA could have used PRISM (with the added benefit that it would provide a bunch more identities to check).

Of course, you’d also want to check non-US social media, like Telegram (which ISIS has reportedly been using) and Vkontakte (which the Tsarnaev brothers used). That’s going to be harder to do.

Finally, you’d have to translate any posts Malik wrote from Urdu to English. While an initial translation could be done by machine, to understand any subtleties of the posting, you’d need to get a human translator to do the work, and even for key languages like Urdu and Arabic, the government has far too few translators.

So you could do such a check, at least for US-based social media, but you’d have to involve the NSA.

Now consider the resource demands of doing this. There are upwards of 450,000 immigrant visas issued each year.  There are another 750,000 student and temporary work visas, both categories of which are closer to a typical terrorist profile than a fiance visa (that doesn’t include exchange visitors and a range of other kinds of work visas).

Last year, the government targeted 92,000 people under Section 702, which you’d have  to use to get just private (not encrypted) communications. So you’d have to do an order of magnitude more PRISM searches every year to thoroughly check the social media of just the most obvious visa applicants. You’d either have to vastly expand NSA’s workstaff — and require key social media providers, like Facebook, to do the same just to stay ahead of compliance requests — or you’d have to pull them off of investigating targets about which they have some reason to be interested already.

Of course, if you did that — if you passed a law requiring all immigrants and long term visa applicants to be checked — then you’d make it far easier for people to evade detection, because you’d be alerting the few people who’d want to evade detection that you would check their accounts. They could then move to social media, like Telegram, that the US would have a harder time checking, and encrypt their messages.

Moreover, you’d be making this great effort at a time when much more obvious problems (such as that online form!) haven’t been fixed. Most importantly, since 9/11, it has been a top priority to track the exits of short term visitors (including those people with visa waivers), and the government still hasn’t managed that yet. If you want to make America more safe, you’d be far better served finally fixing that problem than reading a million people’s secret social media posts.

3 replies
  1. bloopie2 says:

    What a clear exposition of the situation, thank you. I clicked your link to the online immigration forms boondoggle, and found this statement: “DHS officials acknowledge the setbacks but say the government is well on the way to automating the immigration service, which processes about 8 million applications a year. The department has scrapped the earlier technology and development method and is now adopting a new approach relying in part on cloud computing.”
    Cloud computing, eh? Isn’t that easier to hack than “non-cloud computing”? Know anyone who might want to do that, may be some foreigners want to come to the US? So, maybe they need to encrypt? The government is very good at that, isn’t it?
    Reminds me of the old Dagwood comic strip, in which Blondie tells Dagwood, “A fat lady got stuck in the revolving door at Tudbury’s today. … They put in another fat lady and revolved her out.” It never ends, does it?

  2. POVSEA says:

    Great write up. Thank you. Unfortunately now Sen. Cotton and Sen. McConnell want to expand NSA past pre-USA Freedom Act levels because of Malik’s social media postings. The two don’t correlate and shouldn’t be linked.

  3. haarmeyer says:

    Actually, none of those obstacles are as insurmountable as the one that Congress doesn’t actually dictate to the departments how they should do their visa reviews, except perhaps for Guantanamo detainees. It would be challenged.

    Such a major change is essentially a form of immigration reform, and a massive one, so Congress would have to contend with how it wanted to explain that to its constituents, and Congress would soon find out during the period when they were debating the bill, that they would get a lot of reasons why not to do this kind of change before it got to a vote. A vote on something like this is therefore just a show.

    As for whether or not the various agencies could do all of this, it isn’t anywhere near a hard as it seems. And dragging in intelligence services to do it wouldn’t be a change at all, it would just go from optional to mandatory. Currently, even the most benign visa categories have an option by the CIA to delay the visa while they do a background check. Any of them at all, from tourist visa to O(1) to Refugee. These agencies would immediately lobby the Congress if they thought Congress was coming in to micromanage. Telling them to start regularly looking at social media is one thing, requiring it for every CIA checked visa is another, requiring it for countries on a list is another, and requiring for all of them still another. That last one would never be anything but grandstanding.

Comments are closed.