Institutions stonewall public records requests over Facebook, Twitter accounts

April 23, 2020

This week, FIRE released a survey of 224 public universities and colleges that we created using public records requests to explore how these government actors use Facebook’s content filtering tools — and the user-blocking tools on both Facebook and Twitter — to silence speech on their official social media pages.

In addition to revealing the pervasive use of tools that allow these institutions to automatically delete specific words, the survey served as a useful stress test of public institutions’ commitment to transparency. Our request here sought a few very specific and easily accessible records that also had the potential to be embarrassing. 

The good news is that the vast majority of institutions responded, which is, in FIRE’s experience, unusual. In fact, 88% of institutions ultimately provided records, although some required convincing. For example, and to its credit, the leadership of Rhode Island College believed that the state’s public records law didn’t require it to share records, but agreed that transparency is important and produced their records anyway. 

A fair number of institutions, however, found novel reasons to refuse to share information on what words or users they block on Facebook or Twitter. 

Silence, please, in the security theater

Perhaps the most absurd of these excuses was that of Michigan State University, an institution noteworthy for its resistance to transparency. MSU refused to produce these records, invoking exceptions to Michigan’s Freedom of Information Act that included a provision developed in the wake of the September 11, 2001, terrorist attacks. These exceptions allow government officials to restrict access to information about “security measures . . . relat[ing] to the ongoing security of the public,” records of “measures designed to protect the security or safety [or] confidentiality, integrity, or availability of information systems,” or records that would “identify . . . a person that may . . . become a victim of a cybersecurity incident. . . .” 

As we pointed out at the time, this was an absurd — although not unexpected — use of counterterrorism and security exceptions to thwart access to records that might evidence ongoing censorship:

Of course, if telling people what words can’t be posted on a Facebook page is a security risk, then nearly 200 institutions would have jeopardized public safety and security by sharing their blacklists with us. Obviously that’s not the case: Telling people what can’t be posted doesn’t enable them to post those words. These are not blueprints to nuclear plants or the secret plans to defend against a military invasion by Canada.

Freedom (of information) isn’t free

While almost every institution provided records for free, some sought to charge fees for access to a few pages of records. Some of these were insubstantial and reflected the actual cost to produce the records — $5.00 here or $12.00 there. 

Others were exorbitant. Portland State University was the most egregious, first requesting $1,331.18 — after granting FIRE a 20% discount from $1,663.97 — for what turned out to be 61 pages of records. The university reasoned that it would take some 33 hours of staff time to research each blocked user to determine whether or not he or she had been a student, as privacy laws might require their names to be redacted. After FIRE suggested that Portland State skip the research and simply redact the names of every individual, the university agreed to charge a relatively meager $49.76.  

When you really think about it, what is a “record,” anyway?

Some institutions refused to produce anything, arguing that Facebook and Twitter records aren’t really records. The University of Missouri argued that Missouri law “does not require” it to “create a document where such a document does not already exist” but instead “provides a mechanism for the public to obtain copies of existing records,” so the university declined “to create such reports.” Utah’s Weber State University reached the same conclusion.

This interpretation of public records laws reflects confusion about their purpose and how they apply to digitized records. Public records laws were best understood as allowing access to specific, existing documents — like a deed, a report, or a signed contract. They weren’t intended to require an agency to go collect information and print it onto a new document. But as information becomes digitized, agencies have balked at requests that seek records that haven’t yet been printed, or that can’t easily be analogized to a written page.

That interpretation, however, ignores that public records requests are about access to information, not strictly the pages on which it is printed. That information is stored in electronic form doesn’t make it any less a record. As a result, courts across the country have distinguished between access to information and requests that require the manipulation of data or the creation of information that does not already exist in some form. Unfortunately, the University of Missouri ignored and Weber State University rejected our requests for reconsideration.

Tellingly, every other institution in Missouri and Utah interpreted their respective state laws as encompassing electronic records.

Nebraska is, like its terrain, uniform

While some institutions within a particular state interpreted their laws inconsistently, Nebraska’s institutions were united in refusing to produce records. 

The University of Nebraska system responded collectively when asked for records concerning the Lincoln, Kearney, and Omaha institutions. The university agreed to share records of the users it blocked from posting on its Facebook pages or interacting with its Twitter accounts, but refused to provide a copy of the words it blocked from being posted there. It claimed that the list of words was “not a record” but instead “settings information” consisting of “design or setup information.” If there’s a difference between a list of users and a list of words prohibited from a website, we’re not sure what it is, and the University of Nebraska declined to elaborate.

Similar to the “it’s not really a record” argument, several Nebraska institutions — Metropolitan Community College and Southeast Community College — collaborated on making the argument that they weren’t really in “possession” of the record or that the record wasn’t one “belonging” to them. Although they created the records by starting social media accounts and could access or alter that information at any time of the day or night, these institutions claimed that it was Facebook and Twitter, not them, who had the records. But one interesting aspect of the internet is that it allows more than one person to have the same record at the same time. If a public institution can avoid its open records laws by storing its records online, it would turn the internet’s function from increasing transparency to facilitating opacity. 

G-g-g-ghosts??

Some institutions adopted the strategy that if you don’t move, nobody can see you. The Community College of Baltimore County, for example, repeatedly failed to acknowledge our request until we sent them a letter via certified mail, said it was reviewing our request, then fell silent again. Similar scenes played out at Barton Community College in Kansas and Normandale Community College in Minnesota. But ghosting is, counter-intuitively, not an exercise in transparency.

Fortunately, most institutions complied with their obligations under public records laws. You can see what we learned by reading our full report.