The BlueLeaks Show How Police Use Social Media to Track Protests

From following Facebook events to tracking tactics posted on Twitter, an analysis of leaked law enforcement documents shows how police are using social media to patrol protests.

On June 19, a collective called the Distributed Denial of Secrets (DDoSecrets) published 269 gigabytes of internal law enforcement data from more than 200 offices across the country.

Dubbed the “BlueLeaks,” the collective credited Anonymous with obtaining the material, which is believed to have largely been hacked. Much of the documentation comes from fusion centers—hubs where local, state, and federal officers share information.

While the millions of files span at least a decade, many on social media quickly focused on those tracking the ongoing protests against police brutality. On r/blueleaks, a subreddit created to parse through the data, users shared examples of local law enforcement using Facebook events to track protest organizing and organizers in recent weeks.

Internal documents from two different departments show police creating lists detailing Facebook events in their jurisdictions, including the anticipated number of attendees and even the names of some organizers.

Other posted documents came from national bodies, including the Army Threat Integration Center, which issued an intelligence report about social media posts promoting “how to interfere with the National Guard during riots.”

The report goes on to describe videos that suggest protesters “conceal your identity” and target police tanks with water balloons filled with “sticky liquid.”

The Daily Dot has independently reviewed a number of similar documents from local and federal sources circulating so-called “open source” information, much of it unverified social media claims.

This included conspiracy theories, such as protesters staging piles of bricks to “incite violence.”

“Twitter user claims piles of bricks are being staged around the United States to fuel violent opportunists in major cities,” reads one document. “Source claims that this is a tactic, technique, and procedure (TTP) being used by Antifa.”

Though there was at least one document dedicated to a group on Telegram, the majority of files citing social media posts appeared to be from Facebook and Twitter.

After the leaks, Twitter began shutting down information about the data, permanently suspending the DDoS account and temporarily suspending those who post content from the leak in accordance with its distribution of hacked materials policy.

Anarchist media platform “It’s Going Down” claims it was forced to delete three tweets in order to “unlock” its account after tweeting a screenshot from the leak.

Even before the BlueLeaks, fusion center surveillance was the source of scrutiny and even a lawsuit in Maine. In a New York Times article, Mike Sena, the president of the National Fusion Center Association, told the paper the centers are “not geared toward” tracking protester data.

“Anytime there is a mass gathering of people, special events, or whatever it may be, a fusion center’s role is to make sure that there are no known threats to the people that are attending,” Sena said.

READ MORE: