FBI Provides Chicago Police With Fake Online Identities for “Social Media Exploitation” Team

Internal documents also reveal that police can take over informants’ social media accounts and pose as them online.

Demonstrators live-stream a protest via smartphones in Uptown neighborhood of Chicago, the United States, June 1, 2020.
Demonstrators livestream a protest via smartphones in the Uptown neighborhood of Chicago on June 1, 2020. Photo: Javage Logan/Getty Images

Brian Campbell couldn’t sleep. It was May 31, 2020, and demonstrations sparked by the murder of George Floyd were spreading around the world. Before going to bed, the Chicago Police Department officer had come across a tweet that appeared to show the destruction of his force’s property. “Man in Joker mask ignited a police squad car today in Chicago’s protest,” it read. “Managed to capture a few pictures.” The tweet had been republished by Law Enforcement Today, in a post that claimed, “The ‘peaceful’ protests resulted in anything but peace.” One photo in the tweet showed the masked man with his hand near the gas tank of a police car. Another showed the car in flames. The man stood in the foreground, his arms spread open wide, the Joker’s outsized grin frozen on his face. The images confirmed a worldview in which police were victims rather than aggressors. Campbell stayed awake obsessing over them.

What he did next would become important for a little-known CPD task force overseen by the Federal Bureau of Investigation. Called the Social Media Exploitation, or SOMEX, team, the task force had been set up to help the FBI find informants and intelligence using information gleaned from social sites. The Intercept and Chicago-based transparency groups obtained more than 800 pages of emails and other documents about the team through public records requests. These show that the team’s officers were given broad leeway to investigate people across platforms including Facebook, Twitter, Instagram, and Snapchat, using fake social media accounts furnished by the FBI, in violation of some platforms’ policies. Campbell’s work would be held up as a model for the team.

“Found This POS”

Across the United States, federal and local authorities were combing social sites for scraps of information, disseminating alarmist notices about “revolutionary anti-capitalist” gatherings, suburban candlelight vigils, and children’s peace marches. Campbell thought maybe he could identify the man in the Joker mask. In the comments beneath the tweet, people had noted the man’s unusual tattoos: scrawled across his neck was the word “PRETTY.” At 5:09 a.m., the police officer believed he had found a match. Campbell emailed the Crime Prevention and Information Center, or CPIC, a Chicago-area fusion center set up for sharing intelligence among police and federal agencies. “Did a little digging and found this POS,” he wrote, using an abbreviation for “piece of shit.” He did not say how.

Campbell determined that the man in the tweet was Chicago resident Timothy O’Donnell. A few hours later, his tip was turned into a Suspicious Activity Report, or SAR, and entered into the FBI’s eGuardian system, through which law enforcement agencies share threats. Soon after, officers searched O’Donnell’s apartment. In a bedroom they found a Joker mask.

O’Donnell was charged with arson. In February, following nearly two years in custody, he pleaded guilty to the lesser charge of civil disorder. A 2021 report by Chicago’s Office of Inspector General found that the night of the fire, police had kettled protesters in an area with many department vehicles, potentially contributing to the damage. “He was a target, really simply, because he had a mask on his face,” said O’Donnell’s attorney, Michael Leonard, who said that surveillance camera footage shows dozens of other people trying to damage the police car. “This was about the guy in the Joker mask because he was seen in photos, and that’s sexy from a police standpoint.”

Supervisors celebrate after a CPD officer uses social media to identify a man suspected of lighting a police car on fire.

Screenshot: The Intercept/Illinois Freedom of Information Act

Documents back up the claim that Chicago police were keen to work with sensational social media imagery. In the hours after Campbell sent in his tip, congratulatory emails pinged through the department. The context surrounding his email to CPIC suggests that Campbell had done his research while off-duty, which would have been a violation of department policy. But supervisors focused on his success. “Nice use of social media,” wrote a lieutenant. Although Campbell belonged to another part of the department, his sleuth work was celebrated by the SOMEX task force supervisors.

“This is a great job! Awesome work,” emailed a sergeant, later adding, “This is what I was talking about using our SOMEX teams for.”

By any measure, the week that followed George Floyd’s murder by a white police officer was an intense moment in Chicago’s — and U.S. — history. Thousands of people took to the city’s streets to peacefully demonstrate against police violence, marching along Lake Shore Drive and gathering outside the Trump Hotel. Despite ample warning, the Office of Inspector General report found, Chicago’s police were unprepared. When they did react, their response was chaotic and excessively violent, with officers variously hiding their badge numbers, turning off their body cameras, blasting people with pepper spray at close range, bantering about shooting people who were fleeing police in the head, and telling an arrestee that they would be raped in jail.

The SOMEX team’s reaction was also troubling. Ostensibly, the team’s mission was to provide both the FBI and the CPD with useful intelligence. But the documents show what the SOMEX officers did instead: flag potential damage of police cars, investigate the social media connections of people who had made threats online, and cull videos for the department’s YouTube channel. In a few instances, they also circulated posts about upcoming demonstrations, including an event called Northside Protest for Black Lives.

SOMEX team supervisors did not apparently see this as a failure, though. Documents show that in the protests and their aftermath, commanding officers spotted an opportunity to prove the recently established task force’s worth. They had officers trawl social media for posts that appeared to show arson or destruction of police property, with an eye toward finding footage for so-called seeking to identify videos – basically, “Wanted” videos — to be disseminated on the YouTube channel. They also deepened partnerships with surveillance tech outfits, including Amazon Ring.

Taken together, the documents are a rare window into the daily work of secretive social media investigators, whose ranks have grown within both local police departments and the FBI. They show Chicago police merging open-source intelligence, or information available to the public, with invasive online undercover work and granular data procured using surveillance tech. They also raise troubling questions at a moment when courts and civil liberties advocates are challenging the reach of powerful new policing tools.

“This is surveillance in the digital age,” said Matthew Guariglia, an historian and policy analyst with the Electronic Frontier Foundation, which for years has tracked the use of fake social media accounts by police and federal agencies. The pressure to identify threats and preserve “Wanted” videos raises the specter of police assuming guilt by association, he noted. “The real fear is that people who have done nothing wrong are going to be punished and face reprisals for just being in proximity.”

Freddy Martinez, a founder and organizer with the police accountability nonprofit Lucy Parsons Lab, noted that CPD has a poor track record of interpreting the meaning of online posts. Lucy Parsons Lab found that the department has surveilled residents who were simply grieving for loved ones who had died due to violence in the city. “There’s a lot of context that is lost online, and it makes it challenging to discern motive,” he said. “Is this a meme, is this a reference to something online? Social media monitoring is a tool that lends itself to potential abuse because it flattens that context into a thin window.”

The documents show that SOMEX officers have broad leeway to investigate people using online aliases. According to the special order that established the task force in 2019, the FBI can provide officers with fake accounts or “alias identities.” Elsewhere, the document says that fake profiles must use “uniquely created” photos — presumably images generated by AI. Officers are even allowed to take full control of informants’ online identities and, with permission, pose as them in their social media investigations.

A 2019 CPD special order, obtained by Transparency Chicago, establishing the SOMEX Team.

The order defines social media broadly to include dating sites, delivery apps, online shopping, and “any and all online communication sites known and unknown which collect user data.” It says that the FBI helps oversee the team’s day-to-day work, noting, “The FBI will detail personnel to assist in the implementation of the SOMEX Team.” The emails obtained by The Intercept suggest that during the George Floyd protests, some of the task force’s plans were in fact relayed to the FBI.

“I’ve never seen an internal police department policy that seems to abdicate authority to the FBI like this,” said Michael German, a former undercover FBI agent and a fellow with the Brennan Center for Justice. “These types of policies rarely come into public view this way.” But in general, he noted, the FBI has a long-standing interest in monitoring social media. “We know that they’re collecting massive amounts of information about people based on no suspicion of wrongdoing.”

The FBI also uses the term “SOMEX” at the national level. It recently inked a $27.6 million contract for software for social media surveillance, the Washington Post reported in April. The contract covers 5,000 licenses to use Babel X, a software made by surveillance tech company Babel Street that allows users to search social media within bounded geographic areas. The call for bids that preceded the contract says it is “intended to satisfy the gaps in the FBI’s SOMEX capabilities.”

The FBI had sought software that could retrieve data within eight minutes of it being posted “from as many websites as possible, in a low-footprint and/or anonymous manner” and retain it for at least a year, according to the tender document. The bureau outlined plans for the software to be used by employees logging in with “generic accounts which do not indicate name or affiliation of the users.”

The FBI also has a Social Media Exploitation Team within the National Threat Operations Center in Clarksburg, West Virginia, that “addresses online threats to life from social media associated with unknown subjects, victims, and locations,” according to the 2020 annual report of the FBI’s Criminal Justice Information Services Division.

To what degree that national SOMEX team works with the Chicago task force is unclear. The Intercept also could not determine whether the FBI has similar task forces with other police departments, as is the case with the FBI’s Joint Terrorism Task Forces. A bureau spokesperson did not respond to a list of detailed questions about the Chicago SOMEX task force and the national SOMEX team, instead sending a statement: “The FBI works with its federal, state, local, tribal and territorial law enforcement partners in task forces across the country in order to detect, investigate, and disrupt federal crimes and threats to national security and to protect the American people. In every instance, the FBI’s investigative activity complies with Department of Justice guidelines, applicable laws and the United States Constitution. The FBI does not investigate or collect information on solely First Amendment protected activity.”

From the Chicago Police Department, The Intercept obtained SOMEX emails from May-June 2020 and November 2021. The SOMEX team order was obtained by Transparency Chicago, and the SAR that Campbell sent to the fusion center was obtained by the Policing in Chicago Research Group at University of Illinois at Chicago. All of the documents were released following public records requests.

According to the order, Chicago’s SOMEX officers can interact with people online using fake profiles or assumed identities only after submitting a written request. But police are permitted to use fake profiles to “friend” targets and like posts under a broader range of conditions.

CPD declined to comment. Campbell did not respond to requests for comment sent to his department email.

Conventional undercover work is also prone to abuse. But when police go undercover in real life, says Rachel Levinson-Waldman, deputy director with the Brennan Center’s liberty and national security program, “They have one persona. That persona has to be fairly well developed. It has to be really consistent. They can’t show up at a meeting on one side of town as one person and then go to a meeting on the other side of town as another person.” Fake online profiles are “a force multiplier,” she said. “You can sit at your desk and gin up a lot of covert identities.”

And in some circumstances, officers on the SOMEX team are allowed to take their fake online personae into the real world, to interact with targets in person.

Guariglia, of Electronic Frontier Foundation, said the SOMEX documents reminded him of the 1908 G.K. Chesterton novel ‘‘The Man Who Was Thursday,” about an anarchist council that turns out to be primarily comprised of undercover cops. “I can imagine one Chicago activist whose twelve Facebook friends are all different agencies’ undercover identities,” he said.

Police officers guarding the Trump International Hotel & Tower hold back protesters during a rally and march to remember the May 25 killing of George Floyd by a Minneapolis police officer, in the Loop Saturday, May 30, 2020, in Chicago, Ill. (John J. Kim/Chicago Tribune/Tribune News Service via Getty Images)

Police officers guarding the Trump International Hotel & Tower hold back protesters during a rally and march to remember the May 25 killing of George Floyd by a Minneapolis police officer, in the Loop on May 30, 2020, in Chicago.

Photo: John J. Kim/Tribune News Service via Getty Images

“A Great Mission”

As protests against police violence grew, CPD’s response remained scattered. Officers would later describe it as “whack-a-mole.” But on May 30, the day that O’Donnell was photographed wearing a Joker mask, CPD leaders hatched a half-hearted plan. They told officers across the department to ready their riot gear. “All RDOs are canceled,” read an email from a lieutenant, referring to regular days off. Going forward, shifts would stretch to 12 hours. Even the SOMEX team’s digital investigators had to prepare. “In uniform,” wrote Sgt. Patrick Kinney, a former homicide detective who serves as one of the team’s supervisors, to his officers. “Make sure you have your helmets and batons.”

Kinney saw a bright side to the demonstrations: They were an opportunity to show the value of his team’s digital investigations. The task force officers had begun archiving social media footage showing potential destruction of property. “I think this will be a great mission for the SOMEX and help to highlight their need,” Kinney wrote to other commanding officers about the effort.

A SOMEX team sergeant discusses archiving social media footage during the George Floyd protests.

CPD Bureau of Detectives Chief Brendan Deenihan had meanwhile given Kinney and other supervisors an additional goal. He wanted their teams to each cull two “Wanted” videos per week from social media. Even as Kinney privately worried about pushback from overworked officers, he tried to convince his team that the quota would be easy to meet. “This only works and becomes less cumbersome if everyone does their due diligence and enters possible videos into the list,” he wrote. “For example, if you pull video for and [sic] shooting and the video captures the suspect or a vehicle used enter it onto the list. … This is not a heavy lift.”

Kinney did not respond to requests for comment sent to his department email.

The SOMEX team is housed within CPD’s Bureau of Detectives. As of May 2021, according to a roster obtained by Transparency Chicago, the SOMEX task force had 15 officers, in addition to the commanding officers. But its work overlaps with that of the department’s two Area Technology Centers, data-driven policing centers that local news outlets report were set up with funding from hedge fund billionaire Ken Griffin.

Related

Oracle Boasted That Its Software Was Used Against U.S. Protesters. Then It Took the Tech to China.

CPD has been surveilling social media for over a decade, as The Intercept previously reported. It has even monitored social media use in public schools, an investigation by ProPublica and WBEZ Chicago found. The department has had a procedure for approving covert accounts since at least 2014, according to a document obtained by the American Civil Liberties Union of Illinois in a public records lawsuit. “Young Black and brown people who are heavily policed are aware that cops use fake accounts,” said Maira Khwaja, who directs public impact strategy and outreach for Chicago’s Invisible Institute, a nonprofit investigative group. “There are always jokes on how to detect that someone’s a cop online — like someone asking obviously about drugs.” In Memphis, police have been accused of snooping on Black Lives Matter activists and their friends using a fake persona improbably named Bob Smith.

Fake profiles violate Facebook’s authenticity policy, and on occasion police departments have gotten into trouble for using them. Following attention from the press and the Electronic Frontier Foundation, Facebook changed its law enforcement guidelines and asked two police departments to stop using fake profiles. But abuses remain, on Facebook and on other platforms. In April, the Minnesota Department of Human Rights released a report criticizing the Minneapolis Police Department for not having a policy “to ensure that covert accounts are being used for legitimate investigative purposes, and not, for instance, to send messages to City Council Members criticizing them.”

The SOMEX task force appears to be an attempt to formalize CPD online undercover work. Documents show that the FBI keeps records of the fake identities it assigns to officers, giving them tracking numbers called Confidential Alias Numbers.

Roy L. Austin Jr., vice president and deputy general counsel for civil rights at Facebook’s parent company Meta, said there are no exceptions to Facebook’s authenticity policy, even for the FBI. “It is absolutely a violation of our policies to create a fake account, for any reason, no matter who you are,” he said. “ We require everyone, including law enforcement authorities, to use their authentic names on Facebook and we make this policy clear in our Community Standards. It is our intention to make sure that people can continue using our platforms free from unlawful surveillance by the government or agents acting in inauthentic ways.”

But documents make clear that CPD’s SOMEX officers routinely use fake Facebook profiles.

In March 2019, SOMEX officers repeatedly used Facebook aliases in the investigation of actor Jussie Smollett, who was accused of fabricating his own assault. Files from Smollett’s case that were unsealed by the Circuit Court of Cook County show that SOMEX officers assumed fake identities even for routine searches. An intelligence report from the case describing research on Facebook, Instagram, and Snapchat, for example, says that a detective “logged on to the Internet through a non-attributable computer, utilizing departmental approved covert account AC08, with the Internet Protocol (IP) address of [REDACTED] which resolved to Chicago, IL.”

The documents show that SOMEX officers can also take over the accounts of informants, or what the department euphemistically calls “social media assets.” The department has a form that informants fill out to grant police use of their online identity. The form gives police full account access, even allowing CPD to change an informant’s password so that they cannot log into their account. “I find that totally astonishing,” said Levinson-Waldman, of the Brennan Center.

A CPD form that informants fill out granting police full access to their social media accounts.

Screenshot: The Intercept/CPD

Following the January 6 attack on the U.S. Capitol, FBI Director Christopher Wray claimed that the bureau had failed to act swiftly because it lacked the ability to fully monitor social media. “What we can’t do on social media is, without proper predication and an authorized purpose, just monitor ‘just in case’ on social media,” he told Congress last summer, in response to a question from Rep. Alexandria Ocasio-Cortez, D-N.Y. He added, “Now, if the policies should be changed to reflect that — that might be one of the important lessons learned coming out of this whole experience. But that’s not something that currently the FBI has either the authority or certainly the resources frankly to do.”

“That is false,” said German, the former FBI agent, who noted that FBI agents have been able to do online research without any criminal predicate since 2002. (According to a recent U.S. Government Accountability Office report, social media companies also tipped off the FBI to potential violence at the Capitol.) “Whenever they are criticized for failing to protect Americans, rather than allow an investigation of how they’re using or misusing the authorities they have, FBI blames it on a lack of authority, because that makes it easier for a policymaker to say, ‘OK, we’ll give them new authority,’” he said. Following Wray’s pitch, the bureau released the call for bids for SOMEX software, though the contract followed on FBI use of other social media surveillance software.

Chicago Mayor Lori Lightfoot, too, has claimed that police need more resources for social media surveillance. In August 2020, she announced the creation of a second social media team: a 20-person unit within CPIC, the fusion center, tasked with keeping round-the-clock tabs on social sites to identify potential property damage. “As we’ve seen over these past few months, social media platforms have repeatedly been used to organize large groups of people to engage in illegal activity,” she said.

Mayor Lori Lightfoot chats with Chicago Police Department First Deputy Superintendent Anthony Riccio after a news conference in Chicago on Thursday afternoon, June 11, 2020, about a group of Chicago police officers in the congressman's campaign office while looters hit nearby stores. More than a dozen officers and supervisors from the Chicago Police were captured on video "lounging" inside a congressional campaign office on the city's South Side as people vandalized and stole from nearby businesses while protests and unrest spread across the city in late May, Mayor Lori Lightfoot said Thursday. (Ashlee Rezin Garcia/Chicago Sun-Times via AP)

Mayor Lori Lightfoot chats with Chicago Police Department First Deputy Superintendent Anthony Riccio after a news conference in Chicago on June 11, 2020.

Photo: Ashlee Rezin Garcia/Chicago Sun Times via AP

But the emails show just how many fancy tools police in Chicago already had at their disposal. During the George Floyd protests, an Amazon Ring account representative gave Kinney’s officers a virtual presentation on how to use a police interface in Ring’s Neighbors, an app that combines the neighborhood vigilantism of Nextdoor with linked surveillance devices. Afterward, Kinney emailed the representative, asking that he add one officer to the service. “Thanks for going over the platform today,” he wrote. “My team expressed how excited they are to use it.” (Ring has come under fire elsewhere for aiding police during the protests; in Los Angeles, for example, the company helped police seek Ring footage of the demonstrations from customers of the home camera system.) A Ring spokesperson said that CPD was “activated” on the Neighbors police interface in September 2020 and that the emails obtained by The Intercept “are part of the standard onboarding process.”

Emails from November 2021, meanwhile, show that Area Technology Centers officers, including some on the SOMEX team, used GeoTime, a geolocation tool made by Uncharted Software, and that they were exploring joining Flock Safety’s automated license plate reader and camera network after the company offered them free accounts.

One incident from the George Floyd protests shows how SOMEX investigations could easily ensnare the innocent. On May 28, 2020, CPD learned of a man who had threatened to kill police and burn down a precinct. According to the Office of the Inspector General report, the threat had been identified by the fusion center, CPIC, on “open source social media” and had caught the attention of Lightfoot, who asked what was being done. A SOMEX officer checked the man’s Facebook accounts. One account was private, and a second account had last been updated in 2017. Other social sites turned up little. “There is nothing on his Instagram page either,” wrote the investigator. “Only five posts and nothing related to the police department.” The officer, who is unnamed in the emails obtained by The Intercept, went on to dig into the man’s social media contacts: “I took the liberty in observing public posts made by his friends.”

An email from a SOMEX team officer explaining they had investigated the social media contacts of a man who had threatened police.

Screenshot: The Intercept/Illinois Freedom of Information Act

That sort of logic is troubling, said Guariglia. “Your tweets could end up under police scrutiny — which obviously opens you up for potential reprisals or retribution for your political opinions — just because a friend of yours attended a protest.”

Emails from the first week of the George Floyd protests show that officers amassed a large volume of content. They captured so much social media footage, in fact, that Kinney complained that they were running out of storage.

Of the SOMEX team work described in available documents from that week, the unmasking of the Joker appears to be the only research that resulted in criminal charges. But officers did achieve one goal: The Chicago Police Department published over a dozen “Wanted” videos on its YouTube channel. The videos zoom in on people’s faces. Overlaid, in red, is text that reads, “If you see these individuals do not approach. Call 911.”

Documents published with this article:

Chicago Police Department SOMEX George Floyd protests emails — a great mission

Chicago Police Department SOMEX team ATC emails — Ring

Chicago Police Department SOMEX team George Floyd protests emails — worries about pushback

Chicago Police Department SOMEX team George Floyd protests emails — capturing videos for YouTube

Chicago Police Department SOMEX team emails — RDOs are canceled

Chicago Police Department SOMEX team ATC 11-2021 emails

Jussie Smollett Chicago Police Department SOMEX report 

Chicago Police Department SOMEX George Floyd Protests — Examining Social Networks

Chicago Police Department Social Media Policies 2014-2015

CPIC fusion center – Suspicious Activity Report 2020-00044 – George Floyd protests 

Join The Conversation