A contractor for Immigration and Customs Enforcement (ICE) and many other U.S. government agencies has developed a tool that lets analysts more easily pull a target individual’s publicly available data from a wide array of sites, social networks, apps, and services across the web at once, including Bluesky, OnlyFans, and various Meta platforms, according to a leaked list of the sites obtained by 404 Media. In all, the list names more than 200 sites that the contractor, called ShadowDragon, pulls data from and makes available to its government clients, allowing them to map out a person’s activity, movements, and relationships.
The news comes after ICE detained Mahmoud Khalil, a prominent Columbia University protester and green card-holding legal permanent resident of the U.S., on Saturday with the intention of deporting him. It also comes as Secretary of State Marco Rubio is reportedly launching an AI-fueled “Catch and Revoke” effort to scan the social media accounts of tens of thousands of student visa holders, looking for what Axios reported as foreign nationals who appear to support Hamas or other designated terror groups.
There is no indication ShadowDragon specifically, or its data tool SocialNet, is part of that program. But ShadowDragon says in marketing material its tools can be used to monitor protests, and claims it found protests around Union Station in Washington DC during a 2023 visit by Benjamin Netanyahu. Daniel Clemens, ShadowDragon’s CEO, previously said on a podcast that protesters should not “be surprised when people are going to investigate you because you made their life difficult.”
Multiple tech companies and websites whose public data ShadowDragon pulls tell 404 Media the contractor may be violating their terms of use around scraping.
“The long list of sites and services that ShadowDragon’s SocialNet tool accesses is a reminder of just how much data is accessible and collected from and about us to provide surveillance services to the government and others,” Jeramie Scott, senior counsel and director of the Electronic Privacy Information Center’s (EPIC) Project on Surveillance Oversight, told 404 Media in an email. “SocialNet is just one example of the unchecked surveillance ecosystem that lacks any meaningful transparency, oversight, or accountability that allows the government to circumvent Constitutional and statutory protections to access sensitive personal data,” he added.
Marketing material available online says SocialNet can plot identities and find connections between them; create a map of suspicious activity and follow a suspect’s trail; and “follow the breadcrumbs of your target’s digital life and find hidden correlations in your research.” In one promotional video, ShadowDragon says users can enter “an email, an alias, a name, a phone number, a variety of different things, and immediately have information on your target. We can see interests, we can see who friends are, pictures, videos.”
The leaked list of targeted sites and services includes ones from major tech companies such as Apple, Amazon, Meta, Microsoft, and TikTok. It also includes communication tools like Discord and WhatsApp; activity- or hobby-focused sites like AllTrails, BookCrossing, Chess.com, and cigar review site Cigar Dojo; payment services like Cash App, BuyMeACoffee, and PayPal; sex worker sites OnlyFans and JustForFans; and social networks Bluesky and Telegram. Even relatively obscure social networks are included in the list, such as BeReal.
ShadowDragon also pulls data from some sites geared towards specific demographics and highly personal interests, such as the social network for Black people called Black Planet or the fetish site FetLife, which 404 Media previously reported.
The list also includes Roblox. In a recent video on ShadowDragon’s YouTube channel, staff members discussed how children are groomed on Roblox and other platforms or apps geared towards children.
What sort of data is returned when a ShadowDragon customer queries one of these sites depends on each individual service, with some likely returning much more than others.
404 Media has uploaded the list here.
According to U.S. government procurement databases, ShadowDragon’s clients include the State Department, the Army, the Fish and Wildlife Service, the DEA, and, especially, ICE. ICE continued its contract with ShadowDragon as recently as February 24, with the procurement record saying the deal included access to SocialNet.
An ICE statement of work that EPIC obtained through the Freedom of Information Act describes why ICE, and specifically Homeland Security Investigations (HSI), sought out SocialNet in one instance.
“ICE analysts conduct research on readily available public domain open source information that spans beyond US domain websites and require ICE to effectively track and investigate known criminal elements and locations to mitigate the flow of illegal goods and personnel into the United States borders and territories,” the document reads. “SocialNet data is a data subscriptions service that maps social media connections to uncover aliases, associates and gather inferences of lifestyle and physical location of threats. SocialNet performs federated searches and visualizes social media connections to uncover identities, correlations, networks of associates quickly.”
“HSI INTEL must remain diligent in seeking new and improved means of combatting the challenges that face our Law Enforcers and Intelligence Analysts for identifying, tracking, investigating and apprehending criminal entities. SocialNet data adds to HSI INTEL’s ability to successfully meet those mission goals and their public responsibility by leveraging capabilities with proven results for both cyber or physical criminal investigations and social media forensics,” it continues. In this case, the document indicates HSI sought to use SocialNet through Maltego, a commonly-used piece of open source intelligence software.
404 Media previously reported that some of ICE moved to SocialNet because it was retiring the use of another tool called Babel X.

404 Media contacted numerous companies named in the leaked list of services that ShadowDragon pulls data from. Pinterest pointed to its terms of service, which say users will not “scrape, collect, search, copy or otherwise access data or content from Pinterest in unauthorized ways.” Cash App also pointed to its own terms of service, which ban the monitoring of any material on any Cash App system, both manually and with automated means.
Responding to Facebook, Instagram, and Threads being included in the list, Meta said in a statement “Unauthorized scraping is against our terms, and we routinely investigate and take action to enforce our terms against unauthorized scrapers when we find they have violated our policies.”
Snap said any scraping violates its terms of service.
LinkedIn said in a statement “We are constantly testing new ways to ensure that control of member data remains in our members’ hands. Unauthorized scraping is not permitted, and our teams at LinkedIn invest in technology and take legal action when necessary to detect and prevent our members’ information from being scraped and used without their consent.”
Chess.com said in a statement “We were not previously aware that ShadowDragon was scraping data from Chess.com. To clarify our position, we do not permit the use of personal information from our users without a valid legal basis and compliance with applicable laws, even if such information is publicly available.”
“If ShadowDragon’s activities are conducted lawfully, with a legitimate legal basis—such as in response to a government order or as part of a legally authorized investigation—we would not object. However, if the data being collected includes personal information and is being used without proper legal authorization, this would not align with our policies,” the statement added.
When asked if ShadowDragon’s activity constitutes scraping and provided with the list of sites, Sandy MacKay, VP of business operations at ShadowDragon, told 404 Media in an email that “ShadowDragon doesn’t log customer inquiries or the resulting data, so we can’t provide information that violates the privacy settings of individual account owners using these platforms, including data they’ve deleted.” In other words, the searches are performed live on sites when the ShadowDragon user requests it. That might arguably still violate some of the companies’ terms of use, however.
In the ShadowDragon podcast where Clemens made his comments about protesters, he added that protesters are “probably not moving the needle at all.” He added “My word of advice for anybody that’s feeling invited into the rage mob of the day, is, hey man, get off social media. Go buy a lake house, get a beach house. Do something. Get in debt and get off social media. Don’t get invited into all this rage.”
When 404 Media previously reported those comments, Clemens said in an email “my comments from the podcast refer to ALL groups, regardless of affiliation or cause. It was a reminder to everyone that everything we do in public, including social media posts, often lacks a legal expectation of privacy, in the same vein as the EFF’s recommendations for protestors.”
ICE did not respond to a request for comment.