Last month Andrew Frame, the CEO of crime reporting and neighborhood watch app Citizen, violated his own app's policies by telling staff to broadcast the personal information of an individual they mistakenly suspected of starting a wildfire, putting a $30,000 dollar bounty on that person's head, and telling workers the company needed to "FIND THIS FUCK," potentially putting this person's safety in danger. Motherboard reported this with multiple sources and caches of internal Citizen documents, including Slack chats from Frame himself.
Both the Apple App Store and Google Play Store have policies that may have been violated during this case, such as posting content in order to humiliate someone publicly and defamatory content. Violating such policies can lead to a platform maintainer removing an offending app. But neither Apple nor Google has said whether this latest bounty hunt violated their policies, despite multiple requests for comment sent over a nearly two week long period by Motherboard. Apple in particular has recently made terms of service changes that at least seem like they may be related to Citizen, but has not given any specifics about why it made these changes.
"LETS GET THIS GUY BEFORE MIDNIGHT HES GOING DOWN," Frame said in an internal Slack conversation, according to chats previously obtained by Motherboard.
"Look for [the person's name]. Look for him. Family members of [the person's name]. He wasn't just brought on this world by himself, we need your help. We need you to help us contact him and identify where he is. We need the scent of his clothing," Prince Mapp, Citizen's head of community, said on the app's livestream trying to solicit information and action from the public. (Motherboard is not publishing the name of the person Citizen falsely accused, though Citizen repeatedly used it both internally and externally.)
Do you work at Citizen, Apple, or Google? Do you have access to internal documents related to this incident? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
On May 27 Motherboard asked Apple and Google whether they were going to review Citizen's status on their app stores in light of Frame's successful push to publish personal information of the individual mistakenly accused of starting the wildfire. Representatives from both companies acknowledged the request for comment and several follow-up emails, but stopped responding around a week ago. Apple did not respond to an additional request for comment sent on Tuesday.
Importantly, the case of Citizen's CEO placing a bounty on someone's head was not a piece of user generated content. In the U.S. apps and social networks are generally not legally responsible for what their users may post, as long as they make good faith efforts to moderate their platforms. In this case, the manhunt and the potential policy violations were made by Citizen itself, not its individual users. At one point during the hunt, a Citizen employee pointed out that the company was violating its own terms of service that prohibit the "posting of specific information that could identify parties involved in an incident," according to the Slack chats. This staffer was ignored in that specific Slack room, and the broadcast continued to specifically name the wrongly accused person and share his photo for hours. In a subsequent all-hands meeting, Frame said he "overrode" the company's own policies that night.
On Monday, well after being asked for comment on the bounty incident and being sent the article containing the Citizen Slack chats, Apple updated its App Store policies to add that "Apps for reporting alleged criminal activity must involve local law enforcement, and can only be offered in countries where such involvement is active." Apple did not respond to a request for comment on Tuesday asking if this change was specifically in response to the Citizen incident.
A large number of Citizen's push notifications to users are based on workers listening to and summarizing police radio audio. Arguably, that may qualify as the involvement of local law enforcement. The Citizen bounty hunt started, however, not from an official source of law enforcement information: Citizen previously said information about the individual came from an on-the-ground "tip" from an LAPD Sergeant, followed by more information from local residents.
On Tuesday Citizen told Motherboard it works to make sure it abides by the respective app stores' policies, and that the relationship with Apple and Google is close. Citizen pointed out it is still available on both stores. The company again said it violated its own policies and that was a mistake it takes ownership of.
Apple previously banned Citizen in 2016, when the app first launched under the name Vigilante.
Subscribe to our cybersecurity podcast CYBER, here.