8611.USPACOM PIAs and Social Media 28 Dec 2010 Final

Report
DoD IT Privacy Impact Assessments/
Emerging Technologies and Privacy
USPACOM FREEDOM OF INFORMATION ACT
(FOIA) & PRIVACY ACT (PA) CONFERENCE
11 – 13 January, 2011
Gary J. Evans
Office of the DoD CIO
703-699-0108
Privacy in the News
Human error
Budget and resources
Changing business processes
IT systems
Flash storage media
Records management
Teleworking
Hard drives
Hackers
Blogs
Disposal of storage media
Official and unofficial forms
Contractor services
Web portals and shared drives
Insider threat
Spreadsheets
Email
Malicious software
Data mining
3
Social Media
http://www.facebook.com/video/video.php?v=141629337756&ref=share
Uses of Social Media
•
Public Affairs Outreach
•
Situational Awareness
•
Law Enforcement/Intelligence
•
Collaboration and Information Sharing
•
War fighters communicating with families
6
7
8
9
Social Media Types
• Social media where users and public users may have an account to
use applications tailored to the specific website. This social media
includes, but is not limited to, Facebook, MySpace, Ustream,
LinkedIn, and GovLoop
• Video and Image websites users may have an account to post but
public users may not be required to have an account to see the
video or image. In order for public users to comment, they may need
an account. This social media includes, but is not limited to,
YouTube, Flickr, Picasa, Blip.tv, and Ustream
• Blogs and similar websites users may have an account to post but
public users may not be required to have an account to see the blog.
In order for public users to comment, they may need an account.
This includes, but is not limited to, Twitter, Google Blogger, and
Wordpress
Responsible and Effective Use of
Social Media
• Directive-Type Memorandum (DTM) 09-026 – Responsible
and Effective Use of Internet-based Capabilities 25 Feb 10
– Effective immediately, the DTM states that the default for the DoD
non-classified network (the NIPRNET) is for open access so that all
of DoD can use new media
– Directs open and consistent access across the board
– Commanders at all levels and heads of DoD components will
continue to keep networks safe from malicious activity and take
actions, as required, to safeguard missions
– Service members and DoD employees are welcome and
encouraged to use new media to communicate with family and
friends — at home stations or deployed — but do it safely
• For more info go to: (http://socialmedia.dod.gov)
• Implementation guidance is in development
– SNS sites, web mail, etc
NOTHING IS FREE!!!
12
Growth in FaceBook
Accounts
•
Comparison period between 14 June through 08 December, 2010
FaceBook
14 June
8 July
8 December
Army
336
395
783
Navy
139
228
342
USMC
76
73
176
USAF
110
120
181
661
816
1482
Highlights of OMB Guidance
M-10-23
• This Memorandum requires Federal agencies to take specific steps to
protect individual privacy whenever they use third-party websites and
applications to engage with the public.
Scope :
• This Memorandum applies to any Federal agency use of third-party
websites or applications to engage with the public for the purpose of
implementing the principles of the Open Government Directive.
• The guidance also applies when an agency relies on a contractor (or
other non-Federal entity) to operate a third-party website or application
to engage with the public on the agency’s behalf.
Highlights of M-10-23 – Social Media
•
PIA is required if Agency makes PII available to the agency.
•
Make PII Available. When any agency action causes PII to become
available or accessible to the agency, whether or not the agency solicits
or collects it.
•
This is can include activities commonly referred to as “friend-ing,” “following,”
“liking,” joining a “group,” becoming a “fan,” and comparable functions.
•
PIA can cover multiple websites or applications that are functionally
comparable and practices are substantially similar.
•
If an agency’s use of a website or application raises distinct privacy
risks, the agency should prepare a PIA that is exclusive to that website
or application.
Examples of PIAs on Social Media
•
DHS - Use of Social Networking Interactions and Applications
Communications/Outreach/Public Dialogue
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_socialnetworkinginteractions.pdf
•
DHS – Publicly Available Social Media Monitoring and Situational
Awareness Initiative
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ops_publiclyavailablesocialmedia.pdf
•
DHS - Department of Homeland Security Our Border Network (Privacy
Specific Risk PIA) http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_ning.pdf
•
DOJ - Privacy Impact Assessment for Third-Party Social Web Services
http://www.justice.gov/opcl/docs/opa-webservices-pia.pdf
Adapted PIA Questions
•
•
•
•
•
•
•
•
What is the specific purpose of the component’s use of the third-party
website or application?
List any PII that is likely to become available to the component through
public use of the third-party website or application
What is the component’s intended or expected use of PII?
With whom will the component share PII?
Describe whether and how the component will maintain PII, and for how
long
Describe how the component will secure PII that it uses or maintains
Describe what other privacy risks exist and how the component will mitigate
those risks
Describe whether the component’s activities will create or modify a “system
of records” under the Privacy Act
PII Breach Media
Improving here, but only takes one
Still # 1
And complacency …..
Example PII Breaches
Secure at the Conference?
Example PII Breaches
In Plain Sight
The Convenience
Example PII Breaches
Laptops in Luggage
Eyes on Laptop
PII Breach Media
Copiers and printers are a problem
Sent to recipients “without a need
to know” / unencrypted.
The Cost of A PII Breach
• The most significant cost to an organization results from lost
confidence and trust by our sailors, marines, government civilians
and public
– for a company that translates into customer turnover and loss of
brand equity
– impacts employee morale, ability to recruit new hires and job
satisfaction
• Potential class action law suits and or criminal prosecution
• Mailings, call center costs and credit monitoring
• Expenses associated with identity theft
Phishing
Phishing is the process of attempting to acquire sensitive
information such as usernames, passwords or financial account details by
masquerading as a trustworthy entity in an electronic communication.
 This is a growing activity within the DON.
 They generally ask you to click a link back to a spoof web site. Doing so could
subject you to the installation of key logging software or viruses.
 They use fear to motivate you to respond – “your account has been temporarily
suspended due to recent fraudulent activity, we need you to verify your account
information…”
 Never open emails from unknown sources or institutions soliciting:





Passwords
Credit card information
ATM/Debit Card number
Social Security Number
Bank/financial account number
 If in doubt about validity of the email, call their customer service number.
 Notify your network administrator. For NMCI go to:
https://www.homeport.navy.mil/support/articles/report-spam-phishing/
25
IRS Phishing Statistics
Privacy Do’s
•
•
•
•
Encrypt all emails containing PII
Reduce human error
Reduce the use of SSN
Ensure IA controls are in place on document
repositories such as Sharepoint
Privacy Don’ts
• Do not place PII on Internet public-facing
websites or shared drives
• Do not collect PII that is not needed for business
• Do not send documents containing PII to
personal email addresses (e.g., yahoo, hotmail)
• Do not download PII to personal computers,
USB drives, or any removable media unless the
devices are approved and encrypted.
Be Careful Out There!!!
29
The Threat is Real
The Scoop Deck blog shed light on a Dec. 2009 AlQaeda call for their members to monitor what we say
about ourselves, our units and our families online in
order to gather intelligence.
“Information on every U.S. Naval unit
should be quietly gathered… their ranks,
what state they are from, their family
situation, and where their family
members live…
…search for the easiest ways of striking
these ships…. Do not underestimate the
importance of any piece of information,
as simple as it may seem….”
WHAT THEY WANTED:
The call wasn’t just about unit missions,
location, troop manning, weapons, movement and route. They asked for
members’ names, ranks, home state, family situation and family names.
Questions
Are there any
S

similar documents