Feds Stumble on Social Media Security, Privacy
U.S. government agencies are moving quickly to incorporate social media into their IT programs. For organizations with huge public constituencies, adopting Facebook, Twitter and YouTube as major communication channels makes a lot of sense. However, in the rush to utilize social media, federal agencies have had some misfires in their handling of privacy and security requirements.
Twenty-three of 24 major federal agencies had established accounts on Facebook, Twitter, and YouTube as of April 2011, according to the U.S. General Accountability Office (GAO).
Furthermore, the public has increasingly followed the information provided by federal agencies on those same services. For example, by April of this year, the U.S. Department of State had more than 72,000 users following its Facebook page; the National Aeronautics and Space Administration (NASA) had more than 992,000 Twitter followers, and a video uploaded by NASA on YouTube in December 2010 had more than 360,000 views.
Despite varying features of the three platforms, agencies use social media channels for several common purposes: reposting information already available on an agency website; posting original content not available on agency websites; soliciting feedback from the public; responding to comments; and linking to non-government websites.
Cautious Approach Required
The widespread use of social media technologies also introduces risks. Federal agencies have made only "mixed progress," GAO reported, in establishing appropriate policies and procedures in three critical areas:
- managing records;
- protecting the privacy of personal information; and
- ensuring the security of federal systems and information.
"Specifically, just over half of the major agencies using social media have established policies and procedures for identifying what content generated by social media is necessary to preserve in order to ensure compliance with the Federal Records Act, and they continue to face challenges in effectively capturing social media content as records," says Gregory Wilshusen, GAO's director of information security issues, in the agency's June report.
Disappointing Results to GAO
"Without clear policies and procedures for properly identifying and managing social media records, potentially important records of government activity may not be appropriately preserved. In addition, most agencies have not updated their privacy policies or assessed the impact their use of social media may have on the protection of personal information from improper collection, disclosure, or use, as called for in recent Office of Management and Budget (OMB) guidance," Wilshusen continues.
GAO listed three vulnerabilities associated with the use of social media channels by federal agencies: spear phishing; social engineering; and Web application attacks.
GAO issued specific recommendations to 21 of the 23 agencies it analyzed, and here again the results were mixed. About half of the agencies agreed with GAO's findings, while others agreed only in part. Some agencies failed to respond at all.
OMB's "Guidance for Agency Use of Third-Party Websites and Applications," however, offers only a broad approach to social media issues.
"It is high-level guidance, so additional, more detailed guidance would certainly seem to be useful," John di Ferrari, assistant director of GAO's information security section, told CRM Buyer.
The federal Chief Information Officers Council released a set of social media guidelines in 2009, he noted, and later a draft privacy guidance regarding third-party applications, which was sent to OMB for final approval.
However, OMB has not yet acted upon the draft, di Ferrari said.
Providers' Role Is Limited
The role of IT providers in assisting federal agencies in privacy and security issues is indirect and not subject to specific procurement requirements.
"The federal government has limited leverage with social media 'vendors' because, generally speaking, there is no contractual relationship involved. The government, like individuals, takes advantage of services that are provided at no cost," di Ferrari said.
Although the General Services Administration (GSA) has negotiated generic "terms of service" for social media services to address a number of legal questions about government use of these services, these generally have not included provisions about privacy and security.
"Facebook, YouTube and Twitter representatives told us they were not taking any special steps to address the security and privacy issues of government agency users," noted di Ferrari.
Facebook declined to comment directly on the GAO report.
"Facebook has worked with GSA and the federal Webmasters Council to ensure that Facebook can be used by the U.S. government. Every major federal agency and department has a presence on Facebook along with thousands of offices, bureaus and military units," Andrew Noyes, manager for public policy communications at Facebook, told CRM Buyer.
"GSA has approved Facebook for use by the U.S. government," he added.
Responding to a query from CRM Buyer on whether Facebook could develop a special protocol to assist federal agencies for a fee, Noyes said that "Facebook takes the security of every Facebook user seriously, including government agencies that use Facebook, and the safety of our systems and users is never something that we will charge money for."
Twitter did not respond to a query from CRM Buyer.
GAO issued the report in response to a request from several members of the U.S. Senate and House, including Sen. Tom Carper, D-Del.
"This report shows that while we've made some progress, there's still room for improvement in the effort to secure data in the federal government, including in the use of social media," Carper told CRM Buyer. "We want to continue to encourage the federal government to embrace technology, including social media, to better serve the public and save taxpayer dollars. But as we encourage this utilization of technology, we also have to strive to maintain the security of information."