DoD IT Privacy Impact Assessments / Emerging Technologies and Privacy
USPACOM FREEDOM OF INFORMATION ACT (FOIA) & PRIVACY ACT (PA) CONFERENCE
11 – 13 January, 2011
Gary J. Evans, Office of the DoD CIO, 703-699-0108

Privacy in the News
• Human error
• Budget and resources
• Changing business processes
• IT systems
• Flash storage media
• Records management
• Teleworking
• Hard drives
• Hackers
• Blogs
• Disposal of storage media
• Official and unofficial forms
• Contractor services
• Web portals and shared drives
• Insider threat
• Spreadsheets
• Email
• Malicious software
• Data mining

Social Media
http://www.facebook.com/video/video.php?v=141629337756&ref=share

Uses of Social Media
• Public Affairs Outreach
• Situational Awareness
• Law Enforcement/Intelligence
• Collaboration and Information Sharing
• War fighters communicating with families

Social Media Types
• Social media sites where users and public users may have an account to use applications tailored to the specific website. This social media includes, but is not limited to, Facebook, MySpace, Ustream, LinkedIn, and GovLoop.
• Video and image websites: users may have an account to post, but public users may not be required to have an account to see the video or image. In order for public users to comment, they may need an account. This social media includes, but is not limited to, YouTube, Flickr, Picasa, Blip.tv, and Ustream.
• Blogs and similar websites: users may have an account to post, but public users may not be required to have an account to see the blog. In order for public users to comment, they may need an account.
This includes, but is not limited to, Twitter, Google Blogger, and Wordpress.

Responsible and Effective Use of Social Media
• Directive-Type Memorandum (DTM) 09-026 – Responsible and Effective Use of Internet-based Capabilities, 25 Feb 10
  – Effective immediately, the DTM states that the default for the DoD non-classified network (the NIPRNET) is open access, so that all of DoD can use new media
  – Directs open and consistent access across the board
  – Commanders at all levels and heads of DoD components will continue to keep networks safe from malicious activity and take actions, as required, to safeguard missions
  – Service members and DoD employees are welcome and encouraged to use new media to communicate with family and friends, at home stations or deployed, but must do it safely
• For more info go to: http://socialmedia.dod.gov
• Implementation guidance is in development – SNS sites, web mail, etc.

NOTHING IS FREE!!!

Growth in FaceBook Accounts
• Comparison period: 14 June through 08 December, 2010

FaceBook   14 June   8 July   8 December
Army          336      395         783
Navy          139      228         342
USMC           76       73         176
USAF          110      120         181
Total         661      816        1482

Highlights of OMB Guidance M-10-23
• This Memorandum requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public.
Scope:
• This Memorandum applies to any Federal agency use of third-party websites or applications to engage with the public for the purpose of implementing the principles of the Open Government Directive.
• The guidance also applies when an agency relies on a contractor (or other non-Federal entity) to operate a third-party website or application to engage with the public on the agency's behalf.

Highlights of M-10-23 – Social Media
• A PIA is required if the agency makes PII available to the agency.
• Make PII Available.
When any agency action causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it.
• This can include activities commonly referred to as "friending," "following," "liking," joining a "group," becoming a "fan," and comparable functions.
• A PIA can cover multiple websites or applications that are functionally comparable and whose practices are substantially similar.
• If an agency's use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application.

Examples of PIAs on Social Media
• DHS – Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue
  http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_socialnetworkinginteractions.pdf
• DHS – Publicly Available Social Media Monitoring and Situational Awareness Initiative
  http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ops_publiclyavailablesocialmedia.pdf
• DHS – Department of Homeland Security Our Border Network (Privacy Specific Risk PIA)
  http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_ning.pdf
• DOJ – Privacy Impact Assessment for Third-Party Social Web Services
  http://www.justice.gov/opcl/docs/opa-webservices-pia.pdf

Adapted PIA Questions
• What is the specific purpose of the component's use of the third-party website or application?
• List any PII that is likely to become available to the component through public use of the third-party website or application.
• What is the component's intended or expected use of PII?
• With whom will the component share PII?
• Describe whether and how the component will maintain PII, and for how long.
• Describe how the component will secure PII that it uses or maintains.
• Describe what other privacy risks exist and how the component will mitigate those risks.
• Describe whether the component's activities will create or modify a "system of records" under the Privacy Act.

PII Breach Media
• Improving here, but it only takes one
• Still #1
• And complacency…

Example PII Breaches (photo slides)
• Secure at the Conference?
• In Plain Sight
• The Convenience
• Laptops in Luggage
• Eyes on Laptop

PII Breach Media
• Copiers and printers are a problem
• Sent to recipients "without a need to know" / unencrypted

The Cost of a PII Breach
• The most significant cost to an organization results from lost confidence and trust by our sailors, marines, government civilians and the public
  – for a company that translates into customer turnover and loss of brand equity
  – impacts employee morale, ability to recruit new hires, and job satisfaction
• Potential class action lawsuits and/or criminal prosecution
• Mailings, call center costs, and credit monitoring
• Expenses associated with identity theft

Phishing
Phishing is the process of attempting to acquire sensitive information such as usernames, passwords, or financial account details by masquerading as a trustworthy entity in an electronic communication. This is a growing activity within the DON.
• They generally ask you to click a link back to a spoofed web site. Doing so could subject you to the installation of key-logging software or viruses.
• They use fear to motivate you to respond: "your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information…"
• Never open emails from unknown sources or institutions soliciting:
  – Passwords
  – Credit card information
  – ATM/Debit Card number
  – Social Security Number
  – Bank/financial account number
• If in doubt about the validity of the email, call their customer service number.
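The phishing traits the slide lists (fear or urgency language, requests for passwords or account numbers, and a link that points somewhere other than where it appears to) can be turned into a simple screening check that a mail gateway or helpdesk tool could run. The script below is an added example, not material from the original deck or from DoD; its phrase lists, sender addresses, message bodies and .example/.test domains are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicators the slide describes: fear/urgency pressure, requests for credentials or
# account identifiers, and links that lead somewhere other than where they appear to.
# The phrase lists are constructed for illustration, not an exhaustive signature set.
URGENCY_PHRASES = ("temporarily suspended", "fraudulent activity",
                   "verify your account", "within 24 hours", "immediately")
SOLICITED_DATA = ("password", "credit card", "debit card", "atm card",
                  "social security", "account number", "account information")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)', re.I)

def host_in_text(text):
    """First hostname-looking token in link text, lower-cased, or None."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None

def phishing_indicators(sender, body):
    """Return the names of the indicators a message triggers, in a fixed order."""
    lower = body.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    flags = {
        "urgency-language": any(p in lower for p in URGENCY_PHRASES),
        "solicits-sensitive-data": any(d in lower for d in SOLICITED_DATA),
        "link-text-host-mismatch": False,       # label shows one host, href goes to another
        "link-host-differs-from-sender": False, # link host is outside the sender's domain
    }
    for href, label in ANCHOR_RE.findall(body):
        real = (urlparse(href).hostname or "").lower()
        shown = host_in_text(re.sub(r"<[^>]+>", "", label))
        if shown and real and shown != real:
            flags["link-text-host-mismatch"] = True
        if real and real != sender_domain and not real.endswith("." + sender_domain):
            flags["link-host-differs-from-sender"] = True
    return [name for name, hit in flags.items() if hit]

# Constructed sample messages (not real mail): one mimicking the lure quoted on the
# slide, one routine internal notice. The .example/.test domains are placeholders.
PHISH_SENDER = "alerts@bank.example"
PHISH_BODY = ('Your account has been temporarily suspended due to recent fraudulent '
              'activity. We need you to verify your account information and password at '
              '<a href="http://bank.example.verify-login.test/acct">'
              'https://www.bank.example/verify</a> within 24 hours.')
BENIGN_SENDER = "helpdesk@agency.example"
BENIGN_BODY = ('Reminder: the quarterly privacy training is due next month. Details: '
               '<a href="https://training.agency.example/privacy">'
               'https://training.agency.example/privacy</a>')
if __name__ == "__main__":
    for who, body in ((PHISH_SENDER, PHISH_BODY), (BENIGN_SENDER, BENIGN_BODY)):
        print(who, "->", phishing_indicators(who, body) or "no indicators")
```

A message that trips several indicators at once is what to route to the network administrator rather than to the user's judgement; a single hit on its own is routine in legitimate mail.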
• Notify your network administrator. For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/

IRS Phishing Statistics

Privacy Do's
• Encrypt all emails containing PII
• Reduce human error
• Reduce the use of SSN
• Ensure IA controls are in place on document repositories such as SharePoint

Privacy Don'ts
• Do not place PII on Internet public-facing websites or shared drives
• Do not collect PII that is not needed for business
• Do not send documents containing PII to personal email addresses (e.g., Yahoo, Hotmail)
• Do not download PII to personal computers, USB drives, or any removable media unless the devices are approved and encrypted

Be Careful Out There!!!

The Threat is Real
The Scoop Deck blog shed light on a Dec. 2009 Al-Qaeda call for their members to monitor what we say about ourselves, our units and our families online in order to gather intelligence.
"Information on every U.S. Naval unit should be quietly gathered… their ranks, what state they are from, their family situation, and where their family members live… …search for the easiest ways of striking these ships…. Do not underestimate the importance of any piece of information, as simple as it may seem…."
WHAT THEY WANTED: The call wasn't just about unit missions, location, troop manning, weapons, movement and route. They asked for members' names, ranks, home state, family situation and family names.

Questions
Are there any S