Web 2.0 Technologies And Privacy Security Considerations

Session # T- 7

Web 2.0 Technologies and Privacy/Security Considerations Sandy England & Joseph Salama

Agenda • Web 2.0 technologies • Opportunities and Challenges • Policy/Legal/ Privacy/Security Issues – Privacy Act – E-Government Act & FISMA • Web 2.0 Potential Issues and Concerns • Conclusion Source: http://dccblawg.blogspot.com/2007/11/legal-implications-of-web-20.html

2

Introduction • Our targeted users are attracted to social networking communities that foster userdriven content • How can we leverage social networking to extend our reach and message? • Web 2.0 brings a new set of challenges - privacy, data security, and legal issues Source: http://www.cooltownstudios.com/images/web2.0.jpg

3

What is Web 2.0? • From Wikipedia: – Web 2.0 is a living term describing changing trends in the use of World Wide Web technology and web design that aims to enhance creativity, information sharing, collaboration, and functionality of the web – Web 2.0 concepts have led to the development and evolution of web-based communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies http://en.wikipedia.org/wiki/Web_2.0

4

What is Web 2.0? • Community – Users organize themselves and work in partnership with common goals • Active participation – Users move from passive role (reading) to active role (authoring) • The Wisdom of Crowds: – Individual users add value – Aggregate data into a collective thought – Applications get better/smarter the more people use them

5

Web 2.0 By Example Web 1.0  DoubleClick  Ofoto  Akamai  Britannica Online  Personal websites  Page views  Screen scraping  Publishing  Systems  Directories (taxonomy)  Stickiness  Domain name speculation 

Web 2.0 Google AdSense Flickr BitTorrent Wikipedia Blogging Cost per click Web services Participation Wikis Tagging ("folksonomy") Syndication Search engine optimization http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html

6

Web 2.0 Technologies

7

Web 2.0 Components

Source: http://www.personalizemedia.com/web-00-to-50-spheres-of-influence/

8

Web 2.0 Framework

Source: http://www.rossdawsonblog.com/weblog/archives/2007/05/

9

Web 2.0 Technologies • User-Generated Content (e.g. FlickR and YouTube) • Web Content Sharing (e.g. Digg) • Social Bookmarking (e.g. Del.icio.us) • Blogs • Wikis • AJAX • Etc.

Source: http://edtechtrek.blogspot.com/2008_03_01_archive.html

10

User-Generated Content • Users upload and share personal videos (e.g. YouTube) and pictures (e.g. FlickR) • Organize media through tagging of themes, channels, collections, sets, etc. and allow commenting • How could we do it? – Enable peer-to-peer mentoring and support – Share tips, stories, how they overcame obstacles – Their lessons become sources of inspiration and motivation for others

11

Blogs • Publish articles and info about any subject • Share information and discuss topics • An effective communication tool • Can be updated at virtually zero cost • Organize content with meta-data, categorizations, and labels

12

Wikis • Speed and flexibility: Wiki means "fast" in Hawaiian • Effective tool for collaborative authoring • Allows users to create and edit pages • Breaks away from structured hierarchies to share information • The collective intelligence becomes a creative genius

13

Web 2.0 Opportunities • Collaborate more easily: – Internally (employees) – Externally (partners and customers) • Allow citizens to have greater input • Enable citizens to help each other – peer to peer collaboration • Create communities, which in turn create creative solutions to problems – Aggregate constituent wisdom: “The whole is smarter than the one”

14

Web 2.0 Challenges • Web 2.0 can enhance the delivery of public services and citizens’ engagements with government • However, a number of challenges prevent us from diving head first into Web 2.0 – – – – – –

Privacy issues Control of Content Anonymous postings (yes or no?) User Trust - can change content of others Vandalism Plagiarism and Copyright infringement

• Balancing our role as responsible officials:

– To protect citizens in this online world – To respect the First Amendment’s protection of free speech

15

Web 2.0 Challenges (cont.) • “Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information… (consistent with)…the risk-based policy for cost-effective security established by the Computer Security Act of 1987.” OMB Circular A-130

16

Privacy/Security Considerations • Laws, mandates, policies, and processes that require agencies to protect the use of data collected from citizens – Privacy Act – System of Records – Information Clearance – E-Gov Act and FISMA • Confidentiality, Integrity, and Availability of Information

– OMB Circular A-130, Appendix III … and many more …

17

Privacy Concerns • A full 93% of children ages 12-17 are online! • 55% of online teens use social networks • 55% of teens have created an online profile • 48% of teens visit social networking sites daily • 22% visit several times a day • 66% of teens with profiles say that their information is not visible to all Internet users

Pew Internet & American Life Project, “Parent and Teenager Internet Use” (Oct. 24, 2007) Pew Internet & American Life Project, “Teens, Privacy & Online Social Networks” (Apr. 18, 2007) Pew Internet & American Life Project, “Teens and Online Stranger Contact” (Oct. 14, 2007)

18

Privacy Concerns (cont.) • 63% of teens with profiles believe a motivated person could eventually identify them from the information they publicly provide on their profiles • 7% of online teens say they have been contacted by a stranger – either through “friend” requests, spam email, or comments posted on a blogging or photo sharing site – who made them feel scared or uncomfortable

Pew Internet & American Life Project, “Parent and Teenager Internet Use” (Oct. 24, 2007) Pew Internet & American Life Project, “Teens, Privacy & Online Social Networks” (Apr. 18, 2007) Pew Internet & American Life Project, “Teens and Online Stranger Contact” (Oct. 14, 2007)

19

Privacy Goals • Guiding Policies and Processes – System of Record Notification (SORN) Process – Information Clearance (IC) Process • Guiding Principles: – Don’t collect PII data unless truly necessary – Randomly generate IDs which can’t be mapped back to user names – Ensure user account information is invisible – Disallow lookups so strangers cannot iterate through IDs to see public information

20

Liability • Liability laws addressing complex new divisions of responsibility in online relationships between government, businesses and citizens • Is there liability for providing an application that enables stalking and other violations? – Need comprehensive Terms & Conditions of Use – Hide profile data by default – Easy to use privacy settings

21

Intellectual Property • YouTube/Google facing legal action from Viacom for allowing copyrighted material to be uploaded to the video sharing site • Universal initially attacked MySpace for illegal sharing of music before developing a branded virtual jukebox that users can post to their profile • Signing off a blog post with image of your favorite cartoon character may infringe copyright laws • Yet … copyright law has faced these challenges since the beginning of the Internet

22

Legislative and Policy Drivers  E-Government Act, Public Law 107-347 (Title III) Federal Information Security Management Act of 2002 (FISMA)  OMB Circular A-130 (Appendix III) Management of Federal Automated Information Resources  OMB Memorandum M-06-16 Protection of Sensitive Information

23

FISMA Requirements • FISMA directed that federal standards be created to address the specification of minimum security requirements for federal information and information systems by: – Conducting security categorization of the information and information systems based on risk levels – Authorization of system processing prior to operations and periodically thereafter

24

FISMA Requirements (cont.) • All Federal agencies are responsible for ensuring appropriate security controls • FISMA applies to information and information systems used by the agency, contractors, and other organizations and sources • Require agencies to certify their systems to operate • Security certification is the assessment of those security controls

25

Security Accreditation • Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control • Challenges Federal managers to implement the most effective security controls possible • Is the official management decision given by a senior agency official to authorize operation • The senior agency official is usually the highest level executive in each organization within the agency

26

Security Accreditation (cont.) • By accrediting an information system, an agency official explicitly accepts the risk and responsibility for the security of the system • The agency official is fully accountable for any adverse impacts to the agency if a breach of security occurs • Thus, responsibility and accountability are core principles that characterize security accreditation

27

Official Information Dissemination • All efforts to provide official government information to external stakeholders • Includes various types of media, such as video, paper, web, etc. (NIST SP 800-60 rev2, section C.2.6.2)

• FISMA in a nutshell: – Categorization – Certification – Accreditation – Authorization

28

Security Categorizations • Security Objectives: – Confidentiality – Integrity – Availability • Impact levels: – Low – Moderate – High

Confidentiality • Information Dissemination Type for Confidentiality: – The loss of confidentiality results in the unauthorized disclosure of information • Recommended Confidentiality Impact Level for Web 2.0 Applications – Low

30

Integrity • Information Dissemination Type for Integrity: – The loss of integrity results in the unauthorized modification or destruction of information (e.g., modified web pages, electronic mail, etc.) • Recommended Integrity Impact Level for Web 2.0 Applications – Low

31

Availability • Information Dissemination Type for Availability: – The loss of availability results in the disruption of access to or use of information or information system • Recommended Availability Impact Level for Web 2.0 Applications – Low

32

Web 2.0 is NOT the Issue • Adverse Events can affect operations and/or public confidence in a Federal agency • Security controls can be put into place to mitigate these risks • Examples: ― Web filtering software for blocking malicious behaviors (e.g., scanning inbound content and inbound binary files) ― Strip / rewrite HTML and JavaScript code ― Lock down of browsers to disable scripting ― Implement virtualization ― Promote user awareness of Web-related risks ― Create and enforce acceptable use policies

33

Concerns/Recommendations • Content Control ― Requires trusting third parties with content ― Many uses of Web 2.0 may not make sense for agencies that interact directly with the public and wish to maintain tight control over content

• Personally Identifiable Information ― Discuss security, legal, and privacy concerns and determine strategy and approach ― Develop privacy & acceptable use policies/processes for the dissemination of official information type via Web 2.0 ― Plan ahead for clearance process ― Develop policies for management of data

34

Concerns/Recommendations • Interlinked Platforms ― Difficult to remotely administer ― Less control of security ― May be affected by attacks aimed at other web sites or that are hosted by external provider ― Securing public web servers in accordance with NIST Special Publication 800-44 Version 2 cannot be imposed on interlinked computing platforms not owned by the Federal government ― Nearly impossible and/or cost prohibitive to “certify and accredit” interlinked computing platforms in accordance with FISMA

35

Getting Started • Educate the organization on Web 2.0 • How it can help the organization meet fastevolving objectives? • Align clear priorities for online collaboration with organizational objectives • Initiate a pilot project • Evaluate technology strategy and compatibility

Source: William D. Eggers - Global Public Sector Research Director, Deloitte

36

Getting Started (cont.) • Create policies that maximize benefits of adopting Web 2.0 in organization • Measure results by establishing key performance indicators that measure the strategy’s effectiveness • Embrace a culture of collaboration and continually evolve how interaction happens with stakeholders inside and outside of government

Source: William D. Eggers - Global Public Sector Research Director, Deloitte

37

Questions?

Contact Information We appreciate your feedback and comments. We can be reached at: Joseph Salama, ED Chief Information Security Officer Phone: 202-245-6069 Email: [email protected] Sandy England, FSA Enterprise Portal Manager Phone: 202-377-3537 Email: [email protected] 39