DoD IT Privacy Impact Assessments/ Emerging Technologies and Privacy USPACOM FREEDOM OF INFORMATION ACT (FOIA) & PRIVACY ACT (PA) CONFERENCE 11 – 13 January, 2011 Gary J. Evans Office of the DoD CIO 703-699-0108


DoD IT Privacy Impact Assessments/ Emerging Technologies and Privacy

USPACOM FREEDOM OF INFORMATION ACT (FOIA) & PRIVACY ACT (PA) CONFERENCE

11 – 13 January, 2011

Gary J. Evans, Office of the DoD CIO

703-699-0108

Privacy in the News


Web portals and shared drives

Blogs

Email

Hackers

Human error

Insider threat

Official and unofficial forms

Malicious software

Records management

Disposal of storage media

IT systems

Contractor services

Data mining

Teleworking

Spreadsheets

Hard drives

Flash storage media

DAR (data-at-rest) encryption implementation

Budget and resources

Changing business processes

Uses of Social Media

• Public Affairs Outreach

• Situational Awareness

• Law Enforcement/Intelligence

• Collaboration and Information Sharing

• War fighters communicating with families


Social Media Types

• Social media sites where users and public users may have an account to use applications tailored to the specific website. This includes, but is not limited to, Facebook, MySpace, Ustream, LinkedIn, and GovLoop

• Video and image websites where users may have an account to post, but public users may not be required to have an account to see the video or image. In order for public users to comment, they may need an account. This includes, but is not limited to, YouTube, Flickr, Picasa, Blip.tv, and Ustream

• Blogs and similar websites where users may have an account to post, but public users may not be required to have an account to see the blog. In order for public users to comment, they may need an account. This includes, but is not limited to, Twitter, Google Blogger, and Wordpress

Responsible and Effective Use of Social Media

• Directive-Type Memorandum (DTM) 09-026, Responsible and Effective Use of Internet-based Capabilities, 25 Feb 10

– Effective immediately, the DTM states that the default for the DoD non-classified network (the NIPRNET) is open access, so that all of DoD can use new media

– Directs open and consistent access across the board

– Commanders at all levels and heads of DoD components will continue to keep networks safe from malicious activity and take actions, as required, to safeguard missions

– Service members and DoD employees are welcome and encouraged to use new media to communicate with family and friends, at home stations or deployed, but do it safely

• For more info go to: http://socialmedia.dod.gov

• Implementation guidance is in development

– SNS sites, web mail, etc.


NOTHING IS FREE!!!

Growth in Facebook Accounts

• Comparison period between 14 June and 08 December, 2010

Facebook accounts   14 June   8 July   8 December
Army                   336      395          783
Navy                   139      228          342
USMC                    76       73          176
USAF                   110      120          181
Total                  661      816         1482

Highlights of OMB Guidance M-10-23

• This Memorandum requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public.

Scope :

• This Memorandum applies to any Federal agency use of third-party websites or applications to engage with the public for the purpose of implementing the principles of the Open Government Directive.

• The guidance also applies when an agency relies on a contractor (or other non-Federal entity) to operate a third-party website or application to engage with the public on the agency’s behalf.

Highlights of M-10-23 – Social Media

• A PIA is required whenever an agency's use of a third-party website or application makes PII available to the agency.

• "Make PII available": any agency action that causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it.

• This can include activities commonly referred to as "friending," "following," "liking," joining a "group," becoming a "fan," and comparable functions.

• One PIA can cover multiple websites or applications that are functionally comparable and whose privacy practices are substantially similar.

• If an agency’s use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application.

Examples of PIAs on Social Media

• DHS - Use of Social Networking Interactions and Applications Communications/Outreach/Public Dialogue http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_socialnetworkinginteractions.pdf

• DHS – Publicly Available Social Media Monitoring and Situational Awareness Initiative

http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_ops_publiclyavailablesocialmedia.pdf

• DHS - Department of Homeland Security Our Border Network (Privacy Specific Risk PIA) http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_dhs_ning.pdf

• DOJ - Privacy Impact Assessment for Third-Party Social Web Services http://www.justice.gov/opcl/docs/opa-webservices-pia.pdf

Adapted PIA Questions

• What is the specific purpose of the component’s use of the third-party website or application?

• List any PII that is likely to become available to the component through public use of the third-party website or application

• What is the component's intended or expected use of PII?

• With whom will the component share PII?

• Describe whether and how the component will maintain PII, and for how long

• Describe how the component will secure PII that it uses or maintains

• Describe what other privacy risks exist and how the component will mitigate those risks

• Describe whether the component's activities will create or modify a "system of records" under the Privacy Act

PII Breach Media

Improving here, but it only takes one
Still #1
And complacency ...

Example PII Breaches

Secure at the conference?
In plain sight
The convenience
Laptops in luggage
Eyes on laptop

PII Breach Media

Copiers and printers are a problem
Sent to recipients "without a need to know" / unencrypted

The Cost of A PII Breach

• The most significant cost to an organization results from lost confidence and trust by our sailors, marines, government civilians and the public

– For a company that translates into customer turnover and loss of brand equity

– Impacts employee morale, ability to recruit new hires and job satisfaction

• Potential class action lawsuits and/or criminal prosecution

• Mailings, call center costs and credit monitoring

• Expenses associated with identity theft


Phishing is the process of attempting to acquire sensitive information such as usernames, passwords or financial account details by masquerading as a trustworthy entity in an electronic communication.

This is a growing activity within the DON. The messages generally ask you to click a link back to a spoofed web site. Doing so could subject you to the installation of key-logging software or viruses. They use fear to motivate you to respond: "your account has been temporarily suspended due to recent fraudulent activity, we need you to verify your account information..."

Never open emails from unknown sources or institutions soliciting:

• Passwords
• Credit card information
• ATM/Debit card number
• Social Security Number
• Bank/financial account number

If in doubt about the validity of the email, call the institution's customer service number. Notify your network administrator. For NMCI go to: https://www.homeport.navy.mil/support/articles/report-spam-phishing/
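The slide describes phishing in prose. The following is an added example, written for this page and not code from the presentation or from any DoD, DON or NMCI tool, showing how a mail filter can score the traits the slide lists: a link whose visible text names one site while the href goes elsewhere, a link host given as a bare IP address, and the fear-or-urgency wording quoted above. The phrase list, the domain names and both sample messages are constructed for the example.

```python
"""Phishing-lure heuristics for an HTML e-mail (added example, not DoD code)."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list; a production filter would be tuned from observed lures.
URGENCY_PHRASES = (
    "temporarily suspended",
    "verify your account",
    "fraudulent activity",
    "within 24 hours",
)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for .com/.mil/.gov, a real tool
    would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_html(html):
    """Return indicator strings found in one HTML body."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = urlparse(href).hostname or ""
        if IPV4_RE.fullmatch(host):
            findings.append(f"ip-literal-host:{host}")
        shown = HOST_IN_TEXT_RE.search(text.lower())
        # Visible text names one site, href points at another: the classic lure.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link-mismatch:{shown.group(1)}->{host}")
    plain = " ".join(re.sub(r"<[^>]+>", " ", html).lower().split())
    findings.extend(f"urgency:{p}" for p in URGENCY_PHRASES if p in plain)
    return findings


def analyze_message(raw):
    """Parse a raw RFC 5322 message and analyze every text/html part."""
    msg = message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            findings.extend(analyze_html(payload.decode(part.get_content_charset() or "utf-8", "replace")))
    return findings


# Constructed lure: TEST-NET-2 address, example.com domains.
SAMPLE_PHISH = """\
From: "Account Security" <alerts@bank-example-verify.net>
To: sailor@example.mil
Subject: Your account has been temporarily suspended
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your account has been temporarily suspended due to recent fraudulent
activity. We need you to verify your account information within 24 hours.</p>
<p>Click <a href="http://198.51.100.23/login">https://www.bank.example.com/</a>
to restore access.</p>
</body></html>
"""

# Constructed benign message: link text and href agree, no pressure language.
SAMPLE_LEGIT = """\
From: training@example.mil
To: sailor@example.mil
Subject: Quarterly schedule posted
Content-Type: text/html; charset="us-ascii"

<html><body><p>The quarterly training schedule is posted at
<a href="https://www.example.mil/training">www.example.mil</a>. No action is required.</p></body></html>
"""
```

Running `analyze_message(SAMPLE_PHISH)` reports the IP-literal host, the mismatch between the displayed bank URL and the real destination, and all four urgency phrases, while `SAMPLE_LEGIT` produces no findings. Any one indicator alone is weak; the combination of a mismatched link and pressure wording is what should route a message for reporting through the NMCI link above.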

Phishing

IRS Phishing Statistics

Privacy Do’s

• Encrypt all emails containing PII

• Reduce human error

• Reduce the use of SSN

• Ensure IA controls are in place on document repositories such as SharePoint

Privacy Don’ts

• Do not place PII on Internet public-facing websites or shared drives

• Do not collect PII that is not needed for business

• Do not send documents containing PII to personal email addresses (e.g., yahoo, hotmail)

• Do not download PII to personal computers, USB drives, or any removable media unless the devices are approved and encrypted
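The Do's and Don'ts above are stated as rules. The following added example, written for this page and not DoD or NMCI code, shows how an outbound-mail gateway check can enforce three of them mechanically: flag PII leaving without an S/MIME or PGP/MIME envelope, flag PII addressed to a personal webmail domain, and truncate SSNs to the last four digits as the SSN-reduction substitute. The SSN structure test follows the SSA format (area 000, 666 and 900-999, group 00 and serial 0000 are never issued). The webmail domains beyond yahoo and hotmail are assumed, and both sample messages are constructed.

```python
"""Outbound-mail PII check for the rules on this page (added example, not DoD code)."""
import re
from email import message_from_string

# The slide names yahoo and hotmail; the other two domains are assumed here.
PERSONAL_WEBMAIL = {"yahoo.com", "hotmail.com", "gmail.com", "aol.com"}

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_valid_ssn(area, group, serial):
    """Reject number-shaped strings the SSA never issues (cuts form placeholders)."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]


def mask_ssn(text):
    """Truncate each real SSN to its last four digits; leave non-SSNs alone."""
    return SSN_RE.sub(
        lambda m: "***-**-" + m.group(3) if is_valid_ssn(*m.groups()) else m.group(0), text)


def is_encrypted(msg):
    """True for an S/MIME enveloped-data or PGP/MIME encrypted top level."""
    ctype = msg.get_content_type()
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return (msg.get_param("smime-type") or "") == "enveloped-data"
    if ctype == "multipart/encrypted":
        return (msg.get_param("protocol") or "") == "application/pgp-encrypted"
    return False


def recipient_domains(msg):
    domains = set()
    for hdr in ("To", "Cc", "Bcc"):
        for value in msg.get_all(hdr, []):
            for addr in value.split(","):
                if "@" in addr:
                    domains.add(addr.rsplit("@", 1)[1].strip(" >").lower())
    return domains


def body_text(msg):
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_outbound(raw):
    """Return the list of rule violations for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    encrypted = is_encrypted(msg)
    # Ciphertext cannot be inspected; an enveloped message satisfies the encryption rule.
    ssns = [] if encrypted else find_ssns(body_text(msg))
    personal = recipient_domains(msg) & PERSONAL_WEBMAIL
    violations = []
    if ssns and not encrypted:
        violations.append("pii-unencrypted")
    if ssns:
        violations.append("ssn-in-body")  # "reduce the use of SSN": truncate instead
    if personal:
        violations.append("personal-webmail:" + ",".join(sorted(personal)))
    return violations


# Constructed: cleartext roster with a real-format SSN plus a form placeholder,
# copied to a personal webmail account.
SAMPLE_CLEARTEXT = """\
From: hr.clerk@example.mil
To: John Doe <jdoe1977@yahoo.com>, admin@example.mil
Subject: Roster
Content-Type: text/plain; charset="us-ascii"

Please update the roster: Doe, John, SSN 123-45-6789, arrives Monday.
The 000-12-3456 printed on the blank form is a placeholder, not an SSN.
"""

# Constructed: the same roster inside an S/MIME envelope (placeholder ciphertext).
SAMPLE_SMIME = """\
From: hr.clerk@example.mil
To: admin@example.mil
Subject: Roster
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

QUJDREVGR0g=
"""
```

`check_outbound(SAMPLE_CLEARTEXT)` reports all three violations; the enveloped copy to an official address passes. The placeholder `000-12-3456` is deliberately not counted, which is what keeps a check like this from drowning reviewers in false positives on blank forms.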


Be Careful Out There!!!

The Scoop Deck blog shed light on a Dec. 2009 Al-Qaeda call for their members to monitor what we say about ourselves, our units and our families online in order to gather intelligence.

"Information on every U.S. Naval unit should be quietly gathered… their ranks, what state they are from, their family situation, and where their family members live… search for the easiest ways of striking these ships… Do not underestimate the importance of any piece of information, as simple as it may seem…"

WHAT THEY WANTED: The call wasn't just about unit missions, location, troop manning, weapons, movement and route. They asked for members' names, ranks, home state, family situation and family names.

The Threat is Real

Are there any questions?