Session # T- 7

Web 2.0 Technologies and Privacy/Security Considerations

Sandy England & Joseph Salama

Agenda

• Web 2.0 technologies• Opportunities and

Challenges• Policy/Legal/

Privacy/Security Issues– Privacy Act– E-Government Act &

FISMA• Web 2.0 Potential Issues

and Concerns• Conclusion

2

Source: http://dccblawg.blogspot.com/2007/11/legal-implications-of-web-20.html

3

Introduction

• Our targeted users are attracted to social networking communities that foster user-driven content

• How can we leverage social networking to extend our reach and message?

• Web 2.0 brings a new set of challenges - privacy, data security, and legal issues

Source: http://www.cooltownstudios.com/images/web2.0.jpg

4

What is Web 2.0?

• From Wikipedia:– Web 2.0 is a living term describing changing

trends in the use of World Wide Web technology and web design that aims to enhance creativity, information sharing, collaboration, and functionality of the web

– Web 2.0 concepts have led to the development and evolution of web-based communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies

http://en.wikipedia.org/wiki/Web_2.0

5

What is Web 2.0?

• Community– Users organize themselves and work in

partnership with common goals• Active participation

– Users move from passive role (reading) to active role (authoring)

• The Wisdom of Crowds:– Individual users add value– Aggregate data into a collective thought– Applications get better/smarter the more people

use them

6

Web 2.0 By Example

Web 1.0 DoubleClick

Ofoto Akamai

Britannica Online Personal websites

Page views Screen scraping

Publishing Systems

Directories (taxonomy) Stickiness

Domain name speculation

Web 2.0 Google AdSense Flickr BitTorrent Wikipedia Blogging Cost per click Web services Participation Wikis Tagging ("folksonomy") SyndicationSearch engine optimization

http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html

Web 2.0 Technologies

7

Web 2.0 Components

8

Source: http://www.personalizemedia.com/web-00-to-50-spheres-of-influence/

Web 2.0 Framework

9

Source: http://www.rossdawsonblog.com/weblog/archives/2007/05/

10

Web 2.0 Technologies

• User-Generated Content (e.g. FlickR and YouTube)

• Web Content Sharing (e.g. Digg)• Social Bookmarking (e.g.

Del.icio.us)• Blogs • Wikis• AJAX• Etc.

Source: http://edtechtrek.blogspot.com/2008_03_01_archive.html

User-Generated Content

• Users upload and share personal videos (e.g. YouTube) and pictures (e.g. FlickR)

• Organize media through tagging of themes, channels, collections, sets, etc. and allow commenting

• How could we do it?– Enable peer-to-peer mentoring and support– Share tips, stories, how they overcame obstacles– Their lessons become sources of inspiration and

motivation for others

11

12

Blogs

• Publish articles and info about any subject

• Share information and discuss topics

• An effective communication tool

• Can be updated at virtually zero cost

• Organize content with meta-data, categorizations, and labels

13

Wikis

• Speed and flexibility: Wiki means "fast" in Hawaiian

• Effective tool for collaborative authoring

• Allows users to create and edit pages

• Breaks away from structured hierarchies to share information

• The collective intelligence becomes a creative genius

14

Web 2.0 Opportunities

• Collaborate more easily:– Internally (employees) – Externally (partners and customers)

• Allow citizens to have greater input• Enable citizens to help each other – peer to peer

collaboration• Create communities, which in turn create creative

solutions to problems– Aggregate constituent wisdom: “The whole is

smarter than the one”

15

Web 2.0 Challenges

• Web 2.0 can enhance the delivery of public services and citizens’ engagements with government

• However, a number of challenges prevent us from diving head first into Web 2.0– Privacy issues– Control of Content– Anonymous postings (yes or no?)– User Trust - can change content of others– Vandalism– Plagiarism and Copyright infringement

• Balancing our role as responsible officials:– To protect citizens in this online world– To respect the First Amendment’s protection of free speech

16

Web 2.0 Challenges (cont.)

• “Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information… (consistent with)…the risk-based policy for cost-effective security established by the Computer Security Act of 1987.”

OMB Circular A-130

Privacy/Security Considerations

• Laws, mandates, policies, and processes that require agencies to protect the use of data collected from citizens– Privacy Act– System of Records– Information Clearance– E-Gov Act and FISMA

• Confidentiality, Integrity, and Availability of Information

– OMB Circular A-130, Appendix III… and many more …

17

Privacy Concerns

• A full 93% of children ages 12-17 are online!

• 55% of online teens use social networks

• 55% of teens have created an online profile

• 48% of teens visit social networking sites daily

• 22% visit several times a day

• 66% of teens with profiles say that their information is not visible to all Internet users

18

Pew Internet & American Life Project, “Parent and Teenager Internet Use” (Oct. 24, 2007)Pew Internet & American Life Project, “Teens, Privacy & Online Social Networks” (Apr. 18, 2007)

Pew Internet & American Life Project, “Teens and Online Stranger Contact” (Oct. 14, 2007)

Privacy Concerns (cont.)

• 63% of teens with profiles believe a motivated person could eventually identify them from the information they publicly provide on their profiles

• 7% of online teens say they have been contacted by a stranger – either through “friend” requests, spam email, or comments posted on a blogging or photo sharing site – who made them feel scared or uncomfortable

19

Pew Internet & American Life Project, “Parent and Teenager Internet Use” (Oct. 24, 2007)Pew Internet & American Life Project, “Teens, Privacy & Online Social Networks” (Apr. 18, 2007)

Pew Internet & American Life Project, “Teens and Online Stranger Contact” (Oct. 14, 2007)

Privacy Goals

• Guiding Policies and Processes– System of Record Notification (SORN) Process– Information Clearance (IC) Process

• Guiding Principles:– Don’t collect PII data unless truly necessary– Randomly generate IDs which can’t be mapped

back to user names– Ensure user account information is invisible– Disallow lookups so strangers cannot iterate

through IDs to see public information

20

Liability

• Liability laws addressing complex new divisions of responsibility in online relationships between government, businesses and citizens

• Is there liability for providing an application that enables stalking and other violations?– Need comprehensive Terms & Conditions of Use– Hide profile data by default– Easy to use privacy settings

21

Intellectual Property

• YouTube/Google facing legal action from Viacom for allowing copyrighted material to be uploaded to the video sharing site

• Universal initially attacked MySpace for illegal sharing of music before developing a branded virtual jukebox that users can post to their profile

• Signing off a blog post with image of your favorite cartoon character may infringe copyright laws

• Yet … copyright law has faced these challenges since the beginning of the Internet

22

2323

Legislative and Policy Drivers

E-Government Act, Public Law 107-347 (Title III) Federal Information Security Management Act of 2002 (FISMA)

OMB Circular A-130 (Appendix III) Management of Federal Automated Information Resources

OMB Memorandum M-06-16 Protection of Sensitive Information

24

FISMA Requirements

• FISMA directed that federal standards be created to address the specification of minimum security requirements for federal information and information systems by:– Conducting security categorization of the

information and information systems based on risk levels

– Authorization of system processing prior to operations and periodically thereafter

25

FISMA Requirements (cont.)

• All Federal agencies are responsible for ensuring appropriate security controls

• FISMA applies to information and information systems used by the agency, contractors, and other organizations and sources

• Require agencies to certify their systems to operate • Security certification is the assessment of those

security controls

26

Security Accreditation

• Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control

• Challenges Federal managers to implement the most effective security controls possible

• Is the official management decision given by a senior agency official to authorize operation

• The senior agency official is usually the highest level executive in each organization within the agency

27

Security Accreditation (cont.)

• By accrediting an information system, an agency official explicitly accepts the risk and responsibility for the security of the system

• The agency official is fully accountable for any adverse impacts to the agency if a breach of security occurs

• Thus, responsibility and accountability are core principles that characterize security accreditation

28

Official Information Dissemination

• All efforts to provide official government information to external stakeholders

• Includes various types of media, such as video, paper, web, etc. (NIST SP 800-60 rev2, section C.2.6.2)

• FISMA in a nutshell:– Categorization– Certification– Accreditation– Authorization

Security Categorizations

• Security Objectives:– Confidentiality– Integrity– Availability

• Impact levels: – Low– Moderate– High

30

Confidentiality

• Information Dissemination Type for Confidentiality:– The loss of confidentiality

results in the unauthorized disclosure of information

• Recommended Confidentiality Impact Level for Web 2.0 Applications– Low

31

Integrity

• Information Dissemination Type for Integrity:– The loss of integrity results in the

unauthorized modification or destruction of information (e.g., modified web pages, electronic mail, etc.)

• Recommended Integrity Impact Level for Web 2.0 Applications– Low

32

Availability

• Information Dissemination Type for Availability:– The loss of availability results in the

disruption of access to or use of information or information system

• Recommended Availability Impact Level for Web 2.0 Applications– Low

33

Web 2.0 is NOT the Issue

• Adverse Events can affect operations and/or public confidence in a Federal agency

• Security controls can be put into place to mitigate these risks

• Examples:―Web filtering software for blocking malicious behaviors

(e.g., scanning inbound content and inbound binary files) ―Strip / rewrite HTML and JavaScript code―Lock down of browsers to disable scripting―Implement virtualization―Promote user awareness of Web-related risks―Create and enforce acceptable use policies

34

Concerns/Recommendations

• Content Control―Requires trusting third parties with content―Many uses of Web 2.0 may not make sense for agencies

that interact directly with the public and wish to maintain tight control over content

• Personally Identifiable Information―Discuss security, legal, and privacy concerns and

determine strategy and approach―Develop privacy & acceptable use policies/processes for

the dissemination of official information type via Web 2.0―Plan ahead for clearance process―Develop policies for management of data

35

Concerns/Recommendations

• Interlinked Platforms―Difficult to remotely administer ―Less control of security ―May be affected by attacks aimed at other web sites or

that are hosted by external provider―Securing public web servers in accordance with NIST

Special Publication 800-44 Version 2 cannot be imposed on interlinked computing platforms not owned by the Federal government

―Nearly impossible and/or cost prohibitive to “certify and accredit” interlinked computing platforms in accordance with FISMA

Getting Started

• Educate the organization on Web 2.0• How it can help the organization meet fast-

evolving objectives?• Align clear priorities for online collaboration

with organizational objectives• Initiate a pilot project• Evaluate technology strategy and

compatibility

36

Source: William D. Eggers - Global Public Sector Research Director, Deloitte

Getting Started (cont.)

• Create policies that maximize benefits of adopting Web 2.0 in organization

• Measure results by establishing key performance indicators that measure the strategy’s effectiveness

• Embrace a culture of collaboration and continually evolve how interaction happens with stakeholders inside and outside of government

37

Source: William D. Eggers - Global Public Sector Research Director, Deloitte

Questions?

39

Contact Information

We appreciate your feedback and comments. We can be reached at:

Joseph Salama,ED Chief Information Security Officer Phone: 202-245-6069Email: Joseph.Salama@ed.gov

Sandy England, FSA Enterprise Portal ManagerPhone: 202-377-3537Email: Sandy.England@ed.gov