Web 2.0 Technologies and Privacy Security Considerations

Introduction
• Our targeted users are attracted to social networking communities that foster user-driven content
• How can we leverage social networking to extend our reach and message?
• Web 2.0 brings a new set of challenges: privacy, data security, and legal issues
Source: http://www.cooltownstudios.com/images/web2.0.jpg

What is Web 2.0?
• From Wikipedia:
  – Web 2.0 is a living term describing changing trends in the use of World Wide Web technology and web design that aims to enhance creativity, information sharing, collaboration, and functionality of the web
  – Web 2.0 concepts have led to the development and evolution of web-based communities and hosted services, such as social-networking sites, video sharing sites, wikis, blogs, and folksonomies
Source: http://en.wikipedia.org/wiki/Web_2.0

What is Web 2.0?
• Community
  – Users organize themselves and work in partnership with common goals
• Active participation
  – Users move from passive role (reading) to active role (authoring)
• The Wisdom of Crowds:
  – Individual users add value
  – Aggregate data into a collective thought
  – Applications get better/smarter the more people use them

Web 2.0 By Example
Web 1.0 → Web 2.0
DoubleClick → Google AdSense
Ofoto → Flickr
Akamai → BitTorrent
Britannica Online → Wikipedia
Personal websites → Blogging
Page views → Cost per click
Screen scraping → Web services
Publishing → Participation
Systems → Wikis
Directories (taxonomy) → Tagging ("folksonomy")
Stickiness → Syndication
Domain name speculation → Search engine optimization
Source: http://www.oreillynet.com/pub/a/oreilly/tim/news/2005/09/30/what-is-web-20.html

Web 2.0 Technologies

Web 2.0 Components
Source: http://www.personalizemedia.com/web-00-to-50-spheres-of-influence/

Web 2.0 Framework
Source: http://www.rossdawsonblog.com/weblog/archives/2007/05/

Web 2.0 Technologies
• User-Generated Content (e.g. Flickr and YouTube)
• Web Content Sharing (e.g. Digg)
• Social Bookmarking (e.g. Del.icio.us)
• Blogs
• Wikis
• AJAX
• Etc.
Source: http://edtechtrek.blogspot.com/2008_03_01_archive.html

User-Generated Content
• Users upload and share personal videos (e.g. YouTube) and pictures (e.g. Flickr)
• Organize media through tagging of themes, channels, collections, sets, etc. and allow commenting
• How could we do it?
  – Enable peer-to-peer mentoring and support
  – Share tips, stories, how they overcame obstacles
  – Their lessons become sources of inspiration and motivation for others

Blogs
• Publish articles and info about any subject
• Share information and discuss topics
• An effective communication tool
• Can be updated at virtually zero cost
• Organize content with meta-data, categorizations, and labels

Wikis
• Speed and flexibility: Wiki means "fast" in Hawaiian
• Effective tool for collaborative authoring
• Allows users to create and edit pages
• Breaks away from structured hierarchies to share information
• The collective intelligence becomes a creative genius

Web 2.0 Opportunities
• Collaborate more easily:
  – Internally (employees)
  – Externally (partners and customers)
• Allow citizens to have greater input
• Enable citizens to help each other through peer-to-peer collaboration
• Create communities, which in turn create creative solutions to problems
  – Aggregate constituent wisdom: “The whole is smarter than the one”

Web 2.0 Challenges
• Web 2.0 can enhance the delivery of public services and citizens’ engagements with government
• However, a number of challenges prevent us from diving head first into Web 2.0
  – Privacy issues
  – Control of Content
  – Anonymous postings (yes or no?)
  – User Trust - can change content of others
  – Vandalism
  – Plagiarism and Copyright infringement
• Balancing our role as responsible officials:
  – To protect citizens in this online world
  – To respect the First Amendment’s protection of free speech

Web 2.0 Challenges (cont.)
• “Protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information… (consistent with)…the risk-based policy for cost-effective security established by the Computer Security Act of 1987.”
OMB Circular A-130

Privacy/Security Considerations
• Laws, mandates, policies, and processes that require agencies to protect the use of data collected from citizens
  – Privacy Act
  – System of Records
  – Information Clearance
  – E-Gov Act and FISMA
• Confidentiality, Integrity, and Availability of Information
  – OMB Circular A-130, Appendix III
… and many more …

Privacy Concerns
• A full 93% of children ages 12-17 are online!
• 55% of online teens use social networks
• 55% of teens have created an online profile
• 48% of teens visit social networking sites daily
• 22% visit several times a day
• 66% of teens with profiles say that their information is not visible to all Internet users
Sources:
Pew Internet & American Life Project, “Parent and Teenager Internet Use” (Oct. 24, 2007)
Pew Internet & American Life Project, “Teens, Privacy & Online Social Networks” (Apr. 18, 2007)
Pew Internet & American Life Project, “Teens and Online Stranger Contact” (Oct. 14, 2007)

Privacy Concerns (cont.)
• 63% of teens with profiles believe a motivated person could eventually identify them from the information they publicly provide on their profiles
• 7% of online teens say they have been contacted by a stranger – either through “friend” requests, spam email, or comments posted on a blogging or photo sharing site – who made them feel scared or uncomfortable
Sources:
Pew Internet & American Life Project, “Parent and Teenager Internet Use” (Oct. 24, 2007)
Pew Internet & American Life Project, “Teens, Privacy & Online Social Networks” (Apr. 18, 2007)
Pew Internet & American Life Project, “Teens and Online Stranger Contact” (Oct. 14, 2007)

Privacy Goals
• Guiding Policies and Processes
  – System of Record Notification (SORN) Process
  – Information Clearance (IC) Process
• Guiding Principles:
  – Don’t collect PII data unless truly necessary
  – Randomly generate IDs which can’t be mapped back to user names
  – Ensure user account information is invisible
  – Disallow lookups so strangers cannot iterate through IDs to see public information
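
The four guiding principles above can be expressed directly in a profile service. The sketch below is an added example, not part of the original slides; `ProfileStore`, its method names and the in-memory dictionaries are hypothetical stand-ins for a real application and database, and the sample login is constructed.

```python
import secrets

class ProfileStore:
    """Hypothetical in-memory profile store (stands in for a real database)."""

    def __init__(self):
        self._profiles = {}      # opaque ID -> record
        self._id_by_login = {}   # server-side index, never returned to callers

    def register(self, login, display_name):
        # Random ID from a CSPRNG: not derived from the login name and not
        # sequential, so it cannot be mapped back to a user or iterated.
        pid = secrets.token_urlsafe(16)  # 128 random bits
        # Collect only what the feature needs; no e-mail, birth date, etc.
        self._profiles[pid] = {"owner": login, "display_name": display_name,
                               "public": False}  # hidden by default
        self._id_by_login[login] = pid
        return pid

    def set_public(self, login, public):
        self._profiles[self._id_by_login[login]]["public"] = bool(public)

    def view(self, pid, viewer_login=None):
        rec = self._profiles.get(pid)
        # Unknown IDs and hidden profiles get the same answer, so probing
        # IDs does not reveal which accounts exist.
        if rec is None or not (rec["public"] or rec["owner"] == viewer_login):
            return None
        # Account information (the login name) is never part of the response.
        return {"display_name": rec["display_name"]}


def demo():
    store = ProfileStore()
    pid = store.register("constructed_login", "Sample User")  # constructed data
    hidden = store.view(pid)                 # stranger, profile still hidden
    unknown = store.view("no-such-id")       # stranger guessing an ID
    store.set_public("constructed_login", True)
    return pid, hidden, unknown, store.view(pid)
```

A production service would pair the uniform "not found" answer with rate limiting on the lookup endpoint, since the random ID space only makes guessing impractical, not impossible.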

Liability
• Liability laws addressing complex new divisions of responsibility in online relationships between government, businesses and citizens
• Is there liability for providing an application that enables stalking and other violations?
  – Need comprehensive Terms & Conditions of Use
  – Hide profile data by default
  – Easy to use privacy settings

Intellectual Property
• YouTube/Google facing legal action from Viacom for allowing copyrighted material to be uploaded to the video sharing site
• Universal initially attacked MySpace for illegal sharing of music before developing a branded virtual jukebox that users can post to their profile
• Signing off a blog post with image of your favorite cartoon character may infringe copyright laws
• Yet … copyright law has faced these challenges since the beginning of the Internet

Legislative and Policy Drivers
E-Government Act, Public Law 107-347 (Title III)
Federal Information Security Management Act of 2002 (FISMA)

FISMA Requirements
• FISMA directed that federal standards be created to address the specification of minimum security requirements for federal information and information systems by:
  – Conducting security categorization of the information and information systems based on risk levels
  – Authorizing system processing prior to operations and periodically thereafter

FISMA Requirements (cont.)
• All Federal agencies are responsible for ensuring appropriate security controls
• FISMA applies to information and information systems used by the agency, contractors, and other organizations and sources
• Requires agencies to certify their systems to operate
• Security certification is the assessment of those security controls

Security Accreditation
• Required by OMB Circular A-130, Appendix III, security accreditation provides a form of quality control
• Challenges Federal managers to implement the most effective security controls possible
• Is the official management decision given by a senior agency official to authorize operation
• The senior agency official is usually the highest level executive in each organization within the agency

Security Accreditation (cont.)
• By accrediting an information system, an agency official explicitly accepts the risk and responsibility for the security of the system
• The agency official is fully accountable for any adverse impacts to the agency if a breach of security occurs
• Thus, responsibility and accountability are core principles that characterize security accreditation

Official Information Dissemination
• All efforts to provide official government information to external stakeholders
• Includes various types of media, such as video, paper, web, etc. (NIST SP 800-60 rev2, section C.2.6.2)
• FISMA in a nutshell:
  – Categorization
  – Certification
  – Accreditation
  – Authorization

Security Categorizations
• Security Objectives:
  – Confidentiality
  – Integrity
  – Availability
• Impact levels:
  – Low
  – Moderate
  – High

Confidentiality
• Information Dissemination Type for Confidentiality:
  – The loss of confidentiality results in the unauthorized disclosure of information
• Recommended Confidentiality Impact Level for Web 2.0 Applications
  – Low

Integrity
• Information Dissemination Type for Integrity:
  – The loss of integrity results in the unauthorized modification or destruction of information (e.g., modified web pages, electronic mail, etc.)
• Recommended Integrity Impact Level for Web 2.0 Applications
  – Low

Availability
• Information Dissemination Type for Availability:
  – The loss of availability results in the disruption of access to or use of information or information system
• Recommended Availability Impact Level for Web 2.0 Applications
  – Low

Web 2.0 is NOT the Issue
• Adverse Events can affect operations and/or public confidence in a Federal agency
• Security controls can be put into place to mitigate these risks
• Examples:
  – Web filtering software for blocking malicious behaviors (e.g., scanning inbound content and inbound binary files)
  – Strip / rewrite HTML and JavaScript code
  – Lock down of browsers to disable scripting
  – Implement virtualization
  – Promote user awareness of Web-related risks
  – Create and enforce acceptable use policies

Concerns/Recommendations
• Content Control
  – Requires trusting third parties with content
  – Many uses of Web 2.0 may not make sense for agencies that interact directly with the public and wish to maintain tight control over content
• Personally Identifiable Information
  – Discuss security, legal, and privacy concerns and determine strategy and approach
  – Develop privacy & acceptable use policies/processes for the dissemination of official information type via Web 2.0
  – Plan ahead for clearance process
  – Develop policies for management of data

Concerns/Recommendations
• Interlinked Platforms
  – Difficult to remotely administer
  – Less control of security
  – May be affected by attacks aimed at other web sites or that are hosted by external provider
  – Securing public web servers in accordance with NIST Special Publication 800-44 Version 2 cannot be imposed on interlinked computing platforms not owned by the Federal government
  – Nearly impossible and/or cost prohibitive to “certify and accredit” interlinked computing platforms in accordance with FISMA

Getting Started
• Educate the organization on Web 2.0
• How can it help the organization meet fast-evolving objectives?
• Align clear priorities for online collaboration with organizational objectives
• Initiate a pilot project
• Evaluate technology strategy and compatibility

Getting Started (cont.)
• Create policies that maximize benefits of adopting Web 2.0 in organization
• Measure results by establishing key performance indicators that measure the strategy’s effectiveness
• Embrace a culture of collaboration and continually evolve how interaction happens with stakeholders inside and outside of government

Questions?

Contact Information
We appreciate your feedback and comments. We can be reached at:

Joseph Salama, ED Chief Information Security Officer
Phone: 202-245-6069
Email: Joseph.Salama@ed.gov

Sandy England, FSA Enterprise Portal Manager
Phone: 202-377-3537
Email: Sandy.England@ed.gov