Privacy Compliance Review of the Social Media Monitoring and Situational Awareness Initiative of 2011 FULL TEXT

with 4 comments

Privacy Compliance Review of the Social Media Monitoring and Situational Awareness Initiative of 2011 FULL TEXT

Privacy Compliance Review

of the

Media Monitoring Initiative

February 7, 2011

 

Office of Operations Coordination and Planning

Department of Homeland Security

(official pdf)

I. SUMMARY

 

The Department of Homeland Security (DHS) Office of Operations Coordination and Planning (OPS), including the National Operations Center (NOC), launched the Social Networking/Media Capability (SNMC) to assist DHS and its components involved in the security, safety, and border control associated with the 2010 Winter Olympics as well as the response, recovery, and rebuilding effort resulting from the earthquake and after-effects in Haiti. This limited purpose was expanded in June to meet the operational needs of the Department. Since then, and to meet its statutory requirements,1 OPS, through SNMC analysts, monitors publicly available online forums, blogs, public websites, and message boards to collect information used in providing situational awareness and establishing a common operating picture.

 

As outlined in the Publicly Available Social Media Monitoring and Situational Awareness Initiative PIA (June 22, 2010), DHS Privacy Office (PRIV) has conducted a Privacy Compliance Review (PCR) on November 30, 2010 based on this PIA and OPS/NOC operational needs. PRIV found OPS/NOC generally in compliance and provided one recommendation for improving accountability. Based on OPS/NOC’s demonstrated compliance with the June 22, 2010 PIA, PRIV and OPS/NOC decided to further broaden the program’s capability to collect additional information, including limited instances of personally identifiable information (PII). As such, a new PIA and SORN were issued on January 7, 2011 and February 1, 2011 respectively and will be the basis for the next PCR.

 

II. SCOPE AND METHODOLOGY

 

On November 30, 2010, DHS PRIV conducted a PCR to review OPS/NOC SNMC analyst activities as they related to the June 22, 2010 PIA. The PCR was attended by OPS and NOC leadership including: Don Triner (Acting NOC Director), Mark Evetts (NOC Deputy Director), Ray Cole (Senior OPS/NOC Advisor), John Kluge (OPS/NOC Attorney/Advisor), and representatives of DHS ISO. The PCR was led by Becky Richards (Director of Privacy Compliance), Eric Leckey (Associate Director for Privacy Compliance), and Christal Hoo (Privacy Compliance Specialist).

The following methodology was developed by DHS PRIV and was the outline used for this PCR:

i. PRIV reviewed Media Monitoring Reports (MMR) starting in June 22, 2010.

ii. PRIV sent out a questionnaire to OPS/NOC in advance of the PCR with specific questions regarding the initiative and the steps taken in advance to ensure adequate privacy protections were in place.

iii. PRIV conducted a visit of the SNMC analyst site and watch desks.2

 

1 Section 515 of the Homeland Security Act (6 U.S.C. § 321d(b)(1)).

2 The SNMC analyst watch is composed of two watch analysts, one assigned to monitor social networking and the

 

iv. PRIV observed the SNMC analysts monitoring publically available websites, social networks, and blogs with the results shown and explained on screen by the SNMC analysts, who then documented findings.

v. PRIV interviewed SNMC analysts and management who use, have access to, and are responsible for accurate reporting of this data.

vi. PRIV discussed in detail the replies to the questionnaire with OPS/NOC leadership as well as posed further questions to OPS/NOC leadership and SNMC analysts and management to address all privacy concerns.

vii. PRIV was provided copies of all SNMC analyst-generated reports as well as the SNMC Analyst Handbook for further review and analysis.

 

III. FINDINGS

 

PRIV found OPS/NOC to be in compliance with the stated privacy parameters set forth in the underlying PIAs and provided the program with one recommendation to improve accountability of its analysis. OPS/NOC is working on implementing that recommendation. Further, from the November 2010 PCR and based on the experience in the summer 2010, PRIV and OPS determined that the Publicly Available Social Media Monitoring and Situational Awareness Initiative PIA (June 22, 2010) should be updated to allow for the collection and dissemination of PII in a limited number of situations in order to respond to the evolving operational needs of DHS and OPS/NOC. The following outlines the requirements of the June 22, 2010 PIA, the findings, and the updates that took effect with the newly published PIA (January 7, 2011) and SORN (February 1, 2011).

 

Collection of Information

Requirement: OPS is permitted to establish user names and passwords to form profiles, but may not: 1) actively seek personally identifiable information (PII); 2) post any information; 3) actively seek to connect with other internal/external personal users; 4) accept other internal/external personal users’ invitations to connect; or 5) interact on social media sites.

Review: With the expansion of the collection of PII in June 2010, PRIV began increased monitoring of the MMRs. Simultaneously, OPS/NOC consolidated the new media and traditional media reporting. In late August, PRIV and NOC/OPS identified a misunderstanding about the inclusion of PII for reports that were sourced from traditional media outlets.

Finding: Prior to September 1, 2010, OPS/NOC included PII in the MMR that were sourced from traditional media sources. OPS/NOC and PRIV discussed this implementation, and OPS/NOC changed its practice so that no PII was included after September 1, 2011. Additionally, OPS/NOC went back to the MMRs from June 22, 2010 to September 1, 2010 and deleted all PII inadvertently collected. PRIV finds that OPS/NOC meets privacy standards with respect to collection of SNMC information.

Use of Information

Requirement: The OPS/NOC will only monitor publicly available online forums, blogs, public websites, and message boards to collect information used in providing situational awareness and a common operating picture.

Review: PRIV reviewed the reports generated since June 22, 2010 and found that the websites listed were all publicly available and further that all use of data published via social media sites was solely to provide more accurate situational awareness, a more complete common operating picture, and more timely information for decision makers in compliance with their statutory mandate.

Finding: PRIV finds that OPS/NOC use of SNMC data is consistent with the stated purpose for the collection.

 

Retention of Information

Requirement: A retention schedule and disposal policy for this initiative must be established and approved by the OPS/NOC records officer and National Archives and Records Administration (NARA).

Review: In compliance with the first PCR, a retention schedule and disposal policy has been established and approved by the OPS/NOC records officer andNARA (NARA #: N1-563-08-23): the NOC will retain information for no more than five years.

Finding: PRIV will continue to monitor that this retention schedule is followed and that only information on the discrete category of individuals listed above is retained for the allotted time.

 

Internal and External Sharing and Disclosure

Requirement: The OPS/NOC will share MMRs with Departmental and component leadership, private sector, and international partners where necessary, appropriate, and authorized by law to ensure that critical disaster-related information reaches government decision-makers. Review: With the expansion of this monitoring initiative to meet DHS operational needs, the MMRs continue to be emailed to federal employees, contractors, and private sector and international partners who have requested and been approved to receive notifications and as

such, are on the distribution list maintained and controlled by the Director of the NOC.

Finding: PRIV finds that the sharing of information and reports generated is sufficiently limited to those who have a need to know and that privacy risks are minimal in that data is gleaned only from publicly accessible websites upon which users have voluntarily posted information.

 

Training and Accountability

Requirement: OPS/NOC must maintain a log social media monitoring Internet-based platforms and information technology infrastructure that SNMC analysts visit under this initiative.

Review: OPS/NOC sources all MMRs and maintains a log of these websites. OPS/NOC does not at this time have individual audit logs of each website an analyst visits. OPS/NOC will liaison with DHS Information Security Office staff to explore audit logging solutions that will provide this capability without adversely affecting system performance in order to ensure that MMC watch standers are not visiting inappropriate sites.

Finding: PRIV found the manual logs to be in compliance with the stated PRIV recommendations.

 

IV. BROADENING OF SCOPE

Based on OPS/NOC’s demonstrated compliance with the June 22, 2010 PIA and consistent with the statutory mission of OPS/NOC, PRIV and OPS/NOC decided to further broaden the program’s capability to collect additional information in a limited number of situations in order to respond to the evolving operational needs of DHS and OPS/NOC. PII on the following categories of individuals may be collected when it lends credibility to the report or facilitates coordination with federal, state, local, tribal, territorial, foreign, or international government partners:

i. U.S.and foreign individuals in extremis situations involving potential life or death circumstances;

ii. Senior U.S. and foreign government officials who make public statements or provide public updates;

iii.U.S.and foreign government spokespersons who make public statements or provide public updates;

iv.U.S.and foreign private sector officials and spokespersons who make public statements or provide public updates; and

v. Names of anchors, newscasters, or on-scene reporters who are known or identified as reporters in their post or article or who use traditional and /or social media in real time to keep their audience situationally aware and informed.

vi. Current or former public officials who are victims of incidents or activities related to Homeland Security

vii. Known terrorists, drug cartel leaders, or other persons known to have been involved in major crimes or terror of Homeland Security interest who are killed or found dead.

 

V. CONCLUSION AND RECOMMENDATIONS

 

PRIV finds that OPS/NOC SNMC analyst activities are in compliance with the PIA and SORN under review by this PCR. OPS/NOC should continue to train its analysts and follow the detailed handbook provided to all analysts. At the next PCR, PRIV will review the measures taken to expand auditing capabilities.

PRIV will conduct the third PCR of the Initiative and of OPS social media monitoring Internet-based platforms and information technology infrastructure in July 2011.

 

VI. PRIVACY COMPLIANCE REVIEW APPROVAL

 

Responsible Official

Chief, Current Operations Office of Operations Coordination and Planning

 

Approval Signature

Original signed and on file with the DHS Privacy Office

Chief Privacy Officer Department of Homeland Security

 

Publicly Available Social Media Monitoring and Situational Awareness Initiative of 2010 FULL TEXT

Written by sovereignthink

2012/01/13 at 11:38 am

Posted in Documents of destruction and tyranny

Tagged with american federal police internet division, dhs internet division, federal police internet division, government Media Monitoring, government Monitoring, media Awareness Initiative, Media Monitoring Initiative MMI, privacy compliance review, privacy review, Publicly Available Social Media Monitoring and Situational Awareness Initiative of 2010 FULL TEXT, Situational Awareness Initiative, Social Media Monitoring