The GAO Report on “Challenges in Use of Web 2.0 Technologies” (GAO-10-872T) of July 22, 2010 defines social media as inclusive of Web logs (known as “blogs); social-networking sites (such as Facebook and Twitter; video-sharing Web sites (such as YouTube; “wikis,” which allow individual users to directly collaborate; “podcasting,” which allows users to download audio content; and “mashups,” which are Web sites that combine content from multiple sources. GAO based its findings on reviews of the Department of Homeland Security (DHS), General Services Administration (GSA), and National Archives and Records Administration (NARA) but not from an examination of DoD requirements.
DoD personnel using social media face persistent threats targeting to messages received as well as sent. Under the Federal Information Security Management Act (644 USC 3544(a)(1)) DoD is responsible for the security of all information collected or maintained, which includes social media. When the *@mil.gov or a message from NIPRNET identifies someone on a social media site as a DoD employee or contractor they may be providing information that may be exploited in a cyber attacks. Therefore, OSD policy must provide guidance how to safeguard social media communications.
Privacy Act Issues
The Privacy Act of 1974 applies to the control of the collection, use and disclosure of personal information. The GAO makes it clear that the Privacy Act applies to social media using systems owned and operated by the government. Government personnel have no privacy in such cases, though their information is protected.
If government personnel uses a third party service (such as Facebook or Twitter) over which there is no government control, the Privacy Act does not apply. However, a government Agency must be able to make a “… determination what information to collect…” about information that is exchanged in this way and what rules apply to the disclosure of personal information.
Records Management Issues
Does the information exchanged through social media technologies constitute federal records pursuant to the Federal Records Act (44 U.S.C.§ 3301)? In the case of content created with interactive software on sites owned by government all transactions constitute Agency records and managed accordingly. When social media transactions take place through third party services the recording and retention of such records is ambiguous and is subject to Agency interpretation whether any information is at risk. In the case of DoD the most likely answer is that all NIPRNET communications trough sites not controlled by the government would have to be labeled as DoD records.
Freedom of Information Issues
The GAO has been unable to address the question whether social media communications are open to FOIA requests. Whether social media transactions qualify as DoD records is determined whether DoD controls these exchanges. This is a matter determined by the courts, though the key criteria are whether DoD has relinquished control or not.
The GAO report has raised four issues that affect the policies how to deal with social media in DoD. Though security, privacy, records and FOIA are addressed in an inconsistent manner the security issue overrides all. National security interests must be placed ahead of other considerations.
From the standpoint of DoD the use of social media qualifies as DoD business whenever conveyed over the NIPRNET through the public Internet.