With his usual nudge-and-wink, Matt Drudge invites us to be dismayed that “BIG SIS” — his moniker for Janet Napolitano — is “Monitoring Web Sites for Terror and Disaster Info.” Drudge links to a story saying that DHS will be monitoring social media like Twitter, as well as websites like Drudge, to keep abreast of events during the Winter Olympics. The source of the story is a twelve-page “Privacy Impact Assessment” issued by DHS.
This isn’t the first Privacy Impact Assessment (PIA) on DHS’s use of social media. A few weeks earlier, DHS wrote a similar assessment of using social media during Haitian rescue operations.
I am indeed dismayed, but not for Drudge’s reasons. True, it’s disappointing that neither the Volokh Conspiracy nor www.skatingonstilts.com is deemed worthy of government monitoring. But what’s really dismaying is that DHS and its Privacy Office felt obliged to labor over two separate and painfully obvious privacy assessments just to do things that you and I would do by simply firing up our browsers.
The Olympics PIA says in the first paragraph that DHS “is only monitoring publicly available online forums, blogs, public websites, and message boards.” Which should pretty much end the discussion. The government ought to be able to read the papers or watch TV or look at blogs just like anyone else. Or so you’d think. But no, the PIA drones on and on, offering thirty variations of “Hey, this stuff is public” as it assesses the “privacy impact” of, uh, surfing the web. And so we get painfully obvious applications of irrelevant privacy principle like this:
“7.1 What are the procedures that allow individuals to gain access to their information?
Social media are public websites. All users have access to their information through their user accounts. Individuals should consult the privacy policies of the services they subscribe to for more information.”
Did we really need the federal government to tell us that?
The biggest problem with this policy, though, isn’t the “well, duh” response it inspires. DHS apparently went into a defensive crouch about the whole program. The PIA is full of unnecessary and risky efforts to appease privacy zealots.
First, the PIAs expire quickly (the Olympics PIA expires after thirty days, Haiti after ninety), which suggests that DHS is planning on issuing a new PIA every time it wants to look at social media for a new event or disaster. The problem with that policy isn’t just that the waste of time and electrons. The policy is also likely to slow the use of social media in the first hours of an event, when they’d be most useful. For example, the PIA for Haiti social media monitoring was issued on January 21 – nine days after the earthquake struck. Tweets from the rubble were probably getting a little stale by then (though we can hope that DHS did the monitoring first and the PIA later).
Worse, DHS says it won’t collect or share any personally identifiable data (PII), even if the information is included in the tweets. It reassures us that “any PII related to the posting will be redacted.” Does that mean that a tweet saying, “Henri Rideau is buried alive under the rubble at his home, 124 Rue Cayenne” will only be distributed after someone takes the time to bowdlerize it to read, “— is buried alive under the rubble at —”?
I’m sure Henri will thank DHS for protecting his personally identifiable information.
If someone else digs him out.
The PIA also assures us that DHS won’t read posts on sites that require a user name and login. This is also a wildly overbroad “protection” for privacy. It applies even if the site is entirely open to the public, apparently, since Facebook is not listed. In fact, the last time I looked, the Washington Post required a login, too, and it too is left off the list. But maybe DHS can wait for the dead tree edition before it gets any disaster news broken by the Post.
Is there really a difference between public posts and Facebook updates that are shared with everyone on Facebook? If your mobile phone is set to send messages as Facebook updates rather than tweets, the government will never know you’re in trouble, thanks to this incoherent effort to appease the privacists.
DHS deserves some credit for actually understanding the value of social media in a crisis, but its self-inflicted limitations will either prevent imaginative use of social media or will guarantee violations when these unnecessary limits are set aside as a sensible response to some breaking crisis. And that will predictably lead to new Drudge headlines: “Developing … BIG SIS violated privacy rules hundreds of times in ‘emergency’ monitoring of Americans …”
In the long run, I guess, dumb privacy policy is its own punishment.