Widespread Use of Yammer Social Network at VA Ran Afoul of Agency Rules, Watchdog Says

Mark Van Scyoc/Shutterstock.com

Department CIO implicated in a probe of unapproved and insecure uses of the social network’s free version.

Updated Aug. 21 to include comment from VA

A well-meaning effort by Department of Veterans Affairs leaders to fuel productivity and cooperation through workflow tool Yammer ran afoul of department regulations and at times devolved into agency bashing and the potential for data breaches, according to an internal probe.

Steph Warren, the former VA chief information officer, endorsed a free version of Yammer in 2013, even though use of the business social network was unapproved under VA rules. He had been a registered VA Yammer user since May 2011.

In June 2013, Warren even hosted an open chat session on Yammer. He began by stating: “Before I take questions, I want to stress that I am committed to strengthening transparency as we work together to become the best and most secure IT product and service delivery organization,” according to a redacted copy of the probe that was released Thursday.

The investigation examined the department's unapproved and insecure use of Yammer, a popular collaboration forum. Anyone with an email address ending in "va.gov" could participate in the online community, including employees and contractors.

Many companies pay for an enterprise version of the service that allows tighter regulation of interoffice communications. The Obama administration has negotiated a terms of service agreement with Yammer for a service compatible with federal policies, but it is not necessarily applicable to every agency.

At VA, officials said they did not believe the advantages of administrative controls and central monitoring were worth the $30 cost per user at the time.

As of Aug. 3, about 50,000 VA email addresses were registered on Yammer, with half of those being active VA Yammer members.

Any user potentially could upload sensitive information -- a risk that became reality in at least one instance.

A member replied to another user’s post, “Please DELETE the .pdf with the IP address IMMEDIATELY! IP addresses are VA protected information and may NEVER be posted in a public place – even if only VA public. If necessary to put in an email the email should be encrypted. This is a security violation. Thank you!” The file was deleted within 24 hours.

VA guidance states that employees "should never download or share files, videos, or images to a VA computer through social networking sites," Assistant IG for Investigations Quentin Aucoin said in the probe.

Another problem with Yammer, for the government, is that users can create private "group" pages whose content managers cannot screen or regulate. Investigators were only able to examine public groups during the recent audit.

The 584 members of one public group, titled "GEEK Jokes," posted some off-color analysis and advice, including a photo article called “10 Tricks to Appear Smart in Meetings,” an illustrated photograph titled “What your style of beer says about you” and an illustration of a lunch group with text depicting this conversation: “Isn’t weed just for reggae, Like, if you want it to sound good?”

One employee, in clear violation of VA guidelines, posted a visual with screenshots detailing what he thought was a way to circumvent the department's email encryption technology.

“Figured out how to copy the [Personal Identity Verification (PIV) Public Key Infrastructure (PKI)] Certificate to windows if a card is lost or not working[;] all the email encrypted with the certificate can still be accessed without the card,” a note describing the attachment read.

Investigators tried out the instructions and found that the process actually did not work.

Some exchanges inside the social network denigrated VA culture and policies, at a time when the department is suffering backlash amid allegations of excessive patient waits and claims backlogs.

Here's the exchange highlighted by the IG:

User 1: I’m beginning to suspect the reason for a lot of VA backlogs is the constant need to create new and even more complex passwords, seemingly every five minutes.

User 2: Now VOIP phones require a 12 character password and change every 90 days. Was there a risk assessment done that determined there is a high threat of someone logging into my phone?

User 3: When in doubt let’s go to the Extremes!...The mentality is Shoot First, Aim later…

The business version of the tool can be policed to avoid such rants. An administrator can also delete users who are no longer authorized employees and moderate conversations, for example.

The investigation was based on interviews with Veterans Health Administration Technology Director William Cerniuk, contractors and other employees, as well as a review of emails, Yammer posts and federal policies, among other public documents.

“The free [version] was good enough," Cerniuk told investigators, when asked why the department didn't pay for the upgrades that would have allowed administrators greater control over the social network, according to the report.

He acknowledged the paid model provided better security. The enhanced version "would give us the ability to manage our network directly and own it as an administrator," he said, according to the report.

Cerniuk told investigators he was concerned employees might upload information to the site that included personally identifiable information or protected health information. He did his best to examine uploads, “but obviously that’s not part of my overall job. So it’s very difficult for me to take that on as a full responsibility.”

Cerniuk was one of the first three employees to register for Yammer access and said his staff began using Yammer in early 2012.

The Office of Public and Intergovernmental Affairs, the final approving authority for all VA social media sites, such as Yammer, apparently did not sign off, however.

Megan Maloney, the office's director of digital media engagement, said the office had “not approved terms of service for the use of Yammer within the VA system,” according to the report. She said that “in order for [Yammer] to be an official VA social media channel, we need to have VA negotiated terms of service. We have negotiated nearly a dozen terms of service in the last 2 years. Yammer is not one of them.”

Reacting to a draft report, VA Chief of Staff Rob Nabors said in a July 28 letter that department officials will address the issues raised by internal investigators.

Officials will determine "whether and within what parameters VA Yammer should be approved for VA use,” he said.

In addition, officials will consider appropriate administrative actions against specific VA employees who were involved in the inappropriate Yammer use, "including but not limited to administrative investigations, disciplinary actions, and/or training,” Nabors said.

It is expected the Yammer matters will be handled by Oct. 1, IG officials said.

When Nextgov asked VA officials for an update on the department's use of Yammer, officials on Thursday evening said they are still considering next steps.

"We will work diligently to address the issues their report raised," a VA spokesman said in an emailed statement. "The department is reviewing whether and within what parameters VA Yammer should be approved for VA use and explore options for clarifying the parameters of appropriate use of Web-based collaboration technologies through updated policy issuances, training, and communication strategies."

As for administrative actions against personnel, VA is also still deciding what to do. "The department is reviewing all available evidence with respect to inappropriate use of VA Yammer by specific VA employees to determine appropriate administrative actions," the statement said.

