GAO's Web 2.0 Proposals Could Stifle Digital Innovation

Agencies need to understand online social interactions beyond the number of Twitter followers or Facebook likes.

The report points out many important issues and I agree that it is immensely important that government agencies have information security and privacy protection systems in place that prevent data breaches and leakages of user information to third parties.
A new GAO report released Tuesday finds that existing laws and regulations don't adequately reflect privacy needs in the changing technology landscape. The report highlights specifically that agencies using Web 2.0 and data mining tools need to find ways to protect private information. The key findings address:
  • Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act’s protections only apply to personal information when it is considered part of a “system of records” as defined by the act. However, agencies routinely access such information in ways that may not fall under this definition.
  • Ensuring that use of personally identifiable information is limited to a stated purpose. Current law and guidance impose only modest requirements for describing the purposes for collecting personal information and how it will be used. This could allow for unnecessarily broad ranges of uses of the information.
  • Establishing effective mechanisms for informing the public about privacy protections. Agencies are required to provide notices in the Federal Register of information collected, categories of individuals about whom information is collected, and the intended use of the information, among other things. However, concerns have been raised whether this is an effective mechanism for informing the public.
Agencies using Web 2.0 and data mining tools are instructed to take the following steps:
  • Assess the privacy implications of a planned information system or data collection prior to implementation;
  • Ensure the implementation of a robust information security program; and
  • Limit the collection of personal information, the time it is retained, and who has access to it, as well as implementing encryption.

Nevertheless, the implications of the report’s requests for the use of Web 2.0 applications and especially innovative data mining tools reach beyond privacy protection issues and might have unintended consequences. Many of the social media directors I talked to in the past two years have reported an important challenge in their use of social media tools: Measuring and analyzing the impact of their social media interactions.
So far very few agencies actively measure and analyze their online interactions. This is mainly due to the previously existing cookie policy, resulting in learned routines to not capture user data, and the existing survey restrictions that require agencies to go through a lengthy approval process before they can ask citizens for feedback.
While I am very much in favor of protecting personal information, such as health data or personal browser histories outside of government websites, I see a lot of value in developing appropriate measures and routines to capture digital interactions.

Government needs to be able to understand online social interactions beyond the pure quantitative numbers of followers on Twitter or likes on Facebook – which are most of the time publicly observable. Instead, I believe agencies should have routines in place to understand how issues related to their mission are publicly discussed, how information is snowballing through online social networks, and ultimately be able to draw conclusions about their impact.
Again, the report has important implications for agencies for reviewing their privacy policies and implementation of these policies. However, I hope that it won’t restrict innovation in social media analytics and won’t prevent agencies from understanding how well they are doing online and to what extent their digital interactions are fulfilling the agency’s mission.
A list of existing rules and regulations relevant to the use of Web 2.0 technologies in the U.S. federal government is available on and on my blog.