Privacy and Government Contracts with Social Media Companies

• Background |
• Freedom of Information Act Request |
• The Contracts |
• News |
• Links |
• Resources

Top News

• White House Updates Privacy Policy, Maintains Anonymous Access But Also Data Retention: A revised privacy policy for the White House will go into effect on April 18, 2014. Users will continue to be able to access information posted on the White House web site anonymously, though personal information will be required for some services. The data retention practice has not changed nor has the policy for the disclosure of personal data to other entities. According to the White House privacy policy, "Information you choose to share with the White House (directly and via third party sites) may be treated as public information." The White House had previously proposed a "Plan to Protect Privacy in the Internet Age by Adopting a Consumer Privacy Bill of Rights", though the policy does not reflect this approach. In the first report ever published on online privacy, "Surfer Beware: Personal Privacy and the Internet," EPIC said web sites should "support anonymity while developing policies and practices to protect information privacy." EPIC had also urged the White House to establish Privacy Act safeguard for the use of social media services. EPIC For more information, see EPIC: Privacy and Government Contracts with Social Media Companies. (Mar. 24, 2014)
• White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites: The White House has announced a new "Clear Notice and Personal Choice" policy for the use of Web Measurement and Customization Technologies for government web sites. The policy is remarkable in that there does not appear to be any legal basis to allow federal agencies to routinely disclose personal information of citizens to private companies. The policy is accompanied by new Guidance for Agency Use of Third-Party Websites and Applications. The White House also announced a National Strategy for Trusted Identities in Cyberspace. EPIC had urged the White House to uphold Privacy Act obligations in use of web 2.0 services. For more information, see EPIC - Privacy and Government Contracts with Social Media Companies. (Jun. 28, 2010)
• EPIC Forces Disclosure of Government Contracts with Social Media Companies, Privacy Terms Missing: In response to an EPIC Freedom of Information Act Request, the Government Services Administration released several contracts between the federal government and web 2.0 companies, including agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that “no specific Web 2.0 guidance currently exists,” but provided EPIC with Training Slides that raise privacy issues. The GSA Agreement with Google actually states that, “to the extent any rules or guidelines exist prohibiting the use of persistent cookies in connection with Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google.” Some of the agreements also permit companies to track users of government web sites for advertising purposes. For more information see EPIC Social Network Privacy, EPIC Facebook, and EPIC Cloud Computing. (Aug. 12, 2009)

Background

On March 25, 2009, Federal Computer Week reported that the Government Services Administration (GSA) signed agreements with social networking and cloud computing service providers, including Flickr, YouTube, Vimeo and Blip.tv concerning federal agencies' use of Web 2.0 services. The GSA often enters into contracts on behalf of multiple federal agencies in an effort to promote efficiency in government contracting. The news report stated that a coalition of agencies have been working with private corporations to develop terms of service for federal agencies' participation in social media companies. The article cited a GSA official as stating that some of the areas of concern involved liability limits, endorsements and freedom of information. On April 10, 2009, Federal Computer Week further reported that the GSA signed an agreement with Facebook that allows federal agencies to use the social-networking website. However, the GSA official declined to provide details about the agreements. Federal Computer Week stated that the GSA negotiated the agreements because service providers were reluctant to negotiate agreements with individual agencies.

The Department of State has deployed a Facebook page with links to pictures hosted on Flickr and also provides links to other State Department web pages. In addition, the State Department Facebook page links to official government website resources concerning questions to the agency, employment opportunities, and information directed at youth.

Freedom of Information Act Request

On April 30, 2009, EPIC filed a Freedom of Information Act request with the General Services Administration requesting (1) all agreements between federal agencies and social networking services, cloud computing services, and/or vendors of other similar services; (2) all records, including memoranda and legal opinions, concerning the application of the Privacy Act of 1974 and the Freedom of Information Act to social networking services, cloud computing services, and/or other similar services, and (3) all instructions, policies and/or procedures concerning the collection, storage, transmission, and use of information about users of social networking or cloud computing services by federal agencies.

In response to EPIC's request, the GSA released several contracts between the federal government and web 2.0 companies. The documents included agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that "no specific Web 2.0 guidance currently exists," and provided EPIC with training slides from a presentation.

The Contracts

The nine agreements obtained by EPIC consistently state the Government's obligation to comply with federal law. Some of the contracts, such as those involving MySpace, SlideShare.net, Flickr, Vimeo.com, AddThis.com, Blip.tv, and BLIST explicitly note obligations to comply with privacy or freedom of information laws. Notably, the Facebook and Google/YouTube contracts do not affirmatively express the Agency's obligations to comply with these laws.

The contracts with the GSA consistently omit statements concerning Web 2.0 service providers' obligations to protect privacy. Most privacy policies state how a website processes information that it may acquire from visitors either through cookies or through submitted forms. It is intended as a disclaimer of liability and does not provide any protection in and of itself. Given the fact that the data collection practices of federal agencies and their contractors are routinely subject to the federal Privacy Act, this omission is significant.

Several of the contracts articulate specific privacy obligations that the government must undertake. In the MySpace contract, for example, the contract states that content submitted by the GSA "does not and will not infringe upon any . . . rights of privacy under the laws or regulations of any governmental, regulatory, or judicial authority." The contract with Flickr stipulates that "the content you submit does not and will not infringe upon any . . . rights of privacy under the laws or regulations of any governmental, regulatory, or judicial authority, foreign or domestic." The contract with Blist implores the GSA not to post, upload or transmit "private information of any third party, including, without limitation, addresses, phone numbers, email addresses, social security numbers and credit card numbers."

The contracts also explicitly grant some Web 2.0 companies the right to infringe on privacy rights. For example, the Blist contract states that, "to ensure the Integrity and operation of Company's business and systems, Company may access and disclose any information it considers necessary or appropriate, including, without limitation, user profile information (i.e. name, email address, etc.), IP addressing and traffic information, usage history, and posted User Content." Blip.tv's contract with the GSA notes that it "will record information about your use of the site that may include your IP address and the pages and videos you have visited. This information may be shared with other users and our patterns in an aggregate form that is designed to not be individually identifiable."

However, as EPIC has noted, de-identification of aggregate data is not always possible. Historically, identification through aggregated data has been subject to abuse. The Department of Homeland Security sought information from the US Census about Muslim Americans in the United States after 9/11. Census data was used during the Second World War to identify and then displace Japanese Americans.

Two of the Web 2.0 service provider contracts limit the use of persistent cookies. For example, AddThis explicitly agreed to not serve any cookies on domains that end with .gov or .mil. The Blip.tv contract contains a similar provision, stating that "Blip understands that you intend to place no persistent cookies in your embedded players...Blip will provide a method to disable discrete portions of software that may place persistent cookies on user's machines."

However, none of the other contracts limit the adoption of persistent identifiers that could be served on government websites through the use of Web 2.0 technologies. In fact, the Google/YouTube contract explicitly authorizes the use of persistent cookies when it states that "[p]rovider acknowledges that, except as expressly set forth in this Agreement, Google uses persistent cookies in connection with that YouTube Video Player. To the extent that any rules or guidelines exist prohibiting the use of persistent cookies in connection with the Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google" (emphasis added).

None of the other six contracts mention persistent cookies, despite the current OMB guidelines that limit the use of persistent cookies on government websites. Absent a provision to the contrary, the implication is that most sites will continue to use persistent cookies.

Two of the contracts contain provisions that imply rights of confidentiality that could be interpreted as contrary to FOIA provisions. The Facebook contract states that the "Terms of Use are considered by Facebook to be confidential information, and, to the extent permitted by law, Government Entity will maintain the same in strict confidence and not disclose the same to any third party..."

The Google/YouTube contract provides for even broader rights of confidentiality, stating that the "parties shall not disclose to any third parties Confidential Information disclosed by one party to the other under this Agreement." The GSA also "agrees that any disclosure of information pursuant to the Freedom of Information Act or other law, regulation or compulsory process requiring disclosure will not, to the extent lawfully permitted, include any Confidential Information."

The contracts permit social media companies to serve advertising on government sites under certain circumstances. Facebook, for example, "will not guarantee that it can block the display of commercial advertisements off of Government Facebook pages." The contract goes on to state that "[y]our sole remedy for Facebook's failure to implement such blocking technology shall be for you to terminate your use of pages."

Google's contract with the GSA, meanwhile, states that "Google retains the right to place advertisements on and in connection with the YouTube Video Player and Google Services...." The only exception to this is triggered when "Google determines that its use of Provider Content, or any part thereof, may create liability for Google" (emphasis added).

Although Blip.tv states that it will not use persistent cookies, it does collects data for advertising purposes through a "demographic data collection system..." Blip.tv states "through this system, which asks questions about personal preferences, Blip.tv may transmit some of your answers to its advertising partners at the time advertisements are served to you. We do this in order to deliver the most relevant advertisements possible." Nevertheless, advertising within Blip.tv is said to be "opt-in," and it "will not run advertisements in-stream or directly adjacent to user videos without the opt-in of the user who uploaded the video."

News:

• GSA Signs Agreement With Web 2.0 Providers, Federal Computer Week, March 25, 2009.
• GSA Signs Agreement With Facebook, Federal Computer Week, April 10, 2009.

Links:

• EPIC's GSA FOIA Request
• GSA's cover letter to EPIC's FOIA request
• GSA Training Slides
• GSA Amendment to Facebook Terms of Service
• GSA Amendment to SlideShare Terms of Service
• GSA Amendment to Vimeo Terms of Service
• GSA Amendment to AddThis Terms of Service
• Contract between GSA - Blip Networks, Inc.
• Contract between GSA - Blist, Inc.
• Contract between GSA - Google, Inc. (YouTube)
• Contract between GSA - Yahoo! Inc. (Flickr)
• Contract between GSA - MySpace, Inc.
• Facebook - U.S. Department of State
• EPIC - Social Network Privacy
• EPIC - Facebook Privacy
• EPIC - Cloud Computing
• EPIC - Cookies
• EPIC - Comments to the Office of Management and Budget on Revision of White House Cookie Policy
• EPIC - Privacy and Consumer Profiling

Resources

• Trail Re-identification: Learning Who You are From Where You Have Been, Malin, B., Sweeney, L. and Newton, E. Carnegie Mellon University, School of Computer Science, Data Privacy Laboratory Technical Report, LIDAP-WP12, February 2003.
• The Privacy Jungle: On the Market for Data Protection in Social Networks