Social-media bans miss the mark

Three reasonable steps could help agencies avoid categorical bans that undermine security and collaboration

White House spokesman Robert Gibbs recently noted that Twitter is blocked on White House computers. Later, news upstart Mediaite discovered that the new media team at the Old Executive Office Building could indeed access Twitter, but others on the White House staff do not necessarily share the same privileges.

The story serves as a cautionary tale for the rules governing social-media tools for the thousands of employees who work for the federal government.

Often without explanation or transparency, different agencies and even offices within agencies have different policies about the use of social-media platforms on the Web. Even when public affairs employees are allowed to use tools such as Twitter and YouTube to communicate, they are sometimes blocked by different authorities at work. So, in a gray area, they employ workarounds with personal laptop PCs, iPhones and the like.

Such internal contradictions cannot last long. As the average workforce age decreases and lines between the professional and personal increasingly blur, employees will demand greater access to such sites. Administrators might have legitimate reasons for blocking some of those sites, but the hodgepodge of rules is often confusing, which possibly makes the overall situation worse. I propose two arguments for not blocking most social-media sites on most government computers.

First, blocking social-media sites does little for safety and security. Saying that Twitter is blocked typically means that the domain Twitter.com is rendered inaccessible from a government computer. But there are simple mechanisms for alternatively accessing the underlying software. Twitter.com can be accessed from TweetGrid.com, YouTube.com from videos.google.com and so forth. Official computers can access the same sites through different portals, or employees might turn to nearly ubiquitous personal devices such as BlackBerrys to use social media during work hours — all of which is harder to monitor.

Second, blocking sites does little for government efficiency, transparency and citizen engagement. True, when used poorly, sites such as Twitter and YouTube are a distraction and a time sink. But the same can be said about phones, e-mail and even the cafeteria. When used responsibly, social media provides real-time information about critical news, helps employees working on similar topics within the government find one another, helps people better understand how technology is influencing overseas incidents such as the Iranian election protests, and serves countless other worthwhile functions. Blanket social-media bans let information fall through the cracks rather than getting it to people who could use it.

The government should take three reasonable steps. First, government information assurance analysts need to determine what security risks various social-media Web sites pose to the government. Those sites should be assigned to categories such as "Use only on nonmilitary computers" or "Not for government system use."

Second, policies must be transparent, consistent and well-publicized throughout government — no double standards.

Third, employees and contractors must be educated about the positive and negative aspects of using social-media Web sites just as they are about other elements of cybersecurity and other government procedures.

Those three steps should counteract potentially less secure employee workarounds and go a long way toward a more open, transparent and participatory government.

Reader comments

Tue, Aug 25, 2009

This article seems to address a component of an overall policy as if it were the entire policy. I choose not to believe that policy makers would establish a complete security policy based solely on what could only be identified as a necessary component of said policy. This is analogous to stating "need-to-know" levels are not necessary since the levels can not be enforced.

Tue, Aug 25, 2009

With respect, each of the three step recommendations takes time to implement, particularly the latter. Operating under the principle of least privilege still applies to social media. Also, some of the simple mechanisms mentioned are "not so simple" when an organization uses a quality web-content filtering solution, although I agree that putting up walls still may lead to some using personal devices, it doesn't make it right. With respect to the statement of "double standards", allowing access for one group of individuals within one agency but not another may not be a double-standard. The standard should be a business need is present; if one group hasn't articulated their own business need, then it's not up to an agency's information assurance division to be mind-readers.
