Focusing public attention on emerging privacy and civil liberties issues

Privacy and Government Contracts with Social Media Companies

Top News

Background

On March 25, 2009, Federal Computer Week reported that the Government Services Administration (GSA) signed agreements with social networking and cloud computing service providers, including Flickr, YouTube, Vimeo and Blip.tv concerning federal agencies' use of Web 2.0 services. The GSA often enters into contracts on behalf of multiple federal agencies in an effort to promote efficiency in government contracting. The news report stated that a coalition of agencies have been working with private corporations to develop terms of service for federal agencies' participation in social media companies. The article cited a GSA official as stating that some of the areas of concern involved liability limits, endorsements and freedom of information. On April 10, 2009, Federal Computer Week further reported that the GSA signed an agreement with Facebook that allows federal agencies to use the social-networking website. However, the GSA official declined to provide details about the agreements. Federal Computer Week stated that the GSA negotiated the agreements because service providers were reluctant to negotiate agreements with individual agencies.

The Department of State has deployed a Facebook page with links to pictures hosted on Flickr and also provides links to other State Department web pages. In addition, the State Department Facebook page links to official government website resources concerning questions to the agency, employment opportunities, and information directed at youth.

Freedom of Information Act Request

On April 30, 2009, EPIC filed a Freedom of Information Act request with the General Services Administration requesting (1) all agreements between federal agencies and social networking services, cloud computing services, and/or vendors of other similar services; (2) all records, including memoranda and legal opinions, concerning the application of the Privacy Act of 1974 and the Freedom of Information Act to social networking services, cloud computing services, and/or other similar services, and (3) all instructions, policies and/or procedures concerning the collection, storage, transmission, and use of information about users of social networking or cloud computing services by federal agencies.

In response to EPIC's request, the GSA released several contracts between the federal government and web 2.0 companies. The documents included agreements with Blip.tv, Blist, Google (YouTube), Yahoo (Flickr), and MySpace. EPIC also obtained amendments to agreements with Facebook, Slideshare.net, Vimeo.com, and AddThis.com. The contracts do not address the privacy obligations of social media companies. The GSA letter to EPIC explained that "no specific Web 2.0 guidance currently exists," and provided EPIC with training slides from a presentation.

The Contracts

The nine agreements obtained by EPIC consistently state the Government's obligation to comply with federal law. Some of the contracts, such as those involving MySpace, SlideShare.net, Flickr, Vimeo.com, AddThis.com, Blip.tv, and BLIST explicitly note obligations to comply with privacy or freedom of information laws. Notably, the Facebook and Google/YouTube contracts do not affirmatively express the Agency's obligations to comply with these laws.

The contracts with the GSA consistently omit statements concerning Web 2.0 service providers' obligations to protect privacy. Most privacy policies state how a website processes information that it may acquire from visitors either through cookies or through submitted forms. It is intended as a disclaimer of liability and does not provide any protection in and of itself. Given the fact that the data collection practices of federal agencies and their contractors are routinely subject to the federal Privacy Act, this omission is significant.

Several of the contracts articulate specific privacy obligations that the government must undertake. In the MySpace contract, for example, the contract states that content submitted by the GSA "does not and will not infringe upon any . . . rights of privacy under the laws or regulations of any governmental, regulatory, or judicial authority." The contract with Flickr stipulates that "the content you submit does not and will not infringe upon any . . . rights of privacy under the laws or regulations of any governmental, regulatory, or judicial authority, foreign or domestic." The contract with Blist implores the GSA not to post, upload or transmit "private information of any third party, including, without limitation, addresses, phone numbers, email addresses, social security numbers and credit card numbers."

The contracts also explicitly grant some Web 2.0 companies the right to infringe on privacy rights. For example, the Blist contract states that, "to ensure the Integrity and operation of Company's business and systems, Company may access and disclose any information it considers necessary or appropriate, including, without limitation, user profile information (i.e. name, email address, etc.), IP addressing and traffic information, usage history, and posted User Content." Blip.tv's contract with the GSA notes that it "will record information about your use of the site that may include your IP address and the pages and videos you have visited. This information may be shared with other users and our patterns in an aggregate form that is designed to not be individually identifiable."

However, as EPIC has noted, de-identification of aggregate data is not always possible. Historically, identification through aggregated data has been subject to abuse. The Department of Homeland Security sought information from the US Census about Muslim Americans in the United States after 9/11. Census data was used during the Second World War to identify and then displace Japanese Americans.

Two of the Web 2.0 service provider contracts limit the use of persistent cookies. For example, AddThis explicitly agreed to not serve any cookies on domains that end with .gov or .mil. The Blip.tv contract contains a similar provision, stating that "Blip understands that you intend to place no persistent cookies in your embedded players...Blip will provide a method to disable discrete portions of software that may place persistent cookies on user's machines."

However, none of the other contracts limit the adoption of persistent identifiers that could be served on government websites through the use of Web 2.0 technologies. In fact, the Google/YouTube contract explicitly authorizes the use of persistent cookies when it states that "[p]rovider acknowledges that, except as expressly set forth in this Agreement, Google uses persistent cookies in connection with that YouTube Video Player. To the extent that any rules or guidelines exist prohibiting the use of persistent cookies in connection with the Provider Content applies to Google, Provider expressly waives those rules or guidelines as they may apply to Google" (emphasis added).

None of the other six contracts mention persistent cookies, despite the current OMB guidelines that limit the use of persistent cookies on government websites. Absent a provision to the contrary, the implication is that most sites will continue to use persistent cookies.

Two of the contracts contain provisions that imply rights of confidentiality that could be interpreted as contrary to FOIA provisions. The Facebook contract states that the "Terms of Use are considered by Facebook to be confidential information, and, to the extent permitted by law, Government Entity will maintain the same in strict confidence and not disclose the same to any third party..."

The Google/YouTube contract provides for even broader rights of confidentiality, stating that the "parties shall not disclose to any third parties Confidential Information disclosed by one party to the other under this Agreement." The GSA also "agrees that any disclosure of information pursuant to the Freedom of Information Act or other law, regulation or compulsory process requiring disclosure will not, to the extent lawfully permitted, include any Confidential Information."

The contracts permit social media companies to serve advertising on government sites under certain circumstances. Facebook, for example, "will not guarantee that it can block the display of commercial advertisements off of Government Facebook pages." The contract goes on to state that "[y]our sole remedy for Facebook's failure to implement such blocking technology shall be for you to terminate your use of pages."

Google's contract with the GSA, meanwhile, states that "Google retains the right to place advertisements on and in connection with the YouTube Video Player and Google Services...." The only exception to this is triggered when "Google determines that its use of Provider Content, or any part thereof, may create liability for Google" (emphasis added).

Although Blip.tv states that it will not use persistent cookies, it does collects data for advertising purposes through a "demographic data collection system..." Blip.tv states "through this system, which asks questions about personal preferences, Blip.tv may transmit some of your answers to its advertising partners at the time advertisements are served to you. We do this in order to deliver the most relevant advertisements possible." Nevertheless, advertising within Blip.tv is said to be "opt-in," and it "will not run advertisements in-stream or directly adjacent to user videos without the opt-in of the user who uploaded the video."

News:

Links:

Resources