FTC Twitter Privacy Impact Assessment

Transcript of FTC Twitter Privacy Impact Assessment

  • 8/8/2019 FTC Twitter Privacy Impact Assessment

    Federal Trade Commission

    Privacy Impact Assessment

    Twitter

    Updated: September 2010

    SYSTEM OVERVIEW

    The Federal Trade Commission (FTC or Commission) will use Twitter, a microblogging website (i.e., a blog consisting of short posts or messages), to disseminate information to the public. Currently, the FTC has plans for one specific account ("@FTCgov") created and administered by the FTC's Office of Public Affairs (OPA).

    The FTC Twitter account will allow the FTC to promote information, tips, and resources to consumers and organizations that may not be regular visitors to the FTC website. Information ("Tweets") posted through the FTC Twitter account will either be content that already exists on FTC.gov or other relevant information from the Bureaus of Consumer Protection, Competition, and Economics, as well as other offices of the FTC. Tweets are limited to 140 characters. Typical Tweets may include, but are not limited to, tips and information, as well as links to games and quizzes, photos, and short videos. Likewise, OPA will approve the content of all FTC Tweets, including, but not limited to, press releases, speeches, and information from the Bureaus of Consumer Protection, Competition, and Economics, as well as other offices of the FTC.

    Through the FTC Twitter account, the Commission will promote FTC resources to the public. Twitter users who indicate that they "follow" the account will receive that information in their Twitter "stream," which appears as a reverse timeline or compilation of Tweets on a user's Twitter profile homepage. In turn, users may share these resources with their network of Twitter followers (generally done so by sending out the same Tweet and giving credit to the FTC's original Tweet, which is called a Retweet, abbreviated as RT) and others can do the same, providing a viral marketing component to the Commission's outreach and education efforts.

    The FTC Twitter profile will be public (http://twitter.com/FTCgov), so anyone can visit the FTC's profile page and read the FTC's Tweets, even visitors who are not registered Twitter users. In contrast, only registered users can post Tweets on Twitter.

    If a registered user posts a Tweet that includes the FTC's account handle (@FTCgov), the Tweet will appear in the user's profile and home stream as well as the home streams of all followers. Additionally, that Tweet will show up in the "@FTCgov" stream of the FTC's account. If a user posts a Tweet with @FTCgov at the beginning of the Tweet, it will only show up in the home streams of users who follow both that user and @FTCgov (as well as the "@FTCgov" mentions stream). However, all public Tweets (meaning the account is not locked or protected) are searchable by anyone on Twitter's website. Public Tweets may also be picked up by other search engines (e.g., Bing, Google, Yahoo!) or aggregator sites or applications outside of Twitter. The FTC cannot delete Tweets sent by other users even if they contain @FTCgov, but the FTC can block Tweets or other messages (see below) being received from accounts that are deemed as harassing toward the @FTCgov account. Additionally, "spam" style Twitter accounts can be reported and Twitter will investigate and delete the account if necessary.

    Private messages between registered Twitter users are called "Direct Messages". These messages are stored in a "Direct Message folder/page" accessible only to the registered Twitter user. Only another registered user whom you follow can send you a direct message. OPA does not anticipate receiving (or sending) many direct messages as we intend to follow only a select number of other government agencies on Twitter.

    While the FTC may internally review Tweets from Twitter to gauge what consumers are saying about the FTC, the agency will not be routinely using Twitter to collect or maintain any information about individuals. However, because users may post information about themselves on Twitter, the use of Twitter potentially raises other privacy concerns and therefore we have completed this PIA in an effort to ensure that we have addressed as necessary and appropriate any of those issues, as required by Office of Management & Budget (OMB) Memorandum M-10-23 (June 25, 2010).

    2 INFORMATION COLLECTED AND STORED WITHIN THE SYSTEM

    2.1 What information is to be collected, used, disseminated, or maintained by the system?

    The FTC does not intend to collect, maintain, or disseminate personally identifiable information (PII) from individuals who visit or follow the FTC Twitter account. Twitter requires that individuals who wish to become registered users provide their first name, last name, a valid email address, and a password, with the option to provide additional information. Even though some of this information may be accessible to the FTC, depending on a Twitter user's privacy settings, the FTC does not intend to collect, disseminate, or maintain any of this information. The FTC may, however, read, review, or rely upon information that individuals make available to the public or to the FTC on Twitter, including Tweets that may appear on the profile page(s) created by the FTC, as authorized or required by law (e.g., if there is evidence of a law violation). Normally, however, the FTC will be reviewing Tweets about the FTC only in an effort to determine what kind of public attention the FTC is generating online. Any comments that the FTC may collect or maintain as part of such review would be collected and/or maintained without the individual Twitter handle that identifies them. The only exception to use of Twitter handles will be from news agencies and reporters Tweeting about the FTC to be used internally for the FTC clips.

    Although the FTC does not intend to collect personally identifiable information about those who visit or follow the FTC Twitter account, users should be aware that the United States Library of Congress, through separate arrangement with Twitter, is maintaining an electronic archive of all public Tweets, and intends to make them publicly available within a six-month window from the date of the Tweet. The FTC understands that private account information (private profiles or direct messages) are not part of the Library of Congress archive nor will links or photos associated with those Tweets. In addition, as noted earlier, a user's public Tweets are also accessible to the public through Twitter itself and through other, non-Governmental search engines, aggregators, and applications.

    2.2 What are the sources of the information in the system?

    Twitter collects PII from individuals who register with them and who may ultimately visit or indicate that they "follow" the FTC Twitter account. The FTC does not, however, intend to collect, maintain, or disseminate that information.

    As noted earlier, the FTC intends to use Twitter to disseminate information that is either currently available on the FTC.gov website or other relevant information from the Bureaus of Consumer Protection, Competition, and Economics, as well as other offices of the FTC. This is publicly available information and includes press releases, speeches, tips and information, quizzes, photos, and short videos. The source of this information is the FTC, and not collected from any individual users or visitors through Twitter.

    2.3 Why is the information being collected, used, disseminated, or maintained?

    As noted above, the FTC does not intend to collect, disseminate, or maintain PII from individuals who visit or follow the FTC Twitter account. The only exception to use of Twitter handles will be from news agencies and reporters Tweeting about the FTC to be used internally for the FTC clips.

    The FTC and all registered Twitter users will be able to see the names of those individuals who indicate that they "follow" the FTC Twitter account, as well as any other information those individuals have decided to make available via their Twitter page. The FTC may read, review, or rely upon information that individuals make available to the public or to the FTC on Twitter, including comments on the pages created by the FTC, as authorized or required by law. As explained earlier, Tweets about the FTC may be reviewed and collected internally to highlight trends online, but, in such cases, no Twitter handles that would identify individual Twitter users will be collected or maintained.

    2.4 How is the information collected?

    As noted above, the FTC does not intend to collect or maintain any PII of Twitter users that may be available to the FTC through the site. Tweets mentioning the FTC will be monitored by OPA's Social Media Specialist, who may copy relevant Tweets, without identifying Twitter handles, daily to highlight trends about the FTC online. Tweets from some journalists and news agencies may be collected and inserted into the internal "clips" report for the FTC.

    2.5 How will the information be checked for accuracy and timeliness?

    OPA will manage the Twitter account and ensure timeliness and accuracy before posting each Tweet. Information that is sent out via Twitter will only be previously approved public information as determined by OPA. Since the FTC does not intend to use Twitter to collect or maintain any personally identifiable information about Twitter users, and the FTC has no access to any PII about visitors to Twitter who are not registered users, the FTC has no reason or basis to check the accuracy or timeliness of any of that information.

    2.6 Is the system using technologies in ways that the FTC has not previously employed (e.g., monitoring software, Smart Cards, etc.)? If so, how does the use of this technology affect individuals' privacy?

    Creation of an FTC Twitter account will not require the FTC to use new technologies. Administrators of the account will be able to access it by visiting Twitter.com using a standard Web browser and logging in with an email address and a password.

    2.7 What law or regulation permits the collection of this information?

    The FTC does not intend to collect, maintain, or disseminate any PII from individuals who visit or follow the FTC Twitter account. With respect to the information that the FTC will disseminate through the account, or any other miscellaneous information that the FTC may collect through Twitter as described earlier, the FTC Act authorizes the FTC to prevent unfair and deceptive acts and practices in interstate commerce and, in furtherance of this mission, to gather, compile, and make information available in the public interest. See 15 U.S.C. 45, 46(a), (f).

    2.8 Considering the type of information collected and sources of collection, what privacy risks were identified and how were these risks mitigated?

    The types of PII available to the FTC through Twitter are generally limited in scope (e.g., screen name, information posted by users, no PII about visitors), so the privacy risk is similarly limited. As noted earlier, any comments collected from Twitter will not be associated with a Twitter handle, to avoid the maintenance by the FTC of any PII about individual Twitter users. The only exception will be news agencies and journalists Tweeting about the FTC, in which case, using their Twitter handles adds additional credibility to Tweets.

    A separate risk is that the FTC's Twitter account could be used in an unauthorized manner to disseminate PII improperly, even if the FTC does not collect any PII from users or visitors through Twitter. To mitigate the risk of unauthorized dissemination, only a select number of OPA staff will have administrative access to the account. In addition, the information disseminated will be well-vetted before it is posted, to mitigate any risk that information, including PII that is not appropriate for public dissemination, will be posted.

    There are other privacy risks that are not within the control of the FTC and that the FTC has limited ability to mitigate. Third party advertisements, for example, may pose privacy risks in the form of cookies or malware to those individuals who click on them. The FTC's terms of service with Twitter prohibit the appearance of third party advertisements on the FTC Twitter account, however, thus eliminating those risks. Twitter may also track and collect other information or data about user activities, such as links clicked or viewed, which would be governed by Twitter's privacy policy and would be outside the FTC's control.

    There is also a risk that individual users will reveal PII or other sensitive information about themselves or others in their Tweets, including those that may also appear on the FTC's stream or other users' streams. Users may also include links that may adversely affect those who click on them (such as links to malicious software or to websites marketing a fraudulent business opportunity). The FTC makes every effort to mitigate this risk by posting a disclaimer in the FTC Twitter account "bio" informing visitors to the FTC Twitter account that they are not at the official FTC.gov website, and, where feasible, to warn about Tweets containing suspicious links or spam Tweets that include the FTC's handle or mention the FTC, which the FTC cannot control or prohibit. The FTC will also advise users that when they are using Twitter, Twitter's privacy policy applies, not the FTC's. See http://twitter.com/privacy. Under Twitter's privacy policy, any information in a user's Tweets is going to be public unless the user has made his or her profile private.

    3 USE AND ACCESS TO DATA IN THE SYSTEM

    3.1 Describe how information in the system will or may be used.

    The FTC does not intend to collect, use, disseminate, or maintain PII from individuals who visit or indicate that they "follow" the FTC Twitter account.

    The FTC and all registered Twitter users will be able to see the names of those individuals who indicate that they "follow" the FTC Twitter account, as well as any other information those individuals have decided to make available via their Twitter account. The FTC may read, review, or rely upon information that individuals make available to the public or to the FTC on Twitter, including comments on the account created by the FTC, as authorized or required by law. As noted earlier, some Tweets may be collected for internal use to monitor trends online, but will not be collected in conjunction with a Twitter handle, which could identify individuals. The exception to the use of Twitter handles may be journalists or news agencies Tweeting about the FTC. Likely those Tweets will link back to news stories. Those Tweets will be used as part of the daily clips sent out by the Office of Public Affairs internally.

    The FTC will use Twitter to disseminate information in furtherance of the Commission's consumer protection and competition missions. This will be publicly available information and include press releases, speeches, tips and information, quizzes, photos, and short videos.

    3.2 Which internal entities will have access to the information?

    Twitter collects PII from individuals who register with them and who may ultimately visit or indicate that they "follow" the FTC Twitter account. The FTC does not collect, disseminate, or maintain this information and no internal FTC entities have access to any information that is not available to the general public through Twitter.

    Staff from OPA who serve as account administrators (e.g., OPA Director, Social Media Specialist, Public Affairs Specialists and Web Content Manager) will have access to the FTC Twitter account. They will be able to edit content on the account, and see the names and pictures of those individuals who have indicated they "follow" the account as well as anyone who used the FTC's Twitter handle in their Tweets or talks about the FTC on Twitter.

    3.3 Which external entities will have access to the information?

    The information that the FTC makes available on the FTC Twitter account can be accessed by anyone, whether or not they are registered Twitter users or have indicated that they "follow" the page.

    Twitter users determine what information is available about them to other Twitter users and to the general public (i.e., external entities) in accordance with Twitter's policies and terms of use. The FTC does not have access to any more information than any member of the public about other Twitter users and does not control or have the ability to provide access to any user's PII.

    As noted earlier, a user's public profile and Tweets may also be accessible through other public search engines, aggregators and applications, Library of Congress archives, or other public sources that may incorporate or compile Twitter content.

    4 NOTICE AND ACCESS FOR INDIVIDUALS

    4.1 How will individuals be informed about what information is collected, and how this information is used and disclosed?

    Because the FTC does not collect any PII from individuals who visit the FTC Twitter account, individuals who seek information about how Twitter uses their PII should review Twitter's Terms, http://twitter.com/tos, and Privacy Policy, http://twitter.com/privacy. The FTC's account "bio" will alert users that they are not on an FTC web site, and that Twitter's privacy policies apply.

    4.2 Do individuals have the opportunity and/or right to decline to provide information?

    Twitter (not the FTC) determines what information Twitter collects from an individual, and whether there is an opportunity or right not to provide that information, in order to obtain an account and become a registered user. By contrast, Twitter does not request or require any personal information from an individual who simply visits Twitter and views the FTC's public Twitter profile or Tweets (or any other public profile or Tweets), although Twitter may automatically maintain their own administrative log data (e.g., time, date, visitors' Internet Protocol (IP) address) about such visits, as Twitter explains in its privacy policy (http://twitter.com/privacy), which cannot be declined.

    4.3 Do individuals have the right to consent to particular uses of the information? If so, how would an individual exercise this right?

    See Section 4.2, and Twitter's privacy policy.

    4.4 What are the procedures that allow individuals to gain access to their own information?

    Twitter requires registered users to enter their login ID (i.e., Twitter handle or email address) and password at the Twitter home page to gain access to their Twitter account and change or update their account information. The FTC has no control over or involvement in that process, which is operated and governed solely by Twitter. Twitter has no special procedures for users who wish simply to view their own Tweets or other information that may be posted on their public profile pages, which can be visited by anyone (whether or not registered with Twitter).

    4.5 Discuss the privacy risks associated with the process of providing individuals access to their own records and how those risks are mitigated.

    Not applicable to the FTC. The privacy risks, if any, that Twitter users assume when establishing, using and accessing their Twitter accounts are addressed in Twitter's privacy policy and terms of service.

    As noted earlier, to mitigate the risk of unauthorized access to individual accounts, Twitter requires registered users to login using their Twitter handle or email address and a password.

    5 WEB SITE PRIVACY ISSUES

    5.1 Describe any tracking technology used by the website and whether the technology is persistent or temporary (e.g., session cookie, persistent cookie, Web beacon). Currently, persistent tracking technology is not approved for use by the FTC (see 5.2).

    The FTC will not use any persistent tracking technology on its FTC Twitter account. Twitter does use "cookie" technology to collect additional website usage data, as described in its privacy policy, and may use both session cookies and persistent cookies in its data collection. The FTC will post a notice on its pages to ensure that those who visit the FTC Twitter account are notified that Twitter's privacy policy governs, including Twitter's use, if any, of persistent technology. See http://twitter.com/privacy.

    5.2 If a persistent tracking technology is used, ensure that the proper issues are addressed.

    See 5.1. The FTC will not use any persistent tracking technology on its FTC Twitter account.

    5.3 If personal information is collected through a website, page, or online form accessible through the internet, is appropriate encryption used? If not, explain.

    Not applicable. The FTC does not intend to collect any PII through its FTC Twitter account. (Any questions about whether Twitter uses encryption when it collects or maintains personal information of its users should be directed to Twitter. See also 6.4 below.)

    5.4 Explain how the public will be notified of the Privacy Policy.

    The FTC will provide notice to those who visit the FTC Twitter account that Twitter's privacy policy applies to any information an individual provides. This notice will also provide a link to the official FTC website as appropriate.

    5.5 Considering any website or internet issues, please describe any privacy risks identified and how they have been mitigated.

    See 2.8. To ensure that only approved content, including any PII, is disseminated through the FTC Twitter account, only a select group of OPA staff will have login credentials (username and password) that allow them to access the account and make content edits.

    5.6 If the website will collect personal information from children under 13, or be directed at such children, explain how it will comply with the Children's Online Privacy Protection Act (COPPA).

    The FTC will not collect any PII, including PII of children under the age of 13, through its Twitter account. Likewise, Twitter's terms of service and privacy policy indicate that their service is not for children under 13.

    6 SECURITY OF INFORMATION IN THE SYSTEM

    6.1 Are all IT security requirements and procedures required by federal law being followed to ensure that information is appropriately secured?

    The FTC does not own or control access to Twitter. Individuals who seek information about Twitter's security controls should review Twitter's privacy policy and/or direct their inquiries to Twitter.

    6.2 Has a Certification & Accreditation been completed for the system or systems supporting the program?

    Not applicable.

    6.3 Has a risk assessment been conducted on the system?

    Not applicable.

    6.4 Does the project employ technology that may raise privacy concerns? If so, please discuss its implementation.

    The FTC does not own or control access to Twitter. Individuals who seek information about how privacy concerns are addressed in the technology employed by Twitter should review Twitter's privacy policy and/or direct their inquiries to Twitter.

    6.5 What procedures are in place to determine which users may access the system and are they documented?

    The FTC does not own or control access to Twitter. The OPA Director will determine which staff members have access to the FTC Twitter account for the purpose of disseminating FTC information. In addition, all account administrators shall be required to sign rules of behaviors to acknowledge their understanding of and agreement to their responsibilities for properly using and safeguarding the FTC's account.

    6.6 Describe what privacy training is provided to users either generally or specifically relevant to the program or system.

    OPA staff members with responsibility for posting information to the Twitter account will participate in annual privacy and data security training.

    6.7 What auditing measures and technical safeguards are in place to prevent the misuse of data?

    See Section 6.5.

    7 DATA RETENTION

    7.1 For what period of time will data collected by this system be maintained?

    The FTC does not collect, maintain, or disseminate any PII from individuals who visit its Twitter account. As noted previously, the FTC will, however, disseminate information that is currently available on the FTC website via the FTC Twitter account. Twitter stores that information and it will remain on the account until the FTC determines that it should be deleted.

    Individual Twitter users have the ability to delete their individual accounts. When that happens, Twitter's current policy is to delete any comments posted by those individuals, including those that may have appeared on the FTC Twitter profile page stream. This is a function of Twitter and not the FTC. Likewise, the FTC does not have any control over, or ability to delete or remove Tweets or other content that has been captured or retransmitted by other search aggregators, applications or other sources (e.g., Library of Congress archives).

    In the rare instance where the FTC collects the PII that individuals make available to the public through Twitter, and where FTC collects other information as described previously in this PIA (content of Tweets without Twitter handles), it will be maintained and disposed of in accordance with the record retention schedules applicable to the relevant system into which the PII or other information has been incorporated.

    What are the plans for destruction or disposal of the information?

    Tweets or other content on the FTC's Twitter profile page will remain publicly available until the FTC determines to delete it, or such content is deleted by Twitter because the account of the individual who originally posted the comment has been closed by the user. See also Section I

    Describe any privacy risks identified in the data retention and disposal of the information, and describe how these risks have been mitigated.

    The FTC does not collect any PII about individuals who merely visit its Twitter account, as no such PII is made available to the FTC through Twitter, so there is no PII to retain or destroy. In the rare instance where FTC collects the PII that individuals make available to the public through Twitter, FTC will retain the information in a secure manner and dispose of it in a manner that makes it impossible to recover. The information that the FTC disseminates through Twitter is public and there are no identifiable privacy risks associated with its retention and disposal. The privacy risks that registered users assume if they post PII about themselves or others on Twitter, and the retention and disposal of such information by Twitter, are addressed by Twitter's privacy policy and terms of service, as noted earlier.

    8 PRIVACY ACT

    8.1 Will the data in the system be retrieved by a personal identifier?

    Not applicable. The FTC does not intend to collect any PII about individuals who visit or follow its Twitter account and, therefore, the FTC does not intend to include PII from Twitter in any agency system that is retrieved by a personal identifier. As explained earlier, any comments pulled from Twitter will normally not include the Twitter handle, thus disassociating users from their remarks. The only exception will be journalists and/or news agencies Tweeting about the FTC with links back to their news articles. In the rare instance where the FTC collects PII made available to the FTC (and the public) through Twitter, it will be maintained in a relevant agency system and may, depending on the system, be retrieved by a personal identifier.

    8.2 Is the system covered by an existing Privacy Act System of Records notice (SORN)?

    See Section 8.1. In the rare instance where the FTC collects PII through Twitter, and maintains that PII in a system in which it is retrieved by that individual's personal identifier, it will be covered by the applicable SORN(s). See, e.g., FTC I-1 (nonpublic investigational and other nonpublic legal program records). See generally FTC Privacy Act SORNs.

    9 PRIVACY POLICY

    9.1 Confirm that the collection, use, and disclosure of the information in this system has been reviewed to ensure consistency with the FTC's privacy policy.

    The FTC confirms that its use of Twitter, as described above, is consistent with its privacy policy, which is posted on the FTC's official Web site. (In accordance with OMB Memorandum M-10-23, the FTC is making conforming changes to its privacy policy to reflect the agency's use of Twitter and other social media, as applicable.) The FTC will provide notice to those who visit the FTC's Twitter page that the visitor is not viewing an official website of the Federal Trade Commission and that Twitter's privacy policy applies to any information an individual may post or otherwise make available (e.g., through direct message) to other users or the public, including the FTC. This notice will also provide a link to the official FTC website.

    10 Approval and Signature Page

    Prepared for the Business Owners of the System by:

    _________________________________ Date: __________
    Cecelia Prewett
    Director, Office of Public Affairs

    Review:

    __________________________________ Date: __________
    Alexander C. Tang, Attorney
    Office of the General Counsel

    Date:
    Marc Groman
    Chief Privacy Officer

    __________________________________ Date: _______________
    Jeff Nakrin
    Director, Records and Filings

    Approved:

    Date:
    Margaret Mech
    Chief Information Security Officer

    __________________________________ Date:
    Pat Bak
    Chief Information Officer