Protecting government data from vendor ad scanning

I have always been a strong proponent of the cloud. The cost savings and efficiencies it brings to the federal government are significant, and we need to fully leverage these benefits. That said, we cannot continue to implement complex IT services like the cloud without fully understanding the extent to which vendors use sensitive government data – particularly for advertising purposes. 

Google’s April 30th announcement

A recent announcement by Google suggests that the company has not been entirely forthright about how it monetizes data since the launch of its Google Apps for Government suite. In a company blog post on April 30th, Google noted that it had “…permanently removed all ads scanning in Gmail for Apps for Education, which means Google cannot collect or use student data in Apps for Education services for advertising purposes.” The post went on to note that they are also “making similar changes for all our Google Apps customers, including Business, Government and for legacy users of the free version.” While this announcement is a step in the right direction for student data privacy, the reference to its business and government products raises a host of significant issues. The announcement was disappointing, and reminded me of the important role department and agency CIOs play in ensuring that government data is used appropriately and lawfully.

Questions to consider

Based on the wording of this announcement, the scanning of government data appears to have been occurring. While Google’s announcement was squarely focused on the education space, it also explicitly calls out government users, which raises questions that deserve answers regarding whether and how the company has used federal government data. With that said, the following questions should be asked by federal CIOs:

  • If government data is not being scanned for advertising purposes, then why would there be a need to turn such services off or stop the practice altogether? 
  • What will happen to the data that the company has already collected from the government? Will data continue to be monetized for advertising purposes?
  • Will the government get this data back? Who owns it, if they do not?

Call to action

The first potential solution is to activate federal Inspectors General (IGs) on this issue, as it is not sufficient to raise the issue without providing concrete solutions or increased transparency. To that end, we should strongly consider having each agency IG, under the authority of the Federal Information Security Management Act (FISMA), evaluate how cloud vendors are using government data and issue a report to the public on its findings.

In accordance with government statutes and policies, I strongly believe that agency CIOs must address their responsibilities related to information management, including records management, privacy and security, when they are looking at securing, procuring and drafting cloud contracts. This includes:

  • Clauses prohibiting unauthorized data use: Written assurances from cloud vendors that these practices will not take place are recommended. All cloud service providers must ensure that their services use data exclusively in ways that are contractually sanctioned.
  • A system to measure efficacy: A system for reporting on the efficacy of agency information security programs by augmenting existing audit and/or evaluation programs to validate the written assurances from cloud providers.

Earlier this year, I co-authored a paper outlining these recommendations at length. There are also many articles in the public domain that suggest that cloud vendors need to be more transparent with regard to how they store, use and monetize public sector data – especially vendors with roots in advertising.

The bottom line is that government entities do not typically require cloud contractors to follow any specific recommendations or guidelines, and this needs to change. Realizing the full benefits of the cloud to achieve better services at lower costs should be our goal, and ensuring that vendors are properly utilizing government data should be a critical part of the process. 

Evans has spent 28 years in the federal government and most recently was a presidential appointee as the administrator for E-Government and Information Technology at the Office of Management and Budget (OMB). She oversaw the federal IT budget of nearly $71 billion, which included implementation of IT throughout the federal government. She currently serves as national director for the US Cyber Challenge (USCC), the nationwide talent search and skills development program focused specifically on the cyber workforce.