
Federal Trade Commission

Privacy Impact Assessment

Twitter

Updated: September 2010


1 SYSTEM OVERVIEW

The Federal Trade Commission (FTC or Commission) will use Twitter, a microblogging website
(i.e., a blog consisting of short posts or messages), to disseminate information to the public.
Currently, the FTC has plans for one specific account ("@FTCgov") created and administered by
the FTC's Office of Public Affairs (OPA).

The FTC Twitter account will allow the FTC to promote information, tips, and resources to
consumers and organizations that may not be regular visitors to the FTC website. Information
("Tweets") posted through the FTC Twitter account will either be content that already exists on
FTC.gov or other relevant information from the Bureaus of Consumer Protection, Competition,
and Economics, as well as other offices of the FTC. Tweets are limited to 140 characters.
Typical Tweets may include, but are not limited to, tips and information, as well as links to
games and quizzes, photos, and short videos. Likewise, OPA will approve the content of all FTC
Tweets, including, but not limited to, press releases, speeches, and information from the Bureaus
of Consumer Protection, Competition, and Economics, as well as other offices of the FTC.

Through the FTC Twitter account, the Commission will promote FTC resources to the public.
Twitter users who indicate that they "follow" the account will receive that information in their
Twitter "stream," which appears as a reverse timeline or compilation of Tweets on a user's
Twitter profile homepage. In turn, users may share these resources with their network of Twitter
followers (generally done so by sending out the same Tweet and giving credit to the FTC's
original Tweet, which is called a Retweet, abbreviated as RT) and others can do the same,
providing a viral marketing component to the Commission's outreach and education efforts.

The FTC Twitter profile will be public (http://twitter.com/FTCgov), so anyone can visit the
FTC's profile page and read the FTC's Tweets, even visitors who are not registered Twitter
users. In contrast, only registered users can post Tweets on Twitter.

If a registered user posts a Tweet that includes the FTC's account handle (@FTCgov), the Tweet
will appear in the user's profile and home stream as well as the home streams of all followers.
Additionally, that Tweet will show up in the "@FTCgov" stream of the FTC's account. If a user
posts a Tweet with @FTCgov at the beginning of the Tweet, it will only show up in the home
streams of users who follow both that user and @FTCgov (as well as the "@FTCgov" mentions
stream). However, all public Tweets (meaning the account is not locked or protected) are
searchable by anyone on Twitter's website. Public Tweets may also be picked up by other
search engines (e.g., Bing, Google, Yahoo!) or aggregator sites or applications outside of
Twitter. The FTC cannot delete Tweets sent by other users even if they contain @FTCgov, but
the FTC can block Tweets or other messages (see below) being received from accounts that are
deemed as harassing toward the @FTCgov account. Additionally, "spam" style Twitter accounts
can be reported and Twitter will investigate and delete the account if necessary.

Private messages between registered Twitter users are called "Direct Messages". These
messages are stored in a "Direct Message folder/page" accessible only to the registered Twitter
user. Only another registered user whom you follow can send you a direct message. OPA does
not anticipate receiving (or sending) many direct messages as we intend to follow only a select
number of other government agencies on Twitter.

While the FTC may internally review Tweets from Twitter to gauge what consumers are saying
about the FTC, the agency will not be routinely using Twitter to collect or maintain any
information about individuals. However, because users may post information about themselves
on Twitter, the use of Twitter potentially raises other privacy concerns and therefore we have
completed this PIA in an effort to ensure that we have addressed as necessary and appropriate
any of those issues, as required by Office of Management & Budget (OMB) Memorandum
M-10-23 (June 25, 2010).

2 INFORMATION COLLECTED AND STORED WITHIN THE SYSTEM

2.1 What information is to be collected, used, disseminated, or maintained by the system?

The FTC does not intend to collect, maintain, or disseminate personally identifiable information
(PII) from individuals who visit or follow the FTC Twitter account. Twitter requires that
individuals who wish to become registered users provide their first name, last name, a valid
email address, and a password, with the option to provide additional information. Even though
some of this information may be accessible to the FTC, depending on a Twitter user's privacy
settings, the FTC does not intend to collect, disseminate, or maintain any of this information.
The FTC may, however, read, review, or rely upon information that individuals make available
to the public or to the FTC on Twitter, including Tweets that may appear on the profile page(s)
created by the FTC, as authorized or required by law (e.g., if there is evidence of a law
violation). Normally, however, the FTC will be reviewing Tweets about the FTC only in an
effort to determine what kind of public attention the FTC is generating online. Any comments
that the FTC may collect or maintain as part of such review would be collected and/or
maintained without the individual Twitter handle that identifies them. The only exception to use
of Twitter handles will be from news agencies and reporters Tweeting about the FTC to be used
internally for the FTC clips.

Although the FTC does not intend to collect personally identifiable information about those who
visit or follow the FTC Twitter account, users should be aware that the United States Library of
Congress, through separate arrangement with Twitter, is maintaining an electronic archive of all
public Tweets, and intends to make them publicly available within a six-month window from the
date of the Tweet. The FTC understands that private account information (private profiles or
direct messages) are not part of the Library of Congress archive nor will links or photos
associated with those Tweets. In addition, as noted earlier, a user's public Tweets are also
accessible to the public through Twitter itself and through other, non-Governmental search
engines, aggregators, and applications.

2.2 What are the sources of the information in the system?

Twitter collects PII from individuals who register with them and who may ultimately visit or
indicate that they "follow" the FTC Twitter account. The FTC does not, however, intend to
collect, maintain, or disseminate that information.

As noted earlier, the FTC intends to use Twitter to disseminate information that is either
currently available on the FTC.gov website or other relevant information from the Bureaus of
Consumer Protection, Competition, and Economics, as well as other offices of the FTC. This is
publicly available information and includes press releases, speeches, tips and information,
quizzes, photos, and short videos. The source of this information is the FTC, and not collected
from any individual users or visitors through Twitter.

2.3 Why is the information being collected, used, disseminated, or maintained?

As noted above, the FTC does not intend to collect, disseminate, or maintain PII from individuals
who visit or follow the FTC Twitter account. The only exception to use of Twitter handles will
be from news agencies and reporters Tweeting about the FTC to be used internally for the FTC
clips.

The FTC and all registered Twitter users will be able to see the names of those individuals who
indicate that they "follow" the FTC Twitter account, as well as any other information those
individuals have decided to make available via their Twitter page. The FTC may read, review,
or rely upon information that individuals make available to the public or to the FTC on Twitter,
including comments on the pages created by the FTC, as authorized or required by law. As
explained earlier, Tweets about the FTC may be reviewed and collected internally to highlight
trends online, but, in such cases, no Twitter handles that would identify individual Twitter users
will be collected or maintained.

2.4 How is the information collected?

As noted above, the FTC does not intend to collect or maintain any PII of Twitter users that may
be available to the FTC through the site. Tweets mentioning the FTC will be monitored by
OPA's Social Media Specialist, who may copy relevant Tweets, without identifying Twitter
handles, daily to highlight trends about the FTC online. Tweets from some journalists and news
agencies may be collected and inserted into the internal "clips" report for the FTC.

2.5 How will the information be checked for accuracy and timeliness?

OPA will manage the Twitter account and ensure timeliness and accuracy before posting each
Tweet. Information that is sent out via Twitter will only be previously approved public
information as determined by OPA. Since the FTC does not intend to use Twitter to collect or
maintain any personally identifiable information about Twitter users, and the FTC has no access
to any PII about visitors to Twitter who are not registered users, the FTC has no reason or basis
to check the accuracy or timeliness of any of that information.

2.6 Is the system using technologies in ways that the FTC has not previously employed (e.g.,
monitoring software, Smart Cards, etc.)? If so, how does the use of this technology affect
individuals' privacy?

Creation of an FTC Twitter account will not require the FTC to use new technologies.
Administrators of the account will be able to access it by visiting Twitter.com using a standard
Web browser and logging in with an email address and a password.

2.7 What law or regulation permits the collection of this information?

The FTC does not intend to collect, maintain, or disseminate any PII from individuals who visit
or follow the FTC Twitter account. With respect to the information that the FTC will
disseminate through the account, or any other miscellaneous information that the FTC may
collect through Twitter as described earlier, the FTC Act authorizes the FTC to prevent unfair
and deceptive acts and practices in interstate commerce and, in furtherance of this mission, to
gather, compile, and make information available in the public interest. See 15 U.S.C. 45, 46(a),
(f).

2.8 Considering the type of information collected and sources of collection, what privacy
risks were identified and how were these risks mitigated?

The types of PII available to the FTC through Twitter are generally limited in scope (e.g., screen
name, information posted by users, no PII about visitors), so the privacy risk is similarly limited.
As noted earlier, any comments collected from Twitter will not be associated with a Twitter
handle, to avoid the maintenance by the FTC of any PII about individual Twitter users. The only
exception will be news agencies and journalists Tweeting about the FTC, in which case, using
their Twitter handles adds additional credibility to Tweets.

A separate risk is that the FTC's Twitter account could be used in an unauthorized manner to
disseminate PII improperly, even if the FTC does not collect any PII from users or visitors
through Twitter. To mitigate the risk of unauthorized dissemination, only a select number of
OPA staff will have administrative access to the account. In addition, the information
disseminated will be well-vetted before it is posted, to mitigate any risk that information,
including PII that is not appropriate for public dissemination will be posted.

There are other privacy risks that are not within the control of the FTC and that the FTC has
limited ability to mitigate. Third party advertisements for example may pose privacy risks in the
form of cookies or malware to those individuals who click on them. The FTC's terms of service
with Twitter prohibit the appearance of third party advertisements on the FTC Twitter account,
however, thus eliminating those risks. Twitter may also track and collect other information or
data about user activities, such as links clicked or viewed, which would be governed by Twitter's
privacy policy and would be outside the FTC's control.

There is also a risk that individual users will reveal PII or other sensitive information about
themselves or others in their Tweets, including those that may also appear on the FTC's stream
or other users' streams. Users may also include links that may adversely affect those who click
on them (such as links to malicious software or to websites marketing a fraudulent business
opportunity). The FTC makes every effort to mitigate this risk by posting a disclaimer in the
FTC Twitter account "bio" informing visitors to the FTC Twitter account that they are not at the
official FTC.gov website, and, where feasible, to warn about Tweets containing suspicious links

or spam Tweets that include the FTC's handle or mention the FTC, which the FTC cannot
control or prohibit. The FTC will also advise users that when they are using Twitter that
Twitter's privacy policy applies, not the FTC's. See http://twitter.com/privacy. Under Twitter's
privacy policy, any information in a user's Tweets is going to be public unless the user has made
his or her profile private.

3 USE AND ACCESS TO DATA IN THE SYSTEM

3.1 Describe how information in the system will or may be used.

The FTC does not intend to collect, use, disseminate, or maintain PII from individuals who visit
or indicate that they "follow" the FTC Twitter account.

The FTC and all registered Twitter users will be able to see the names of those individuals who
indicate that they "follow" the FTC Twitter account, as well as any other information those
individuals have decided to make available via their Twitter account. The FTC may read,
review, or rely upon information that individuals make available to the public or to the FTC on
Twitter, including comments on the account created by the FTC, as authorized or required by
law. As noted earlier, some Tweets may be collected for internal use to monitor trends online,
but will not be collected in conjunction with a Twitter handle, which could identify individuals.
The exception to the use of Twitter handles may be journalists or news agencies Tweeting about
the FTC. Likely those Tweets will link back to news stories. Those Tweets will be used as part
of the daily clips sent out by the Office of Public Affairs internally.

The FTC will use Twitter to disseminate information in furtherance of the Commission's
consumer protection and competition missions. This will be publicly available information and
include press releases, speeches, tips and information, quizzes, photos, and short videos.

3.2 Which internal entities will have access to the information?

Twitter collects PII from individuals who register with them and who may ultimately visit or
indicate that they "follow" the FTC Twitter account. The FTC does not collect, disseminate, or
maintain this information and no internal FTC entities have access to any information that is not
available to the general public through Twitter.

Staff from OPA who serve as account administrators (e.g., OPA Director, Social Media
Specialist, Public Affairs Specialists and Web Content Manager) will have access to the FTC
Twitter account. They will be able to edit content on the account, and see the names and pictures
of those individuals who have indicated they "follow" the account as well as anyone who used
the FTC's Twitter handle in their Tweets or talks about the FTC on Twitter.

3.3 Which external entities will have access to the information?

The information that the FTC makes available on the FTC Twitter account can be accessed by
anyone, whether or not they are registered Twitter users or have indicated that they "follow" the
page.

Twitter users determine what information is available about them to other Twitter users and to
the general public (i.e., external entities) in accordance with Twitter's policies and terms of use.
The FTC does not have access to any more information than any member of the public about
other Twitter users and does not control or have the ability to provide access to any user's PII.

As noted earlier, a user's public profile and Tweets may also be accessible through other public
search engines, aggregators and applications, Library of Congress archives, or other public
sources that may incorporate or compile Twitter content.

4 NOTICE AND ACCESS FOR INDIVIDUALS

4.1 How will individuals be informed about what information is collected, and how this
information is used and disclosed?

Because the FTC does not collect any PII from individuals who visit the FTC Twitter account,
individuals who seek information about how Twitter uses their PII should review Twitter's
Terms, http://twitter.com/tos, and Privacy Policy, http://twitter.com/privacy. The FTC's account
"bio" will alert users that they are not on an FTC web site, and that Twitter's privacy policies
apply.

4.2 Do individuals have the opportunity and/or right to decline to provide information?

Twitter (not the FTC) determines what information Twitter collects from an individual, and
whether there is an opportunity or right not to provide that information, in order to obtain an
account and become a registered user. By contrast, Twitter does not request or require any
personal information from an individual who simply visits Twitter and views the FTC's public
Twitter profile or Tweets (or any other public profile or Tweets), although Twitter may
automatically maintain their own administrative log data (e.g., time, date, visitors' Internet
Protocol (IP) address) about such visits, as Twitter explains in its privacy policy
(http://twitter.com/privacy), which cannot be declined.

4.3 Do individuals have the right to consent to particular uses of the information? If so, how
would an individual exercise this right?

See Section 4.2, and Twitter's privacy policy.

4.4 What are the procedures that allow individuals to gain access to their own information?

Twitter requires registered users to enter their login ID (i.e., Twitter handle or email address) and
password at the Twitter home page to gain access to their Twitter account and change or update
their account information. The FTC has no control over or involvement in that process, which is
operated and governed solely by Twitter. Twitter has no special procedures for users who wish
simply to view their own Tweets or other information that may be posted on their public profile
pages, which can be visited by anyone (whether or not registered with Twitter).

4.5 Discuss the privacy risks associated with the process of providing individuals access to
their own records and how those risks are mitigated.

Not applicable to the FTC. The privacy risks, if any, that Twitter users assume when
establishing, using and accessing their Twitter accounts are addressed in Twitter's privacy policy
and terms of service.

As noted earlier, to mitigate the risk of unauthorized access to individual accounts, Twitter
requires registered users to login using their Twitter handle or email address and a password.

5 WEB SITE PRIVACY ISSUES

5.1 Describe any tracking technology used by the website and whether the technology is
persistent or temporary (e.g., session cookie, persistent cookie, Web beacon). Currently,
persistent tracking technology is not approved for use by the FTC (see 5.2).

The FTC will not use any persistent tracking technology on its FTC Twitter account. Twitter
does use "cookie" technology to collect additional website usage data, as described in its privacy
policy, and may use both session cookies and persistent cookies in its data collection. The FTC
will post a notice on its pages to ensure that those who visit the FTC Twitter account are notified
that Twitter's privacy policy governs, including Twitter's use, if any, of persistent technology.
See http://twitter.com/privacy.

5.2 If a persistent tracking technology is used, ensure that the proper issues are addressed.

See 5.1. The FTC will not use any persistent tracking technology on its FTC Twitter account.

5.3 If personal information is collected through a website, page, or online form accessible
through the internet, is appropriate encryption used? If not, explain.

Not applicable. The FTC does not intend to collect any PII through its FTC Twitter account.
(Any questions about whether Twitter uses encryption when it collects or maintains personal
information of its users should be directed to Twitter. See also 6.4 below.)

5.4 Explain how the public will be notified of the Privacy Policy.

The FTC will provide notice to those who visit the FTC Twitter account that Twitter's privacy
policy applies to any information an individual provides. This notice will also provide a link to
the official FTC website as appropriate.

5.5 Considering any website or internet issues, please describe any privacy risks identified
and how they have been mitigated.

See 2.8. To ensure that only approved content, including any PII, is disseminated through the
FTC Twitter account, only a select group of OPA staff will have login credentials (username and
password) that allow them to access the account and make content edits.

5.6 If the website will collect personal information from children under 13, or be directed at
such children, explain how it will comply with the Children's Online Privacy Protection Act
(COPPA).

The FTC will not collect any PII, including PII of children under the age of 13, through its
Twitter account. Likewise, Twitter's terms of service and privacy policy indicate that their
service is not for children under 13.

6 SECURITY OF INFORMATION IN THE SYSTEM

6.1 Are all IT security requirements and procedures required by federal law being followed
to ensure that information is appropriately secured?

The FTC does not own or control access to Twitter. Individuals who seek information about
Twitter's security controls should review Twitter's privacy policy and/or direct their inquiries to
Twitter.

6.2 Has a Certification & Accreditation been completed for the system or systems supporting
the program?

Not applicable.

6.3 Has a risk assessment been conducted on the system?

Not applicable.

6.4 Does the project employ technology that may raise privacy concerns? If so, please
discuss its implementation.

The FTC does not own or control access to Twitter. Individuals who seek information about
how privacy concerns are addressed in the technology employed by Twitter should review
Twitter's privacy policy and/or direct their inquiries to Twitter.

6.5 What procedures are in place to determine which users may access the system and are
they documented?

The FTC does not own or control access to Twitter. The OPA Director will determine which
staff members have access to the FTC Twitter account for the purpose of disseminating
FTC information. In addition, all account administrators shall be required to sign rules of
behaviors to acknowledge their understanding of and agreement to their responsibilities for
properly using and safeguarding the FTC's account.

6.6 Describe what privacy training is provided to users either generally or specifically
relevant to the program or system.

OPA staff members with responsibility for posting information to the Twitter account will
participate in annual privacy and data security

6.7 What auditing measures and technical are in place to the misuse of
data?

See Section 6.5.

7 DATA RETENTION

7.1 For what period of time will data collected by this system be maintained?

FTC does not collect, maintain, or disseminate any PII from individuals who visit its Twitter
account. As noted previously, the FTC will, however, disseminate information that is currently
available on the FTC website via the FTC Twitter account. Twitter stores that information and it
will remain on the account until the FTC determines that it should be deleted.

Individual Twitter users have the ability to delete their individual accounts. When that happens,
Twitter's current policy is to delete any comments posted by those individuals, including those
that may have appeared on the FTC Twitter profile page stream. This is a function of Twitter
and not the FTC. Likewise, the FTC does not have any control over, or ability to delete or
remove Tweets or other content that has been captured or retransmitted by other search
aggregators, applications or other sources (e.g., Library of Congress archives).

In the rare instance where the FTC collects the PII that individuals make available to the public
through Twitter, and where FTC collects other information as described previously in this PIA
content of without Twitter handles), it will be maintained disposed in
accordance with the record retention schedules applicable to the relevant system into which the
PII or other information has been incorporated.

7.2 What are the plans for destruction or disposal of the information?

Tweets or other content on the FTC's Twitter profile page will remain publicly available until
the FTC determines to delete it, or such content is deleted by Twitter because the account of the
individual who originally posted the comment has been closed by the user. See also Section I

7.3 Describe any privacy risks identified in the data retention and disposal of the information,
and describe how these risks have been mitigated.

The FTC does not collect any PII about individuals who merely visit its Twitter account, as no
such PII is made available to the FTC through Twitter, so there is no PII to retain or destroy. In
the rare instance where FTC collects the PII that individuals make available to the public through
Twitter, FTC will retain the information in a secure manner and dispose of it in a manner that
makes it impossible to recover. The information that the FTC disseminates through Twitter is
public and there are no identifiable privacy risks associated with its retention and disposal. The
privacy risks that registered users assume if they post PII about themselves or others on Twitter,
and the retention and disposal of such information by Twitter, is addressed by Twitter's privacy
policy and terms of service, as noted earlier.

8 PRIVACY ACT

8.1 Will the data in the system be retrieved by a personal identifier?

Not applicable. The FTC does not intend to collect any PII about individuals who visit or follow
its Twitter account and, therefore, the FTC does not intend to include PII from Twitter in any
agency system that is retrieved by a personal identifier. As explained earlier, any comments
pulled from Twitter will normally not include the Twitter handle, thus disassociating users from
their remarks. The only exception will be journalists and/or news agencies Tweeting about the
FTC with links back to their news articles. In the rare instance where the FTC collects PII made
available to the FTC (and the public) through Twitter, it will be maintained in a relevant agency
system and may, depending on the system, be retrieved by a personal identifier.

8.2 Is the system covered by an existing Privacy Act System of Records notice (SORN)?

See Section 8.1. In the rare instance where the FTC collects PII through Twitter, and maintains
that PII in a system in which it is retrieved by that individual's personal identifier, it will be
covered by the applicable SORN(s). See, e.g., FTC I-1 (nonpublic investigational and other
nonpublic legal program records). See generally
(FTC Privacy Act SORNs).

9 PRIVACY POLICY

9.1 Confirm that the collection, use, and disclosure of the information in this system has been
reviewed to ensure consistency with the FTC's privacy policy.

The FTC confirms that its use of Twitter, as described above, is consistent with its privacy
policy, which is posted on the FTC's official Web site, (In
accordance with OMB Memorandum M-10-23, the FTC is making conforming changes to its
privacy policy to reflect the agency's use of Twitter and other social media, as applicable.) The
FTC will provide notice to those who visit the FTC's Twitter page that the visitor is not viewing
an official website of the Federal Trade Commission and that Twitter's privacy policy applies to
any information an individual may post or otherwise make available (e.g., through direct
message) to other users or the public, including the FTC. This notice will also provide a link to
the official FTC website.

10 Approval and Signature Page

Prepared for the Business Owners of the System by:

_________________________________ Date: __________


Cecelia Prewett
Director, Office of Public Affairs

Review:

__________________________________ Date: __________


Alexander C. Tang, Attorney
Office of the General Counsel

Date:
Marc Groman
Chief Privacy Officer

__________________________________ Date: _______________


Jeff Nakrin
Director, Records and Filings

Approved:

Date:
Margaret Mech
Chief Information Security Officer

__________________________________ Date:
Pat Bak
Chief Information Officer
