EXCLUSIVE: UN websites and social media have long-neglected security, privacy and legal issues

As it rushed headlong into the brave new world of social media, the United Nations Secretariat for years apparently kept its legal department out of the loop in signing up for services like Facebook, YouTube, Twitter and Flickr, resulting in potential leaks of delicate internal information, among other things, according to an internal auditors’ report.

Among the serious risks produced by the U.N.’s haphazard methods of using web-based media were compromised user privacy, possible copyright infringements and potential legal exposures despite U.N. legal immunities, as well as other undefined security concerns.

Many of those problems apparently still have not been fixed, and powerful portions of the U.N. bureaucracy were apparently opposed to getting the U.N.’s lawyers to help fix them.

In an unusual display of bureaucratic defiance, the U.N.’s 700-member Department of Public Information (DPI) rejected as “unrealistic” a formal recommendation from the auditors that the U.N. lawyers be involved in advance before the world body signed any more such media deals.

Details of the risky way that the U.N. rushed to join the digital universe are not spelled out in the auditors’ report, which spanned a decade of U.N. activity and was presented to top officials last October. But in some cases, at least, the breaches may have been—and still may be—sizeable.

In a number of cases, the report says, “minimum security requirements for the development of [U.N.] websites were not defined, and risk assessment, security and encryption procedures were not implemented.”

A number of U.N. websites were also apparently developed by external consultants, without proper coordination with the U.N.’s own Office of Information and Communications Technology (OICT), which reports directly to U.N. Secretary General Ban Ki-moon, and which lists “social networking and collaboration” as one of the major initiatives of its Orwellian-sounding Knowledge Management Program.

Moreover, the report says, service contracts “were not always in place” for internal U.N. sites hosted by OICT itself, as well as the U.N.’s Department of Field Support, which is the mainstay of peacekeeping operations, as well as those of the U.N.’s $180 million Department of Public Information.

The lurch of the U.N. into the world of social media and the Internet has apparently been so rapid and spontaneous—in contrast to the sluggishness for which it is otherwise notorious—that Ban’s office could not even say how many websites are operating in its New York-based Secretariat, how much money it had spent on them, or the number of staffers involved in producing them.

That is a remarkable degree of fogginess considering that the U.N.’s 2012-2013 budget is still being discussed in the U.N.’s powerful finance committee. Some 30 staffers employed in the U.N.’s central Web Services Section are only the tip of the iceberg, the U.N. spokesman indicated.

So helter-skelter has the effort been, the audit report says, that U.N. domain names don’t even follow a coherent pattern.

The importance the U.N. places on the web effort, however, is underlined on OICT’s website, where it says that “the impact that the United Nations is able to make on the world is critically dependent upon the quality of the information it collects, collates and publishes, as well as the knowledge of its staff; these variables are further dependent on new working methods that are required to support the development of innovative products and services.”

All the more reason, one might think, for the world body to be especially scrupulous about the ways that it subsequently disseminated that knowledge via the Web. Yet the data privacy concerns outlined in the auditors’ report apparently still have not been allayed.

In many cases, the U.N. apparently relied on “click-through” agreements basically similar to those endorsed by ordinary users of social media when they sign up on the web. In going over those agreements the U.N. auditors from the Office of Internal Oversight Services (OIOS) noted that they exposed the organization to “serious legal risks, e.g., by subjecting the United Nations to local law and to the jurisdiction of the local courts,” beyond the protection of normal U.N. diplomatic immunity.

They noted that “there was also no documented evidence” that lawyers had been consulted on such issues as “staff use of social media; privacy issues related to the use of Google analytics and discovery; and use of cloud computing services within the Organization.”

Copyright issues are a special mess. According to the report, the kind of “click-through” deals many U.N. departments have signed “usually provide websites with a worldwide, non-exclusive, royalty-free license to use, copy, reproduce, process, adapt, modify, transmit and display the user’s content in any and all media distribution methods known or later developed by the sites.” In other words, the U.N.’s brand is at risk.

Furthermore, “the licenses usually allow the site to collect web site usage information whether with the assistance of 'cookies' which track individual usage of the site or with the assistance of third-parties such as 'Google, Analytics,' which in turn imposes its own terms and conditions on the user.” (Questioned about the issue by Fox News, Google declined to comment.)

The auditors concluded that “it may be extremely difficult to negotiate different terms/conditions at this stage.”

That is, even if the U.N. thought it was a high enough priority to do so. In response to questions from Fox News about the audit, a spokesman for U.N. Secretary General Ban Ki-moon confirmed that a full-fledged data privacy program for U.N. social media that the auditors recommended was not included in the organization’s 2012-2013 budget, because of a “severely constrained budget environment.”

What that meant about the security of U.N. information—or the data privacy of those who access U.N. social information sites—was not clear. When asked if U.N. social media providers were able to access any of the data of site visitors, the spokesman said only that “Like any other organization, the U.N. is using those social media tools it feels are the most appropriate. We [meaning the U.N. itself] do not harvest, store or access our followers’ personal information.”

Even so, the U.N. now appears to be reversing field at least in some respects. The spokesman told Fox News that the U.N. was now “in active discussions with various social media providers to establish overall contracts with the organization that reflect the particular status of the United Nations.”

Those discussions, the spokesman said, have the “support of DPI.” Nonetheless, the spokesman’s phrasing seemed to indicate that whatever contracts were involved had not been finalized, or perhaps even drafted.

The U.N.’s claim to be hot on the trail of a solution might be taken with a grain or two of salt. The U.N. audit relates that the world organization spent at least the two previous years without addressing similar warnings about its data protection policies that were presented to top brass by the self-same auditing watchdog, in May 2009.

Yet another report issued in December, 2009, further underlined that adequate controls to protect data privacy for U.N. staffers and diplomats who used the U.N. system were also not in place.

In the May 2009 report on DPI’s role in “information dissemination through the Internet,” the current auditors relate, they recommended that the U.N.’s public information arm “develop a comprehensive and coherent web communications strategy and establish web governance architecture for the United Nations Secretariat.”

Neither recommendation is anywhere near complete. Yet another inter-departmental U.N. organization has been formed, known as the Internet Governance Group, or IGG. It has been laboring away since 2009 to develop “a web communication strategy to provide guidelines on how the Secretariat should be portrayed over the web,” but so far hasn’t come up with any such strategy, the auditors said.

And so far as the “governance structure” goes, it is “still being defined,” and isn’t expected to be finished until December 31, 2012.

George Russell is executive editor of Fox News and can be found on Twitter @GeorgeRussell
