GTC East: Web 2.0

Last week, I attended two sharply contrasting GTC East sessions focusing on New York State government use of Web 2.0 technology. (i.e., Web tools and technologies that enable end users to post content online, customize how they receive Web content, and build and sustain online communities. Examples include blogs, social networking sites such as Facebook and MySpace, and RSS feeds.) Now that I’ve had a chance to mull over these presentations, I wanted to say a few things about them.

The first session, “Security: Getting Past ‘No’ -- How to Implement 2.0 without a Security Crisis,” heavily emphasized new life that Web 2.0’s interactive nature has breathed into all manner of old Web security threats: cross-site scripting, cross-site request forgery, widget attacks, SQL injection attacks, XPATH vulnerability, cross-scripting worms, and authentication and authorization vulnerabilities.

One of the panelists (sadly, I didn’t catch his name, which doesn’t appear anywhere on the GTC East 2009 Web site or print program) works for the New York State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC). He noted that CSCIC is currently blocking third-party social networking sites pending analysis of their risks, costs, and benefits but stressed that other agencies needed to answer the following questions for themselves:

• Can your employees safely use these sites?
• Do you trust the creators of these sites to address security vulnerabilities appropriately?
• Do all of the good things that social networking offers outweigh the risks?

These are crucial questions, and I’m glad that CSCIC is helping to ensure that New York State agencies don’t unwittingly wander into security minefields, but it struck me that the overall tenor of this session -- which also featured Ken Kaminski of Cisco Systems -- might feed the sort of “I don’t understand it, so I’m going to ban it” mentality that the “Emerging Technology: Open Source” panelists identified as a recurring problem. I’m really hoping that the agency information security specialists who sat in on this session are of the “assess and manage risk” school, not the “fear and resist change” one.

The other session, “Engaging Citizens Through Web 2.0” emphasized the benefits of Web 2.0. Andrew Hoppin, the CIO of the New York State Senate, highlighted its role in making the Senate more transparent and more participatory. The Senate Web site:

• Uses a collaborative filtering process that highlights the most frequently accessed resources on the site’s home page.
• Gives individual senators and committees complete control over the content that appears on their own pages, their own RSS feeds, and the ability to link to their Facebook pages, Twitter feeds, etc.
• Allows citizens to comment on proposed legislation and upon comments left by other users of the site, which helps to ensure that popular ideas “float to the top. (staff remove hate speech, scatological language, etc., but keep moderation to a minimum, which ensures lots of public input -- check out some of the great comments concerning the Senate’s tumultuous recent past)
• Provides social bookmarks that make it easy for citizens to post items of interest to Facebook, etc.

Hoppin and his colleagues are also popularizing the use of the “@nysenate” Twitter tag so that tweets relating to the Senate can be identified more readily.

After Jim Silvia of Laserfiche discussed how enterprise content management systems can, among other things, help governments create Web 2.0 applications and meet recordkeeping and other requirements relating to all types of government information, there was a lengthy question-and-answer session that focused largely on the Senate’s enthusiastic embrace of Web 2.0. Topics included:

• Building support: The Office of the CIO had to go through a very lengthy consensus-building process governing the posting of content, and has carved out a few narrow areas in which re-use is prohibited; for example, information posted on the site cannot be used for fundraising or other political purposes. Whenever possible, the Office of the CIO “evangelizes” about new possibilities for citizen involvement.

• Coordinated citizen campaigns: comments are tracked by IP address, so a small number of people can’t game the system by posting comments repeatedly or ranking each other’s comments favorably. It is possible for large, organized groups of citizens to deluge the Senate site with comments, but citizen groups have long engaged in letter-writing campaigns, etc., and it’s easy to figure out when a coordinated effort is taking place. Moreover, all citizen input has value.

• Security (my question): The Office of the CIO has determined that third-party social networking sites support the Senate’s core mission of interacting with and soliciting input from citizens. It keeps systems housing restricted data separate from those that offer Web 2.0 capability.

• The digital divide: some citizens lack ready access to or comfort with the Web, and Hoppin and his colleagues are exploring other ways to interact with citizens (e.g., telephone).

I think I’ve seen the future of New York State government’s Web presence -- and it looks a lot like the Senate’s current presence. Sorting out all of the records issues associated with Web 2.0 is going to be a challenge, but it should be kind of fun, too.