GAO: Web privacy guidelines not clear

The failure of Office of Management and Budget officials to spell out privacy guidelines in clear and concise terms has created continued privacy concerns about agency Web sites, according to a new report by the General Accounting Office.

The report focuses on the use of "cookies," which are small pieces of software stored on users' computers when they visit a Web site. OMB officials have given agencies do's and don'ts for cookies, but the guidelines are spread across several memoranda, as well as in a letter to the federal CIO Council that is not included on the OMB Web site, GAO found.

The guidance also has a confusing gap, according to GAO.

OMB officials told agencies they must meet certain terms if they want to use "persistent" cookies, which remain on end-user computers after visitors leave the Web site, and that they must disclose any such use to Web visitors. But officials did not say whether agencies must disclose the use of "session" cookies, which disappear once visitors leave a site.

OMB told GAO that session cookies do not present a privacy concern, and therefore, no disclosure is required. But by following this position, agencies could state they are not using cookies while continuing to use session cookies.

This could "confuse and mislead" visitors to federal Web sites that have set their browser to detect cookies, and "could raise questions about the practices of the Web site that would not be resolved by viewing the privacy policy," GAO wrote.

GAO conducted a review of the use of cookies on 65 agency Web sites between November 2000 and January 2001. GAO found that eight federal sites used persistent cookies. Four agencies did so without disclosing it in a privacy policy, as required by OMB, and two of those were using persistent cookies from third-party sites.

The other four did disclose the use of cookies but did not meet OMB's other conditions, including having a compelling need for the data and having personal approval from the head of the agency.

All four using cookies without disclosure have since removed the cookies from their sites, according to GAO. Two of the others have also removed their cookies, while the final two are going through the process to meet the OMB conditions.

GAO conducted the review following a request from Sen. Fred Thompson (R-Tenn.), chairman of the Senate Governmental Affairs Committee, because of privacy concerns raised last year when it was discovered how many agencies were using persistent cookies.

OMB officials provided no written comment to GAO on the report.
