When the 'cookie' crumbles
- By Ari Schwartz
- Jul 03, 2000
The OMB memo on privacy policies
In the wake of the revelation that the White House Office of Drug Control
Policy's relationship with Internet advertiser DoubleClick Inc. was causing
and Budget Director Jacob Lew has issued a memorandum enforcing stricter
The focus of the memo is the "cookie," a small file used to collect
data from people visiting a World Wide Web site. Various agencies have used
cookies without giving it a second thought — until now.
warns agencies that they will need to include a description of their privacy
practices and the steps they take to ensure compliance with the new policy
in their information technology budget submission for fiscal 2003.
Agencies or their contractors can still use the much-maligned cookie
technology only when:
* There is a compelling need to gather the data on the site.
* The agency takes appropriate and publicly disclosed privacy safeguards
for handling information derived from cookies.
* The Web site administrator has received personal approval from the
That means if the Defense Department would like to continue using cookies,
as it does at the writing of this article, they will need to get the approval
of Secretary William Cohen.
The technology can be used for benign purposes, such as counting first-time
visitors to a single site, but the prevalent tracking uses, teamed with
the lack of user controls on cookies, have made the technology's benefits
difficult to defend.
function can be done without them, so the "cookies ban" should not have
a major impact on most agency Web sites.
Although the ban has received the most attention, Lew's memo contains
a second, more important message. After years of urging from privacy advocates,
Lew has made compliance with basic fair information practices a pre-requisite
of agency budget requests. OMB has always been reluctant to couple information
policy with the budget — accenting the split between the budget and management
halves of the office.
It's unclear if privacy will count when an agency's budget is on the
line. But the mandate is the first to truly widen accountability for privacy
to agency heads.
With the General Accounting Office's study of privacy on federal Web
sites due out in October, at the request of Sen. Joseph Lieberman (D-Conn.)
and the urging of Rep. Dick Armey (R-Texas) in a letter to the White House
on the issue, the internal and external scrutiny of agency privacy practices
will increase. The best way for an agency to know if it's respecting privacy
is to conduct a privacy audit of its information systems and practices.
Because this is also the only way for OMB, Congress and the public to
really know if an agency is complying with privacy policies, no one should
be surprised if this type of audit is mandated in the near future.
—Schwartz is a policy analyst at the Center for Democracy and Technology
in Washington, D.C.