A law in need of a new look
- By Ari Schwartz
- Oct 29, 2000
The revelation that the federal Office of Drug Control Policy was using
profiling cookies to collect data on visitors to its Web site was just one
of several recent incidents that have raised concerns about how the government
collects personal information online.
The Clinton administration has responded with new guidance on Web site
privacy policies and a ban on certain uses of cookies on agency Web sites.
Yet reactive steps like those do not add up to the comprehensive, proactive
protection promised under the Privacy Act of 1974. A growing body of research,
augmented by two new General Accounting Office reports, shows that it is
time to strengthen this important statute for the Internet Age.
The new GAO reports show that agencies are paying greater attention
to privacy and following existing law and administration policy. But those
findings offer little ground for complacency.
The first report — requested by Sen. Joseph Lieberman (D-Conn.) in November
1999 — came out Sept. 6. It found that almost all of the major federal Web
sites post privacy notices. This is a major improvement from previous studies,
which showed that less than half had policies. However, the new study also
noted that many agencies are not posting policies on pages that collect
personal information. This may violate existing law.
The second report, requested by Reps. Dick Armey (R-Texas) and Billy
Tauzin (R-La.) this summer, found that only 3 percent of government Web
sites satisfy all the principles of notice, choice, security and access
that the Federal Trade Commission believes should be met by commercial sites.
The administration said this was an unfair test because the FTC rules
were not meant to apply to the public sector. To some extent this is true;
government practices must differ from the private sector, and this should
have been better reflected in the report. Yet the guidelines by the Organization
for Economic Cooperation and Development on data privacy, which the United
States has endorsed, include the same four basic concepts and are intended
for both the private and public sectors.
To answer those concerns, GAO correctly recommends that agencies receive
better guidance. The Office of Management and Budget's Privacy Act guidance
was written in 1975 and has never received a systematic update. However,
Congress should also address some of the major structural flaws in the Privacy
* As early as 1977, a congressional commission found that the act's
central definition — "systems of records" — was outdated. Particularly on
the Internet, where multiple databases can be linked, searched, copied and
reconfigured, the concept simply does not work.
* Privacy advocates and policy-makers have long complained that the
"routine use" exemption is being used in ways going far beyond its original
intent and needs redefining.
* Congress should address the privacy implications of public records
that go online. The tension between privacy and the public's right to know
has been strained as government records move from practically obscure paper
files to searchable online databases. The pending inquiry into online posting
of bankruptcy records is a preview to what all agencies may need to do to
minimize the amount of personally identifiable information posted online.
The phrase "Internet time" refers to the compressed innovation cycle
that characterizes the development of new media products and services. In
Internet time, the Privacy Act is very old indeed. When it tackles e-commerce
privacy next year, Congress should also make sure that the goals of the
Privacy Act map onto the new digital technology.
Schwartz is a policy analyst at the Center for Democracy and Technology
in Washington, D.C.