Agencies eye Web privacy

OMB Memo on Privacy Provisions of the E-Gov Act

Agencies are meticulously examining their Web pages for weaknesses in privacy protections, as Office of Management and Budget officials call their attention to Section 208 of the E-Government Act of 2002.

Section 208 lays out rules and guidelines agencies must follow to protect the privacy of citizens using government Web sites. OMB officials issued a memorandum offering specific guidance on implementing the privacy provisions in late September. Agencies must begin submitting annual reports on their compliance with the privacy rules, and the first report is due Dec. 15.

The agencies are moving into high gear now, said David Grant, director of accessibility solutions at Watchfire Corp., a company that makes software tools including products for automating the privacy validation process.

"Privacy was always a 'nice-to-have,' but there was never something like this to enforce it," he said. "Agencies and departments are all concerned."

Both Section 208 and OMB's September memo spell out clear rules that agencies have to follow. The problem is that most agencies have Web pages that predate those rules, sometimes by years, Grant said. Now they are under orders to examine their older pages and bring them into compliance.

The rules include some fairly standard practices that almost any Web site will offer. Agencies must post privacy policies on Web sites used by the public, for example, and must spell out in the policies what information the site collects and how it is used. The policies must inform users when they reveal information voluntarily.

However, the rules also define some limits on what federal sites can do that agencies might have done in the past.

For example, agencies cannot use persistent cookies to track visitors. Persistent cookies are small files that the site transfers to a user's computer to identify visitors when they return to the site. But agencies can use session cookies, which track a visitor's clicks through the site and can temporarily personalize the site, but expire as soon as the visitor leaves.

Agencies also have to submit privacy impact assessments to OMB — and make them publicly available when purchasing new information technology equipment — when making changes to their Web sites that could affect privacy.

Sorting through all of the rules and ensuring compliance are daunting tasks, but agencies are tackling them. Commerce Department officials are working on updating all of their sites in time to meet the deadline, said Tom Pyke, the department's chief information officer.

"The department's chief privacy officer is working with CIOs across the department who are responsible for the privacy statements on Commerce Web sites, to guide them as they update the privacy statements and make any other changes that may be required by this guidance," he said. "Commerce expects to be able to report to OMB in December 2003 that these actions have been completed."

The Securities and Exchange Commission is undertaking a similar effort, said spokesman John Nester. SEC staff members are developing plans for reviewing the SEC site for policy statements and evaluating the information technology systems that work with Web interfaces to determine what information they collect.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.