When the 'cookie' crumbles

In the wake of the revelation that the White House Office of Drug Control Policy's relationship with Internet advertiser DoubleClick Inc. was causing the White House to violate its own privacy policy, Office of Management and Budget Director Jacob Lew has issued a memorandum enforcing stricter privacy controls.


The focus of the memo is the "cookie," a small file used to collect data from people visiting a World Wide Web site. Various agencies have used cookies without giving it a second thought — until now.

The memo all but outlaws the use of cookies on agency Web sites and warns agencies that they will need to include a description of their privacy practices and the steps they take to ensure compliance with the new policy in their information technology budget submission for fiscal 2003.

Agencies or their contractors can still use the much-maligned cookie technology only when:

* There is a compelling need to gather the data on the site.

* The agency takes appropriate and publicly disclosed privacy safeguards for handling information derived from cookies.

* The Web site administrator has received personal approval from the agency chief.

That means if the Defense Department would like to continue using cookies, as it does at the writing of this article, it will need to get the approval of Secretary William Cohen.

The technology can be used for benign purposes, such as counting first-time visitors to a single site, but the prevalent tracking uses, teamed with the lack of user controls on cookies, have made the technology's benefits difficult to defend.

In fact, most agencies do not use cookies, and almost any important function can be done without them, so the "cookies ban" should not have a major impact on most agency Web sites.

Although the ban has received the most attention, Lew's memo contains a second, more important message. After years of urging from privacy advocates, Lew has made compliance with basic fair information practices a prerequisite of agency budget requests. OMB has always been reluctant to couple information policy with the budget — accenting the split between the budget and management halves of the office.

It's unclear if privacy will count when an agency's budget is on the line. But the mandate is the first to truly widen accountability for privacy to agency heads.

With the General Accounting Office's study of privacy on federal Web sites due out in October, at the request of Sen. Joseph Lieberman (D-Conn.) and the urging of Rep. Dick Armey (R-Texas) in a letter to the White House on the issue, the internal and external scrutiny of agency privacy practices will increase. The best way for an agency to know if it's respecting privacy is to conduct a privacy audit of its information systems and practices.

Because this is also the only way for OMB, Congress and the public to really know if an agency is complying with privacy policies, no one should be surprised if this type of audit is mandated in the near future.

—Schwartz is a policy analyst at the Center for Democracy and Technology in Washington, D.C.