A law in need of a new look

The revelation that the federal Office of Drug Control Policy was using profiling cookies to collect data on visitors to its Web site was just one of several recent incidents that have raised concerns about how the government collects personal information online.

The Clinton administration has responded with new guidance on Web site privacy policies and a ban on certain uses of cookies on agency Web sites. Yet reactive steps like those do not add up to the comprehensive, proactive protection promised under the Privacy Act of 1974. A growing body of research, augmented by two new General Accounting Office reports, shows that it is time to strengthen this important statute for the Internet Age.

The new GAO reports show that agencies are paying greater attention to privacy and following existing law and administration policy. But those findings offer little ground for complacency.

The first report — requested by Sen. Joseph Lieberman (D-Conn.) in November 1999 — came out Sept. 6. It found that almost all of the major federal Web sites post privacy notices. This is a major improvement from previous studies, which showed that fewer than half had policies. However, the new study also noted that many agencies are not posting policies on pages that collect personal information. This may violate existing law.

The second report, requested by Reps. Dick Armey (R-Texas) and Billy Tauzin (R-La.) this summer, found that only 3 percent of government Web sites satisfy all the principles of notice, choice, security and access that the Federal Trade Commission believes should be met by commercial sites.

The administration said this was an unfair test because the FTC rules were not meant to apply to the public sector. To some extent this is true; government practices must differ from those of the private sector, and this should have been better reflected in the report. Yet the guidelines by the Organization for Economic Cooperation and Development on data privacy, which the United States has endorsed, include the same four basic concepts and are intended for both the private and public sectors.

To answer those concerns, GAO correctly recommends that agencies receive better guidance. The Office of Management and Budget's Privacy Act guidance was written in 1975 and has never received a systematic update. However, Congress should also address some of the major structural flaws in the Privacy Act:

* As early as 1977, a congressional commission found that the act's central definition — "systems of records" — was outdated. Particularly on the Internet, where multiple databases can be linked, searched, copied and reconfigured, the concept simply does not work.

* Privacy advocates and policy-makers have long complained that the "routine use" exemption is being used in ways going far beyond its original intent and needs redefining.

* Congress should address the privacy implications of public records that go online. The tension between privacy and the public's right to know has been strained as government records move from practically obscure paper files to searchable online databases. The pending inquiry into online posting of bankruptcy records is a preview of what all agencies may need to do to minimize the amount of personally identifiable information posted online.

The phrase "Internet time" refers to the compressed innovation cycle that characterizes the development of new media products and services. In Internet time, the Privacy Act is very old indeed. When it tackles e-commerce privacy next year, Congress should also make sure that the goals of the Privacy Act map onto the new digital technology.

Schwartz is a policy analyst at the Center for Democracy and Technology in Washington, D.C.