Swire: Making privacy a priority

Recent investigations have uncovered Web cookies on the sites of the National Security Agency and other federal agencies, in violation of federal guidelines.

The guidelines limit federal Web sites' use of persistent cookies, pieces of code placed on the visitor's hard drive so the site can recognize the computer on

return visits. Cookies don't reveal the visitor's name.

A site has the cookie number and the user's name; however, the cookie does track an identifiable individual. That happens, for instance, if the visitor completes a transaction or fills out a form, linking the cookie to a name.

A lot is at stake in violating these rules. The guidelines date back to June 2000, when I was serving as chief counselor for privacy at the Office of Management and Budget. At that time, the press discovered that the White House Office of National Drug Control Policy's Web site placed cookies on users' computers, contrary to the site's privacy policy.

The cookies were reporting surfing behavior to DoubleClick, which could link a person to visits at private-sector sites. DoubleClick and the White House site were not collecting names, but they could find names if users identified themselves at any of the private-sector sites.

In response to the problem, OMB issued guidance on June 22, 2000, stating that federal Web sites should not persistently track their visitors. The rules allow tracking devices such as cookies, but only with notice to users and approval of a high agency official. Agencies' sites can also employ temporary "session cookies" because they expire when users close their browsers.

The logic behind the policy is that citizens should be able to browse federal sites without their visits becoming part of a permanent record. Citizen access to sites is vital to e-government. Tracking citizens at government sites can reduce trust and discourage access to e-government services.

OMB may be able to fine-tune the guidance to take advantage of advances in Web technology while still protecting citizen privacy. If it does, OMB should make the changes explicit and take responsibility for any new policy choices. However, the problem now is that agencies were caught violating the rules. That sends the message that protecting citizen privacy is not important. It also signals that following the OMB rules, which have been on the books for more than five years, is not a priority.

This concern about government snooping and rule-breaking is especially serious now. President Bush has acknowledged that the National Security Agency has used wiretaps on citizens without a warrant. His message has been, "Trust us, we're careful in how we do this."

Recent press accounts, however, show that agencies have violated privacy rules regarding cookies, and the public knows agencies are breaking the rules. If agencies are openly breaking cookie rules, they might also be breaking less-public privacy rules.

The Bush administration does not have a policy official to address privacy issues. Such an official would help convince the public that it should trust government to follow the rules.

Swire is the C. William O'Neill Professor of Law at the Ohio State University and a visiting senior fellow at the Center for American Progress.