Agencies eye Web privacy

OMB Memo on Privacy Provisions of the E-Gov Act

Agencies are meticulously examining their Web pages for weaknesses in privacy protections, as Office of Management and Budget officials call their attention to Section 208 of the E-Government Act of 2002.

Section 208 lays out rules and guidelines agencies must follow to protect the privacy of citizens using government Web sites. OMB officials issued a memorandum offering specific guidance on implementing the privacy provisions in late September. Agencies must begin submitting annual reports on their compliance with the privacy rules, and the first report is due Dec. 15.

The agencies are moving into high gear now, said David Grant, director of accessibility solutions at Watchfire Corp., a company that makes software tools including products for automating the privacy validation process.

"Privacy was always a 'nice-to-have,' but there was never something like this to enforce it," he said. "Agencies and departments are all concerned."

Both Section 208 and OMB's September memo spell out clear rules that agencies have to follow. The problem is that most agencies have Web pages that predate those rules, sometimes by years, Grant said. Now they are under orders to examine their older pages and bring them into compliance.

The rules include some fairly standard practices that almost any Web site will offer. Agencies must post privacy policies on Web sites used by the public, for example, and must spell out in the policies what information the site collects and how it is used. The policies must inform users when they reveal information voluntarily.

However, the rules also define some limits on what federal sites can do that agencies might have done in the past.

For example, agencies cannot use persistent cookies to track visitors. Persistent cookies are small files that the site transfers to a user's computer to identify visitors when they return to the site. But agencies can use session cookies, which track a visitor's clicks through the site and can temporarily personalize the site, but expire as soon as the visitor leaves.

Agencies also have to submit privacy impact assessments to OMB — and make them publicly available when purchasing new information technology equipment — when making changes to their Web sites that could affect privacy.

Sorting through all of the rules and ensuring compliance are daunting tasks, but agencies are tackling them. Commerce Department officials are working on updating all of their sites in time to meet the deadline, said Tom Pyke, the department's chief information officer.

"The department's chief privacy officer is working with CIOs across the department who are responsible for the privacy statements on Commerce Web sites, to guide them as they update the privacy statements and make any other changes that may be required by this guidance," he said. "Commerce expects to be able to report to OMB in December 2003 that these actions have been completed."

The Securities and Exchange Commission is undertaking a similar effort, said spokesman John Nester. SEC staff members are developing plans for reviewing the SEC site for policy statements and evaluating the information technology systems that work with Web interfaces to determine what information they collect.