April 15, 1999
We were heartened by your April 8, 1999 comments at the Computers, Freedom and Privacy Conference (CFP) on the powers that the Office of Management and Budget (OMB) can use to improve the privacy practices of federal agencies. We agree that OMB's paperwork, regulatory and budgetary powers could be used to effectuate privacy-protective changes in agency behavior. However, powers only matter if they are used. CDT and others have long bemoaned OMB's failure to use its powers to effect changes in federal information policy. You recognized some of the reasons for this in your recent book, Nobody's Business. While we are encouraged by your optimism, we are still concerned that OMB will not be able to quickly and effectively change agency practices. However, we would like to offer you the opportunity to prove that our skepticism is misplaced.

There are numerous areas where CDT and others in the privacy community would like to see OMB's powers used to enhance privacy. As a starting point, we suggest that OMB immediately require agencies to post on their Web sites clearly labeled, good-quality privacy notices, displayed on or linked from the agencies' home pages.

Your commitment, stated at CFP, to use the full range of OMB's powers to drive privacy policy within the federal agencies prompted us to revisit the agency sites to assess progress. As you may know, in August 1997, OMB Watch issued a report, "A Delicate Balance: The Privacy and Access Practices of Federal Agency World Wide Web Sites." Ari Schwartz, currently CDT's policy analyst on privacy issues, authored the OMB Watch report. The OMB Watch report detailed the failure of agency Web sites to post privacy policies -- even when collecting personal information. One of the recommendations of the report was that the Office of Information and Regulatory Affairs (OIRA) in OMB should begin working with the budget arm of OMB to make sure that agencies post privacy notices.
Since 1997, the absence of privacy notices at federal agency Web sites has been the subject of national press stories and federal Webmasters' discussions. Earlier this week, we reviewed agency Web sites for clear posting of privacy policies. We did not systematically assess the quality of the privacy notices. As the attached results reveal, just over one-third of federal agencies have a simple "privacy notice" link from the agency's home page. Eight other sites have privacy policies that we found after following a link or two, and on 22 sites we could not find a privacy policy at all. Although we did not conduct a detailed assessment of each privacy policy, several agencies' practices raised immediate privacy concerns:

Veterans Administration (VA)

For example, the VA Web site did not have a clearly marked privacy policy. The agency was advising visitors that it uses cookies to monitor traffic. To illustrate the type of information collected, the VA was, at the time we reviewed the site, linking to actual Web logs. These logs included domain information and in some cases IP addresses. IP addresses can, in some cases, be associated with individual users (in fact, several federal agencies have been refusing Freedom of Information Act requests for Web logs for this very reason). Instead of this potentially intrusive material, a simple privacy policy explaining what cookies are, the type of information collected via the WebTrends software, and a summary of the VA's obligations under the Privacy Act would be sufficient. We discussed this with a VA Webmaster and the agency is in the process of remedying the situation.

Central Intelligence Agency (CIA)

The CIA does not have a privacy policy. Instead, the agency has a "consent to monitoring" policy, which states "that Government may monitor and audit the usage of this system, and all persons are hereby notified that use of this system constitutes consent to such monitoring and auditing." Since the agency does not explain what kind of monitoring it is conducting or why, it is difficult to determine whether such monitoring is legal. Even the CIA should not monitor visitors' access to publicly available information. At the very least, the agency should explain why monitoring and auditing are necessary and what kind of monitoring is being done.

Health and Human Services (HHS)

It seemed odd to us that an agency that collects and houses as much information on individuals as HHS would not have a privacy notice at all. So, despite finding no privacy policy on the home page or on any of the obvious links from the home page, we continued to search for some kind of notice. After following every set of links from the home page, we conducted a search on the agency's search engine for the term "privacy." The only statement that we found (23 search results down the list) was a privacy policy from the Office of Population Affairs (OPA) within HHS. Yet even the OPA statement is not directly linked from the OPA home page. The statement was only linked from the "Contact OPA" page.

Many surveys have shown that use of the Web will not reach its full potential until privacy is protected. With Americans' traditional concerns about government surveillance and use of personal information, federal agencies need to be particularly vigilant in addressing privacy issues. Providing clear and concise notice about information practices is critical. We urge OMB to inform agencies that they must post a privacy policy, reviewed by your office and plainly linked from the agency home page, within 30 days, or risk a cut in their Information Technology budget. The memo should also discuss the role of new technical standards such as the Platform for Privacy Preferences (P3P) and require agencies to turn the privacy policies that they have created into P3P statements by year's end.
Such a memo would send a clear message to agencies, and the public, that agencies face real consequences if they fail to follow Administration privacy policy. We would be happy to discuss our findings with you or your staff. Please feel free to contact Ari directly.

Sincerely,
Ari Schwartz