CDT POLICY POST Volume 8, Number 25, November 21, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:

(1) New Law to Require Privacy Impact Assessments for U.S. Agencies

(2) Privacy Notices, Including P3P Statements, Now Required for Agencies

(3) E-Government Act Includes Other Important Provisions

(1) NEW LAW TO REQUIRE PRIVACY IMPACT ASSESSMENTS FOR U.S. AGENCIES

The E-Government Act of 2002, passed by Congress this week and soon to be signed into law, includes an innovative and potentially far-reaching provision requiring federal government agencies to conduct privacy impact assessments before developing or procuring information technology or initiating any new collections of personally-identifiable information.

Under the legislation, originally introduced by Senators Joe Lieberman (D-CT) and Conrad Burns (R-MT), a privacy impact assessment must address what information is to be collected, why it is being collected, the intended uses of the information, with whom the information will be shared, what notice would be provided to individuals and how the information will be secured. To the extent practicable, privacy impact assessments must be published. The Director of the White House's Office of Management and Budget (OMB) will issue guidelines for the assessments.

CDT believes that the law could have a significant positive impact in three ways:

The assessments will raise the level of attention to privacy issues within federal agencies, at the most critical stage: before new technology is purchased or new collections of data are initiated.
The assessments will bring greater transparency to the IT development and procurement process, allowing Congress, citizens and advocacy groups to better scrutinize the privacy decisions of the government.
Using the massive purchasing power of the U.S. government , the assessments could help to increase the marketplace for technologies that incorporate privacy "by design."

CDT supported the privacy impact assessment provision.

Related legislation, the Federal Agency Protection of Privacy Act (HR 4561), introduced by Representative Bob Barr (R-GA), would have required privacy impact assessments for new agency rules and regulations. That bill passed the House earlier this year but was never taken up by the Senate. Rep. Barr, a leader on many privacy issues, will not be in Congress next year. But his proposal remains valid and a sound complement to the E-Gov Act. We believe OMB should require such assessments as best practices despite not being required in law.

Links to the text and legislative history of the E-Government Act: http://thomas.loc.gov/cgi-bin/bdquery/z?d107:hr2458: http://www.cdt.org/legislation/107th/e-gov/

A link to the Barr bill can be found at http://www.cdt.org/legislation/107th/privacy/

(2) PRIVACY NOTICES, INCLUDING P3P STATEMENTS, NOW REQUIRED FOR AGENCIES

The E-Government Act also requires agencies to post privacy notices on their Web sites, detailing agency practices and individual rights. Most agencies already post written privacy notices after the Clinton administration, under the leadership of Chief Privacy Counselor Peter Swire, required them in an administrative order. The new law will take the agencies one step further by requiring "machine-readable" notices, such as those specified in the Platform for Privacy Preferences (P3P) standards.

Under the P3P framework, Web sites can express their privacy policies in a standardized format that can be read by Web browsers and other end-user software tools. These tools can display information about a site's privacy policy to end-users and take actions based on a user's preferences. Such tools can notify users when the sites they visit have privacy policies matching their preferences and provide warnings when a mismatch occurs.

Currently, only a few federal agency Web sites are P3P compliant, including the Federal Trade Commission, the US Postal Service and portions of the Department of Commerce.

While privacy notices do not in and of themselves guarantee privacy protection, they offer a basis for public and Congressional scrutiny of agency practices.

For more information about P3P and privacy notices on government Web sites:

Policy Post 8.09, Privacy Standard Moves Forward, April 26, 2002 -- http://www.cdt.org/publications/pp_8.09.shtml
P3P Toolbox - http://www.p3ptoolbox.org
OMB Memorandum M-99-18, Privacy Policies on Government Web sites -- http://www.whitehouse.gov/omb/memoranda/m99-18.html
Letter from CDT urging posting of privacy policies on federal Web sites, April 15, 1999 -- http://www.cdt.org/privacy/lettertoswire.html

(3) E-GOVERNMENT ACT INCLUDES OTHER IMPORTANT PROVISIONS

The E-Government Act includes a host of other provisions that could have an impact on how the public interacts with the government. Many of these could have merited free-standing legislation. Most of them have received little attention. At the risk of an overly-long Policy Post, we list some of them here - see the text of the bill for full details:

Creates a specific position in OMB for the Administrator of the Office of Electronic Government. Some Members of Congress had wanted to create a Chief Information Officer for the federal government, but the Administration balked. The compromise basically codifies current practice, under which Associate Director Mark Forman heads up e-government efforts. The new position does not have a lot of direct power, but as a statutorily-authorized position it will be subject to more consistent Congressional oversight. Sec. 101.
Authorizes an E-Government Fund with $45 million in fiscal 2003, an amount that would increase to $150 million by fiscal 2006, to fund the development and implementation of innovative uses of the Internet and other electronic methods by federal agencies. Sec. 101.
Requires the General Services Administration to establish a framework to allow interoperability among federal agencies when using electronic signatures, including the development of a "Federal bridge certification authority for digital signature capability." Sec. 203.
Requires each federal court to establish a Web sites where the public could get court rules, decisions, docket information and documents filed with the court in electronic information. The section requires the Supreme Court to adopt rules to protect privacy and security concerns relating to the electronic filing and availability of documents. Sec. 205.
Requires federal regulatory agencies, "to the extent practicable," to ensure that a publicly accessible federal government Web site includes all information that the agency is required to publish in the Federal Register, and to accept electronic submissions in rulemaking proceedings. Sec. 206.
Creates a committee to study the adoption of standards to enable government information to be searched across agencies. Sec. 207. A separate section requires a 3 year study of interoperability and the integrated collection and management of data. Sec. 212. Such initiatives have positive implications for electronic Freedom of Information Act requests, but may have negative implications for privacy, allowing even greater amalgamation of personally-identifiable information in the hands of disparate government agencies. A third provision requires OMB and the Interior Department to develop common protocols for the acquisition and application of geographic information (GIS), in order to maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible, something that will be of importance on environmental issues. Sec. 216.
Requires OMB to develop and maintain a repository that fully integrates information about research and development funded by the federal government. Sec. 207(g).
Authorizes an IT exchange program under which mid-level information technology managers of the federal government can be detailed to work in the private sector for up to 2 years and private sector employees can be assigned to work in federal agencies. Sec. 209.
Requires the Administrator of E-Gov to develop an online tutorial explaining how to access government information services and information on the Internet. Sec. 213 (f).
Requires a National Academy of Sciences study on the digital divide. Sec. 215.
At the behest of Chairman Tom Davis (R-VA), includes the "Federal Information Security Management Act" (FISMA). The provisions impose certain responsibilities on agency heads, give OMB certain oversight of agency information security practices, mandate annual independent audits of agency computer security practices, and require reports to Congress. The Act also renames the Computer System Security and Privacy Advisory Board (CSSPAB) as the Information Security and Privacy Advisory Board, keeping its dual focus on security and privacy.
Establishes a very strict rule of confidentiality for information collected by the federal government for statistical purposes, which may prove to be especially important as Zip Code and other data that is not strictly personal becomes easier to use for personal profiling purposes. Secs. 501-513.

Ironically, the E-Government Act makes no improvements in Congress' own practices -- failing to address such deficiencies as the lack of a searchable index of individual Member voting records.

For more information:

CDT Deputy Director Jim Dempsey's testimony on FISMA, May 2, 2002 http://www.cdt.org/testimony/020502dempsey.shtml
CDT's statement on e-government to the Governmental Affairs Committee, July 11, 2001 http://www.cdt.org/testimony/010711cdt.shtml
CDT press release in support of the E-Government Act, May 1, 2001 http://www.cdt.org/press/010501press.shtml
More on E-Government http://www.cdt.org/righttoknow/

Detailed information about online civil liberties issues may be found at http://www.cdt.org/.

This document may be redistributed freely in full or linked to http://www.cdt.org/publications/pp_8.25.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org