New Federal Web 2.0 Rules Lack Full Privacy Protections
Luckily for web managers, the memos released today make it easier to use third party services, measurement and analytics tools, and customization for users. However, some of the guidance does not clearly require agenices to protect user privacy in ways we had hoped.
Agencies Using Third-Party Websites and Services
The first memo – “Guidance for Agency Use of Third Party Websites and Applications” – addresses agency use of third party services, and how to protect privacy even as agencies interact with the public on sites that they do not have full control over. These technologies are often used in support of the Open Government Initiative, but the privacy implications and requirements had not been clearly set out for web managers. Using third party services makes it much easier to engage with the public, but pose privacy questions that have not been well addressed.
While the memo only addresses the use of third-party services toward the principles of the Open Government Directive, it seems that the memo should also guide agency use of all third party services on websites, including third party measurement or customization tools (which are not specifically addressed in the second memo).
A few important principles are codified in the memo, including that the public should always be able to get the same kinds of information at the agency website as they can on a third party website, and should never be required to use a third party site or service to engage with the agency. While these third party tools may be helpful and allow agencies to go where the public already interacts, they should never be the only way that a member of the public can choose to interact with the agency – and the agency should make it clear to the visitor when they move from an agency-controlled website to one that is maintained by a third party.
While the memo makes it easier for agencies to use third party services, it also lays out the requirements for using these services, including a Privacy Impact Assessment and prominent public notice to users of third party sites that while they may be interacting with government, they are doing so on a third party site.
When federal web managers listed the barriers to using social media and other third party services in government, privacy was a prominent barrier in their use. This memo clarifies how, and when, to use third party services for openness in government – with an emphasis on ensuring that the public is informed how and when their privacy could be impacted. While agencies have already been using these third party services, guidance from OMB will ensure that there are consistent expectations on the use of these services across agencies, and easily accessible public notices around privacy and use of these websites.
When we offered suggestions for a new policy around cookies and Web 2.0 services for the government, we highlighted principles to protect privacy while allowing agencies to use technologies available to measure and improve the user experience. Several of them are reflected in the new memos, but some are missing and the memo as a whole lacks the details we were hoping to see. While the use of measurement technologies (otherwise known as analytics) and website customization could be very useful for agencies, collecting information about visitors must be done carefully in order to ensure that privacy continues to be a paramount consideration on Federal websites.
OMB lays out several options for how agencies might provide users with choices about their participation in measurement and customization. Among these is a "client-side opt-out," otherwise known as agencies providing users with an explanation of how to block cookies in their browsers. This is an entirely inadequate policy for OMB to be promoting, particularly when the explanation linked from the memo recommends disabling all first-party cookies (whereas a clear opt-out process would opt users out of only those tracking technologies employed by government agencies). A large majority of commercial websites rely on first-party cookies in order to function properly. Many of these sites instruct users to turn first-party cookies on if they are off. Thus, users who follow the guidance suggested by OMB will likely end up with no privacy protection at all. A more protective policy would have required agencies conducting measurement or customization on an opt-out model to provided targeted, highly-visible opt-out mechanisms.
We are pleased to see the memo tackle the issues of data retention and access limits, particularly the requirement that agencies “may retain data collected from web measurement and customization technologies for only as long as necessary to achieve the specific objective for which it was collected.” Unfortunately, OMB undercuts this requirement by suggesting that data can be retained for one year. This policy may be a result of a separate records management requirement for the federal government, but in any event it would have been helpful for OMB to more thoroughly discuss the relationship between records management and data retention for measurement and customization, rather than leaving interpretation up to the agency.
Enabling the use of new technologies in government
As agencies push forward in using third party services and new technologies to enhance their sites, it is key to ensure that privacy is protected. All the enthusiasm in the world can't be put to good use if users don't trust agency websites to use these tools judiciously. We are also hoping that new tools from industry – easier opt-outs and privacy controls – will help users to make informed choices easily when interacting with government. The memos released today are a start towards a more nuanced way to approach these tools for federal agencies, but do not provide the guidance around measurement technologies that we hoped for.
CDT’s Alissa Cooper also contributed to this piece.