Luckily, the framework for revision that OMB has initially proposed begins to go down that very path. OMB released a set of general principles to govern all federal agency uses of web tracking technology and a multi-tiered system that would apply additional privacy protection to particular uses based on their potential privacy impact. While OMB is off to a good start, there’s a lot of work left to be done to craft a policy that maintains the current policy’s level of privacy protection while giving federal agencies the flexibility to employ state-of-the-art web technologies. In comments that we submitted to OMB jointly with EFF, we provided detailed suggestions about how the new policy should work, including:
– Making sure the policy applies to all web tracking technologies (like web beacons, Flash cookies, DOM storage and the like), and not just cookies;
– Requiring that agencies provide detailed disclosures about their web tracking intentions in the form of a Privacy Impact Assessment (PIA) that must be verified by the agency privacy office prior to deploying a tracking technology;
– Requiring that agencies retain tracking data only as long as necessary for the purpose for which it was collected, and delete certain information (such as IP addresses) immediately;
– Requiring agencies to display an easy-to-use choice mechanism on every page of each site where cookies are used for analytics;
– Differentiating between cookies used to store preferences (like the user’s preferred language) and cookies used to store authentication information (which allow users to log in and maintain a persistent identity); and
– Requiring enhanced security, access, and consent procedures when authentication cookies are used.
The administration has pledged to make the government more transparent, open and participatory. Federal agency web sites are a key part of that strategy, but they’ve been limited in their ability to take advantage of all the advances in web technology that we’ve seen in the decade since the federal policy on tracking technologies was put in place. We now have the opportunity to fix the current policy, maintain its high level of privacy protection, and enhance the capacity of federal agencies to serve citizens online.