Privacy advocates give limited approval for new White House Web 2.0 policies

Civil liberties advocates are pleased some of their recommendations were included in new privacy policies that allow agencies to use website-tracking tools and third-party applications, but they are disappointed the guidelines omit more important safeguards that could better protect the public.

On June 25, the Office of Management and Budget ended a 10-year ban on cookies, which monitor what a user does on a website, and updated privacy notice requirements for sites such as Facebook and YouTube that incorporate nongovernment social networking tools.

The regulations give agencies the green light to install online interactive features that citizens typically encounter on commercial sites, but the agencies must follow a strict set of conditions.

For example, sites using cookies to gather personally identifiable information that can be traced back to an individual's name, such as the location of an Internet server, must delete this data within a year. Cookies are files saved on users' computers when they visit a website and often store a visitors' login information and remember their preferences, as well as monitor a site's traffic volume and visitor demographics. Under the rules announced on June 25, agencies that use third-party services to collect PII also must conduct multiple privacy impact assessments to determine whether controls are in place that meet federal privacy regulations.

"I will say that they certainly listened," said Chris Calabrese, legislative counsel to the American Civil Liberties Union. "The cookie policy is very good in a lot of ways and bad in one major way," because it exempts law enforcement, national security and intelligence activities from the privacy limits.

"An individual shouldn't fear tracking if they want to get information on government services," he said. "In many cases the government is the authoritative source for information. Anybody should be able to get that anonymously and without concern about what might [happen] because they are interested in that information."

OMB officials said the policy does not create exceptions. Rather, pre-existing laws, including the 1978 Foreign Intelligence Surveillance Act, and executive orders forbid such OMB privacy policies from applying to law enforcement, national security and intelligence organizations.

Officials also pointed out agencies cannot collect PII unless a user opts-in to divulge such information, a policy Calabrese applauded. Many commercial sites automatically gather personally identifiable information from visitors, unless the individual takes action to opt-out.

He also commended OMB for meeting with privacy groups and including an expansive definition of personally identifiable information.

The memo tries to cover all possible categories of PII by not restricting the definition to a laundry list of items such as e-mail addresses, Social Security numbers and ZIP codes. Instead, determining what it is "requires a case-by-case assessment of the specific risk that an individual can be identified," the memo stated. "It is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available -- in any medium and from any source -- that, when combined with other available information, could be used to identify an individual."

The Electronic Privacy Information Center, which OMB also consulted, asked the Obama administration to stick with the traditional tracking prohibitions aimed at protecting civil liberties and was disappointed with the policy.

"It is stunning that the White House could develop these policies and make no mention of the federal privacy act," said EPIC Executive Director Marc Rotenberg. "That law regulates the collection and use of personal information by federal agencies. Without a legal basis for these policies, it remains unclear what force they will have, or how readily they could be changed."

The guidance on third-party apps cites the privacy act, but the cookie policy does not reference privacy laws.

OMB officials said the cookie memo stated all Web measurement and customization technologies must comply with existing policies on privacy and data safeguarding standards. The two memos are intended to work in tandem to protect people, they added.

The Center for Democracy and Technology, a privacy group that supported relaxing the ban within limits, also found holes in the new policies. The center's blog on Friday stated, "The memos released today are a start toward a more nuanced way to approach these tools for federal agencies, but do not provide the guidance around measurement technologies that we hoped for."

The group said the cookie policy language is vague and confusing. One line stated agencies cannot use the tools "to track user individual-level activity on the Internet outside of the website, or application from which the technology originates." This guideline might be intended to bar agencies from collecting data on outside websites but that interpretation is not clear from the text, CDT officials wrote.

OMB officials clarified the guideline, saying agencies employing cookies to analyze a user's activity on their sites are forbidden from applying the technology to follow the user elsewhere on the Web.

Some federal new media officials said they believe the policies strike the right balance between empowering agencies to engage with citizens and safeguarding their privacy. Jack Holt, senior strategist for emerging media at the Defense Department, said he envisions a hypothetical situation in which Defense.gov would operate like Google's iGoogle customizable home page. A frequent visitor to Defense's home page could control the settings on the site to spotlight newly proposed regulations at the top and press releases at the bottom.

But agencies that want to take advantage of the new freedoms might have to do some extra work, according to the rules. If websites use third-party tools that collect PII, agencies must perform a privacy impact assessment for each service. "If an agency's use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application," the third-party app memo stated.

Currently, when a visitor clicks on a link on a .gov website to access an outside site, a boilerplate statement will pop up that reads, "You are exiting the agency Web server. Thank you for visiting our site. You will now access [name of the third-party site]." Holt said the new policy might require officials to post a longer explanation of the difference between the agency site and third-party site privacy policies. "I'm sure there's going to be a lot of discussion on that over the next few weeks," he said.

Website consultants say the payoff from using cookies and third-party applications will be well-worth the additional effort.

While cookies can be misused, most work by "allowing sessions to be more personalized to the user's needs and by allowing various technologies a better way to measure the experience that users are having so that the agencies can improve upon that experience," said Larry Freed, president and chief executive officer of ForeSee Results, a market research firm that evaluates citizen satisfaction with government websites.

"One thing that some advocates of removing the cookie restrictions have said in the past is that it is the user's responsibility to protect themselves," he added. "While they do have the capabilities in the browsers to do so, it is not only their responsibility but the responsibility of government to protect its citizens."

Until OMB withdrew the ban on June 25, agencies had to undergo a laborious process of obtaining a waiver to use cookies to save a visitor's password. The General Services Administration got a waiver earlier this year to speed the sign-in process for citizens who want to engage in online debates about openness in government on agency websites. GSA ultimately obtained approval for IdeaScale, the tool that hosts the discussions, to use cookies to remember participants' passwords.

"There was a lot of paperwork involved in getting the waivers," Rob Hoehn, IdeaScale's president of customer development, said on Monday. "We and anybody in this space are pretty excited that they're giving some more clear direction on this."

Some government transparency activists have said they wished the government would let them automatically log on to the tool from a.gov website and access any agency's debate page. Hoehn said under the new policies it would be much easier to support that kind of navigation.

Facebook spokesman Andrew Noyes said the guidance "largely codifies best practices for using various Web 2.0 technologies. Facebook is pleased to see the Obama administration take such an active interest in encouraging responsible and effective governmentwide use of innovative services like ours."

Google, which owns YouTube and Google Moderator, a comment and discussion site available governmentwide, declined to comment on the regulations.