
Policy vs. Practice

A Progress Report on Federal Government Privacy Notice on the World Wide Web

Summary

Many recent surveys have shown that use of the World Wide Web will not reach its full potential until the privacy of individuals is protected. With Americans’ traditional concerns with government surveillance and use of personal information, federal agencies need to be particularly vigilant in addressing privacy issues. Providing clear and concise notice about information practices is critical. The Clinton Administration has recognized the importance of notice as a crucial element to privacy protection in both the public and private sector. This report finds that federal agencies have not yet even reached this first step.

Background and Results

An August 1997 OMB Watch report, "A Delicate Balance: The Privacy and Access Practices of Federal Agency World Wide Web Sites" <http://ombwatch.org/ombw/info/balance.html>, detailed the failure of agency Web sites to post privacy policies — even when collecting personal information. One of the recommendations of the report was that the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB) should begin working with the budget arm of OMB to make sure that agencies post privacy notices. Since 1997, the absence of privacy notices at federal agency Web sites has been the subject of national press stories and federal Webmasters’ discussions.

With the recent appointment of Peter Swire as OIRA’s first Chief Counselor for Privacy, CDT decided that it was time to put together a new progress report to see if agencies really were responding. From April 9, 1999 to April 14, 1999, the Center for Democracy and Technology reviewed agency Web sites for clear posting of privacy policies. CDT did not systematically assess the quality of the privacy notice. As the results of the study reveal, just over one-third of federal agencies have a simple "privacy notice" link from the agency’s home page. Eight other sites have privacy policies that we found after following a link or two, and on 22 sites we could not find a privacy policy at all.

Detailed Examples

Although CDT did not conduct a detailed assessment of each privacy policy, several agencies’ practices raised immediate privacy concerns:

Veterans Administration (VA)

For example, the VA Web site did not have a clearly marked privacy policy. The agency was advising visitors that it uses cookies to monitor traffic. To illustrate the type of information collected, the VA was, at the time we reviewed the site, linking to actual Web logs. These logs included domain information and in some cases IP addresses. IP addresses can, in some cases, be associated with individual users (in fact, several federal agencies have been refusing Freedom of Information Act requests for Web logs for this very reason). Instead of this potentially intrusive material, a simple privacy policy explaining what cookies are, the type of information collected via the WebTrends software, and a summary of VA’s obligations under the Privacy Act would be sufficient. We discussed this with a VA Webmaster and the agency is in the process of remedying the situation.

Central Intelligence Agency (CIA)

The CIA does not have a privacy policy. Instead, the agency has a "consent to monitoring" policy, which states "that Government may monitor and audit the usage of this system, and all persons are hereby notified that use of this system constitutes consent to such monitoring and auditing." Since the agency does not explain what kind of monitoring it is conducting or why, it is difficult to determine whether such monitoring is legal. Even the CIA should not monitor visitors’ access to publicly available information. At the very least, the agency should explain why monitoring and auditing is necessary and what kind of monitoring is being done.

Health and Human Services (HHS)

It seemed odd to us that an agency that collects and houses as much information on individuals as HHS would not have a privacy notice at all. So, despite finding no privacy policy on the home page or on any of the obvious links from the homepage, we continued to search for some kind of notice. After following every set of links from the home page, we conducted a search on the agency’s search engine for the term "privacy." The only statement that we found (23 search results down the list) was a privacy policy from the Office of Population Affairs (OPA) within HHS. Yet, even the OPA statement is not directly linked from the OPA home page. The statement was only linked from the "Contact OPA" page.

The results led CDT to send a letter <http://www.cdt.org/privacy/lettertoswire.html> urging OMB to inform agencies that they must post a privacy policy reviewed by your office and plainly linked from the agency home page, within 30 days, or risk a cut in their Information Technology budget. The letter also suggested that the memo should discuss the role of new technical standards such as the Platform for Privacy Preferences (P3P) and require agencies to turn the privacy policy that they have created into P3P statements by year’s end. Such a memo would send a clear message to agencies, and the public, that agencies face real consequences if they fail to follow Administration privacy policy.

Federal Agencies Without A Clearly Labeled Privacy Notice on the Agency Home Page (22)

United States Department of Energy — http://home.doe.gov/

United States Department of Health and Human Services — http://www.os.dhhs.gov/

United States Department of Labor — http://www.dol.gov/

United States Department of Transportation — http://www.dot.gov/

United States Department of Treasury — http://www.ustreas.gov/

United States Department of Veterans Affairs (description of cookie policy and link to statistical logs) — http://www.va.gov/

Arms Control and Disarmament Agency — http://www.acda.gov/

Central Intelligence Agency (non-descriptive "monitoring policy") — http://www.odci.gov

Consumer Product Safety Commission — http://www.cpsc.gov/

Corporation for National Service — http://www.cns.gov/

Commodity Futures Trading Commission — http://www.cftc.gov/

Federal Election Commission — http://www.fec.gov/

Merit Systems Protection Board — http://www.access.gpo.gov/mspb/

National Endowment for the Arts — http://arts.endow.gov/

National Endowment for the Humanities — http://ns1.neh.fed.us

National Security Agency — http://www.nsa.gov

National Science Foundation — http://www.nsf.gov

National Technology Transfer Center — http://www.nttc.edu

Railroad Retirement Board — http://www.rrb.gov/

Small Business Administration — http://www.sba.gov/

United States Agency for International Development — http://www.usia.gov/

Voice of America — http://www.voa.gov/


Federal Agencies with Poorly Labeled Privacy Policies (8)

United States Department of Agriculture — http://www.usda.gov/ (part of a section called "about USDA")

United States Department of Education (part of a section called "Disclaimers and Notices") — http://www.ed.gov/

United States Department of State (part of a section called "Disclaimers") — http://www.state.gov

Environmental Protection Agency (part of a section called "notices") — http://www.epa.gov

Federal Communications Commission (part of a section called "notices") — http://www.fcc.gov/

Nuclear Regulatory Commission — http://www.nrc.gov (part of a section called "Site Disclaimer")

Smithsonian Institution — http://www.si.edu/ (called "disclosure policy")

United States Postal Service (part of a section called "terms of use") — http://www.usps.gov/


Federal Agencies with Easy-to-Find Privacy Policies (16)

United States Department of Commerce — http://www.doc.gov

United States Department of Defense — http://www.defenselink.mil/

United States Department of Housing and Urban Development — http://www.hud.gov/

United States Department of Interior — http://www.doi.gov

United States Department of Justice — http://www.usdoj.gov/

Federal Deposit Insurance Company — http://www.fdic.gov/

Federal Trade Commission — http://www.ftc.gov

General Services Administration — http://www.gsa.gov

National Aeronautics and Space Administration — http://www.nasa.gov

National Archives and Records Administration — http://www.nara.gov/

National Performance Review — http://www.npr.gov

Peace Corps — http://www.peacecorps.gov/

Security and Exchange Commission — http://www.sec.gov/

Social Security Administration — http://www.ssa.gov/

United States Information Agency — http://www.usia.gov/

United States International Trade Commission — http://www.usitc.gov/

 

Methodology:

  • The survey used the US Nonprofit Gateway, http://www.nonprofit.gov, to locate Executive Branch agencies.
  • A preliminary search was completed on 4/9/99, a secondary search on 4/12/99 and a final search on 4/14/99.
  • We searched for terms such as "privacy notice," "privacy statement," or "privacy policy" on the agency home page. If the sites had a "notices," "privacy," "about," or "site map" section we looked for privacy policies in those sections as well.



    Copyright © 2005 by Center for Democracy and Technology.
    The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.