Time to Look at Rules for Federal Agency Web Sites, CDT and EFF Say
Loosening the strict rules surrounding persistent identifiers on federal agency Web sites would allow the sites to improve while still protecting privacy, said a draft white paper from the Center for Democracy and Technology and the Electronic Frontier Foundation. Alissa Cooper, CDT chief computer scientist, said the organizations chose to focus on the term “web measurement” rather than analytics to emphasize that the paper focuses on data reported in the aggregate and used to optimize the site, rather than data at an individual level. She spoke during a panel discussion introducing the paper, which she said is open to feedback.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The paper offered six recommendations. First, data collected for measurement should be used only for measurement, Cooper said. She said “we strongly suggest that agencies run their own analytics tools.” If it’s necessary to use a third party for the measurement, then there must be limits on what they can do with the information, she said. Peter Swire, privacy counsel in the Clinton White House, said he wouldn’t recommend for or against using a contractor -- the decision should be made based on who can best perform the task for the best costs, he said.
The paper also suggested disclosing Web measurement tools in the privacy policy, offering visitors a choice, limiting data retention to 90 days, using cross-session measurement only when single-session measurement can’t work, and obtaining third-party verification of privacy compliance. George Pappachen, chief privacy officer at the Kantar Group, said he found the suggestion to disclose in the privacy policy interesting, given that “clear and conspicuous” is the more accepted idea.
However, Pappachen said the paper is a good start. “When your starting point is no cookies, no persistent cookies, I think they're definitely workable,” he said. Swire also said the paper is a good start with a “high value, low risk” idea. From his work on the transition team, he said, he saw the huge discrepancies that have grown between federal agency rules and common practice in the private sector since OMB issued its cookies guidance in 2000.
The guidance allows federal agencies to perform single- session measurement without extra permissions. Cross-session measurement, however, requires several extra steps, including permission from the agency head. Yet cross-session measurement could be useful for agencies, Cooper said. “It gives federal web managers … the ability to say something about how their Web site is doing,” she said. Cross-session measurement is necessary to track unique visitors over time, she said. Swire said the guidance was developed because the Clinton White House had instituted a strong privacy policy on its site, only to have the drug czar break those rules and use cookies, causing accusations of hypocrisy to fly. At the same time, the administration was working on health and banking privacy policies, he said, so it wanted to be clear and came up with strict OMB guidance about cookies. “There hasn’t been any significant updating since 2000,” Swire said.
Though the paper is a good start, it leaves open some of the more difficult questions, Swire said. The question of how the government should act when it uses private sites like Facebook or YouTube remains, he said. Also, he said, “going forward there’s big issues about how to handle IP addresses.” If IP addresses are aggregated, he said, would they be considered a “system of records” under the Privacy Act? The Europeans might see a log of IP addresses as such a system of records, he said, but “the federal government hasn’t wanted to go there.”