White House to unveil Web policy

The White House has drafted privacy and security guidelines for agencies maintaining World Wide Web sites that the Office of Management and Budget plans to circulate this fall.At that time OMB will also release guidelines detailing how the Paperwork Reduction Act (PRA) and the Information Technology Management Reform Act (ITMRA) regulations apply to Web sites according to Bruce McConnell chief of information policy and technology at OMB.

McConnell does not view the draft guidelines due for release this fall as a "major" policy move. Rather he said the guidelines will serve as "reminders of the current laws and existing policies and how they apply to the Web. We don't need a lot of new policy we just want to remind agencies of the things they need to be thinking about."

McConnell added that agencies need to operate their Web sites in accordance with Circular A-130 which sets out security guidelines. If agencies use their Web sites to conduct public surveys then the agencies need to factor in how this dovetails with PRA. Agencies also need to ensure that investments made in Web technology meet the requirements of ITMRA that they "contribute to accomplishment of the agency's mission."

Agency Webmasters believe they need a framework to adapt regulations originally crafted for a paper-based world to handle the explosive growth of Digital Age technologies such as the Web according to comments made at last week's Federal Webmasters Workshop held at the National Institutes of Health Bethesda Md.

They expressed concern that the ability of Web server software such as that developed by Netscape Communications Corp. to capture information about individuals could run afoul of the Privacy Act.Janlori Goldman deputy director of the Center for Democracy and Technology (CDT) believes the ability of Web server software to capture information mandates the development of privacy policy for all sites - commercial governmental and educational.

But Goldman said agencies "have a much higher burden" than commercial sites due to the Privacy Act. "Visiting a Web site is a First Amendment-protected activity and the government should not be capturing any information. There should be a Web privacy policy in place today."

Air Force Maj. Al Dunn chief of the Policy Division in the Office of the Chief Information Officer in the Defense Information Systems Agency called the balance between privacy and public access to agency information via the Web "one of the most fundamental questions" DISA faces in developing an overall Internet and Web policy. DISA has developed a draft policy but Maj. Gen. David Kelley the vice director has asked for further work on the document to make it apply "to all information services not just the Internet or the Web."

Web server software automatically collects information from browsers including the IP (Internet Protocol) address but agencies said they use such data only to better serve the users and then destroy it quickly. Walt Okon division chief for DISA's Information Resources Division and DISA's Webmaster said: "We only look at addresses from a macro level. We want to determine where users come from - commercial military or educational domains - so we can design our pages better.... After 90 days we dump about 27 megs of that data."

Webmasters at last week's conference expressed concerns about a piece of Web software called "cookies " or client-side persistent information that they consider intrusive and a threat to security and privacy. Cookies tracks information about a Web site visit and then sends a text string with information about that visit back to the client's hard drive found in a file slugged "cookies.txt."

This ability to dump a text string into the hard drives of thousands of government computers has raised concern among DOD Webmasters as well as privacy concerns by CDT. One DOD Webmaster who declined to be identified said cookies "gives me heartburn. I know it's described as benign but who wants to run the risk of text strings being randomly spewed by Web sites to computers throughout the Pentagon?"

Cookies technology is so new - and relatively unknown - that policy-makers have not had time to catch up with it. DISA's Dunn said his agency "will obviously have to deal with cookies from the policy side."

Commercial Web sites which use cookies technology to develop user profiles seem to be the primary users. DISA's Webmaster said his agency does not hand out cookies. The Air Force's Bowman said that as far as he knows none of the sites maintained by the Defense Technical Information Center which includes Air ForceLINK and DefenseLINK hand out cookies either.

In the privacy area agencies need to be aware that if agencies use the Web "to collect information about individuals the Privacy Act may be implicated " Goldman said.

OMB's McConnell added "I think everyone needs to know that wherever you go on the Web you leave a trail."