DOD aims to protect Web users

In an effort to protect the privacy of users who visit its World Wide Web sites the Defense Department is crafting a policy on what kind of information it will keep about individuals who access its Web pages.

The policy which also will address the maintenance of other electronic records such as file transfer protocol logs most likely will call for managers of DOD Web sites to destroy after 60 days the so-called logs of users who visit a site said Kurt Molholm administrator of the Defense Technical Information Center (DTIC) which manages more than 90 DOD Web sites. The policy was prompted by a recent Freedom of Information Act request by a commercial entity which Molholm declined to identify that sought access to copies of all DTIC logs. The policy likely to be released within weeks as a Federal Register notice is designed mainly to protect the privacy of Pentagon Web users Molholm said.

In addition to outlining log management procedures the notice will describe the types of logs DTIC maintains and the purpose of the recordings.

The logs contain personal data that can be used to identify the user and record how the user arrived at the site such as files or services the user requested. This information is generated by what is commonly called a "cookie " which is a standard mechanism that allows a Web site to deliver data to a client and in many cases return information to the Web site.

The user's browser must accept the cookie before it can be given back to the Web site.

"You can get a lot of information about where a person is searching " Molholm said. "If I know what you're searching on I can retain it and help you do a better search next time. On the other hand you might not want me to do that."People who obtain the information could theoretically use it or sell it for marketing purposes he said.

The company that requested logs from all of DOD's sites planned to use the information to perform an analysis of Internet traffic Molholm said. DTIC officials denied the request because the agency's operations would have been severely hampered by the monumental task of assembling the logs. DTIC officials log 1.8 million to 2 million accesses to their pages each week. The company also requested logs from several other agencies including NASA and the Energy Department Molholm said.

Although DOD would become the first federal agency to tackle the maintenance of information generated by cookies the Office of Management and Budget has said publicly in the past that it was mulling the issue of how to manage data gathered from the use of cookies.

OMB officials could not be reached for comment by press time.Shari Steele general counsel to the San Francisco-based Electronic Frontier Foundation a nonprofit civil liberties organ-ization geared to protect on-line privacy and free speech said the foundation characterizes cookies as an invasion of privacy unless users are explicitly aware of what information is being gathered and are given the option of not allowing the data to be collected.

However she said policies regarding the destruction of records must balance privacy issues with public citizens' right to obtain public information. "The policies themselves probably aren't going to be all that problematic if they aren't designed to thwart people from getting what they have a right to get " Steele said.