An ideal seal for privacy in the federal government?

Privacy is a major concern of Internet users visiting commercial and government World Wide Web sites. In the private sector, one response has been the development of "seal" programs, such as the Good Housekeeping Seal, certifying that a site meets the minimum privacy standards. Is this an approach that government Web sites should adopt?

The Center for Democracy and Technology recently reviewed the three major seal programs: TrustE, BBBOnLine and CPA WebTrust. While the seals are no substitute for a baseline legal framework and have been adopted by only a small number of Web sites, they have begun to incorporate the idea of basic fair information practices into their programs, fostering at least some of the protection consumers deserve.

However, unlike the private sector, the federal government is bound by the Privacy Act of 1974. The Privacy Act codifies fair information practices and is stronger than the protection provided by the seal programs. The act prohibits the sharing of personal information among agencies, with few exceptions. It also allows individuals to find out what information agencies have collected about them and forces agencies to publicly describe their collections of personally identifiable information.

Earlier his month, the Office of Management and Budget took this one step further, requiring all agency Web sites to have privacy policies by Sept. 1 and all government points of entry on the Web to have a privacy policy by Dec. 1. Government Web sites do not need a private entity to verify that they are respecting the public's privacy, but they should educate users on their rights to privacy under the law.

Federal agency Web sites could take a number of steps to aid the public in identifying their privacy rights. A common Privacy Act logo on all government privacy policies would help achieve this goal. This logo or seal could link to a page - housed at either the Justice Department or the new privacy office within OMB - with a set of resources. These resources could include:

* Frequently asked questions about the Privacy Act.

* The text of the law.

* A direct way to submit Freedom of Information Act and Privacy Act requests online.

* General security and privacy tips for users of federal Web sites.

This does not mean that all agencies would have to adopt the same privacy policy. Each agency has different information practices, including policies on collecting and storing data, both of which should be noted in a privacy policy. For now, the Privacy Act seal would appear with the privacy policy linked from each agency's home page.

There is a move afoot to automate privacy policies so that Web browsers would be able to assess Web sites' privacy protection. The goal is to create an Internet-friendly method that enables users to understand what happens to their information without having to read the legalese of a privacy policy.

A standard, called the Platform for Privacy Preferences Project (P3P), is being developed for this purpose at the World Wide Web Consortium. Once P3P is completed, the logo could help agencies in implementing the standard. P3P will offer agencies an automated means of stating their privacy practices online. Agencies can use the seal and resource to verify that they are, indeed, covered by the Privacy Act without users having to find the privacy policy at all.

Taken together, the Privacy Act, implementation of P3P and the institution of a logo program geared to federal needs will represent a major step toward improving the online practices of the federal government.

-- Schwartz is a policy analyst at the Center for Democracy and Technology, Washington, D.C.