GAO: Web privacy guidelines not clear

OMB guidance could lead to further privacy concerns about agency sites

The failure of Office of Management and Budget officials to spell out privacy guidelines in clear and concise terms has created continued privacy concerns about agency Web sites, according to a new report by the General Accounting Office.

The report focuses on the use of "cookies," which are small pieces of software stored on users' computers when they visit a Web site. OMB officials have given agencies do's and don'ts for cookies, but the guidelines are spread across several memoranda and a letter to the federal CIO Council that is not included on the OMB Web site, GAO found.

The guidance also has a confusing gap, according to GAO.

OMB officials told agencies they must meet certain terms if they want to use cookies that remain on end-user computers after they leave the Web site — what are known as "persistent" cookies — and that they must disclose any such use to Web visitors. But officials did not say whether agencies must disclose the use of "session" cookies, which disappear once visitors leave a site.

OMB told GAO that session cookies do not present a privacy concern, and therefore, no disclosure is required. But by following this position, agencies could state they are not using cookies while continuing to use session cookies.

This could "confuse and mislead" visitors to federal Web sites that have set their browser to detect cookies, and "could raise questions about the practices of the Web site that would not be resolved by viewing the privacy policy," GAO wrote.

GAO conducted a review of the use of cookies on 65 agency Web sites between November 2000 and January 2001. GAO found that eight federal sites used persistent cookies. Four agencies did so without disclosing it in a privacy policy, as required by OMB, and two of those were using persistent cookies from third-party sites.

The other four did disclose the use of cookies but did not meet OMB's other conditions, including having a compelling need for the data and having personal approval from the head of the agency.

All four using cookies without disclosure have since removed the cookies from their sites, according to GAO. Two of the others have also removed their cookies, while the final two are going through the process to meet the OMB conditions.

GAO conducted the review following a request from Sen. Fred Thompson (R-Tenn.), chairman of the Senate Governmental Affairs Committee, because of privacy concerns raised last year when it was discovered how many agencies were using persistent cookies.

OMB officials provided no written comment to GAO on the report.
