Web privacy guides unclear

The failure of Office of Management and Budget officials to spell out privacy guidelines in clear and concise terms has created continuing privacy concerns about agency Web sites, according to a new report by the General Accounting Office.

The report focuses on the use of "cookies," which are small pieces of software stored on users' computers when they visit a Web site. OMB officials have given agencies do's and don'ts for cookies, but the guidelines are spread across several memoranda and a letter to the federal CIO Council that is not included on the OMB Web site, GAO found.

The rules also have a confusing gap, according to GAO. OMB officials told agencies that they must meet certain terms if they want to use cookies that remain on end-users' computers after they leave the Web site — known as "persistent" cookies — including disclosing any such use to Web visitors. But officials did not say whether agencies must disclose the use of "session" cookies, which disappear once visitors leave a site.

OMB leaders told GAO that session cookies do not present a privacy concern, and therefore, no disclosure is required. But by following this position, agencies could state they are not using cookies while using session cookies.

This could "confuse and mislead" visitors to federal Web sites who have set their browser to detect cookies and "could raise questions about the practices of the Web site that would not be resolved by viewing the privacy policy," GAO officials wrote.

OMB officials had no written comment to GAO on the report.