Congress: Stay out of the cookie jar

Just as agencies seem poised to begin offering more electronic services,

digital government advocates are worried that recent efforts to control

the collection of personal data on federal World Wide Web sites may slow

the movement.

Congress added language to the Treasury/ Postal appropriations bill,

which passed the House July 20, barring the use of "cookies," Web technology

that collects personal information about people visiting a Web site.

The amendment would ban cookies and other such technology "until we

have a governmentwide, consistent policy under force of law that provides

the necessary protections against the unintentional and involuntary collection

of people's information," said Rep. Rodney Frelinghuysen (R-N.J.) in a statement

introducing the amendment.

A cookie is software placed on users' hard drives to identify them when

they return to a site so that the site's developers can customize information

for users based on the content they accessed in previous visits.

The use of cookies on federal Web sites became an issue last month when

it was reported that the White House site for the Office of National Drug

Control Policy used the technology to track which pages visitors accessed.

Some privacy advocates and members of Congress fear the information could

be misused.

As a result, Jacob Lew, director of the Office of Management and Budget,

sent a memorandum reminding agencies of the White House's policy on privacy

for federal Web sites, which directs agencies to clearly label a Web site's

privacy policy and make it easily accessible to visitors.

The memo also set stricter criteria that agencies must meet before

collecting users' personal data, including demonstrating a compelling need

for the information and posting a clear notice for users.

A complete ban on such technology could have unintended consequences,

said Roger Baker, chief information officer at the Commerce Department and

co-chairman of the CIO Council's privacy committee. "When Jack Lew puts

out policy with wording in it, then the people who have to interpret it

are the people who are putting it in place," he said. "When you put out

law with wording in it, then the people who are interpreting it are the

lawyers."

Baker added that the language could stop many electronic initiatives

just when agencies have started putting services online. When users submit

information to an agency via the Web or conduct a transaction, such as paying

a federal fee, the process involves using cookies. Banning the technology

could shut down popular new sites such as the U.S. Patent and Trademark

Office's online patent application system.

"If you tie both hands behind our backs, then implementing e-government

is going to be fairly hard," Baker said.

In most cases, Web sites use technologies such as cookies for the visitor's

benefit, said Rich Kellett, director of the Emerging IT Policies Division

at the General Services Administration's Office of Governmentwide Policy.

"Cookies remember password information, which certainly is the convenience

that people want," he said.

Kellet said Congress' concern that information collected by cookies

could be misused should always be a consideration. But he added that the

Privacy Act of 1974 does not prohibit collecting personal information but

rather requires that the agency have a legitimate need for the information.

As for the OMB memo asking agencies to meet certain criteria before

collecting information, Baker plans to submit a letter detailing all CIOs'

concerns to Lew. Overall, CIOs support the new policy, but many are concerned

about more clearly defining what constitutes a cookie vs. other technologies.

"The CIO Council, as the tech weenies responsible, needs to get back

to Jack Lew saying, "Here's what we read into this,' and just clear up a

couple of the nuances," he said.