Managing Technology

The Privacy Debate

Monitoring of Web site users has sparked calls for tougher privacy rules.
For federal executives, the rules used to be pretty well spelled out. The Privacy Act has been in place since 1974, and a host of other legislation covers access to information, security, matching records and the basics of what is a record. Web sites spell out their privacy rules and, except where law enforcement or national security is involved, the rules are clear.
However, technology is not static. The bar (the level of what technology makes possible) keeps moving into uncharted and unlegislated territory. One example of new territory is where government has been asked to behave more like a business. A consequence of that new behavior is that the lines between business and government sometimes become blurred.
Citizens often don't distinguish among levels of government or among different parts of any particular organization. Now it may be difficult even to tell what is government. Does a citizen who chooses to pay a ticket online know where business starts and government stops? What protections does a citizen have for the information that is entered into a private business Web site acting as an agent or middleman for government? Some of the business models for these services depend on the sale or provision of the data collected, such as when information on drivers' licenses is provided to insurance companies.
One emerging standard requires customers to "opt in" and approve any sale or distribution of their personal information. As an indication of how complex this disclosure can be, govWorks.com revised its posted privacy policy in early September. The new version now spans more than 30 screens and spells out in detail the use of "cookies" and the sale of information to third parties. (Cookies are files placed on a Web user's hard drive by a Web site. They allow the Web site to track the user's use of the Web and any patterns of use, often without the user's knowledge.) Two other organizations, EzGov.com and niccommerce.com, also have sites with lengthy descriptions. It is not yet clear whether the posting of such policies will be enough to calm concerns voiced by privacy advocacy groups.
Perhaps because it is an election year, or perhaps because politicians have sensed a change of public attitude, a rush has ensued in Congress to enact new legislation to protect consumer privacy. The issue has sparked calls for the creation of a privacy czar and for government regulation of privacy on Web sites.
Dozens of bills addressing privacy in one form or another were introduced in this session of Congress. Passage of any bills before the break for the presidential election is a long shot; however, some congressional observers believe sentiment is growing to compromise by establishing a commission to study the issue.
In the midst of this extended debate about collecting and monitoring information from Web sites, several congressmen asked the General Accounting Office to study how federal sites are stacking up in the privacy arena. Two studies were released in September: one that assessed how well federal agencies are following rules requiring them to post their privacy policies and another that examined how federal sites have adopted the Federal Trade Commission's four fair information principles.
Commercial sites are supposed to follow these principles, but, technically, they do not apply to federal Web sites.
GAO reported near-perfect results on posting privacy policies with 69 out of 70 federal Web sites having a posted policy and 67 classified as "clearly labeled and easily accessed." This report shows a dramatic improvement over a similar study a year earlier, which counted only a third of federal Web sites displaying privacy policies.
A stickier situation, however, arises with the automatically collected information and with the use of cookies. The Office of Management and Budget has instructed agencies that they must disclose the use of cookies, but when GAO did its survey in April 2000, only 28 agencies out of 70 indicated whether they used them. Automatically collected electronic information (such as that in log files that tell the provider where the user is going on the site) provides useful data about what parts of the site are used most, but can also be interpreted as intrusive.
The second GAO study compared federal Web practices with those recommended by the FTC as its Fair Information Principles. The agencies scored much worse in this round, with only 3 percent of those polled using elements of all four principles (notice, choice, access and security).
OMB disputes even the notion of this second survey. The agency says federal Web sites are governed by the Privacy Act and OMB regulations, not FTC rules, which were designed for commercial sites. Agencies have been instructed to follow OMB rules. Sally Katzen, OMB's deputy director for management, compared the GAO summary statistics in this case "to a complaint that an apple lacks a thick, orange rind."
While Katzen's fine turn of phrase may skewer the effect of this report, a much larger question looms. Do federal privacy policies for Web sites represent the public's view of fair practice, or has technology moved the bar so that new policies and safeguards need to be developed?
Members of Congress have a finely tuned sense of public sentiment, especially when issues are heating up. The avalanche of privacy bills is a loud signal that it may be time to look once again at the policies that guide federal Web sites and to see if it is time for a tune-up.