@Info.Policy: Flap is brewing over federal Web privacy policies

Robert Gellman

The E-Government Act of 2002 has privacy provisions that affect agency Web sites. Let's take a closer look.

There are two basic site requirements. First, agencies have to post privacy notices. This is a good thing, even if it isn't new. The Office of Management and Budget directed agencies to do something similar three years ago. Visit www.whitehouse.gov/omb/memoranda/m99-18.html.

The good news is that most agencies already have notices. If you don't, I can't feel sorry for you after three years.

The bad news: The statutory requirements differ from the OMB directive. This means that your privacy notice will have to be revised. Even worse, some of the newly required information is meaningless.

For example, the notice has to describe opportunities for consenting to disclosures. That sounds good, but consent is rarely relevant under the Privacy Act. Adding text telling people they have no control over their records won't help much.

The second provision requires OMB to have agencies transform their notices into machine-readable format. The intent is to make agency Web sites compatible with the Platform for Privacy Preferences, also known as P3P.

P3P lets Web sites and users find common ground on privacy. Instead of asking users to read privacy policy statements, P3P automates the process. The browser automatically compares a user's privacy preferences with the site policies and issues a warning about any differences.

The privacy community is deeply split over P3P. Some think it will let people make real decisions about what kind of privacy policies they expect to find on Web sites. Others think that P3P is too complex and fails to address many Internet privacy problems. Detractors call it Pretty Poor Privacy.

I am agnostic. I am not quite prepared to bury P3P, but I am not willing to praise it either.

Here's the real problem. Elsewhere on the Net, people can make a choice. If you don't like the privacy policies at Google, you can try Yahoo. But if you don't like the privacy policies at the IRS, you are out of luck. You can't take your business to another federal tax agency. So P3P doesn't make much sense for government sites.

P3P advocates need a critical mass. Although new browsers and some sites support it, P3P still hasn't caught on. Because they are not succeeding in the marketplace, P3P advocates want to jump-start things with legislation.

OK, but government sites won't give P3P the buzz that's essential for success. I have never found anyone other than privacy wonks who has heard of P3P.

If you are stuck with the hard task of coding your site for P3P, get a copy of Lorrie Cranor's book, Web Privacy with P3P, published by O'Reilly & Associates Inc., www.oreilly.com. This book will help you understand and code P3P. I recommend it highly.

Unfortunately, by the time most agencies get around to complying with the new law, P3P might already be dead.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.
