Action for provacy can force cookies to crumble
In my last column I discussed the Internet cookie phenomenon. A cookie is a device that
allows an Internet server to store information on your computer about your Net activities
and to retrieve that information in a later session.
This record of your activities is created usually without your knowledge or approval.
The data collected can be saved, used and even sold without any restrictions.
There is a benefit to this tracking because smart World Wide Web pages can do a better
job of meeting user needs. But there clearly is a privacy concern when personally
identifiable information is collected, linked and stored without the consent of the
Is it possible to reconcile better service with fair information practices that protect
privacy? This shouldn't be hard to do.
Established privacy remedies include a notice of information collection and use
policies. An Internet server that has cookie capabilities (or similar technology) should
notify its users, indicating what information is collected, how long it is stored and how
it may be used or disclosed.
Ideally, each user should choose whether to use a system that maintains information
after termination of a particular session. It does not matter if the data is stored
remotely or locally. If someone can retrieve and use identifiable data, the data subject
should get a notice and a choice.
Let's apply these principles to the Web pages operated by the federal government.
Federal agencies must comply with the rules in the Privacy Act of 1974 for the collection,
use and disclosure of most personal information. This law applies to network activities if
a federal agency obtains personal information, even if it is just an e-mail address.
Many federal Web sites are not in compliance with the act. That's evident from the lack
of Privacy Act notices. There is no time like the present to begin, and here is a modest
Every federal agency Web page should include a privacy icon that would display three
items. There should be a copy of the formal Privacy Act notice describing the agency's
policies governing the personal data collected through the Web page. These notices appear
in the Federal Register, but let's also put them where real people can find them.
The Privacy Act has a loophole that lets an agency collect personal information and
avoid filing a notice. The usual excuse is that the information collected is not actually
retrieved by personal identifier. Even if this loophole applies to a Web page, no agency
should use it.
Internet data policies should be fully described so that users can have confidence in
agency practices. An agency that is not collecting any information about users should say
Second, if an agency tracks any individually identifiable user activity on its Web
page, the practice should be disclosed in clear and direct language. The notice should
explain exactly what information is collected, where it is stored, how long it is
maintained, and how it is used and disclosed.
It doesn't matter if the information is stored centrally or on the user's computer.
Full disclosure is essential.
Third, the best policy for federal agencies is not to hold any identifiable information
about Web user activities when a session is over. It may even be illegal. But if there is
a reason to do so, get the user's consent. If users will benefit, explain why and let each
user decide if it is worthwhile.
A policy of disclosure and consent will work for private Web pages as well. It is a
matter of common courtesy and fair information practices. A privacy icon would be a useful
feature everywhere on the Net.
The Clinton administration has done an excellent job promoting agency use of the
Internet. To date, however, the administration has paid only lip service to network
Putting privacy notices on federal Web pages would be simple and inexpensive. No
legislation is needed. The Office of Management and Budget could order this to be done
tomorrow, but agencies don't have to wait for instructions.
The administration should set a good example for the Internet community by showing how
network technology can be used in a manner that shows respect for privacy.
Robert Gellman, former chief counsel to the House Government Operations
Subcommittee on Information, Justice , Transportation and Agriculture, is a Washington
privacy and information policy consultant. His e-mail address is email@example.com.