Defense initiates policy to protect Web privacy

The goal is to protect the privacy of DOD Web site visitors while sustaining the
integrity of the department's online services, said Air Force Capt. Jim Knotts, webmaster
of DOD's main public site, DefenseLink, and deputy for technology integration within the
department's Public Affairs Office.

"To the extent that there is someone sitting in a dark room of the Pentagon trying
to figure out what this person or that is visiting and where they've been, that's what
this policy tries to prevent," Knotts said.

A technology working group chaired by Knotts with representatives from the military
services drafted the policy.

Cliff Bernath, principal deputy secretary of Defense for public affairs, and Anthony
Valletta, acting assistant secretary of Defense for command, control, communications and
intelligence, are expected to sign the policy later this month.

The policy would prohibit DOD agencies from gathering user-identifying information such
as extensive lists of previously visited sites, e-mail addresses or other data to build
profiles on visitors or their Web use habits.

"This is a common practice at a lot of commercial sites - unbeknownst to
visitors," Knotts said. "DOD has no business collecting information about
individual users. But there are valid reasons to identify people when they come to the

DOD uses commercial software to build statistical summaries about Web site visits,
including the domain and IP addresses of visitors, the time and date of visits, the
location and size of requested files, and the browsers and operating systems used to
access files.

DOD organizations need this information to determine design specifications, information
of interest to users, and Web system performance and problems, Knotts said. But the most
important reason for gathering such data is to protect DOD networks from hackers who
attempt to upload or change information on the department's sites, he said.

DOD Web site managers are permitted to use cookies and other methods to collect
identifying information during visits. But the draft policy said DOD sites must notify
users of what information the department collects or stores.

"A privacy and security notice must be given to each publicly accessible Web
information service," the draft policy said. "It shall be prominently displayed
or announced on at least the first page of all major sections. Providing a statement such
as 'Please read this privacy and security notice' linked to the actual notice is

To reduce the buildup of electronic records on DOD Web use, the policy calls for the
destruction of DOD Web logs 30 to 90 days after they are compiled, which is in accordance
with guidance from the National Archives and Records Administration.

Besides security and privacy regulations, the DOD policy supplies a style guide of
sorts for DOD webmasters. The policy advises against the heavy use of graphics that cause
slow downloading, directs that sites reflect an organization's mission, and establishes
security certification and accreditation procedures.

As mandated by the Office of Management and Budget, providing data location information
for the Government Information Locator Service (GILS) registry is a requirement of all DOD
Web sites.

OMB mandated that agencies create a central index or GILS so that the public can find
government information. DefenseLink is the home of the official Defense GILS.

The DOD Web policy also touches on viewer and browser software that DOD Web sites use.
It instructs DOD agencies not to endorse any vendor products on their Web sites.

"There are a lot of military sites out there that have Netscape logos on them that
say 'Best-viewed with Netscape,'" Knotts said.

"Our lawyers say that having the logo that links back to that site is an
appearance of a commercial endorsement. That's a no-no. What it should say is this site is
best viewed with a browser capable of viewing frames or tables."

DOD Web sites that violate the policy will have to redesign their sites, he said.
