Remember the rules when surveying via the Web

Privacy is a major concern for visitors to federal Internet sites.

Agencies have special responsibilities beyond those of our private sector counterparts.
A special activity--the gathering of survey data from the public--has taken on new
ramifications with the advent of World Wide Web visitor logs.

In the last issue, I described the Defense Department's Web privacy policy. In this
column, I'll zero in on the problem of surveys.

Fortunately, DOD, in updating its Web privacy policy, has provided us an excellent
summary of our privacy obligations. Based on DOD's experience, the policy gives practical
and balanced direction about the data you can collect and the data you can't collect. Read
the policy at

The Paperwork Reduction Act of 1995 requires requests for identical information from 10
or more members of the public--in other words, surveys--to be approved by the Office of
Management and Budget. In my experience, this process is time-consuming and uncertain.

Even if you have a legislative mandate, such a review can be daunting. Consequently,
reviewing the typical Web site guest log, an activity that could be construed as a survey,
is rarely worth the hassle for the typical federal webmaster.

The DOD policy does not mention this, but surveys made of other agencies and their
personnel must be approved by the General Services Administration, which is a less arduous
process. Moreover, these rules do not apply to agency personnel. So when it comes to one's
own colleagues, Webmasters can ask away. But unless your guest book is inside your agency
firewall, the existence of such a form could be understood as a public survey, triggering
the Paperwork Reduction Act rules.

Some organizations have legitimate reasons for gathering statistical data on Web site
visitors. If so, the DOD policy prescribes how to notify users that their visits are being

Air Force Capt. Jim Knotts, deputy for technology integration in the DOD Public Affairs
Office, said, "We talked to other federal and legal agencies to make sure we aren't
violating any statutes, particularly the Privacy Act, and that sites that do collect
visitor data properly alert the users in writing on the home page."

The DOD policy requires a simple link that states, "Please read this privacy and
security notice" to appear on first page of major sections of the Internet service.
The notice itself, spelled out in the DOD directive, covers the sponsor and purpose of the
site and declares that the information on the Web site is public and may be distributed
and copied.

The Web protocols include the creation of log files of the characteristics of visitors
to a Web server. Typically the information is collected for site management purposes, not
to track individual visitors. Nevertheless, the DOD directive prohibits other attempts to
identify individual users or their usage habits, except for law enforcement
investigations. Furthermore, site operators must disclose the reasons why the data is
collected. The data logs are to be destroyed regularly, per National Archives and Records
Administration regulations.

The policy doesn't require it, but you should also disclose the collection methods. For
example, more sophisticated statistical programs make use of so-called cookies, records of
a visitor's sessions. The DOD policy authorizes the use of cookies to "collect or
store non-user-identifying information." It requires that users "always be
notified of what information is collected and stored, why it is being done and how it is

I would add that Web sites should explain how they track a visitor, as well as why and
what they track.

Cookies normally remain on the visitor's computer. Recent changes to popular Web
programming languages prevent a Web server from reading the cookies created on visitors'
PCs by servers in other domains. But the changes are up to the Web browser manufacturer;
no standards or regulations govern this technology.

Agency webmasters must be careful not to collect cookies, thereby inadvertently
creating a system of records, as defined by the Privacy Act of 1974. You must announce
collections of personal identifying information in the Federal Register, even though this
can lead to scrutiny by oversight agencies and the public.

Cookies can be annoying at best and an invasion of privacy at worst. If you need to use
them, notify your visitors and avoid collecting the data on the server side unless you
have followed all the necessary reporting requirements.

Walter R. Houser, who has more than two decades of experience in federal information
management, is webmaster for a Cabinet agency. His own Web home page is at

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.