INTERNAUT

It's put up or shut up time for managers of federal Web sites

Shawn P. McCarthy

By now, many federal webmasters are catching the fallout from the General Accounting Office's privacy study released last month. Are federal Web sites' privacy and security really as bad as the report made them sound?

You need a free Adobe Acrobat reader to view the study at www.gao.gov/new.items/ai00295.pdf. It essentially said that federal sites and computer services have failed to ensure adequate privacy and security for visitors.

The most embarrassing finding was that government sites don't live up to the Federal Trade Commission's own rules for how a commercial site should handle security and online privacy. GAO seemed to be asking, how can the government expect commercial sites to adhere to policies that the government itself doesn't seem to follow?

It's fair to say the report arrived with political baggage. It grew out of requests by Republican leaders who object to the privacy regulations forced upon commercial sites this year. Also, the study's sample size was small, just 65 out of thousands of federal Web services.

Political push

Although the report might have been politically motivated, the accusations weren't pulled out of thin air. There are indeed many security and privacy issues affecting government sites.

Only 3 percent of the 65 sites surveyed met all FTC guidelines. Just 69 percent posted a privacy notice. Fewer than half offered an opt-out choice when information was collected about visitors. And about a quarter of the sites were deemed to have inadequate security, often because their administrators had failed to patch known security holes.

Other problems weren't covered in the report, such as continued use of cookies despite a White House order to halt the practice. Also, occasional errors allow information collected from citizens to become visible on government Web sites. Such holes are usually plugged when discovered but are embarrassing.

Read some of the FTC's files on online privacy at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html, as well as www.ftc.gov/reports/privacy/privacy1.htm and www.ftc.gov/reports/privacy3/index.htm.

The point of these documents is more than just posting a privacy policy. They require everyone in the agency to adhere to the policy.

The report, however, fell short in discussing what's going on behind the scenes. It would have been helpful, for instance, to know how many of the surveyed sites were already preparing fixes for cited problems.

Security must be painstakingly designed for a specific network's size and configuration. It can't be rolled out overnight. But the report didn't touch on what's in development and how soon it might arrive.

It's time to talk turkey about agency Web site performance:

• The few Web managers who have ignored the calls to post privacy policies in all page footers should be replaced, or their work outsourced.

Ditto for those who still collect information without saying what it's used for, and who neglect to patch known security holes in their operating systems and applications.

• Web managers who have a good plan for privacy and security, but who haven't been able to roll it out to all systems, need to become better cheerleaders.

They should tell the public and Congress that problems are being attacked head-on. They need to convince their supervisors to fund important fixes. It's a good offensive tactic to let the world know you're vigilant.

• Web managers who keep their sites secure by quickly patching known holes and securing connections for transactions, who have posted and honored an agencywide privacy policy, and who don't use cookies, need to get much better at self-promotion. For whatever reason, their great sites aren't being held up as shining examples of what the government has done right.

Any report that dwells on the negative without holding up a few positive examples hurts the government's laudable efforts to bring information and data services online.

If GAO really wants things to change, it should stop hitting the panic button and help set some benchmarks that all agencies can strive to meet.

Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at smccarthy@lycos-inc.com.
