It's put up or shut up time for managers of federal Web sites
Shawn P. McCarthy
By now, many federal webmasters are catching the fallout from the General Accounting Office's privacy study released last month. Are federal Web sites' privacy and security really as bad as the report made them sound?
You need a free Adobe Acrobat reader to view the study at www.gao.gov/new.items/ai00295.pdf. It essentially said that federal sites and computer services have failed to ensure adequate privacy and security for visitors.
The most embarrassing finding was that government sites don't live up to the Federal Trade Commission's own rules for how a commercial site should handle security and online privacy. GAO seemed to be asking, how can the government expect commercial sites to adhere to policies that the government itself doesn't seem to follow?
It's fair to say the report arrived with political baggage. It grew out of requests by Republican leaders who object to the privacy regulations forced upon commercial sites this year. Also, the study's sample size was small, just 65 out of thousands of federal Web services.
Political push
Although the report might have been politically motivated, the accusations weren't pulled out of thin air. There are indeed many security and privacy issues affecting government sites.
Only 3 percent of the 65 sites surveyed met all FTC guidelines. Just 69 percent posted a privacy notice. Fewer than half offered an opt-out choice when information was collected about visitors. And about a quarter of the sites were deemed to have inadequate security, often because their administrators had failed to patch known security holes.
Read some of the FTC's files on online privacy at www.ftc.gov/bcp/conline/pubs/buspubs/dotcom/index.html, as well as www.ftc.gov/reports/privacy/privacy1.htm.
The report, however, fell short in discussing what's going on behind the scenes. It would have been helpful, for instance, to know how many of the surveyed sites were already preparing fixes for cited problems.
Security must be painstakingly designed for a specific network's size and configuration. It can't be rolled out overnight. But the report didn't touch on what's in development and how soon it might arrive.
It's time to talk turkey about agency Web site performance:
• The few Web managers who have ignored the calls to post privacy policies in all page footers should be replaced, or their work outsourced.
Ditto for those who still collect information without saying what it's used for, and who neglect to patch known security holes in their operating systems and applications.
• Web managers who have a good plan for privacy and security, but who haven't been able to roll it out to all systems, need to become better cheerleaders.
They should tell the public and Congress that problems are being attacked head-on. They need to convince their supervisors to fund important fixes. It's a good offensive tactic to let the world know you're vigilant.
Any report that dwells on the negative without holding up a few positive examples hurts the government's laudable efforts to bring information and data services online.
If GAO really wants things to change, it should stop hitting the panic button and help set some benchmarks that all agencies can strive to meet.
Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at email@example.com.