@Info.Policy: Flap is brewing over federal Web privacy policies

Robert Gellman

The E-Government Act of 2002 has privacy provisions that affect agency Web sites. Let's take a closer look.

There are two basic site requirements. First, agencies have to post privacy notices. This is a good thing, even if it isn't new. The Office of Management and Budget directed agencies to do something similar three years ago. Visit www.whitehouse.gov/omb/memoranda/m99-18.html.

The good news is that most agencies already have notices. If you don't, I can't feel sorry for you after three years.

The bad news: The statutory requirements differ from the OMB directive. This means that your privacy notice will have to be revised. Even worse, some of the newly required information is meaningless.

For example, the notice has to describe opportunities for consenting to disclosures. That sounds good, but consent is rarely relevant under the Privacy Act. Adding text telling people they have no control over their records won't help much.

The second provision requires OMB to have agencies transform their notices into machine-readable format. The intent is to make agency Web sites compatible with the Platform for Privacy Preferences, also known as P3P.

P3P lets Web sites and users find common ground on privacy. Instead of asking users to read privacy policy statements, P3P automates the process. The browser automatically compares a user's privacy preferences with the site policies and issues a warning about any differences.

The privacy community is deeply split over P3P. Some think it will let people make real decisions about what kind of privacy policies they expect to find on Web sites. Others think that P3P is too complex and fails to address many Internet privacy problems. Detractors call it Pretty Poor Privacy.

I am agnostic. I am not quite prepared to bury P3P, but I am not willing to praise it either.

Here's the real problem. Elsewhere on the Net, people can make a choice. If you don't like the privacy policies at Google, you can try Yahoo. But if you don't like the privacy policies at the IRS, you are out of luck. You can't take your business to another federal tax agency. So P3P doesn't make much sense for government sites.

P3P advocates need a critical mass. Although new browsers and some sites support it, P3P still hasn't caught on. Because they are not succeeding in the marketplace, P3P advocates want to jump-start things with legislation.

OK, but government sites won't give P3P the buzz that's essential for success. I have never found anyone other than privacy wonks who has heard of P3P.

If you are stuck with the hard task of coding your site for P3P, get a copy of Lorrie Cranor's book, Web Privacy with P3P, published by O'Reilly & Associates Inc., www.oreilly.com. This book will help you understand and code P3P. I recommend it highly.

Unfortunately, by the time most agencies get around to complying with the new law, P3P might already be dead.

Robert Gellman is a Washington privacy and information policy consultant.

