Report: Fed Fails Web Privacy Codes

Congressional investigators say a huge majority of federal Web sites fail to measure up to the Federal Trade Commission's standards for Internet privacy, including the FTC's own site.

At the behest of Republican legislators, the General Accounting Office graded 65 of the government's most popular World Wide Web sites on the basis of four principles: adequate notice of practices, choice to give or not to give information, access to change personal information and assurance that information is secured properly. The report found that only 3 percent of federal sites pass.

Rep. Dick Armey, R-Texas, who requested the report, said government Web sites have all kinds of personal information about the public that should be held to a higher standard than commercial information that companies glean when customers visit their sites.

"You are required to give this information to the government — you have no choice," said Armey, the House majority leader. "You don't have to use a commercial Web site if you feel it has a bad privacy policy. Which worries you more?"

Eighty-five percent of federal Web sites post privacy policies, informing users about information the site collects and what the site does with it. This practice is mandatory, as directed by the Office of Management and Budget, which has been taking the lead in bringing federal sites up to speed.

The report says only 69 percent of sites satisfy the "notice" test, however, because their privacy policies disclose too little information about how the site uses personal information.

Web sites fared much worse in the rest of the categories, with only 17 percent of federal sites telling people they can access and change incorrect information kept on the site.

In the FTC's May privacy report, the agency reviewed popular commercial Web sites to evaluate compliance with the four pillars of privacy. The FTC concluded that the industry had limited success in implementing the principles, finding that 42 percent of the most popular sites implemented them, at least in part.

The GAO report took a similar tack, checking federal sites that handle about 90 percent of consumer traffic. Of those, only 6 percent implemented the four principles.

The 65 federal sites included parts of every cabinet-level department, as well as the U.S. Postal Service, Environmental Protection Agency, NASA, Office of Personnel Management, Social Security Administration and the Federal Emergency Management Agency.

In responding to the report, the agencies argued the rules for commercial sites do not match the laws and direction given to federal sites.

Sally Katzen, deputy director for management at OMB, said the agencies have been directed to follow the Privacy Act and OMB policy, rather than the FTC guidelines. Also, she said, access and security principles the FTC uses are based on what is disclosed in the privacy policy, rather than the actual level of access or security that exists.

"The measure of good security is good security," Katzen said in a letter to the GAO, the investigative arm of Congress, "not whether a federal Web site makes a brief statement saying that security is protected."

On Monday, the GAO released another report saying federal computer security is "fraught with weaknesses" that put critical operations at risk. Last week's GAO report, which assessed federal Web sites' efforts in implementing OMB policy, noted that many federal sites don't adequately follow OMB rules either.

The FTC guidelines and the Privacy Act are similar in their intent, but differ slightly in how the principles are applied in the public and private sectors.

Armey used the report to chide the government for considering new legislation to rein in commercial sites.

"People with glass Web sites should not throw stones," he said.

© 2000 The Associated Press. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed