EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
Administrator
Office of Information and Regulatory Affairs
September 5, 2000
Roger Baker
Chief Information Officer
U.S. Department of Commerce
Room 5033
14th & Constitution Avenue, NW
Washington, DC 20230
Dear Roger:
Thank you for your letter of July 28, 2000, regarding OMB Memorandum 00-13 on "Privacy Policies and Data Collection on Federal Web Sites." We appreciate the CIO Council's strong support for protecting the personal information of citizens who visit federal web sites. We also stand ready to assist agencies as needed in implementing this guidance.
The President and the Vice President are strongly committed to the protection of privacy rights. They believe that the federal government should serve as a model of good privacy practices. Agencies need to be particularly careful before launching any effort to gather information on the activities of citizens who visit federal web sites. As we work to promote customer service, we must keep privacy concerns in mind.
In this spirit, OMB issued Memorandum 00-13, which aims specifically at the tracking of "the activities of users over time and across different web sites." As you correctly point out, a principal example of such is the use of persistent cookies. In accord with the Memorandum, federal web sites should not use persistent cookies unless four conditions are met:
- The site gives clear and conspicuous notice;
- There is a compelling need to gather the data on the site;
- Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the cookies; and
- The agency head gives personal approval for the use.
We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.
We recognize that agency web sites can also seek information from visitors in ways that do not raise privacy concerns. Specifically, they may retain the information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites. When used only for a single session or transaction, such information can assist web users in their electronic interactions with government, without threatening their privacy. One example of such an approach that supports electronic government would be the use of a shopping cart to purchase a number of items online from the U.S. Mint. Another example would be the current technology that assists users in filling out applications that require accessing multiple web pages on the Department of Education's Direct Consolidation Loan site. We do not regard such activities as falling within the scope of Memorandum 00-13.
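As an added illustration (not part of the letter or of OMB's guidance): the distinction the two preceding paragraphs draw between session-only and persistent cookies corresponds, in HTTP terms, to whether a Set-Cookie header carries an Expires or Max-Age attribute; without either, the browser discards the cookie when the session ends (RFC 6265, which postdates the letter). The Python below, written for this page, classifies a set of constructed Set-Cookie headers so that a site operator can enumerate the persistent cookies that would fall under the four conditions above. All cookie names and values are constructed, and `LETTER_DATE` is simply a fixed reference time so the result is reproducible.

```python
"""Classify Set-Cookie headers as session, persistent or expired.

Added example for the letter above; not OMB or agency code.  Under
RFC 6265 a cookie is persistent when it carries Expires or Max-Age
(Max-Age wins if both are present).  Everything else is a session
cookie that the user agent discards when the browser session ends.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Fixed reference time (the letter's date) so the audit is deterministic.
LETTER_DATE = datetime(2000, 9, 5, tzinfo=timezone.utc)

# Constructed sample headers, not captured from any real agency site.
SAMPLE_HEADERS = [
    # Shopping-cart state: discarded when the browser closes.
    "cart=7f3a9c; Path=/; Secure; HttpOnly",
    # Multi-page form state for one transaction: also session-only.
    "form_step=3; Path=/apply; Secure; HttpOnly",
    # Persistent visitor identifier: two-year lifetime, survives across visits.
    "visitor_id=a8c1e4f0; Max-Age=63072000; Path=/",
    # Persistent via an Expires date only.
    "pref=lang-en; Expires=Fri, 31 Dec 2049 23:59:59 GMT; Path=/",
    # Deleting an old cookie: Max-Age=0 is removal, not tracking.
    "old_id=; Max-Age=0; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes with no value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def classify_cookie(header, now=None):
    """Return 'session', 'persistent' or 'expired' for one Set-Cookie header."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    # Max-Age takes precedence over Expires (RFC 6265 section 5.3).
    if "max-age" in attrs and attrs["max-age"] is not True:
        try:
            seconds = int(attrs["max-age"])
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
        else:
            return "persistent" if seconds > 0 else "expired"
    if "expires" in attrs and attrs["expires"] is not True:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # an unparseable Expires is ignored by browsers
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return "persistent" if expires > now else "expired"
    return "session"


def audit_headers(headers, now=None):
    """Group cookie names by class; the 'persistent' list is what needs review."""
    report = {"session": [], "persistent": [], "expired": []}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        report[classify_cookie(header, now)].append(name)
    return report


if __name__ == "__main__":
    for kind, names in audit_headers(SAMPLE_HEADERS, now=LETTER_DATE).items():
        print(f"{kind:10} {', '.join(names) or '-'}")
```

Run against live traffic, the same classifier would be fed the Set-Cookie headers from a site's responses; any name that lands in the `persistent` list is one the letter says requires notice, a compelling need, disclosed safeguards and agency-head approval, while the `session` list is the shopping-cart and multi-page-form pattern the letter places outside Memorandum 00-13.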
In your letter, you also inquired whether we should extend the policy guidance in Memorandum 00-13 to agency intranet sites as well as agency external internet web sites. The guidance, of course, focuses on internet traffic between the government and citizens. You raise an important issue, however, and we look forward to working with the CIO Council to review our policies regarding agency intranets.
Thank you again for sharing your insights and those of our CIO Council colleagues. Your creativity and support are indispensable to our electronic government efforts.
Sincerely,
/s/
John T. Spotila