September 2000 – Congressional investigators say in a September 2000 report that a huge majority of federal Web sites fail to measure up to the Federal Trade Commission’s standards for Internet privacy, including the FTC’s own site.

At the behest of legislators, the General Accounting Office graded 65 of the government’s most popular World Wide Web sites on the basis of four principles: adequate notice of practices, choice to give or not to give information, access to change personal information and assurance that information is secured properly. The report found that only 3% of federal sites pass.

Rep. Dick Armey, who requested the report, said government Web sites have all kinds of personal information about the public that should be held to a higher standard than commercial information that companies glean when customers visit their sites.
“You are required to give this information to the government – you have no choice,” said Armey, the House majority leader. “You don’t have to use a commercial Web site if you feel it has a bad privacy policy. Which worries you more?”

Eighty-five percent of federal Web sites post privacy policies, informing users about information the site collects and what the site does with it. This practice is mandatory, as directed by the Office of Management and Budget, which has been taking the lead in bringing federal sites up to speed.

The report says only 69% of sites satisfy the “notice” test, however, because their privacy policies disclose too little information about how the site uses personal information.

Web sites fared much worse in the rest of the categories, with only 17% of federal sites telling people they can access and change incorrect information kept on the site.

In the FTC’s May privacy report, the agency reviewed popular commercial Web sites to evaluate compliance with the four pillars of privacy. The FTC concluded that the industry had only limited success in meeting the principles, finding that 42% of the most popular sites implemented them, at least in part.
The GAO report took a similar tack, checking federal sites that handle about 90% of consumer traffic. Of those, only 6% implemented the four principles.
The 65 federal sites included parts of every cabinet-level department, as well as the U.S. Postal Service, Environmental Protection Agency, NASA, Office of Personnel Management, Social Security Administration and the Federal Emergency Management Agency.

In responding to the report, the agencies argued the rules for commercial sites do not match the laws and direction given to federal sites.

Sally Katzen, deputy director for management at OMB, said the agencies have been directed to follow the Privacy Act and OMB policy, rather than the FTC guidelines. Also, she said, access and security principles the FTC uses are based on what is disclosed in the privacy policy, rather than the actual level of access or security that exists.

“The measure of good security is good security,” Katzen said in a letter to the GAO, the investigative arm of Congress, “not whether a federal Web site makes a brief statement saying that security is protected.”