Sunday, May 24, 2009

Measuring up to Privacy : EFF on Govt. Web Intrusion

from EFFector online

The Center for Democracy and Technology and EFF are releasing "Open Recommendations for the Use of Web Measurement Tools on Federal Government Web Sites." (Press ReleasePDF.) The document recommends repairs to the federal guidelines that regulate the use of cookies and other "persistent tracking technologies" on government websites.

Today, these regulations are problematic: They're both too harshly bureaucratic in some cases and too relaxed in others. They're too harsh because ordinary government webmasters are prohibited from performing even basic traffic analysis without acquiring personal approval from their agency's head — something they say is an insurmountable bureaucratic obstacle in many federal agencies. They're too relaxed because they don’t reach many of the tracking technologies that are in use today. In addition, in the event that the agency head does provide this sign-off, it allows a loophole which can enable the agency to use tracking technologies with almost no oversight or accountability. EFF has recently had first hand experience with this loophole since the White House has still refused to give any explanation, much less provide the actual waiver it recently issued for use of cookies on whitehouse.gov.

As an alternative, CDT and EFF are recommending a sensible way forward: Government webmasters ought to be permitted to use modern analytics tools without agency-head approval, so long as the use of those tools is carefully overseen and meets with specific strict safeguards and requirements.

Many of these safeguards will be familiar to folks who've read EFF's Best Practices For Online Service Providers: Visitor data must be speedily anonymized, and it may not be used for purposes other than traffic analysis. Visitors should be given a clear option allowing them to opt-out of tracking, and agency privacy officers must carefully review and audit the processes. And, importantly, no "agency-head approval" will be sufficient to waive these requirements.

In addition to being smart policy, the adoption of these guidelines would foster smart technology. Current web anaytics systems are notorious for hoarding data irregardless of privacy concerns. The prevailing approach is to collect as much information as possible and store it for as long as possible. To make matters worse, most systems (including the popular Google Analytics) store the data on servers that the web-manager does not own or control, increasing the likelihood that the data will be captured, leaked or misused. Adoption of these recommendations would encourage analytics providers to consider safer and smarter approaches.

The Obama Administration is expected to begin revising federal website policies soon, as part of its "Open Government" initiatives. We hope these recommendations will be incorporated. The result would be a win, both for webmasters seeking data and for citizens seeking privacy.

No comments: