Tech Law Journal

News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors



Transcript of Press Conference of Rep. Dick Armey and Rep. Billy Tauzin.
Re: GAO report finding that only 3% of federal web sites meet the FTC's privacy standards.
Date: September 12, 2000.

Editor's Notes:
 • Tech Law Journal transcribed from its audio recording of the event.
 • The audio recording was of poor quality. Hence, there may be errors in this transcription.
 • Copyright Tech Law Journal. All rights reserved.
 • See also, Tech Law Journal story.


Rep. Dick Armey. Good morning y'all.

Rep. Dick Armey (R-TX)

The mike is open. I heard that. I wouldn't say a thing.

Well today, we, or actually the GAO, is releasing its study on the extent to which the federal government meets its own privacy standards. And as you can see, finding only a 3% compliance in the government is pretty discouraging, and it is clear that the Clinton-Gore administration is not even living up to its online privacy standards that it has imposed on the rest of the world.

This is particularly distressing to us, since we are required to give information to the government. We have no choice. And yet the government is less careful with our information, with respect to our privacy, than what we find by the performance of the private sector.

Well, I would say that the GAO study is a devastating assessment of the Clinton-Gore administration's failure to live by its own privacy standards.

One of the things that we are concerned about here is the intrusion against the Internet by the government. The effort to use any avenue they can conjure up to regulate the Internet.

We believe that privacy is important. We have encouraged all users of the Internet to respect other people's privacy. But, I have to say that it is disheartening to see that the Federal Trade Commission invent a standard -- a four part standard -- out of whole cloth, test the private sector with respect to the performance of that, without any prior notification. This is a pop quiz. I taught for twenty years and never gave students a pop quiz over material we never covered in class.

So, what we asked the GAO to do was use the same standards -- the same methodology -- that is used by FTC, and evaluate the government.

The federal government is not living up to the standards that it imposed on everybody else.

And, Billy.

Rep. Billy Tauzin (R-LA)

Rep. Billy Tauzin. Thank you, Dick. I think that it is important to identify the areas in which the federal web sites have failed in this GAO report. First of all, the, if you look on page 3 of the GAO report, you see that they actually surveyed 65 sites. So they apparently -- some of the high impact sites -- 32 of them -- and then they did a random survey in the balance of the sites, smaller sites, smaller agencies, smaller ______.

In the examination of the 65 sites only 85% actually provided a privacy notice to American citizens, who must give up information, when they enter these sites. All, all of the 65 sites collected personal data. 100% collected personal data, but only 85% actually provided any notice to consumers that they were doing so. In addition, a much smaller number of sites implemented the other three remaining requirements of the FTC standard.

The FTC standard, as you know, required also choice to the consumer. Either let them collect information or not. Access. That is to access information they collect to make changes if necessary. And security, to protect that information from anyone else getting it.

Here are the scores for the federal agencies in this high impact and random survey. Only 45% met the standard for choice. Only 17% met the standard for access. And a mere 23%, this is the real shocker, 23% met the standard for security. No wonder, as we are with you today, yesterday, GAO issued a report to Congressman Horn's panel, identifying security on federal web sites as dismal.

And information that Americans must involuntarily supply to these federal web sites is in fact subject to hackers at an alarming rate. Only 23% of those surveyed had any kind of security to protect.

Now, the GAO study did something else that is quite interesting. It indicated that a very small number of the sites -- only 22% -- disclosed that they might allow third party cookies on the site. You know about third party cookies. That is the way in which the consuming public is tempted to give up information by clicking on to the cookie, to third party users of information. Now, imagine a federal site allowing a third party cookie on that site, where other people can come in and gather information on that site. I can imagine very small, very few circumstances, where you might want to let that happen.

But 22%, only 22%, gave the public any disclosure on whether they were doing or not. And here is the real kicker. 14% actually allowed the placement of cookies on federal web sites.

The sum total of what the GAO has reported, at Mr. Armey's and my request, is basically, that using the FTC's methodology, using their methodology, not the, not the GAO's own methodology for government sites, but using the FTC's own methodology for judging private commercial sites, federal sites come in worse than commercial sites. That is, they performed, on that same scale, at a lower level, for privacy protection of end users, than commercial sites.

Now, you will hear from the administration that, oh well, the Lieberman, the report requested by Mr. Lieberman, as to compliance with the federal privacy law, and the OMB memorandums of 1999 and 2000, is the real test. Go look at the Lieberman report. On page five, it points out, that even under that standard, of the one hundred one, of the online forms that were identified as collecting personal information 44 did not have privacy policies. Even under their standard, 44 out of 101 didn't have privacy policies with them. Even under the Lieberman GAO standard, of the 63 agency privacy policies that explained that they collected information automatically, only 46 follow all three of the elements that are contained in the OMB memorandum. And on page 17, half of the web sites that they identified as collecting personal information did not have privacy policies posted. Even under the Lieberman -- sort of the minimalist review -- very different from the very the ___ review provided for commercial web sites, federal web sites fail.

But here is Mr. Armey's and my conclusion right off the bat. We have got some work to do with federal agencies first, in protecting the information that Americans must involuntarily share with federal agencies. Protecting it both from the standpoint of giving more notice to consumers, that this is going on. There are some federal web sites, by the way, who denied that they were collecting personal information, but GAO discovered they were.

Secondly, we need to make sure that consumers have the right, indeed, to correct that information obtained by the government about them.

And third, we have got to have a lot more security about the information. American citizens must give the government, and the government ought to protect, both for the consumers and the citizens of our country, and for the sanctity of those collecting systems.

And finally, we ought to be seriously questioning whether federal web sites ought to be allowing cookies to be placed on web sites that you and I must travel to in order to comply with federal law. That seems to me to be a _____.

The chart says it all. When you look at all four of the elements that Mr. Pitofsky and the FTC used to examine, a failing or grading point (?) for commercial web sites, only three percent of the 65 web sites they examined -- and by the way, they examined the high impact sites -- go check the 35 they examined -- you will be surprised at who they were. Now, for all of the 65 that they examined, only 3%, only 3%, met all 4 of the FTC's recommended requirements or guidelines for the commercial web sites of America.

The bottom line is that the commercial web sites, I think, are performing quite well, in trying to meet the privacy standards of America. They have got a way to go. They have done a good job of coming around. We have more work to do, obviously, in making sure that federal web sites protect the privacy of American citizens.

Dick.

Rep. Dick Armey. I would just say, I think, Billy, you and I would both say to our private web sites, "observe good privacy habits, do so, we will protect you as best we can against government intrusion. But nobody can protect you from your own failure to perform well on the privacy side." So, on the first side, I would say to the private web sites, "do a good privacy policy, and it will be respected." To the government, I would say, "clean up your own house, before you start tending to somebody else's."

We cannot let a government that has this kind of a performance presume to police the private sector on privacy. We will, at the same time, be pushing all government agencies to meet the highest privacy standards. After all, it is much more frightening to me to have public access to my tax files, than how many jeans I might purchase at the Gap.

Rep. Billy Tauzin.  I might point out one other thing. You will hear criticism as well. The GAO standard, when applied to the federal sites, is flawed. Even if you have security at the site, you don't report it. You don't tell the criminal that your site is secure. We failed under the FTC's standard. That is the standard applied to commercial ____. So, if it is flawed in the way it was used for federal agencies, it is equally flawed when commercial entities are examined.

The reason Mr. Armey and I asked the FTC (sic) to use the very same standard they used to judge the commercial entities, was so that we could examine that. Is it a good standard? Is it a flawed standard? Is it accurate? Number one. And how does the government compare to the commercial on an equal playing field? This is what you get.

And if the government is telling the commercial web sites of America, "do as we do," only 3% of America's web sites would meet the FTC's standard. And Dick and I are simply saying that the government ought not be saying, "do as we say, but not as we do." The government ought to do as well or better than commercial web sites.

Drew Clark (Tech Daily). When the FTC's report about private sector compliance with their principles came out in May, many people noted that 88% of web sites had some form of privacy notice. But they went on to say, "yes, but what about the access, security, all the things that this report has done." One point that was made is that access is an extremely debatable term -- that it is not clear at all what customers should or should not have access to. What does the GAO report say about this subject? And is it the same problem at work in looking at government web sites?

Rep. Billy Tauzin. If you will read the GAO report, you will see agencies making the same complaint to the GAO that the commercial sites made to the FTC, that you are not testing us fairly. So, it is a good comparison. You are getting the same complaint at the federal agencies about the FTC's standard being unfair, as you got from commercial entities, who thought this access question was too ambiguous and not clear. As Dick said, you know, before you go test, and report to the American people, that someone is failing, your test ought to be fair. Let people know in advance that you will be testing them. Now the federal agencies knew what the FTC was doing for a long time. I will tell you what. When the FTC started doing their survey, I made sure I had a privacy notice on my web site. Dick did. All of us did. And it is fair notice to all ___. But even with fair notice, the federal flunked.

Rep. Dick Armey.  It is not fair if you don't give people access to what the meaning of word access is.


The question and answer segment of the press conference continued. However, it became repetitious, and the event devolved, in part, into a debate between several reporters and Rep. Tauzin. The highlights are transcribed below.

The second question was regarding the identities of federal web sites surveyed by the GAO. Rep. Armey and Rep. Tauzin responded that, like the FTC report, they were not identified in the report. Variations on this question were asked several more times.

The third question was, "Is this more an indictment of the FTC's standards, or the privacy of the government web sites? I mean, which is the more glaring concern?"

Rep. Dick Armey. "I think that it is an indictment of the audacity of the government to say that we will set, and test, and impose a standard on the private sector, that is not met by agencies of the federal government. The first rule of, I think, of government policy on privacy should be, government must be first, best, because government has access to mandatory information. When I go on the web, and I do, I have a choice to give up the information, or not. If I decline to do so, nobody comes knocking on my door. The IRS calls. For that matter, when the Census Bureau asked me how many toilets I have. If I decline to answer it, a Federal Marshal comes knocking on my door. Now, if they don't first meet the standard of highest privacy protection for me, on that mandatory information, they have no moral authority to take a look at the Gap and start criticizing them their standards of privacy."

Drew Clark made the point that "the government is bound by certain higher standards under the Privacy Act," and asked for response. Rep. Tauzin responded that "despite the Privacy Act, despite the OMB memorandums of 1999 and 2000, there are important federal agencies that are not following the law, nor those memorandums. That come out in both the Lieberman report and the GAO report." Clark made the point that "citizens are already protected by these laws".

Rep. Armey added, "You have to look at the absurdity of the proposition. They are saying we should not be held accountable by the laws that bind us, while we criticize the private sector for not voluntarily complying with a standard set for people who give voluntary information. And that is like the fox gets caught in the hen house, and says the hen started it."

Tauzin added that there are exceptions in the Privacy Act, for example, that allow agencies to share information with other agencies, and these other agencies may not be secure -- "Like an FBI file that shows up at the White House."

A question was asked about what personal information is. Rep. Tauzin said the GAO study used the FTC's definitions. He added that the GAO people were trained to conduct their survey by the FTC.

Copyright 1998-2008 David Carney, dba Tech Law Journal. All rights reserved.