In response to a request for comment from the Office of Science and Technology Policy, today USACM submitted comments on how federal government websites should use web tracking technologies. These technologies include, but are not limited to, cookies, little bits of code that can be deposited on your computer to help the web site your visiting remember things about you. Other web tracking technologies include deep packet inspection and web bugs. Specific areas that the government sought comments on included:
- The basic principles governing the use of such technologies;
- The appropriate tiers;
- The acceptable use and restrictions of each tier;
- The degree of clear and conspicuous notice on each website that web tracking technologies are being used;
- The applicability and scope of such a framework on Federal agency use of third-party applications or websites;
- The choice between an opt-in versus opt-out approach for users;
- Unintended or non-obvious privacy implications;
USACM took care to recognize that web-tracking technologies have definite benefits, both for consumers and for website operators:
Many of the challenges in using these technologies come about when personally identifiable information (PII) is used during this web tracking, or when other sensitive information (financial records, medical information sought online, etc.) is part of this web-tracking, or could be exposed through careless collection or use of PII. To the extent possible, USACM recommended minimizing the collection of PII.
Other USACM recommendations include:
- Until a newer, not yet envisioned technology is available, tracking across websites should be limited to HTTP cookies.
- The general guidelines governing these technologies should not presume to know the type of device with which a user accesses a website.
- Government websites that embed third-party content (regardless of tier) need to ensure that those third parties cannot use personal information to track individuals absent explicit consent by the individual and disclosure of this third-party use of personal information to the individual and the government. The third parties that interact with government websites should be restricted to U.S. entities.
- Any use [of web tracking technologies] for personalization should comply with fair information practices and should be restricted to the third tier. Any data collected for third tier uses should be carefully controlled in terms of access and use, and the notice required should be clear and conspicuous.
- A Privacy Impact Assessment (PIA) may help identify and rectify instances of unnecessary privacy risks by minimizing and/or eliminating the collection of PII.
- [I]t is critical that any information collection about government website users by a third party undergo additional scrutiny.
- The security and privacy indicators of websites should be made compliant with the Americans with Disabilities Act (ADA).