WASHINGTON (AP) _ One in four Web sites run by the Defense Department have no privacy statement posted, according to an oversight report released Tuesday. An even larger number collect information about the public despite a White House directive barring the practice.
The audit found it possible that commercial companies might secretly have collected and sold personal information about visitors to Defense Web sites.
Since July, the Defense Department has required display on Web sites of a privacy notice at each major entry point and wherever identifying information is collected from visitors. Defense and all other departments and agencies already were bound by similar rules under a June 1999 order of the White House's Office of Management and Budget.
Rep. Jay Inslee, D-Wash., and Sen. Fred Thompson, R-Tenn., called the new report disturbing. The two were responsible for an amendment that requires each agency's inspector general to conduct a privacy audit and report to Congress.
``Americans should not have to worry about federal agencies monitoring their Internet activity, yet this audit found seven examples of invisible Web bugs on Navy, Air Force and Marine Corps Web sites,'' Inslee said. A Web bug is a tiny invisible image on a Web page used to track users.
The report checked a sample of 400 Defense sites; 100 had no privacy notices.
``This 25 percent failure rate is astronomical, given how late we are into the privacy discussion,'' Inslee said.
In a response to the auditors, Deputy Assistant Defense Secretary J. William Leonard said the sites were not necessarily collecting personal information but admitted that the prohibited Internet text files, called ``persistent cookies,'' were present.
Leonard said the auditor's recommendations _ to remove the tracking software, post privacy notices and make sure officials know the policies _ would be completed by Aug. 31.
The director of the Defense Privacy Office noted that since Web masters were not aware of the tracking rules, ``the proscribed activity results from acts of nonfeasance rather than malfeasance on the part of the Web masters.''
Thirty-six Defense Web masters had tracking code on their sites. Ten knew about them, of which seven said they didn't know that the Defense department forbids them.
``Web masters complained that they were not provided guidance on the DoD (Department of Defense) policy or instructions to identify persistent cookies or Web bugs,'' the auditors say.
Since many of the cookies originated with commercial companies, the auditors worry that consumer privacy may be at risk.
``DoD has inadequate assurance that the involuntary collection of personal information by commercial companies at DoD Web sites is safeguarded and not sold or given away after it is collected,'' the report states.
The auditors told Defense officials to remove the cookies, although the survey sample was a small fraction of the 2,608 registered Defense sites.
Government agencies have had a long string of Internet privacy and security breaches in the last year. On several occasions investigators discovered the use of tracking software on their sites.
Federal investigators also have found significant security lapses at many agencies _ including the Environmental Protection Agency, Veterans Affairs and the office that controls Medicare _ that could lead to hackers stealing or altering sensitive data.