Few federal websites meet standards

At the behest of Republican legislators, the General Accounting Office graded 65 of the government's most popular World Wide Web sites on the basis of four principles: adequate notice of practices, choice to give or not to give information, access to change personal information and assurance that information is secured properly. The report found that only 3 percent of federal sites pass.

Rep. Dick Armey, R-Texas, who requested the report, said government Web sites have all kinds of personal information about the public that should be held to a higher standard than commercial information companies glean when customers visit their sites.

"You are required to give this information to the government – you have no choice," said Mr. Armey, the House majority leader. "You don't have to use a commercial Web site if you feel it has a bad privacy policy. Which worries you more?"

Eighty-five percent of federal Web sites post privacy policies, informing users about information the site collects and what the site does with it. This practice is mandatory, as directed by the Office of Management and Budget, which has been taking the lead in bringing federal sites up to speed.

The report says only 69 percent of sites satisfy the "notice" test, however, because their privacy policies disclose too little information about how the site uses personal information.

Web sites fared much lower in the rest of the categories, with only 17 percent of federal sites telling people they can access and change incorrect information kept on the site.

Jake Siewert, a spokesman for President Bill Clinton, called the report "seriously misleading" Tuesday.

"We've actually made significant progress in this area," Mr. Siewert said.

He added that the report is flawed because it compares federal agency policies to a policy designed for commercial Web sites.

In the FTC's May privacy report, the agency reviewed popular commercial Web sites to evaluate compliance with the four pillars of privacy. The FTC concluded that the industry had achieved limited success in achieving the principles, finding that 42 percent of the most popular sites implemented them, at least in part.

The GAO report took a similar tactic, checking federal sites that handle about 90 percent of consumer traffic. Of those, only 6 percent implemented the four principles.

The 65 federal sites included parts of every cabinet-level department, as well as the U.S. Postal Service, Environmental Protection Agency, NASA, Office of Personnel Management, Social Security Administration and the Federal Emergency Management Agency.

In responding to the report, the agencies argued the rules for commercial sites do not match the laws and direction given to federal sites.

Sally Katzen, deputy director for management at the Office of Management and Budget, said the agencies have been directed to follow the Privacy Act and OMB policy, rather than the FTC guidelines. Also, she said, access and security principles the FTC uses are based on what is disclosed in the privacy policy, rather than the actual level of access or security that exists.

"The measure of good security is good security," Ms. Katzen said in a letter to the GAO, the investigative arm of Congress, "not whether a federal Web site makes a brief statement saying that security is protected."

On Monday, the GAO released another report saying federal computer security is "fraught with weaknesses" that put critical operations at risk. Last week's GAO report, which assessed federal Web sites' efforts in implementing OMB policy noted that many federal sites don't adequately follow OMB rules either.

The FTC guidelines and the Privacy Act are similar in their intent, but differ slightly in how the principles are applied in the public and private sectors.

Mr. Armey used the report to chide the government for considering new legislation to rein in commercial sites.

"People with glass Web sites should not throw stones," he said.

Bloomberg News contributed to this report.

Grading the government

Here's how the GAO graded the Web sites of the major government agencies:

B: Social Security Administration

B-: National Science Foundation

C: Education Department, State Department

C-: Department of Housing and Urban Development, Commerce Department, Agency for International Development

D+: Defense Department

D: Veterans Affairs Department, Treasury Department

D-: Environmental Protection Agency, General Services Administration, NASA

F: Office of Personnel Management, Health and Human Services Department, Agriculture Department, Small Business Administration, Justice Department, Labor Department, Interior Department

Incomplete: Energy Department, Nuclear Regulatory Commission, Transportation Department, Federal Emergency Management Agency