[Department of the interior activities to collect, review, and use information that identifies individuals who access the department's internet sites]
[From the U.S. Government Printing Office, www.gpo.gov]

Date:  April 30, 2001
                  
*********DISCLAIMER**********

This file contains an ASCII representation of an OIG report.  No attempt has been made to display graphic images or illustrations.  Some tables may be included, but may not resemble those in the printed version.

A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 208-4599.
                  ******************************

April 30, 2001

Report on Department of the Interior Activities to Collect, Review, and Use Information that Identifies Individuals who Access the Department's Internet Site (No. 01-I-340)

As required by Section 646 of the Treasury and General Government Appropriations Act, 2001, we reviewed the Department of the Interior's (DOI) Web pages to identify the DOI's activities related to:

* Collecting or reviewing singular data or creating aggregate lists that include personally identifiable information about individuals who access any Internet site[1] of the DOI.
* Entering into agreements with third parties, including other governmental agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits of governmental and nongovernmental Internet sites.

RESULTS OF REVIEW

The DOI generally did not inappropriately collect personally identifiable information on individuals who accessed its Internet Web pages.  Of the DOI's more than 6,000 Web pages, we reviewed 598, including the DOI's 532 Internet sites.  We found that generally the DOI and its components and third parties did not collect, review, or obtain singular data or create aggregate lists that included personally identifiable information about individuals who accessed the DOI's Web pages.  Additionally, we found that generally the DOI notified users when personally identifiable information was being collected and explained its use of this information.  However, we found some exceptions in the Web pages reviewed.  These exceptions were as follows:

* "Cookies" were not disclosed to the Internet user on 29 Web pages.
* Web bugs existed on 12 Web pages.  
* Of the 84 Web pages that collected personally identifiable information, 17 did not disclose to the Internet user all uses of this information.
* Of the five third-party contractors that collected personally identifiable information, three did not disclose all uses of the collected information.

The details of our review are discussed in the paragraphs that follow.

"COOKIES" AND WEB BUGS

We found that of the 598 Web pages reviewed, 17 had session "cookies"[2] (see Appendix 1).  Of these 17 Web pages, only 4 disclosed the use of session "cookies."  We also found 18 Web pages that had persistent "cookies" (see Appendix 2).  Of these 18 Web pages, 16 did not disclose to the Internet user that persistent cookies were being used.  In addition, agency head approvals for these 18 Web pages were not provided to us.  Rather than providing us with agency head approvals, the Web masters removed the persistent "cookies" from nine of the Web pages, and three Web pages could no longer be accessed.  We verified that as of April 17, 2001, these 12 persistent "cookies" no longer existed or the Web pages could not be accessed.  For the remaining six Web pages, we found that as of April 17, 2001:

* One Web page had been updated to disclose the use of a persistent "cookie."
* Five Web pages continued to use persistent "cookies" without disclosure of their use.
* None of the six Web pages had agency head approval for the use of "cookies."
 
We also followed up on the General Accounting Office's report "Internet Privacy:  Federal Agency Use of Cookies," issued in October 2000.  In that report, the General Accounting Office identified two DOI Web sites that included session "cookies" (www.blm.gov and reservations.nps.gov) that were not disclosed.  As of April 17, 2001, we found that www.blm.gov no longer had a session "cookie" but that reservations.nps.gov continued to have a session "cookie" and the use of the session "cookie" was not disclosed.  National Park Service (NPS) management is addressing this issue.

We found that 12 of the 598 Web pages contained a Web bug[3] (see Appendix 3).  Further, the use of the Web bug was not disclosed on the Web page privacy notice.  We contacted Chief Information Officer management and Web masters regarding the use of Web bugs.  In four of the cases, the Web bugs were removed.  We verified that as of April 17, 2001, the four Web bugs no longer existed on these Web pages.  In none of the 12 instances were we provided information to support the use of the Web bug.

COLLECTING PERSONALLY IDENTIFIABLE INFORMATION

Our audit staff, with the assistance of the DOI and its components, identified that at least 84 of the 598 Web pages collected personally identifiable information.[4]  We reviewed these 84 Web pages and found that 62 contained disclosures related to the use of the personally identifiable information collected and 5 could not be accessed.  Additionally, the privacy notice statements on these 62 Web pages indicated that the personally identifiable information collected was subject to disclosure but would be handled in accordance with the requirements of the Privacy Act and the Freedom of Information Act to ensure the greatest protection of personal privacy in the event of any required disclosure.  The privacy notice further stated that unless required by law, the personally identifiable information would not be shared with outside parties.
 
Of the 17 Web pages that collected personally identifiable information without disclosing all uses of it, 10 were for users to submit comments or feedback to the agency.  On these pages, personally identifiable information was collected only if the user requested a response; generally it consisted of the Internet user's name, home address, and electronic mailing address.  The remaining seven Web pages were for such actions as submitting applications for positions, registering for conferences, and downloading application software.

Generally, Internet users who contact the DOI and its components electronically through Web pages to ask questions, provide feedback, fill out questionnaires, or sign guest books provide personally identifiable information voluntarily.  Of the 598 Web pages, 310 included privacy notice statements.  Where an Internet user contacts the agency through one of these Web pages, the DOI's privacy notice statements disclose the use of any personally identifiable information collected.  Further, these privacy notices assure the user that the personally identifiable information collected when contacting the DOI or its components will not be shared with any entity outside the DOI.  Although the remaining 288 Web pages reviewed did not contain privacy notice statements, these pages generally were not used to contact the agency (see Appendix 4).

THIRD PARTIES COLLECTING PERSONALLY IDENTIFIABLE INFORMATION

We reviewed five Web pages that were maintained by third-party organizations for the DOI.  These Web pages were generally for the purposes of transacting business with the Internet user.  The following were the specific purposes of these five Web pages: 

* Purchasing Federal Duck Stamps
* Obtaining geological reference materials
* Adopting a wild horse or burro
* Making a reservation at a national park
* Purchasing a national park pass

All of these Web pages were able to collect Internet users' viewing habits and collect the users' personally identifiable information.  Additionally, not all of these Web pages contained privacy statement notices.  Specific details of these Web pages are discussed in the paragraphs that follow.

We were provided a copy of the agreement between the U.S. Fish and Wildlife Service and its contractor that sold Federal Duck Stamps.  The contract did not address the collection and/or distribution of the personally identifiable information.  Further, the contractor's Web pages did not contain a privacy statement that disclosed the use of the personally identifiable information collected to purchase a Federal Duck Stamp or that stated whether aggregate lists of viewing habits were shared or otherwise disclosed to other parties.  Additionally, for the Internet user to purchase a Federal Duck Stamp, substantial personally identifiable information was needed, including a credit card number.  When we contacted contractor personnel, they stated that the buyer information was not shared.

We received a copy of the agreement between the U.S. Geological Survey and its geological reference material contractor.  The contractor's Web page did include a privacy statement that indicated information may be shared.  When discussed with Geological Survey Information Technology management, they said that the reference to the Federal Acquisition Regulation clauses in the agreement prohibited the contractor from disclosing or otherwise sharing the personally identifiable information and the Internet users' aggregate viewing habits that could be collected.  In our review of the Federal Acquisition Regulation clauses included in the agreement, we did not find a reference that the contractor was prohibited from sharing or disclosing personally identifiable information and the Internet users' viewing habits.

The Web pages maintained by a contractor for adopting a wild horse or burro did not contain adequate privacy information regarding the use and disclosure of the personally identifiable information collected from the Internet user.  This is of concern because two of the Web pages we reviewed contained a Web bug that was a third-party software provider "cookie" and could be used to share the Internet users' viewing habits.  Further, although we requested a copy of the agreement, we had not received a copy by the time we prepared our report.  The Web page where personally identifiable information was collected required the applicants to provide the following:

* Name, address, telephone number, and electronic mailing address.
* Driver's license number.
* Social security number.

We requested additional information regarding the use and disclosure of the personally identifiable information collected.  As of April 17, 2001, no response had been received.

Within the NPS's reservation Web pages that are maintained and operated by a contractor, we found that when making a reservation at Mammoth Cave the Internet users' personally identifiable information could be shared with outside parties.  Further, the Web page did not explicitly state that the users' personally identifiable information may be shared with a party outside of the NPS and its contractor.  The NPS and its contractor stated that the users' personally identifiable information would be provided to the other third party only if the users acknowledged that they wanted additional information about the Mammoth Cave area.  We received a copy of the agreement between the NPS and the organization that received the personally identifiable information.  The NPS has modified the contract to make it explicit that once the user has been provided the information about Mammoth Cave, the personally identifiable information collected will be destroyed.   However, the Web page privacy notice was not modified to inform the Internet users that their personally identifiable information may be shared.

The NPS contractor collected personally identifiable information when an Internet user purchased a national park pass.  The contractor-maintained Web site included a privacy notice statement that disclosed that Internet users' viewing habits, in aggregate, may be shared for research purposes with whomever the contractor chooses.  The NPS policy is to notify Internet users whenever the user leaves the NPS Web page to visit a third party's Web page unless the site has been reviewed and approved by formal agreement.  When Internet users accessed the Web page to purchase a park pass, the users were not warned that they were leaving the NPS Web page and accessing a third-party Web page.  We were not provided the agreement between the NPS and its contractor for managing the purchase of passes to national parks by the time we prepared our report. Without the opportunity to review this formal agreement, we were not able to determine whether the contractor had been authorized by the NPS to share the Internet users' personally identifiable information or viewing habits with others.

SCOPE AND METHODOLOGY

We reviewed Web pages that were identified as major or principal entry points by the DOI Web masters.  In addition, we randomly selected other DOI Web pages and Web pages or sites maintained by third parties.  The Web pages selected for the review were those in existence as of February 1, 2001.  We used an optional feature offered by the Microsoft browser to identify the use of "cookies" and used Web bug detection software recommended by the General Accounting Office.  If we found evidence of the use of session or persistent "cookies," we reviewed the Web page for proper disclosure information and requested proof of the agency head's approval for the use of persistent "cookies." 
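The report does not reproduce the browser feature or the detection software it used.  The following is an added example, not the OIG's audit tool, of the two checks the methodology describes: classifying each Set-Cookie header a server returns as a session or persistent cookie (using the definitions in the footnotes: a persistent cookie is one the server marks with an Expires or Max-Age attribute), and scanning a page's HTML for resources loaded from a host outside the page's own site, which is how a third party gets to set its own cookie and record the visit.  Every hostname, header and HTML fragment in it is constructed for the example, and the same-site test on the last two DNS labels is a simplifying assumption.

```python
"""Added example (not the OIG's audit tool): classify Set-Cookie headers as
session or persistent, and flag third-party embedded resources ("Web bugs")
in a page's HTML.  All hostnames, headers and HTML below are constructed."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def classify_cookie(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value and classify it.

    A session cookie is kept only for the browsing session; a persistent
    cookie survives it.  A server makes a cookie persistent by sending an
    Expires or Max-Age attribute (Max-Age wins when both are present).
    A Max-Age of 0 or less instead tells the browser to delete the cookie,
    so it is reported as "deleted" rather than persistent.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    if "max-age" in attrs:
        try:
            kind = "persistent" if int(attrs["max-age"]) > 0 else "deleted"
        except ValueError:
            kind = "session"   # browsers ignore a malformed Max-Age
    elif "expires" in attrs:
        kind = "persistent"    # an Expires in the past also deletes; not checked here
    else:
        kind = "session"
    return {"name": name.strip(), "value": value.strip(), "kind": kind,
            "attributes": attrs}


class EmbeddedResourceScanner(HTMLParser):
    """Collect the URLs of resources a page loads automatically."""

    RESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                      "embed": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.resources = []  # (tag, url, attributes)

    def handle_starttag(self, tag, attrs):
        attr_name = self.RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attributes = dict(attrs)
        url = attributes.get(attr_name)
        if url:
            self.resources.append((tag, url, attributes))


def same_site(host_a: str, host_b: str) -> bool:
    """Naive same-site test on the last two DNS labels (an assumption for
    this example; a production tool should use the Public Suffix List)."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


def find_web_bugs(page_url: str, html: str) -> list:
    """Return embedded resources served from a host outside the page's site.

    Each such resource lets the third party set its own cookie and log the
    visit.  A 1x1 (or 0x0) image is the classic invisible tracking pixel
    and is flagged separately.
    """
    page_host = urlsplit(page_url).hostname or ""
    scanner = EmbeddedResourceScanner()
    scanner.feed(html)
    findings = []
    for tag, url, attributes in scanner.resources:
        absolute = urljoin(page_url, url)
        host = urlsplit(absolute).hostname or ""
        if not host or same_site(host, page_host):
            continue
        tiny = (tag == "img"
                and attributes.get("width") in ("0", "1")
                and attributes.get("height") in ("0", "1"))
        findings.append({"tag": tag, "url": absolute, "host": host,
                         "tracking_pixel": tiny})
    return findings


# Constructed sample input: what an auditor would capture from one response.
SAMPLE_PAGE_URL = "https://www.example.gov/index.html"
SAMPLE_SET_COOKIES = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "visitor=7f3a; Expires=Wed, 30 Apr 2003 00:00:00 GMT; Path=/",
    "promo=old; Max-Age=0; Path=/",
]
SAMPLE_HTML = """<html><body>
<img src="/images/seal.gif" width="80" height="80">
<script src="https://static.example.gov/menu.js"></script>
<img src="http://counter.tracker-example.net/hit.gif?site=42" width="1" height="1">
<script src="http://stats.tracker-example.net/collect.js"></script>
</body></html>"""

if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIES:
        cookie = classify_cookie(header)
        print(f"cookie {cookie['name']!r}: {cookie['kind']}")
    for finding in find_web_bugs(SAMPLE_PAGE_URL, SAMPLE_HTML):
        label = "tracking pixel" if finding["tracking_pixel"] else "third-party resource"
        print(f"{label}: {finding['url']}")
```

On the constructed input the first header is a session cookie, the second is persistent, and the third is a deletion; the scan reports the 1x1 image and the script from tracker-example.net and ignores the same-site resources.  A persistent cookie found this way is exactly the case where the report asked for proof of agency head approval, and a third-party resource is the case where the privacy notice would need to disclose the sharing of viewing habits.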

This review was conducted in accordance with guidance provided by the President's Council on Integrity and Efficiency, issued specifically for this review.  Fieldwork was performed during January through April 2001 at the Web master offices in Washington, D.C., and our office in Denver, Colorado.

[1] An Internet site is defined as an agency's principal Web pages; other major entry points to sites, including home pages of agency components and Web pages that receive a high number of visits; and any Web page where substantial amounts of personal information are collected or posted.

[2] A "cookie" is a mechanism that the Web server uses to store a small piece of information on the client's (user's) computer.  A session cookie is stored on the user's computer only during the browsing session.  A persistent cookie is stored on the user's computer during the browsing session and remains after the session is closed.

[3] A Web bug is a mechanism to store a small piece of information on the client computer that can be shared with other sites.  In the case of DOI, the Web bugs were third-party cookies stored on the client computer by a software vendor and not the host of the Web page.

[4] These Web pages do not include Web sites addressed under the "Third Parties Collecting Personally Identifiable Information" section of this report.

(01-I-340)