I took the opportunity to re-examine the federal approach to privacy, and submitted the proposal that follows in this blog.
The proposal is narrowly limited to allowing as much pseudonymity as I could around logging on to government sites. There may be intriguing ways it could also promote pseudonymity for contributions made by these visitors (such as whistle-blowers); but I'll leave that idea for later after I can talk to more experts about it.
Comments will continue to be accepted from the public until August 10.
Summary: Privacy requirements could be met by creating a government web site backed by OpenID where people wishing to participate in government web discussions can register without providing personal information.
Each government agency that wishes to track visitor participation can authenticate the visitor through the central government OpenID server. Although OpenID requires sites to accept and store cookies, those cookies contain or point to only minimal personal information.
OpenID server and pseudonymity
An appropriate federal agency furnishes the backbone of this plan by setting up an OpenID server (http://openid.net/). OpenID is a stable and by now familiar technology, used by sites that people use every day such as Google, Yahoo!, AOL, and even retailers ("Sears and KMart Adopt OpenID to Simplify Customer Registration and Login While Enhancing the Shopping Experience", July 2nd, 2009).
Although hundreds of thousands of accounts can be anticipated, the server handles very little traffic and processing for each access and should not be hard to scale. Of course, replication and other high-availability technologies should be used to minimize the possibility of failure.
No information is collected on the individual who creates an account, unless the government finds a reason to conduct a survey that would be entirely optional. However, in order to manage the account, the individual would be encouraged to provide a point of contact. This could be an email address, social networking service, or other location where information about the account would be delivered.
The OpenID server's privacy statement would limit the use of the point of contact to the task of sending information to the visitor about changes in the account or other relevant news. The point of contact should not be used to send lost passwords, because email is transmitted in the clear and is not secure. If laws permit the government to use the point of contact to investigate criminal activity, this would be stated in the privacy statement.
Thus, the OpenID server comes as close as is practical to true pseudonymity, where the visitor has a persistent account that can be tracked but cannot be traced to a real-life person.
Agency logins and cookies
Each agency that wishes to track visitor participation would authenticate visitors through the central government OpenID server. The site would:
- Explain to visitors that new visitors need an account on the government's OpenID server, and link to that site.
- Provide a box for visitors with accounts to log in.
- Provide an alternative login method in case a disaster takes down the OpenID server.
The cookie stored by the agency has minimal information: an encrypted key that points to a record about the visitor on the agency site (not the OpenID server). The record would be limited to information that meets the OMB's stated purposes: "analytics" and "remembering data, settings, or preferences unique to that visitor."
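The login path described in this section, as an added example that is not part of the original proposal or of any OpenID implementation: a Python model of the central OpenID server and of one agency site. It stands in for the OpenID 2.0 wire protocol with a simplified, HMAC-signed assertion over a pre-shared association secret (an assumption; real OpenID negotiates associations and uses a different message format), and it replaces the "encrypted key" in the agency cookie with a random, meaningless record identifier plus an HMAC tag, which keeps personal data out of the cookie just as well without inventing a cipher. All hostnames, handles and secrets are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

# Secret shared between the OpenID server and one agency site for signing
# assertions. OpenID 2.0 negotiates this per association; it is a constructed,
# pre-shared value here so the example runs offline (assumption).
ASSOCIATION_SECRET = secrets.token_bytes(32)
ASSERTION_MAX_AGE = 300  # seconds an assertion remains acceptable


def _sign(secret, fields):
    """HMAC-SHA256 over the canonical JSON encoding of the signed fields."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class OpenIDServer:
    """Central government OpenID server. An account is a handle and a password
    hash; no name, address or other personal data is collected."""

    def __init__(self):
        self._accounts = {}     # handle -> (salt, password hash)
        self._identifiers = {}  # handle -> opaque claimed identifier

    def register(self, handle, password):
        salt = secrets.token_bytes(16)
        self._accounts[handle] = (salt, _pbkdf2(password, salt))
        # The identifier an agency sees is random: it lets the agency recognise
        # a returning account but says nothing about the person behind it.
        self._identifiers[handle] = "https://openid.example.gov/id/" + secrets.token_urlsafe(16)
        return self._identifiers[handle]

    def authenticate(self, handle, password, return_to):
        """Check the password; on success issue a signed, single-use assertion
        bound to the agency URL that asked for it."""
        entry = self._accounts.get(handle)
        if entry is None:
            return None
        salt, digest = entry
        if not hmac.compare_digest(_pbkdf2(password, salt), digest):
            return None
        fields = {
            "claimed_id": self._identifiers[handle],
            "return_to": return_to,
            "nonce": secrets.token_hex(16),
            "issued": int(time.time()),
        }
        return {**fields, "sig": _sign(ASSOCIATION_SECRET, fields)}


class AgencySite:
    """Agency site (relying party): verifies assertions, keeps one visitor
    record per claimed identifier, and gives the browser an opaque cookie."""

    def __init__(self, return_to):
        self.return_to = return_to
        self._cookie_key = secrets.token_bytes(32)  # per agency, never shared
        self._records = {}         # record_id -> visitor record (no personal data)
        self._by_claimed_id = {}   # claimed_id -> record_id
        self._seen_nonces = set()  # replay protection; a real server would expire these

    def verify_assertion(self, assertion):
        fields = {k: v for k, v in assertion.items() if k != "sig"}
        if not hmac.compare_digest(_sign(ASSOCIATION_SECRET, fields), str(assertion.get("sig", ""))):
            return None  # forged or altered
        if fields.get("return_to") != self.return_to:
            return None  # issued for a different site
        if int(time.time()) - int(fields.get("issued", 0)) > ASSERTION_MAX_AGE:
            return None  # stale
        nonce = fields.get("nonce")
        if nonce is None or nonce in self._seen_nonces:
            return None  # replayed
        self._seen_nonces.add(nonce)
        return fields["claimed_id"]

    def _cookie_tag(self, record_id):
        return hmac.new(self._cookie_key, record_id.encode(), hashlib.sha256).hexdigest()[:32]

    def login(self, assertion):
        """Verify the assertion, create or update the visitor record, and
        return the cookie value to set (None if login is refused)."""
        claimed_id = self.verify_assertion(assertion)
        if claimed_id is None:
            return None
        record_id = self._by_claimed_id.get(claimed_id)
        if record_id is None:
            record_id = secrets.token_urlsafe(16)  # meaningless outside this agency
            self._by_claimed_id[claimed_id] = record_id
            self._records[record_id] = {"claimed_id": claimed_id, "preferences": {}, "visits": 0}
        self._records[record_id]["visits"] += 1
        return record_id + "." + self._cookie_tag(record_id)

    def record_for_cookie(self, cookie):
        """Resolve a cookie to its record, rejecting anything not minted here."""
        record_id, _, tag = cookie.partition(".")
        if not hmac.compare_digest(self._cookie_tag(record_id), tag):
            return None
        return self._records.get(record_id)
```

The agency never learns the handle or password, only the random claimed identifier, and the cookie carries nothing but a record pointer that is useless to any other site. The checks in `verify_assertion` are what makes the central server safe to rely on: a replayed assertion, one altered in transit, or one issued for a different agency's return URL is refused.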
Combination of data for analytics
Although agencies can use the information in visitor records for analytics on their own sites, the government may want to aggregate statistics from many sites. This could prove quite valuable if different agencies share servers through virtualization. To permit aggregation, sites that authenticate with the OpenID server can register with the site responsible for combining the analytics and can send relevant data from visitor records as needed.
Conformance with privacy laws and regulations
A compelling need for tracking
The "data, settings, or preferences unique to that visitor" are conveniences for the visitor, so sites should allow opt-out from such tracking. If analytics are considered a compelling necessity, the government need not allow the visitor to opt out of data collection for that purpose; but offering opt-out might still be feasible, because so few people would choose it that they would not substantially affect the statistics.
The key elements of the privacy statement on the OpenID server have already been described. Individual agency sites will provide notice when the visitor logs in. This notice can briefly mention:
- The requirement for the browser to allow cookies
- The content of the cookie and visitor record
- The purposes to which the record will be put
Visitors should be allowed to retrieve information from the OpenID server about how their account has been used.
The government should allow visitors to delete the information stored for their convenience at each agency, which they may choose to do when their participation in a particular initiative finishes. The OMB should also consider allowing visitors to delete logs of their accesses from the OpenID server and even to delete their account entirely on the OpenID server, although deleting the account might require keeping the data for analytics under an anonymous account.
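The deletions suggested above, on the OpenID server side, as an added example that is not part of the original proposal: a Python store that lets a visitor retrieve how the account has been used, delete the access log, and delete the account entirely, while the counts analytics need survive. Rather than re-filing the rows under a single "anonymous account" (which would still keep one visitor's accesses linked to each other), the example folds them into per-agency, per-month totals that no longer reference any account. Hostnames and timestamps are constructed; the agency-side deletion of convenience data would simply drop the record's preferences.

```python
import secrets
import time
from collections import Counter


def month_of(ts):
    """Bucket a timestamp to 'YYYY-MM' (UTC) for aggregate statistics."""
    return time.strftime("%Y-%m", time.gmtime(ts))


class OpenIDAccountStore:
    """Account, access-log and aggregate-statistics storage on the OpenID
    server, with the visitor-initiated deletions the proposal suggests."""

    def __init__(self):
        self._accounts = {}       # claimed_id -> {"contact": optional point of contact}
        self._access_log = []     # (claimed_id, agency, timestamp)
        self._folded = Counter()  # (agency, month) -> visits detached from any account

    def create_account(self, contact=None):
        claimed_id = "https://openid.example.gov/id/" + secrets.token_urlsafe(16)
        self._accounts[claimed_id] = {"contact": contact}  # the only, optional, detail kept
        return claimed_id

    def has_account(self, claimed_id):
        return claimed_id in self._accounts

    def record_access(self, claimed_id, agency, ts=None):
        if claimed_id not in self._accounts:
            raise KeyError("unknown account")
        self._access_log.append((claimed_id, agency, time.time() if ts is None else ts))

    def account_usage(self, claimed_id):
        """What a visitor can retrieve about how the account has been used."""
        return [(agency, ts) for cid, agency, ts in self._access_log if cid == claimed_id]

    def delete_access_log(self, claimed_id):
        """Keep the counts analytics need, but with no account attached."""
        for cid, agency, ts in self._access_log:
            if cid == claimed_id:
                self._folded[(agency, month_of(ts))] += 1
        self._access_log = [row for row in self._access_log if row[0] != claimed_id]

    def delete_account(self, claimed_id):
        """Delete the account and its log; only visitor-free totals remain."""
        self.delete_access_log(claimed_id)
        del self._accounts[claimed_id]

    def visits(self, agency, month):
        """Aggregate visits for one agency and month: live log rows plus rows
        folded in when their owners deleted them, so the total is unchanged
        by a deletion."""
        live = sum(1 for cid, ag, ts in self._access_log
                   if ag == agency and month_of(ts) == month)
        return live + self._folded[(agency, month)]
```

Once `delete_access_log` has run, nothing in the store can connect the visitor's past accesses to the account or to each other; the analytics report still shows the same per-agency totals.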
Separation of information
The storage of separate visitor information at each agency meets the requirement that "agencies shall ensure that their systems of records do not inappropriately combine groups of records which should be segregated."
(I am indebted to Chris Messina of the OpenID Foundation and Citizen Agency for technical comments and suggestions about deleting data. Any mistakes or misconceptions are my responsibility.)
UPDATE: August 3, 2009: I put up a blog examining the policy choices with an impact on this proposal: Privacy and open government: conversations with EPIC and others about OpenID. It answers some of the questions in the two comments posted to this blog, and takes off in some of the directions these comments suggest.