Review of Department of Justice Internet Sites
Report No. 01-05
March 13, 2001
Office of the Inspector General
Introduction
Internet sites can be powerful tools to inform the public about federal government activities and programs. These sites raise privacy concerns when they use "cookies", a primary method of compiling information and data about Internet users, to track the activities of users over time and across different sites. 1
As a result of recently passed legislation, we are required to determine whether Department of Justice (DOJ) Internet sites or third parties working for the DOJ collect personally identifiable information from users that access DOJ Internet sites. Our review consisted of reviewing information provided by DOJ officials and limited testing of cookies for the DOJ Internet sites. We did not perform detailed tests to verify the information contained in the documentation. Thus, this report and the associated work was not performed in accordance with Government Auditing Standards (GAS), but was performed as an "other activity of an audit organization" pursuant to GAS 2.10.
Criteria
Office of Management and Budget (OMB) Memorandum M-00-13 (June 22, 2000), Privacy Policies and Data Collection on Federal Web Sites, stated that "cookies" should not be used at federal Internet sites, or by contractors operating the sites on behalf of agencies, unless there was clear and conspicuous notice; a compelling need to gather the data; and appropriate, publicly disclosed safeguards for handling "cookie"-derived information. In addition, the memorandum stated that the agency head must personally approve the use of "cookies."
The recently enacted Treasury and General Government Appropriations Act, 2001 (H.R. 5658, Section 646) (The Act) requires the Inspector General of each department or agency to report to Congress:
any activity of the appropriate department or agency relating to--
Methodology
In response to the OMB memorandum and The Act, we assessed DOJ written guidance related to web development and privacy policies, and prohibitions pertaining to collecting, reviewing, or obtaining data regarding individuals using DOJ Internet sites. In addition, on January 4, 2001, we tested the 56 DOJ Internet sites listed on the DOJ's Alphabetical List of Components with Internet Sites (see attachment) to determine whether the DOJ or third parties were collecting personally identifiable information related to any individual's access or viewing habits on the sites. To conduct our testing, we:
Results
DOJ Internet sites tested were not collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits at the time we tested the sites for "cookies." For all 56 DOJ Internet sites tested, we were neither warned nor asked to accept DOJ or third party "cookies," and, upon examining the browser's "cookies" log, found that no DOJ or third party "cookies" had been recorded.
Currently, DOJ organizations with Internet sites certify quarterly in writing to the Assistant Attorney General for Administration that they comply with OMB Memorandum M-00-13. This policy, as stated earlier, restricts but does not prohibit the use of "cookies."
However, we found no DOJ written guidance related to The Act's prohibition on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites. While The Act did not specifically cite "cookies" as the prohibited method, many commercial Internet sites use "cookies" to do just that when a user accesses their site. Currently, DOJ organizations with Internet sites are not certifying to The Act's prohibitions on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites. Rather, they are merely certifying to OMB Memorandum M-00-13's restricted use of "cookies." In our judgment, the current DOJ certification process should be expanded to include The Act's prohibition on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites.
Appendix
Alphabetical List of DOJ Components with Internet Sites Reviewed for "Cookies"
1 American Indian and Alaska Native Affairs Desk (OJP) 2 Antitrust Division 3 Attorney General 4 Bureau of Justice Assistance (OJP) 5 Bureau of Justice Statistics (OJP) 6 Civil Division 7 Civil Rights Division 8 Community Oriented Policing Services - COPS 9 Community Relations Service 10 Corrections Program Office (OJP) 11 Criminal Division 12 Diversion Control Program (DEA) 13 Drug Courts Program Office (OJP) 14 Drug Enforcement Administration 15 Environment and Natural Resources Division 16 Executive Office for Immigration Review 17 Executive Office for U.S. Attorneys 18 Executive Office for U.S. Trustees 19 Executive Office for Weed and Seed (OJP) 20 Federal Bureau of Investigation 21 Federal Bureau of Prisons 22 Foreign Claims Settlement Commission of the United States 23 Immigration and Naturalization Service 24 INTERPOL -- U.S. National Central Bureau 25 Justice Management Division 26 National Criminal Justice Reference Service (OJP) 27 National Drug Intelligence Center 28 National Institute of Corrections (FBOP) 29 National Institute of Justice (OJP) 30 Office of the Associate Attorney General 31 Office of the Attorney General 32 Office of Attorney Personnel Management 33 Office of Community Dispute Resolution 34 Office of the Deputy Attorney General 35 Office of Dispute Resolution 36 Office of Information and Privacy 37 Office of the Inspector General 38 Office of Intelligence Policy and Review 39 Office of Justice Programs 40 Office of Juvenile Justice and Delinquency Prevention (OJP) 41 Office of Legal Counsel 42 Office of Legislative Affairs 43 Office of the Pardon Attorney 44 Office of Policy Development 45 Office of Professional Responsibility 46 Office of Public Affairs 47 Office of the Solicitor General 48 Office for State and Local Domestic Preparedness Support (OJP) 49 Office of Tribal Justice 50 Office for Victims of Crime (OJP) 51 Tax Division 52 U.S. Attorneys 53 U.S. Marshals Service 54 U.S. Parole Commission 55 U.S. Trustee Program 56 Violence Against Women Office (OJP)