This Report is also available on the worldwide web at:
http://www.state.il.us/auditor

The General Assembly may wish to consider enacting a law which requires all State agencies with a web-site to develop and prominently post a privacy policy addressing the collection, maintenance, and disclosure of personal information, as well as the use of technology to collect information on the use of their web-sites.

In response to a survey we mailed to State agencies, 114 of 135 agencies reported having an Internet web-site.

At least 52 of the 114 agencies with web-sites used some form of technology to collect information about users. The types reported included user and web logs, session cookies, and persistent cookies.

Agencies stated user logs were primarily used for the purpose of web-site development and maintenance.

Session cookies are short-lived, are used only during the current online session, and expire when the user exits the browser.

Unlike session cookies which expire when the user exits the browser, persistent cookies remain on the user's computer until a specified expiration date.

Agencies generally did not provide notification to users that logs or cookie technology were being used.

There is no requirement that privacy statements or policies be developed or disclosed on State of Illinois web-sites, nor is there any Statewide guidance on the use of tracking technology, such as cookies.

Of the 114 agencies that reported having a web-site, only 32 agencies (28 percent) reported that they had a privacy statement or policy located on their web-sites.

We identified 32 states that had a link to the privacy policy on the primary web-site for the state.

There currently exists no statewide requirements specifically for State agencies' use of technology to collect information on users of State web-sites or requirements regarding the establishment and posting of privacy policies.

The General Assembly may wish to consider legislation which establishes basic requirements that agencies must follow regarding operations of their web-sites.

REPORT CONCLUSIONS

The Internet provides immediate access to vast amounts of information on State agencies and their programs. By accessing State agencies’ web-sites, users can communicate with government officials, request program information, apply for services, and make purchases. As noted in House Resolution Number 263 which requested this audit, concerns have been raised in both the private and public sectors about the privacy of individuals as they use the Internet, and specifically, the use of technology to track the browsing habits of Internet users.

As of November 2001, 114 State agencies reported having an Internet web-site that the public could access to obtain information on programs and services. Of these 114 agencies, at least 52 used some form of technology, such as "cookies" or user logs, to collect information on the use of their web-sites. A "cookie" is a short string of text that is sent from a web-site to the user's computer. The following technology was used: 30 agencies used only cookies; 12 agencies used both logs and cookies; and 10 agencies used only user or web logs. Of the 42 agencies which used cookies, 19 agencies used session cookies only, 6 used persistent cookies only, and 17 used both.

In responding to our initial survey sent in June 2001, only 19 agencies reported that cookies were used on their web-sites. However, our follow-up examination identified an additional 23 agencies whose web-sites used cookies. When we inquired as to why cookies were not reported on the survey, agency officials generally cited one of three reasons: 1) they were unaware of the cookies' existence; 2) the cookies were being placed by third parties and were beyond their control; or 3) the cookies were added to the web-site subsequent to their completion of our survey. Instances where agencies are unaware of cookies on their web-sites or allow cookies to be set by third parties raise concern about the adequacy of agency control over information collected on their web-sites.

Of the 42 agencies that used cookies, only 7 disclosed in privacy policies that cookies were being used. Most of the State agencies that were using cookie technology either did not have a privacy policy or had a privacy policy that did not disclose the use of cookies.

Generally a user log or cookie does not capture information which can, on its own, identify a specific user. However, if a log or cookie can be matched to personal information supplied by a user, then it may be possible to track the browsing of a web-site user. None of the agencies we surveyed reported using technology and matching it with personal information to monitor the routine browsing of specific users; however, several agencies noted that user or web logs were needed for security purposes (such as to identify the users trying to hack into the system).

Most agencies stated that the technology they used was needed. Web and user logs were used to compile web-site activity data which is useful for development and maintenance of the site. Session cookies were used to also compile usage information for web-site maintenance and development, as well as for the convenience of the user (e.g., maintains the state of a customer's order while ordering materials online). Persistent cookies were used to recognize returning users, for reasons such as eliminating the need for users to enter information more than once and validating users before they enter a secured site.

There currently exist no Statewide requirements specifically for State agencies' use of technology to collect information on users of State web-sites or requirements regarding the establishment and posting of privacy policies. Consequently, each State agency is responsible for developing privacy policies which disclose how the agency will use information obtained over the Internet.

Of the 114 agencies that reported having a web-site, only 25 agencies (22 percent) reported in their response to our June 2001 survey that they had a privacy statement or policy located on their web-sites. In our November 2001 follow-up, 7 additional agencies reported now having privacy policies, thereby increasing the total number of agencies with privacy policies to 32 (28 percent). Of these 32 agencies, 15 privacy policies were accessible or linked to the homepage; 8 were not located on the homepage but were readily accessible at other locations on the agency's web-site; and the remaining 9 were not readily accessible. A web-site's privacy policy should be readily available to the user of the web-site and generally be accessible from the homepage and all pages that set cookies or solicit personal information.

We found that the content of the privacy statements or policies varied widely. Some were very detailed, addressing logging activities, use of cookie technology, and information regarding the disclosure of personal information. Other policies contained limited notices to web-site users on the collection, maintenance, and use of information about them.

The General Assembly may wish to consider enacting a law which requires all State agencies with a web-site to develop and prominently post a privacy policy addressing the collection, maintenance, and disclosure of personal information, as well as the use of technology to collect information on the use of their web-sites.

BACKGROUND

House Resolution 263 directed the Auditor General to conduct an audit of each State officer and agency that maintains a World Wide Web site and determine the following:

• whether the officer or agency uses technology that allows it to track the browsing or buying habits of Internet users who visit the site;

• whether the tracking is necessary; and

• whether the officer or agency protects those users through adequate notice, choice, access, and security.

With the development of the Internet, users have immediate access to a vast amount of information on State agencies and their programs. Since 1992, the State of Illinois has had a homepage. A homepage is generally considered the principal web-site for an organization and is the primary entry point from the Internet. The homepage for the State is located at http://www.state.il.us/.

In response to a survey we mailed to State agencies, 114 of 135 agencies reported having an Internet web-site. Ninety-nine of the 114 agencies reported that they maintained their own web-site. In addition to obtaining information about an agency, most State agency web-sites allow users to communicate with agency officials through the use of an e-mail address included on the web-site. Additionally, some web-sites provide users with request forms, solicit survey information, and permit financial transactions.

The system of, and control over, State agency web-sites is decentralized in Illinois. There are no Statewide requirements or policies to guide agencies' web-site activities, including whether technology is used to monitor and/or track web-site users. (pages 2 – 4)

TRACKING TECHNOLOGY USED

At least 52 of the 114 agencies with web-sites used some form of technology to collect information about users. The types reported included user and web logs, session cookies, and persistent cookies. Many of the agencies used more than one type of technology.

Web or User Logs

Of the 114 agencies with web-sites, 22 (19 percent) reported using web or user logs. The actual number of State agencies that have access to or use log data is higher than the survey results would indicate since most web server software programs employ web or user logs.

A web or user log captures information such as the Internet Protocol (IP) address of the accessing computer, the type of browser (such as Netscape Navigator or Microsoft Internet Explorer), the specific page requested, and the date and time of the request. Generally a web or user log does not capture information which, on its own, identifies a specific user.

Agencies stated user logs were primarily used for the purpose of web-site development and maintenance. The user log allows web-site administrators to ascertain the frequency with which different portions of its web-site are visited and if there are problems in the functionality of the web-site. Agencies also reported that user logs were used for security purposes.

Most agencies reported that they believe the use of web and user logs are needed. Of the 22 agencies responding to the survey question of need for these logs, only 3 said the logs were not necessary. In these three instances, the logs were used for site management and/or statistics. However, 16 other agencies used logs for the same purpose and stated that the logs were necessary. (pages 12 - 14)

Session cookies were the most common type of cookie used, with 36 agencies using them. A "cookie", which is a short string of text, is established when the user accesses a web page using cookie technology. When the web page is first accessed, the web server sends a cookie back to the user's computer. When the user's computer requests a page from the web server that sent it a cookie, the user's computer sends a copy of that cookie back to the server. Digest Exhibit 1 shows how a cookie is placed. Digest Exhibit 2 summarizes the 42 agencies that had cookies on their web-sites.

Session cookies are short-lived, are used only during the current online session, and expire when the user exits the browser. Information collected in a session cookie may include its unique identification number, its expiration date, IP address, type of browser used, and its domain name (such as state.il.us).

Agencies reported using session cookies to gather web-site statistics, which are used to evaluate the effectiveness of the site for the purpose of developing and maintaining the site. Agencies also reported using session cookies to enhance the user's online experience.

Persistent Cookies

Twenty-three agencies' web-sites contained persistent cookies. Unlike session cookies which expire when the user exits the browser, persistent cookies remain on the user's computer until a specified expiration date. Persistent cookies can be used by a web-site to track a user's browsing behavior. The data contained in a persistent cookie may be linked to personal information provided by an individual. None of the agencies we surveyed reported using technology and matching it with personal information to monitor the routine browsing of specific users.

Persistent cookies allow a web-site to recognize a returning user and thus eliminate the need for the user to re-enter information to validate who the user is or establish preferences. Several of the persistent cookies we identified were cookies set by third parties (i.e., third party cookies). Some third party cookies are placed on the user's computer while the user is on the State agency's web-site; in other instances, the third party cookie is placed when the user goes to another web-site which performs a function or service for the State agency. (pages 14 - 17)

NOTIFICATION OF TECHNOLOGY BEING USED

Agencies generally did not provide notification to users that logs or cookie technology were being used. When notification was provided, it was generally through disclosure in an agency's privacy policy or statement. However, of the 52 agencies that used logs or cookies, 32 did not have a privacy policy; consequently, users were not notified of the technology being used.

In most instances, there was no notification provided on the page of the web-site where the cookie was placed. Of the 42 agencies that used cookies, only 4 had a link to their privacy policy on the page where the cookie was being set. (page 18)

PRIVACY POLICIES

There is no requirement that privacy statements or policies be developed or disclosed on State of Illinois web-sites, nor is there any Statewide guidance on the use of tracking technology, such as cookies. In July 2001, the Illinois Technology Office added a privacy policy to the State of Illinois homepage.

There were, however, aspects of the policy that could be improved or clarified. For example, the policy did not clearly specify to which agencies or web-sites it applied. By appearing on the State's homepage, one could interpret that the policy applied to all State agencies, or at least those State agencies' web-sites listed on the State's homepage. After informing ITO officials about the potential for differing interpretations of the State's homepage privacy policy, they stated they would work on clarifying the policy.

On October 11, 2001, an updated privacy policy was added to the State of Illinois homepage which specifically applies only to the State’s homepage. The policy contains the following statement:

"The State of Illinois Home Page is a portal with links to other web sites. These include links to web sites operated by Illinois agencies and officials, other government agencies, nonprofit organizations and private businesses. When you link to another site, you are subject to the privacy policy of that new site."

Illinois Technology Office officials stated the purpose of the change was to clear up any confusion regarding which pages were covered by the policy and inform users that once they leave the State’s homepage, they are subject to the policy on subsequent pages visited. (pages 23 – 27)

Individual State Agency Privacy Policies

Of the 114 agencies that reported having a web-site, only 25 agencies (22 percent) reported in their response to our June 2001 survey that they had a privacy statement/policy located on their web-sites. In our November 2001 follow-up, 7 additional agencies reported now having privacy policies, thereby increasing the total number of agencies with privacy policies to 32 (28 percent). We visited the web-sites for these 32 agencies to locate and review the privacy policies. Digest Exhibit 3 summarizes the results of this review.

Of the 32 agencies which reported having privacy policies, 15 had the policy posted either on their homepage or clearly linked to their primary homepage. Another 8 web-sites had privacy policies that, while not on their homepage, were easily accessible by users elsewhere on their web-site. For the remaining 9 agencies which reported having a privacy policy, the policies were not readily accessible to users, and in some instances, were either not posted on the web-site or were generic privacy policies and not specific to Internet privacy issues.

We also conducted a review of agencies' privacy policies accessible on web-sites to determine whether they contained the four criteria identified in the third determination of House Resolution Number 263. While the applicability of these criteria may vary depending upon what information is collected by the State agency, State agencies need to consider and address all four criteria.

The four criteria were:

• Notice -- provide clear and conspicuous notice of the agency's information practices, such as the type of information collected and how it is collected.

• Choice -- offer users choices as to how personal identifying information is used beyond the use for which the information was provided.

• Access -- offer users reasonable access to the information the web-site has collected about them.

• Security -- take reasonable steps to protect the security of information collected.

Sixty-nine percent (22 of 32) of the policies contained some form of notice regarding the collection of personal information. The other 10 policies either were not accessible on the web-site or did not contain a disclosure about personal information. Sixty-three percent (20 of 32) of the policies had statements regarding choice; however only 7 of 32 and 4 of 32 had statements regarding security and access, respectively. (pages 27 - 29)

Other States' Privacy Policies

In June of 2001, we accessed the primary web-site for state government for each of the 50 states. We conducted a review of the primary web-site to determine if a privacy policy existed and whether the policy was included on the primary web-site for the state.

We identified that 32 states had a link to the privacy policy on the primary web-site for the state. While these states had a link to a privacy policy on the primary web-site, it does not necessarily mean that the policy applied to all state web-sites. Additionally 2 other states had a privacy policy; however, it was not linked from the primary web-site. (pages 30 - 32)

CONCLUSION

There currently exist no Statewide requirements specifically for State agencies' use of technology to collect information on users of State web-sites or requirements regarding the establishment and posting of privacy policies.

Only 32 agencies reported that they had a privacy policy or statement on their web-sites of the 114 agencies that reported having a web-site. Additionally, we found that the content of the privacy statements and policies varied widely.

While privacy policies are clearly needed to inform users of web-sites how information State agencies receive from them will be used, due care needs to be taken by the agencies to ensure that their policies accurately state their use of technology and information handling practices. An agency may be subject to potential liability if it uses information in a manner inconsistent with its stated privacy policy.

MATTER FOR CONSIDERATION BY THE GENERAL ASSEMBLY

The General Assembly may wish to consider legislation which establishes basic requirements that agencies must follow regarding operations of their web-sites. Such legislation could require that:

• Each State agency develop a privacy policy for its web-site and that such privacy policy should be readily accessible (such as being located on the homepage and other places where personal information is collected and tracking technology is used);

• The privacy policies clearly identify the use of any technology used to collect information on or track individual users;

• The privacy policies contain provisions that effectively disclose practices regarding notice, choice, access, and security; and

• A compelling need be demonstrated to gather data from users on a State agency web-site. (pages 32 - 34)

AGENCY RESPONSE

Responding to the above Matter for Consideration by the General Assembly, the Illinois Technology Office (ITO) noted that although it agreed "with the need to provide clear and prominent privacy policies, legislation may be too restrictive to adapt to continual changes in the industry and tools used to serve citizens better, especially given the current security considerations in our nation and actions we may need to take in the future." The ITO's written response can be found in Appendix K of the full report.

_________________________

WILLIAM G. HOLLAND

Auditor General

WGH\JS