The reports strongly suggest that the federal government has not gone far enough in protecting information submitted to the Web sites of its various agencies or in defending information systems from predators.
The GAO's privacy study used the Federal Trade Commission's methodology for judging commercial sites as a yardstick for assessing the government's Web efforts. The FTC's fair information guidelines say that Web sites should post a privacy notice before collecting information from consumers, let consumers opt out of disclosing information, let consumers review information before submitting it, and provide adequate security to prevent unauthorized usage.
When the guidelines were applied to government Web sites, the GAO found that those sites came up short. The agency's report showed that most government sites had not implemented all of the requirements and that a mere 3 percent of the 65 sites surveyed were up to snuff on all four counts.
Among those sites, 69 percent posted a privacy notice, 45 percent gave consumers a choice to opt out, 17 percent let consumers access their information before submitting it, and 23 percent provided adequate security for the information.
The report, issued yesterday, was requested by Republican congressional leaders.
It follows a May study by the FTC that found only 20 percent of the Web sites it surveyed showed adequate privacy controls. The commission asked Congress to introduce legislation to require commercial sites to adhere to its guidelines.
Computer security too lax?
The GAO's security study, meanwhile, surveyed 24 federal agencies including the U.S. departments of treasury, defense, and health and human services, as well as the Social Security Administration. It noted that evaluations of computer security at these agencies published since July 1999 continue to reveal weaknesses. As a result, critical operations, confidential information and other sensitive government data are at risk for fraud, misuse and disruption.
Because the scope of audits performed on agencies has become more comprehensive, the GAO was able to spot a wider range of security holes in its most recent survey. The survey found that federal agencies have their work cut out for them to improve computer systems security.
As in last year's security audit, the GAO this year identified "significant" data security weaknesses at each of the 24 federal agencies tracked. Security weaknesses were reported in all of the six major areas of so-called general controls.
The report showed that the weakest area for federal agencies was in control over and access to sensitive data and computer systems. Poor access-security measures can expose an agency's information and operations to hacker attacks and other forms of data corruption. The study also identified security program planning and management as a poor area among federal agencies.