House Bill 25, Protecting Your Privacy, or Is It?
House Bill 25 is entitled “Governmental Internet Information Privacy Act” and is sponsored by Rep. Wayne Harper (R, Dist 43). The bill is aimed at protecting your privacy, but I’ve got some serious concerns. First, the major comments:
- I’m as much for privacy as the next guy, but it worries me greatly when we start treating information gathered via one medium (the Internet) differently than we treat that same information gathered by another medium (paper). According to this bill, the Dept. of Motor Vehicles would have to tell me what they do with my personal information if I register my car using the Internet, but not if I mail it in. Why not? If privacy is good, why isn’t it good everywhere? There’s nothing special about the Web in this regard. All the information gets into the same database regardless of how I enter it. The problem with treating information differently based on the technology used to create and manage it is that the technology keeps changing. Meanwhile the nature of the information changes much more slowly.
- This is a very broad bill and I’m afraid that it will erode some of the open access to government records upon which our system of government is based. When you paint with a broom, you’re going to color a lot of area quickly. This is an area where I’m more comfortable with short, sure brush strokes, aimed at particular problems.
- I don’t believe that supporters of this bill are just after State Web sites. I believe that the ultimate goal is to apply this kind of criteria to all Web sites, including those operated by private businesses. As written, that would be a disaster that would drive any Internet-based business from the State. Privacy policy is not free and the cost is usually hidden. I’m a proponent of Web site operators stating what their privacy policy is so that customers make decisions knowing up front what the cost to their privacy will be. The language in this bill would be overkill.
Those are my major concerns and, if I had anything to do with it, they would be sufficient for me to try to sink this bill. Barring that, there are a number of smaller points that bear consideration:
- Paragraph 63D-2-102.1b seems to be saying that “collect” includes cookies. I’m not sure why cookies should be singled out UNLESS they are tied to personally identifiable information that is used somewhere else. Other parts of the bill would cover that. Every interesting web site uses cookies or another session ID to maintain state. That doesn’t mean that it’s used for identifying people “personally.” See Cookies and Privacy (PDF), a white paper I wrote when I was CIO.
- The trigger language identifying “personally identifiable information” (paragraph 63D-2-102.6) seems overly broad. Specifically:
  - Do the items in (a) all have to be present, or any one of them? This needs clarification.
  - If we didn’t meet the standards for (a) to apply, how could we ever meet the standards for (b)? This seems to be saying that even if I don’t use a person’s name, address, etc. but I tie places they’ve visited together, that’s personally identifiable information even though it’s not tied to a particular user. This is reaching and could have serious unintended consequences.
  - I have the same comment for (c). If I’ve met (a), then the act has been triggered and (c) is superfluous. If I haven’t, how could this information possibly be harmful?
  - Paragraph (d) would make this act apply to every single web site the State operates, which means you might as well just get rid of the entire triggering clause and make the bill apply to all web sites if you include (d). Every time any browser connects to any web site, it sends data that’s on the hard drive somewhere, if only the IP address of the machine and type of the browser. What is this clause trying to do? Is it meant to apply to cookies? If so, then my earlier comments about cookies apply.
Transparency is good, and as I’ve said, I’m in favor of privacy policies being placed on State Web sites. One of the first things we did when I became CIO was to create some standards in that area. Still, the problem with this bill is that it will make those privacy policies so large and unwieldy that they would be ignored by almost everyone. The result would be a large cost to the State to maintain them for very little good.
Ask yourself (and your Representative and Senator) why information should be treated differently depending on how it gets into the databases. Does that seem rational? I think it’s driven by fear of technology.
Posted by windley on January 26, 2004 09:41 PM
