OMB Watch Home Page

Plugged In, Tuning Up (March 2001)
STATEMENTS ADDRESSING USER EXPECTATIONS

Background

In order to encourage a level of confidence and trust that in turn yields repeat traffic, commercial Internet services, through the efforts of the Federal Trade Commission (6), emphasize their ability to ensure privacy protections and security. Users are provided with information on what data is collected online, and are given an opportunity to determine how much information, if any, they wish to divulge, and how it is to be used. The federal government itself follows guidelines (7), stating that agencies must provide clearly accessible privacy policies on both home pages and major points-of-entry to websites. Users, therefore, come to have a reasonable expectation of confidence and trust with respect to the websites they use. At a minimum, this entails a set of written guarantees, or qualification statements. These statements may be part of an overall document, or may be separate items linked to the home page under headings such as a "terms of use," "help," or "frequently asked questions" section. At a minimum, usage statements should state:

  • what a site can and does not provide in terms of content

  • how frequently the content is revised or updated

  • factors and circumstances which may affect the quality and/or presentation of information

  • if and when data is collected from users and how that data is used

  • what content and features are administered and maintained under what entity, especially any outside websites or resources to which the site may provide links

Items Examined

To assess the quality of state legislative resources in this area, the following elements were evaluated:

  • Disclaimer: Whether a site features a written statement outlining the accuracy of the information presented, as well as explanations for any variances with printed versions of the same content

  • External Link Statement: Whether the site outlines to what degree it is responsible for the content it presents

  • Cookies: Whether or not cookies were evident on any section of the site, and if so, how many distinct cookies were employed (8). A distinct cookie was defined as a cookie that asked for a specific piece of data. Multiple occurrences of the same cookie type, usually if a user opted not to accept the cookie or if the same cookie popped up on different sections of a site, were not counted.

  • Cookie Statement: If cookies were found, whether there was a statement to that effect on the site outlining their use

  • Feedback: If there were features through which users can provide comments, or ask questions, to the administrators or technical assistance staff of a website, what type of method the feature employed.

  • Registration for Site Updates: If users can elect to receive updates on new features, services, improvements, or modifications to a website (but not the content contained therein), it was noted

  • Legislative Activity Updates: Whether a site allows users to elect to receive updates on specific content, especially legislative activity. Registering a valid e-mail address usually does this, or creating a username and password account that is verified by e-mail, and/or by registering a user's IP address.

  • Member Contact Services: Whether a service exists through which visitors and constituents can target communications directly to a specified member or set of elected officials.

  • Privacy Policy: Clearly written statement outlining the site's acknowledgement of user and visitor privacy, and efforts it undertakes to enforce them

Summary of Research Findings


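Table 1

| State | Disclaimer | External Links Statement | Cookies Present | Cookie Statement |
|---|---|---|---|---|
| Alabama | No | No | No | N/A |
| Alaska | Yes | No | 1 | No |
| Arizona | Yes | No | No | N/A |
| Arkansas | No | No | 1 | No |
| California | No | No | 1 | No |
| Colorado | Yes | No | No | N/A |
| Connecticut | Yes | No | 1 | No |
| Delaware | Yes | Yes | No | N/A |
| Florida | Yes | No | 3 | No |
| Georgia | No | No | 0 | N/A |
| Hawaii | Yes | No | 1 | No |
| Idaho | Yes | No | 1 | No |
| Illinois | Yes | No | No | N/A |
| Indiana | Yes | No | 1 | No |
| Iowa | Yes | No | No | N/A |
| Kansas | Yes | No | No | N/A |
| Kentucky | Yes | No | No | N/A |
| Louisiana | Yes | No | 2 | No |
| Maine | Yes | No | 1 | No |
| Maryland | No | No | No | N/A |
| Massachusetts | Yes | No | No | N/A |
| Michigan | Yes | No | 1 | No |
| Minnesota | Yes | No | 1 | No |
| Mississippi | Yes | No | No | N/A |
| Missouri | Yes | No | No | N/A |
| Montana | No | No | 1 | No |
| Nebraska | Yes | Yes | No | N/A |
| Nevada | No | No | No | N/A |
| New Hampshire | No | No | No | N/A |
| New Jersey | Yes | No | 1 | No |
| New Mexico | Yes | No | 2 | No |
| New York (Senate) | No | No | No | N/A |
| New York (Assembly) | No | No | No | N/A |
| North Carolina | Yes | Yes | No | N/A |
| North Dakota | No | No | No | N/A |
| Ohio | Yes | No | No | N/A |
| Oklahoma | Yes | No | 2 | No |
| Oregon | Yes | No | 1 | No |
| Pennsylvania | Yes | No | No | N/A |
| Rhode Island | Yes | No | No | N/A |
| South Carolina | No | No | No | N/A |
| South Dakota | No | No | 2 | No |
| Tennessee | No | No | 1 | No |
| Texas | Yes | No | 13 | 1 |
| Utah | No | No | No | N/A |
| Vermont | Yes | No | No | N/A |
| Virginia | Yes | No | No | N/A |
| Washington | Yes | No | Yes | No |
| West Virginia | No | No | No | N/A |
| Wisconsin | No | No | No | N/A |
| Wyoming | Yes | No | No | N/A |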


Table 2

| State | Feedback | Registration for Site Updates | Legislative Update | Contact Service | Privacy Policy |
|---|---|---|---|---|---|
| Alabama | E-mail | No | No | No | No |
| Alaska | E-mail | No | No | No | No |
| Arizona | E-mail | No | No | No | No |
| Arkansas | No | No | No | Yes | No |
| California | Online form | No | E-mail | No | No |
| Colorado | E-mail | No | No | No | No |
| Connecticut | No | Yes | E-mail | No | No |
| Delaware | E-mail | No | No | No | No |
| Florida | E-mail | No | No | No | No |
| Georgia | Online form | Yes | Web | No | No |
| Hawaii | Online form | No | Web | No | No |
| Idaho | E-mail | No | No | No | No |
| Illinois | E-mail | No | No | No | No |
| Indiana | Online form | Yes | E-mail | No | Yes |
| Iowa | E-mail | No | E-mail | No | No |
| Kansas | No | No | E-mail | No | Yes |
| Kentucky | E-mail | No | No | Yes | No |
| Louisiana | E-mail | No | No | No | No |
| Maine | E-mail | No | No | Yes | No |
| Maryland | E-mail | No | E-mail | Yes | No |
| Massachusetts | E-mail | No | No | No | No |
| Michigan | Online form | No | No | No | No |
| Minnesota | E-mail | No | No | No | Yes |
| Mississippi | No | No | No | No | No |
| Missouri | Online form | No | No | No | No |
| Montana | E-mail | No | No | No | No |
| Nebraska | No | No | E-mail | No | No |
| Nevada | Online form | No | No | No | No |
| New Hampshire | E-mail | No | No | No | No |
| New Jersey | Contact info | No | No | No | No |
| New Mexico | Contact info | No | No | No | No |
| New York (Senate) | Online form | No | No | No | Yes |
| New York (Assembly) | E-mail | No | No | No | No |
| North Carolina | E-mail | No | E-mail | No | No |
| North Dakota | No | No | E-mail, Web | No | No |
| Ohio | E-mail | No | No | No | No |
| Oklahoma | E-mail | No | E-mail | No | No |
| Oregon | E-mail | No | No | No | No |
| Pennsylvania | E-mail | No | No | No | No |
| Rhode Island | E-mail | No | No | Yes | No |
| South Carolina | Contact info | No | E-mail, Web | No | No |
| South Dakota | E-mail | No | No | No | No |
| Tennessee | E-mail | No | No | No | No |
| Texas | Online form | No | E-mail, Web | No | No |
| Utah | E-mail | No | No | No | No |
| Vermont | No | No | No | No | No |
| Virginia | No | No | No | Yes | No |
| Washington | E-mail | No | No | No | No |
| West Virginia | No | No | No | No | No |
| Wisconsin | E-mail | No | No | No | No |
| Wyoming | No | No | No | No | No |

  • Around 67% of state legislative online resources had disclaimer statements. Only 6%, though, provided a notice on external links.

  • Some 51% of all state legislative sites used at least one distinct cookie somewhere in conjunction with a main site feature, often for search engines. However, 96% of the sites that used cookies did not have a statement as to their existence or use.

  • Only 4% featured the ability to register for notices on site updates, while 27% provided some means to register for updates on legislative activity.

  • 75% of the sites featured some means of interactive feedback, either a linked e-mail address or feedback form, to communicate with website administrators, 6% provided indirect means for feedback (the text of the contact information rather than an active e-mail link or form), while 20% provided no feedback mechanism.

  • About 12% of the sites featured a contact service to communicate with legislators, as opposed to those sites that listed the contact information, leaving it up to users to communicate with members on their own.

  • 92% of all state legislative websites lacked a clearly defined privacy policy

Considerations

The findings raise a number of interesting questions about the guarantees of overall quality of content and security that users of online state legislative resources can expect.

  • Almost as many sites do use some number of cookies as do not (9). Of the sites that used cookies, 77% used one distinct cookie, 15% used 2 distinct cookies, and 4% used 3 distinct cookies. Only one of those states, Texas, has a written statement explicitly on their use. The cookies are used for a legislation search engine, and are tied to a registration process to facilitate a particular user's future searches. Yet Texas also provides an alternative search function that does not use cookies. Interestingly, Texas is also the state that uses the largest number of distinct cookies (13) on its site. Virginia, for its member contact system, used one cookie to store information on a user before allowing a message to go through. By comparison, those states that use even only one cookie, use them in places where there is no clear reason for their use. New Jersey, for example, set cookies for every link from its main legislative page. Rhode Island issued a cookie directly after following the link to the photo page of the legislative leadership. Though only a few cookies were used, there seemed to be no purpose behind their use, other than possibly tracking the popularity of those specific pages.

  • All of the sites have at least one feature or section that involves some form of user interaction. Yet 92% of the sites lack an easily accessible or clearly stated privacy policy, especially at those points where data is collected, that addresses the collection or use of data with respect to feedback processes, features requiring registrations or subscriptions, or even member contact services. Outside of those features examined, there are questions about the extent to which zip-code based search engines, designed to locate individual members, may collect data as well.

  • 67% of all sites did, however, provide a disclaimer statement which identified the source of site content; factors affecting content timeliness and accuracy compared to printed version of the same material; and other factors that laid out the minimum level of expectations for users of the resource.

  • All of the sites featured links that at some point take users outside of the main legislative resource. Only 6%, however, stated that certain links would direct users to another site or web server, either just before or immediately after links were followed.

  • When personal information is asked of visitors to most commercial sites, such information is normally encrypted, or obscured, when it is entered into an online form, in order to maintain a level of integrity and security. Some sites also utilize a secure web server to handle such transactions. On the legislative sites that required personal information as a prerequisite for access to certain features, the data was visible as plain text. This is a good indicator that key security safeguards (such as encryption tools and a secure server) are not in place. Virginia, for example, has a combined member locator and contact service that utilizes not only zip code, but street address and phone numbers to provide the right information to users. Yet before users can see the contact information for legislators, their information must be entered, and it is not encrypted. There is also strong evidence that a non-legislative, unsecured server may host this feature, raising possible issues that should be presented to users.
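
An added example, not part of the original report: one way a reviewer could automate two of the checks described above, counting distinct cookies across responses and flagging forms that send personal data to a non-HTTPS endpoint. Treating a cookie's name as its identity, the field-name hints, and all sample hosts, headers and HTML are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Assumed hints for fields that carry personal data; extend per site.
PERSONAL_HINTS = ("name", "address", "street", "zip", "phone", "email")

def distinct_cookies(set_cookie_headers):
    """Count cookies by name, so one re-issued on other pages counts once."""
    names = set()
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names.update(jar.keys())
    return sorted(names)

class FormAudit(HTMLParser):
    """Collect each form's resolved action URL and its personal-data fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._cur = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._cur = {"action": action, "fields": []}
            self.forms.append(self._cur)
        elif tag in ("input", "select", "textarea") and self._cur is not None:
            name = (a.get("name") or "").lower()
            if any(h in name for h in PERSONAL_HINTS):
                self._cur["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None

def cleartext_personal_forms(page_url, html):
    """Return forms that send personal fields to a non-HTTPS endpoint."""
    audit = FormAudit(page_url)
    audit.feed(html)
    return [f for f in audit.forms
            if f["fields"] and urlparse(f["action"]).scheme != "https"]

# Constructed sample data, not taken from any surveyed site.
SAMPLE_HEADERS = ["SESSIONID=abc123; Path=/", "SESSIONID=def456; Path=/search",
                  "PREFS=senate; Max-Age=2592000"]
SAMPLE_HTML = """<form action="/cgi-bin/locate" method="post">
<input name="street_address"><input name="zip"><input name="phone"></form>
<form action="https://secure.example.org/search"><input name="bill_no"></form>"""
```

On the sample, the two SESSIONID headers count as one distinct cookie, and only the relative-action locator form is flagged because it resolves against an http page URL.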

Recommendations

  • Disclaimer statements should be included, either on the home page or at an accessible point wherever information is updated, which sets forth reasonable expectations for users as to what information is available and how timely and accurate the information may be.

  • External Links statements should be available before users follow links that fall outside of the responsibility of the legislature. This can help increase awareness around the accountability of sites to the public, especially if any features are provided directly by third parties.

  • Cookies should not be used on websites unless they are tied to features requiring user registrations or services that, for example, provide updated content for users. Where they serve no comparable purpose, they should not be used.

  • Experience, and widespread perception, has taught many users that it is difficult to know what entities collect information and personal data online, and if their use is responsible (10). Where possible, legislative resources should make every attempt to utilize secure servers and encryption technology when personal information is a prerequisite for access to certain features.

  • If sites choose to use cookies, a simple, non-technical explanation of their presence, use, when and where they are present, their duration, and how they can be removed should be clearly visible on the homepage, on those sections of the site where the cookies themselves will be deployed. Disabling the specific options on a browser and e-mail client can allow users to avoid unnecessary or non-useful cookies. But the burden of security should not fall disproportionately on the user each time they want to visit a site.

  • Online usage statements should explicitly notify users as to the forms of data collection that are employed. There are a variety of methods in addition to cookies (including web logs, online forms, and subscription features) that collect data both with and without explicit user knowledge and permission.

  • As more non-commercial websites take advantage of commercial services and tools they can incorporate seamlessly into their sites, such as online directories and news services which require subscriptions, there need to be reasonable safeguards and explanations to users about how their information is used and how it will be collected. If any of these features are present, there should be a notice on the homepage, as well as the specific point where data is collected, explaining what is being collected, how it will be used, how long it will be used, and what steps users can take to opt-out. Moreover, having those guarantees of security will instill users with a degree of confidence, and may lead to more willingness to voluntarily reveal more information to improve the quality of experience for other users, and especially for members themselves.


NOTES

(6) See http://www.ftc.gov/privacy for more information

(7) The 1974 Privacy Act [5 USC § 552a] requires that protections be granted to personal information contained in federal records. President Clinton, in 1998, gave the Office of Management and Budget expanded authority to coordinate privacy initiatives for federal agencies, including websites.

(8) Cookies are unique personal identifier codes placed in files on a user's hard drive by certain servers upon visiting particular websites or pages. These files might contain information about the types of sites a user visits, or registration information, such as usernames and passwords, for online services. Cookies are especially used by advertiser-based third-party services to generate banner ads or graphics that encourage users to click on them to see certain advertisements. When they are clicked, they deposit cookies that collect information about previous sites visited or other ads encountered, so that new and distinct ads matching user preferences—along with new cookies—are deposited on a visitor's machine after an initial visit. They often reveal little personal information, save for the IP number of the computer and the URL of the page that linked to certain content, and they expire at some point between a few days and a few months. When used properly, they do allow websites to be customized to meet specific user preferences and interests, allowing for a more efficient and effective web visit. The majority of cookies are temporary and relatively anonymous.

(9) Additionally, cookies are not always optional. Many commercial sites now require their use in order to access high-end functions. Cookies are potentially harmful when they convey personally identifiable information to servers that have nothing to do with the website a user is currently on, and when their use and extent of information disclosed is not stated.

(10) BOBBY <http://www.cast.org/Bobby> is not a guarantee that all site web pages will be accessible to all users. It does not, for example, check the functionality of Perl or Javascripts, multimedia content, or related features. For these elements, web designers must perform manual assessments to check that such content is accessible or provided in alternative formats to end-users. It does, however, represent a widely accepted seal of approval that a site has made an attempt to comply with best practices for accessibility.