Letter Report: The Internal Revenue Service Complied with Federal Privacy Policies Regarding the Collection of Personal Information on Federal Web Sites
Reference Number: 2001-20-071
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
April 18, 2001
MEMORANDUM FOR COMMISSIONER ROSSOTTI
FROM: Pamela J. Gardiner /s/ Pamela J. Gardiner
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Internal Revenue Service Complied with Federal Privacy Policies Regarding the Collection of Personal Information on Federal Web Sites
This report presents the results of the subject review. In summary, we found that the Internal Revenue Service (IRS) followed Federal privacy policies on its Internet sites. The IRS did not collect personal information on individuals visiting its two public sites. The IRS agreed with the information presented in this report. The full text of management's response is included as an appendix.
Copies of this report are being sent to the IRS managers who are affected by the report and to the United States Congress, as required by the Consolidated Appropriations Act, 2001, Pub. L. No. 106-554, § 646. Please contact me at (202) 622-6510 if you have questions, or your staff may call Scott E. Wilson, Associate Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Objective and Scope
The objective of this review was to determine whether the Internal Revenue Service (IRS) collected personal information on individuals who accessed its public Internet sites, as restricted by Federal privacy policies. We focused on the use of persistent cookies, web bugs, and electronic mail (email) capabilities at the Internet sites. We also determined whether the IRS entered into agreements with third parties to collect or obtain personal information relating to an individual’s access or viewing habits on any Internet site, IRS or non-IRS.
This review was required by the Consolidated Appropriations Act, 2001. The review also followed up on the Office of Management and Budget (OMB) Memorandum 00-13 issued to all heads of departments and agencies on June 22, 2000, regarding Privacy Policies and Data Collection on Federal Web Sites. We conducted our review on the two publicly accessible IRS Internet sites, which were the IRS’ Digital Daily and the IRS’ Procurement web site. These sites together maintained over 6,900 web pages. The Digital Daily contained the newly created "Small Business and Self Employed Community" web site, which we included in our review. We performed the following steps for this review:
We performed our audit work between January and March 2001. This audit was performed in accordance with Government Auditing Standards. Major contributors to this report are listed in Appendix I. Appendix II contains the Report Distribution List.
The Consolidated Appropriations Act, 2001 requires the Inspector General of each department or agency to submit to the Congress a report on any activity of his/her respective department or agency regarding the following information:
OMB Memorandum 00-13 reminded the heads of departments and agencies that, "Each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies." The memorandum further mentioned that certain web technology (e.g., cookies) can be used to track activities of users over time and across different web sites. The presumption is that cookies should not be used at Federal web sites unless, in addition to giving clear and conspicuous notice of such action, a compelling need to gather such information exists.
The IRS did not collect personal information on individuals who visited its two public Internet sites. The IRS did not use persistent cookies or web bugs at its sites. While both sites had email capabilities, the only personal information requested was the visitor’s email address, solely for the purpose of responding to the visitor. In addition, we did not identify any IRS agreements with third parties to collect personal information relating to viewing habits on any Internet site, IRS or non-IRS.
The policy also stated that, "No attempts are made to identify individual users unless illegal behavior is suspected." When the IRS suspects illegal activity by a visitor, it coordinates with the Treasury Inspector General for Tax Administration – Office of Investigations and the Internet Service Providers (ISPs) to identify the individual.
These notices help ensure taxpayers understand the risk when accessing a link provided to a non-IRS controlled Internet site. For example, during our review, we identified links that, when accessed, placed persistent cookies on our computer hard drives.
The IRS agreed with the information in this report, and the full text of its response is included as Appendix IV.
Major Contributors to This Report
Scott E. Wilson, Associate Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Harry Dougherty, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
Larry Reimer, Senior Auditor
Midori Ohno, Auditor
Report Distribution List
Commissioner, Wage and Investment W
Deputy Commissioner N:DC
Deputy Commissioner for Modernization/Chief Information Officer M
Chief, Agency-Wide Shared Services A
Chief Communications and Liaison CL
Chief Counsel CC
National Taxpayer Advocate TA
Privacy Advocate CL:PA
Director, Procurement A:P
Director, Electronic Tax Administration W:E
Director, Legislative Affairs CL:LA
Director, ETA Modernization Program Office W:E:MPO
Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O
Office of Management Controls N:CFO:F:M
Deputy Commissioner for Modernization and Chief Information Officer M
Examples of Internet Site Departure and Disclaimer Notices
The following examples were two departure and disclaimer notices from the Internal Revenue Service’s (IRS) Digital Daily Internet site. The first was used for links to commercial Internet sites and the second for links to government Internet sites.
(1) "Please note that by clicking on this link, you will leave the IRS web site and enter a privately-owned web site created, operated, and maintained by a private business.
The information that this private business collects and maintains as a result of your visit to its web site may differ from the information that the IRS collects and maintains (please see the IRS web site privacy and security notice for privacy protections the IRS provides to web site visitors).
By linking to this private business, the IRS is not endorsing its products, services, privacy, or security policies. We recommend you review the business’s information collection policy or terms and conditions to fully understand what information is collected by this private business."
(2) "Please note that by clicking on this link, you will leave the IRS web site and enter another government web site created, operated, and maintained by that agency.
The information that another government agency/bureau/office collects and maintains as a result of your visit to its web site may differ from the information that the IRS collects and maintains (please see the IRS web site privacy and security notice for privacy protections the IRS provides to web site visitors). We recommend you review the other agency’s information collection policy or terms and conditions to fully understand what information is collected."
Management’s Response to the Draft Report
The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.