The objective of this review was to determine whether the Internal Revenue Service (IRS) collected personal information on individuals who accessed its public Internet sites, as restricted by Federal privacy policies. We focused on the use of persistent cookies, web bugs, and electronic mail (email) capabilities at the Internet sites. We also determined whether the IRS entered into agreements with third parties to collect or obtain personal information relating to an individual’s access or viewing habits on any Internet site, IRS and non-IRS.

This review was required by the Consolidated Appropriations Act, 2001. The review also followed up on the Office of Management and Budget (OMB) Memorandum 00-13 issued to all heads of departments and agencies on June 22, 2000, regarding Privacy Policies and Data Collection on Federal Web Sites. We conducted our review on the two publicly accessible IRS Internet sites, which were the IRS’ Digital Daily and the IRS’ Procurement web site. These sites together maintained over 6,900 web pages. The Digital Daily contained the newly created "Small Business and Self Employed Community" web site, which we included in our review. We performed the following steps for this review:

• To determine whether the IRS requested voluntary personal information from visitors, we searched the web pages within each Internet site to identify any such requests of information, including the acceptance of email questions and comments. We also discussed this capability with the owners of each site.
• To determine whether the IRS collected involuntary personal information on visitors with the use of persistent cookies, we cleared our computers of cookies and accessed each Internet site. We then manually traversed through a judgmental sample of 517 web pages from both sites and determined whether any persistent cookies had been placed on our computers. We also obtained documents (e.g., GAO reports and Congressional correspondence) that had previously assessed the use of cookies at the IRS.
• To determine whether the IRS collected involuntary personal information on visitors with the use of web bugs, we ran a computer program designed to identify the existence of web bugs on a discovery sample of 1,776 web pages.
• To determine whether the IRS entered into third party agreements to collect personal information, we interviewed the Privacy Advocate and executives responsible for each of the web sites regarding the use of third-party agreements.

We performed our audit work between January and March 2001. This audit was performed in accordance with Government Auditing Standards. Major contributors to this report are listed in Appendix I. Appendix II contains the Report Distribution List.

The Consolidated Appropriations Act, 2001 requires the Inspector General of each department or agency to submit to the Congress a report on any activity of his/her respective department or agency regarding the following information:

1. "The collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency."
2. "Entering into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual’s access or viewing habits for governmental and nongovernmental Internet sites."

OMB Memorandum 00-13 reminded the heads of departments and agencies that, "Each agency is required by law and policy to establish clear privacy policies for its web activities and to comply with those policies." The memorandum further mentioned that certain web technology (e.g., cookies) can be used to track activities of users over time and across different web sites. The presumption is that cookies should not be used at Federal web sites unless, in addition to giving clear and conspicuous notice of such action, a compelling need to gather such information exists.

The IRS did not collect personal information on individuals who visited its two public Internet sites. The IRS did not use persistent cookies or web bugs at its sites. While both sites had email capabilities, the only personal information requested was the visitor’s email address, solely for the purpose of responding to the visitor. In addition, we did not identify any IRS agreements with third parties to collect personal information relating to viewing habits on any Internet site, IRS or non-IRS.

The IRS posted its Internet Security and Privacy Policy on its two public Internet sites. The policy stated that, "We will not collect personal information about you just because you visit the site." It also stated that, "We do not use cookies, a file placed on a visitor’s hard drive that allows the web site to monitor the individual’s use of the site."

The posted privacy policy also indicated that the Internet site collects and maintains statistical information to improve the usefulness of the site and to monitor network traffic flow and volume. This information consisted of: (1) domain name, (2) Internet Protocol address, and (3) the date and time the IRS Internet site was visited. This information is normal for any web site.

The policy also stated that, "No attempts are made to identify individual users unless illegal behavior is suspected." When the IRS suspects illegal activity by a visitor, it coordinates with the Treasury Inspector General for Tax Administration – Office of Investigations, and the ISPs to identify the individual.

In addition to posting its privacy policy on its two public Internet sites, the IRS used departure and disclaimer notices to inform visitors when they were leaving the IRS site and going to other linked government or commercial Internet sites. Both IRS Internet sites we reviewed contained many links to other Internet sites. The use of links is an accepted Internet practice that facilitates the sharing of information for which the Internet was designed. When clicking on these links, the user’s Internet browser will take them to the Internet site associated with that link.

Because the IRS cannot control the privacy policies and practices of the linked web sites, it incorporated the use of departure and disclaimer notices when visitors clicked on these links. The departure and disclaimer notices warned the visitors that they were leaving the IRS Internet site and that the linked Internet site may not have the same privacy policy as the IRS. It also asked the visitors if they wished to continue and leave the IRS Internet site. Appendix III presents examples of these notices from the Digital Daily.

These notices help ensure taxpayers understand the risk when accessing a link provided to a non-IRS controlled Internet site. For example, during our review, we identified links that, when accessed, placed persistent cookies on our computer hard drives.

The IRS did not collect personal information (including the use of persistent cookies and web bugs) on individuals who visited its two public Internet sites. The IRS also did not enter into any agreements with third parties to collect such data regarding viewing habits for any Internet site, IRS or non-IRS. The IRS took positive steps to highlight the importance of privacy on the Internet by posting its privacy policy and by consistently using departure and disclaimer notices on web sites linked to its two public Internet sites.

The IRS agreed with the information in this report, and the full text of its response is included as Appendix IV.

Scott E. Wilson, Associate Inspector General for Audit (Information Systems Programs)

Steve Mullins, Director

Kent Sagara, Audit Manager

Harry Dougherty, Senior Auditor

Bret Hunter, Senior Auditor

Louis Lee, Senior Auditor

Larry Reimer, Senior Auditor

Midori Ohno, Auditor

Commissioner, Wage and Investment W

Deputy Commissioner N:DC

Deputy Commissioner for Modernization/Chief Information Officer M

Chief, Agency-Wide Shared Services A

Chief Communications and Liaison CL

Chief Counsel CC

National Taxpayer Advocate TA

Privacy Advocate CL:PA

Director, Procurement A:P

Director, Electronic Tax Administration W:E

Director, Legislative Affairs CL:LA

Director, ETA Modernization Program Office W:E:MPO

Director, Office of Program Evaluation and Risk Analysis N:ADC:R:O

Office of Management Controls N:CFO:F:M

Audit Liaison:

Deputy Commissioner for Modernization and Chief Information Officer M

The following examples were two departure and disclaimer notices from the Internal Revenue Service’s (IRS) Digital Daily Internet site. The first was used for links to commercial Internet sites and the second for links to government Internet sites.

The response was removed due to its size. To see the complete response, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.