Policy Analysis
United States Marine Corps Online Privacy and Accessibility Policy
(Policy Available from HQMC and http://www.usmc.mil/marinelink/ind.nsf/privacy)
Summary
The Marine Corps Privacy Policy for its public site (http://www.usmc.mil) is perhaps much simpler than one would initially expect for a military-owned domain. The policy consists of six short statements that set forth surprisingly standard conditions for access control and collection of user data. In short, the policy states that anonymous usage statistics will be collected for the purposes of network analysis, that no concerted attempts will be made to identify specific users or usage habits except in the cases of unauthorized access, that the site is cleared for public release, and that unauthorized attempts to upload or alter data on the domain is prohibited. All of these statements are tied to the relevant statutes. The policy does however make one additional statement, one that is fairly common to government/military sites but that doesn't seem to be as common on sites in the private domain:" 2. Information presented on this site is considered public information and may be distributed or copied. Use of appropriate byline/photo/image credits is requested. " This obviously stems from the source of their funding (American taxpayers), and at first glance seems inconsequential, but in reality is quite a powerful statement. As an example, during an internship approximately a year and a half ago at the Navy Memorial Foundation, we produced our annual donor calendar, which is circulated with a very wide distribution exclusively using images from the Naval Media Center's website, which carries a similar statement of public domain. The calendar was circulated, and not a dime of royalties or fees was ever paid to the United States Navy. This same condition is the reason why "Rosie the Riveter" action figures and t-shirts can be sold by anyone, anywhere, and for any price, with no cut of the profits to the original artist or the US Government.
Analysis
Clarity
For a US Government policy, this one is fairly clear cut. It gives in simple terms the conditions of the policy, and in such a manner that the policy is not rendered ineffective by such sparse language. It states clearly what the site's administrators will and will not do, and under what circumstances, and by what authority::
"3. For site management, information is collected for statistical purposes. This government computer system uses software programs to create summary statistics, which are used for such purposes as assessing what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas. "
"4. For site security purposes and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. "
"5. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits. Raw data logs are used for no other purposes and are scheduled for regular destruction in accordance with [National Archives and Records Administration General Schedule 20]. All data collection activities are in strict accordance with DoD Directive 5240.1 (reference (p)). "
It also states what may and may not be done with the materials on the site, and again, under what circumstances.
Enforcability
Again, this is a fairly airtight area for this policy. The publishing of governmental works in the public domain is a longstanding practice that has always held a place in American copyright law. In terms of data collection, given that the Marine Corps website operates from inside a Department of Defense domain, the authority for data collection and investigation comes directly from their cited DoD Directives (5240.1 and NARA GS 20). Additionally, the last clause of the policy seals up the authority for criminal prosecution under the standard and well tested statutes of US Code:
" 6. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act."
With that (which is a fairly standard clause for almost all network security policies), the policy becomes extremely enforcable. And being a Department of Defense website, any sort of unauthorized access, damage, or intrusion is likely to be dealt with harshly by a federal court.
Fairness
To begin with, this privacy policy is, as mentioned earlier, fairly standard. The only information declared to be collected is anonymous usage statistics, which is a common practice that in my opinion only leads to better system performance and optimization, at minimal, if any, risk to users. It is also the right of any domain owner and/or administrator to protect their work and investments under established laws, so in terms of tracking and prosecuting malicious and unauthorized access, this policy is treading on well-worn ground, and certainly seems reasonable.
Loopholes
The strength of this policy lies in its simplicity. It does not attempt to define elaborate circumstances under which certain behaviors or actions are and are not acceptable, or to list exceptions. Additionally, as this is a US Government website, this policy is both bolstered and bound by the broader regulations imposed by the DoD and the US Government as a whole, which leaves little wiggle room in terms of how the policy can be written and to whom it may apply.
Suggestions
The only reccommendation that might improve what is otherwise a straightforward policy is perhaps a clarification of what kind of statistics and information is collected by the site's administrators. While this would be of interest only to a select group of users, to those users, that information could be considered extremely important, namely, whether or not connection logs are kept of user IP addresses, which could be considered to be something more than "anonymous usage statistics."