Lots of policies are being fixed or have been fixed like cookies policy, etc.
Some common ones listed are:
-Records retention - although there are good examples of what agencies are doing policy-wise and technology to solve
-Security - or at least perceived security risk. Kind of like how State Dept didnt allow the Internet as was "dangerous" until Colin Powell said don't be stupid