Lots of policies are being fixed or have been fixed like cookies policy, etc.
Some common ones listed are:
-Records retention – although there are good examples of what agencies are doing policy-wise and technology to solve
-Security – or at least perceived security risk. Kind of like how State Dept didnt allow the Internet as was “dangerous” until Colin Powell said don’t be stupid