Embed Doc
Copy Link
Readcast
Collections

CommentGo Back

Download

The Honorable Vivek KundraChief Information OfficerOffice of Management and BudgetExecutive Office of the PresidentThe White HouseWashington, D.C. 20500July 30, 2009Dear Mr. Kundra,Thank you for seeking public comments on the Administration’s proposed new cookie and web trackingpolicies.The federal government’s existing cookie policies were established in 2000 after the White House Office of National Drug Control Policy was discovered to be using permanent tracking cookies on its web site.Describing the reason for the strict new rules, an administration official told the New York Times:“People shouldn't have to worry when they're getting information from the government that thegovernment is getting information from them.”

This statement is just as true today as it was in 2000. In addition to the massive technical advances in datamining algorithms over the past nine years, the federal government has rushed to deploy these technologiesat an alarming scale. According to a study by the Government Accountability Office study reported in2006, 52 government agencies had launched, or planned to begin, at least 199 data-mining projects. A vastmajority of these programs are for law enforcement or counterterrorism purposes.

The federal government has a poor track record when it comes to protecting the privacy of US citizens.Recent notable examples include the Orwellian Total Information Awareness program, the widespreadabuse of National Security Letters by the FBI as well as the NSA’s massively illegal warrantlesswiretapping of emails, Internet searches and phone calls of millions of Americans.Americans have good reason to worry about the data collection practices employed by the government. It istherefore vital that you put privacy and transparency before all other concerns as you look to update the tenyear old federal cookie and web tracking rules.

The commenting party

I am a student fellow at the Berkman Center for Internet & Society at Harvard University, and a PhDCandidate in the School of Informatics at Indiana University.

My academic research is focused at theintersection of applied computer security and privacy, technology law and policy. My activism has resultedin the successful passage of an amendment to Indiana's data breach laws, a Congressional investigation of web security flaws at the Transportation Security Administration, as well as several media firestorms.I have been a persistent critic of this Administration’s approach to online privacy, cookies and the use of embedded third party code. In particular, I worked to draw attention to the privacy problems associatedwith the use of embedded YouTube videos on the White House web site.

See: http://www.nytimes.com/2000/06/22/us/drug-office-ends-tracking-of-web-users.html

See: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402063_pf.html

This letter is written in my personal capacity, and the opinions expressed here do not necessarilyrepresent those of Indiana University, Harvard University or any other organization.

I am also the author of the Targeted Advertising Cookie Opt-out (TACO) Firefox browser add-on

, whichenables consumers to easily and permanently opt-out of behavioral advertising performed by 90 differentadvertising companies. TACO is currently used by more than 100,000 people per day, and is responsiblefor the installation of more than 9 million opt-out cookies.

Privacy guidelines should focus on the degree of personally identifiable information contained withincookies, rather than their intended usage

In a recent OSTP blog post, you stated that you are considering adopting a three-tiered approach to the useof web tracking technologies on Federal Government websites:

•

- Single-session technologies, which track users over a single session and do not maintaintracking data over multiple sessions or visits;

•

- Multi-session technologies for use in analytics, which track users over multiple sessionspurely to gather data to analyze web traffic statistics; and

•

- Multi-session technologies for use as persistent identifiers, which track users overmultiple visits with the intent of remembering data, settings, or preferences unique to thatvisitor for purposes beyond what is needed for web analytics.This framework correctly identifies that different types of tracking technologies do not all carry the samelevel of privacy risk for web users. The concept of a multiple tiered system for dealing with cookies issound. However, I believe that additional layers in this framework could provide even more transparencyand protection for users.Rather than evaluating cookies and other tracking technologies based on their intended usage, I urge you toinstead focus on the degree to which they can be used to track individuals and other potential privacyharms.Cookies are used for many purposes, some of which raise significant privacy issues, and some of which donot. It is vital that any federal guidelines consider the risk individual cookies pose to end-user privacy whenevaluating their use. Simply put, cookies that track individual users pose the greatest threat to user privacy,and so any federal guidelines should place these in the most restricted tier.There are few if any privacy related issues that should prohibit an agency from using persistent cookies tostore a user’s preferences for a particular web site, as long as those preferences are stored in a generic andnon-identifiable way.As an example, a persistent cookie set by whitehouse.gov in order to store user’s preferences of visitors tothe site (USER_LANGUAGE=SPANISH or WEBSITE_VERSION=LOW_BANDWIDTH) should befine.On the other hand, web analytics services and other tracking software that assign unique tracking IDs tousers in the form of permanent cookies should be heavily restricted, since these would allow citizens to betracked as they browsed around Federal web sites. Within this category of cookies, the use of third partycookies placed by web bugs that allow users to be tracked across different web domains should be heavilyregulated, if not banned outright, as these pose the greatest threat to user privacy. Any agency wishing tomake use of third party cookies should be required to justify the decision, and explain why cookies servedfrom a first party domain would not provide the necessary functionality.Thus, if recovery.gov attempted to track individual users via a persistent cookie set by analytics software(for example: USER_ID=12345678), this would likely attract attention and criticism from the privacycommunity.

See: http://taco.dubfire.net

I propose that you adopt the following multi-tier approach for evaluating the use of cookies and othertracking technologies:

•

- Single-session technologies, which track users over a single session and do not maintaintracking data over multiple sessions or visits;

•

– Multi-session technologies which store data across multiple visits that are used toremember data, settings or preferences, but which only store generic, non-identifiableinformation.

•

- Multi-session technologies which track users over multiple sessions but are served from afirst party domain, and can thus only be used to track visits to a single web site.

•

- Multi-session technologies which track users over multiple sessions but are served from athird party domain, and can thus be used to track visits to multiple web sites across differentdomains.

The federal government should learn from the mistakes of the behavioral advertising industry

In your blog post, you also propose that federal government web sites be required to “[p]rovide a clear andunderstandable means for a user to opt-out of being tracked.”As you consider a policy that will require federal websites to offer opt-outs to consumers, it would beuseful to look to the situation in the behavioral advertising industry (where opt-out capabilities arewidespread

, yet difficult to use and discover by consumers), in order to avoid some of the many mistakesand pitfalls that have been made there.While over 100 advertising firms offer opt-outs, and the industry has not provided a universal way forconsumers to opt-out. The Network Advertising Initiative (NAI) has created a single web site throughwhich consumers easily obtain the opt-outs from its 36 member companies. However, the NAI site does notprovide consumers with the opt-outs of the 50+ non-NAI advertising firms. Thus, consumers areunrealistically expected to visit 50+ different web sites in order to obtain individual opt-out cookies.Once these opt-out cookies have been inserted into the user’s browser, it is easy for them to be lost orunintentionally erased.

Furthermore, as I highlighted in a recent letter to the NAI, many opt-out cookieshave been set to expire after alarmingly short periods of time, thus requiring the consumer to repeat thelaborious opt-out process multiple times per year.

My free TACO tool allows users of the Firefox browser to easily set persistent opt-out cookies for 90different advertising firms, without having to worry about the opt-out cookies being accidentally deleted orexpiring after just a few short months. TACO users do not need to visit 50+ different websites in order toachieve opt-out coverage. A single installation, done via a couple clicks, is enough.While TACO makes behavioral advertising opt-outs slightly more usable, it is by no means a silver bullet.The current system of opt-outs for the behavioral advertising industry is a mess. Each advertising firm usesa different format for their opt-out cookies

, making the collection and maintenance of the opt-out cookielist a nightmare. Each time a new advertising firm enters the market, I have to manually step through theopt-out process in order to observe and obtain that company’s cookie, and then push an update out to the100,000+ existing users of TACO.

Unfortunately, most of these firms only allow consumers to opt-out of the

use

, not the

collection

of data.

Professors Swire and Antón have documented these problems in great depth. See:http://www.ftc.gov/os/comments/behavioraladprinciples/080410swireandanton.pdf

See: http://paranoia.dubfire.net/2009/07/open-letter-regarding-opt-out-cookie.html

For example, Google’s cookie is “id=OPT_OUT”, Microsoft’s is “TOptOut=1”, Yahoo’s is “AO=o=1”,BlueKai’s is “BKIgnore=1”, and AOL’s is “ACID=optout!”