
The Honorable Vivek Kundra
Chief Information Officer
Office of Management and Budget
Executive Office of the President
The White House
Washington, D.C. 20500

July 30, 2009

Dear Mr. Kundra,

Thank you for seeking public comments on the Administration’s proposed new cookie and web tracking
policies.

The federal government’s existing cookie policies were established in 2000 after the White House Office of
National Drug Control Policy was discovered to be using permanent tracking cookies on its web site.
Describing the reason for the strict new rules, an administration official told the New York Times:

“People shouldn't have to worry when they're getting information from the government that the
government is getting information from them.”[1]

This statement is just as true today as it was in 2000. In addition to the massive technical advances in data
mining algorithms over the past nine years, the federal government has rushed to deploy these technologies
at an alarming scale. According to a Government Accountability Office study reported in 2006, 52
government agencies had launched, or planned to begin, at least 199 data-mining projects. The vast
majority of these programs are for law enforcement or counterterrorism purposes.[2]

The federal government has a poor track record when it comes to protecting the privacy of US citizens.
Recent notable examples include the Orwellian Total Information Awareness program, the widespread
abuse of National Security Letters by the FBI as well as the NSA’s massively illegal warrantless
wiretapping of emails, Internet searches and phone calls of millions of Americans.

Americans have good reason to worry about the data collection practices employed by the government. It is
therefore vital that you put privacy and transparency before all other concerns as you look to update the
ten-year-old federal cookie and web tracking rules.

The commenting party

I am a student fellow at the Berkman Center for Internet & Society at Harvard University, and a PhD
Candidate in the School of Informatics at Indiana University.[3] My academic research is focused at the
intersection of applied computer security and privacy, technology law and policy. My activism has resulted
in the successful passage of an amendment to Indiana's data breach laws, a Congressional investigation of
web security flaws at the Transportation Security Administration, as well as several media firestorms.

I have been a persistent critic of this Administration’s approach to online privacy, cookies and the use of
embedded third party code. In particular, I worked to draw attention to the privacy problems associated
with the use of embedded YouTube videos on the White House web site.

[1] See: http://www.nytimes.com/2000/06/22/us/drug-office-ends-tracking-of-web-users.html
[2] See: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402063_pf.html
[3] This letter is written in my personal capacity, and the opinions expressed here do not necessarily
represent those of Indiana University, Harvard University or any other organization.

I am also the author of the Targeted Advertising Cookie Opt-out (TACO) Firefox browser add-on[4], which
enables consumers to easily and permanently opt-out of behavioral advertising performed by 90 different
advertising companies. TACO is currently used by more than 100,000 people per day, and is responsible
for the installation of more than 9 million opt-out cookies.

Privacy guidelines should focus on the degree of personally identifiable information contained within
cookies, rather than their intended usage

In a recent OSTP blog post, you stated that you are considering adopting a three-tiered approach to the use
of web tracking technologies on Federal Government websites:

• 1st - Single-session technologies, which track users over a single session and do not maintain
tracking data over multiple sessions or visits;
• 2nd - Multi-session technologies for use in analytics, which track users over multiple sessions
purely to gather data to analyze web traffic statistics; and
• 3rd - Multi-session technologies for use as persistent identifiers, which track users over
multiple visits with the intent of remembering data, settings, or preferences unique to that
visitor for purposes beyond what is needed for web analytics.

This framework correctly identifies that different types of tracking technologies do not all carry the same
level of privacy risk for web users. The concept of a multi-tiered system for dealing with cookies is
sound. However, I believe that additional layers in this framework could provide even more transparency
and protection for users.

Rather than evaluating cookies and other tracking technologies based on their intended usage, I urge you to
instead focus on the degree to which they can be used to track individuals and other potential privacy
harms.

Cookies are used for many purposes, some of which raise significant privacy issues, and some of which do
not. It is vital that any federal guidelines consider the risk individual cookies pose to end-user privacy when
evaluating their use. Simply put, cookies that track individual users pose the greatest threat to user privacy,
and so any federal guidelines should place these in the most restricted tier.

There are few if any privacy-related issues that should prohibit an agency from using persistent cookies to
store a user’s preferences for a particular web site, as long as those preferences are stored in a generic and
non-identifiable way.

As an example, a persistent cookie set by whitehouse.gov in order to store the preferences of visitors to
the site (USER_LANGUAGE=SPANISH or WEBSITE_VERSION=LOW_BANDWIDTH) should be
fine.

On the other hand, web analytics services and other tracking software that assign unique tracking IDs to
users in the form of permanent cookies should be heavily restricted, since these would allow citizens to be
tracked as they browsed around Federal web sites. Within this category of cookies, the use of third party
cookies placed by web bugs that allow users to be tracked across different web domains should be heavily
regulated, if not banned outright, as these pose the greatest threat to user privacy. Any agency wishing to
make use of third party cookies should be required to justify the decision, and explain why cookies served
from a first party domain would not provide the necessary functionality.

Thus, if recovery.gov attempted to track individual users via a persistent cookie set by analytics software
(for example: USER_ID=12345678), this would likely attract attention and criticism from the privacy
community.

[4] See: http://taco.dubfire.net

I propose that you adopt the following multi-tier approach for evaluating the use of cookies and other
tracking technologies:

• 1st - Single-session technologies, which track users over a single session and do not maintain
tracking data over multiple sessions or visits;
• 2nd - Multi-session technologies which store data across multiple visits that are used to
remember data, settings or preferences, but which only store generic, non-identifiable
information;
• 3rd - Multi-session technologies which track users over multiple sessions but are served from a
first party domain, and can thus only be used to track visits to a single web site; and
• 4th - Multi-session technologies which track users over multiple sessions but are served from a
third party domain, and can thus be used to track visits to multiple web sites across different
domains.
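The four tiers above can be applied mechanically to the Set-Cookie headers an agency site actually sends. The following Python is an added example written for this page, not code from the letter or from TACO. It assumes three things that the letter does not specify: that a cookie is "persistent" when it carries a Max-Age or Expires attribute, that a value is "identifying" when it looks like a token rather than a shared word (a heuristic, shown in looks_like_identifier), and that first- versus third-party is decided by comparing the last two domain labels (a proper audit would use the public suffix list). The sample observations are constructed, not real captures.

```python
import re

# Tier labels from the four-tier proposal above.
TIER_LABELS = {
    1: "single-session",
    2: "multi-session, generic non-identifiable data",
    3: "multi-session tracking, first-party scope",
    4: "multi-session tracking, third-party scope",
}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes-dict with lowercase keys)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip().strip('"'), attrs


def is_persistent(attrs):
    """A cookie outlives the browser session only if Max-Age (> 0) or Expires is present."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    return "expires" in attrs


def looks_like_identifier(value):
    """Heuristic (an assumption of this example): could the value single out one user?

    Plain words such as SPANISH or LOW_BANDWIDTH are shared by many visitors; a long
    run of digits (USER_ID=12345678) or a long alphanumeric token is not.
    """
    if re.fullmatch(r"[A-Za-z_]+", value):
        return False
    if re.search(r"\d{6,}", value):
        return True
    return (len(value) >= 16
            and re.fullmatch(r"[A-Za-z0-9+/=._-]+", value) is not None
            and re.search(r"\d", value) is not None
            and re.search(r"[A-Za-z]", value) is not None)


def registrable_domain(host):
    """Assumption: the last two labels. A real audit should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify(page_host, setter_host, set_cookie):
    """Return the tier (1-4) of a cookie set by `setter_host` while the user viewed `page_host`."""
    _, value, attrs = parse_set_cookie(set_cookie)
    if not is_persistent(attrs):
        return 1
    if not looks_like_identifier(value):
        return 2
    # A Domain attribute widens the cookie's scope; otherwise it is scoped to the responding host.
    scope = attrs.get("domain", setter_host).lstrip(".")
    if registrable_domain(scope) == registrable_domain(page_host):
        return 3
    return 4


# Constructed observations (page host, responding host, Set-Cookie header); not real captures.
SAMPLE_OBSERVATIONS = [
    ("www.whitehouse.gov", "www.whitehouse.gov", "SESSIONID=4f9a2c7e1b3d; Path=/; HttpOnly"),
    ("www.whitehouse.gov", "www.whitehouse.gov", "USER_LANGUAGE=SPANISH; Max-Age=31536000; Path=/"),
    ("www.recovery.gov", "www.recovery.gov", "USER_ID=12345678; Max-Age=63072000; Path=/"),
    ("www.recovery.gov", "stats.tracker.example",
     "uid=7c1e9b2f4a6d8e0f; Domain=.tracker.example; Max-Age=63072000"),
]


def audit(observations=SAMPLE_OBSERVATIONS):
    """Pair each cookie name with its tier so the most restricted tiers can be reviewed first."""
    result = []
    for page_host, setter_host, header in observations:
        name = parse_set_cookie(header)[0]
        result.append((name, classify(page_host, setter_host, header)))
    return result


if __name__ == "__main__":
    for name, tier in audit():
        print(f"tier {tier} ({TIER_LABELS[tier]}): {name}")
```

Run against the constructed observations, the session cookie lands in tier 1, the language preference in tier 2, the first-party USER_ID in tier 3 and the cross-domain uid in tier 4. The heuristic is deliberately conservative about short values; an agency audit would pair it with a review of what each cookie is actually used for.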

The federal government should learn from the mistakes of the behavioral advertising industry

In your blog post, you also propose that federal government web sites be required to “[p]rovide a clear and
understandable means for a user to opt-out of being tracked.”

As you consider a policy that will require federal websites to offer opt-outs to consumers, it would be
useful to look to the situation in the behavioral advertising industry (where opt-out capabilities are
widespread[5], yet difficult to use and discover by consumers), in order to avoid some of the many mistakes
and pitfalls that have been made there.

While over 100 advertising firms offer opt-outs, the industry has not provided a universal way for
consumers to opt-out. The Network Advertising Initiative (NAI) has created a single web site through
which consumers can easily obtain the opt-outs from its 36 member companies. However, the NAI site does
not provide consumers with the opt-outs of the 50+ non-NAI advertising firms. Thus, consumers are
unrealistically expected to visit 50+ different web sites in order to obtain individual opt-out cookies.

Once these opt-out cookies have been inserted into the user’s browser, it is easy for them to be lost or
unintentionally erased.[6] Furthermore, as I highlighted in a recent letter to the NAI, many opt-out cookies
have been set to expire after alarmingly short periods of time, thus requiring the consumer to repeat the
laborious opt-out process multiple times per year.[7]

My free TACO tool allows users of the Firefox browser to easily set persistent opt-out cookies for 90
different advertising firms, without having to worry about the opt-out cookies being accidentally deleted or
expiring after just a few short months. TACO users do not need to visit 50+ different websites in order to
achieve opt-out coverage. A single installation, done via a couple of clicks, is enough.

While TACO makes behavioral advertising opt-outs slightly more usable, it is by no means a silver bullet.

The current system of opt-outs for the behavioral advertising industry is a mess. Each advertising firm uses
a different format for their opt-out cookies[8], making the collection and maintenance of the opt-out cookie
list a nightmare. Each time a new advertising firm enters the market, I have to manually step through the
opt-out process in order to observe and obtain that company’s cookie, and then push an update out to the
100,000+ existing users of TACO.

[5] Unfortunately, most of these firms only allow consumers to opt-out of the use, not the collection of data.
[6] Professors Swire and Antón have documented these problems in great depth. See:
http://www.ftc.gov/os/comments/behavioraladprinciples/080410swireandanton.pdf
[7] See: http://paranoia.dubfire.net/2009/07/open-letter-regarding-opt-out-cookie.html
[8] For example, Google’s cookie is “id=OPT_OUT”, Microsoft’s is “TOptOut=1”, Yahoo’s is “AO=o=1”,
BlueKai’s is “BKIgnore=1”, and AOL’s is “ACID=optout!”

While I would likely add any federal government opt-out cookies to TACO, the addition of 100 or so cookies
for federal opt-outs would needlessly add bloat to TACO when a single federal opt-out would work far
better.

My recommendations for federal opt-outs

In order to make the federal web tracking opt-out process as painless as possible for end-users as well as
developers of privacy tools, I urge you to do the following:

1. Require that all federal web sites providing opt-out cookie functionality use a single, standard
format for the opt-out cookie.
2. Require that federal opt-out cookies be generic and non-identifiable. Any one user opting out of
tracking should receive the exact same cookie issued to a different user the week before.[9]
3. Require that all federal tracking opt-out cookies be set to expire after a reasonably lengthy period
of time, preferably at least 10 years.
4. While the NAI opt-out web site is not perfect, it is still pretty good. The federal government
should create a similar site, perhaps located at privacy.gov, where web users can easily install
opt-out cookies for every federal web site with a single mouse click.
5. Provide a link on the privacy.gov (or similar) site to tools like TACO, so that users can obtain
persistent Federal web tracking opt-outs that are resistant to accidental (or intentional) cookie
deletion.
6. Require that Federal web sites support a single, browser-based universal opt-out header[10] in
addition to the opt-out cookie. This header approach has been repeatedly proposed in the
behavioral advertising arena, and would solve many of the problems that plague the current
cookie-based opt-out model.
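Recommendations 1, 2, 3 and 6 together describe a concrete opt-out mechanism: one standard cookie, identical for every user, living at least ten years, with a request header as a second signal. The following Python is an added example written for this page, not code from the letter, from TACO or from any agency. The cookie name FED_OPT_OUT, its value "1" and the header name X-Tracking-Opt-Out are hypothetical placeholders for whatever standard format would actually be chosen; the reference date is a constructed value. It builds a conforming Set-Cookie header, audits an arbitrary opt-out cookie against the three cookie requirements, and shows how a site would honour either the cookie or the header before enabling analytics.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.cookies import SimpleCookie

# Hypothetical standard format: these names are assumptions of this example,
# not anything the letter, OMB or any agency has specified.
OPT_OUT_NAME = "FED_OPT_OUT"
OPT_OUT_VALUE = "1"                    # identical for every user: no timestamp, no per-user token
OPT_OUT_HEADER = "x-tracking-opt-out"  # hypothetical universal opt-out request header
MIN_LIFETIME = timedelta(days=3650)    # "preferably at least 10 years"

# Constructed reference time (the date of the letter) so results are reproducible.
EXAMPLE_NOW = datetime(2009, 7, 30, tzinfo=timezone.utc)


def build_opt_out_cookie(now):
    """Set-Cookie header an agency site would send when a visitor opts out of tracking."""
    seconds = int(MIN_LIFETIME.total_seconds())
    # Expires is included alongside Max-Age for clients that ignore Max-Age.
    expires = format_datetime(now + MIN_LIFETIME, usegmt=True)
    return f"{OPT_OUT_NAME}={OPT_OUT_VALUE}; Max-Age={seconds}; Expires={expires}; Path=/"


def audit_opt_out_cookie(set_cookie, now):
    """Check a Set-Cookie header against recommendations 1-3; return the list of violations."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)
    findings = []
    for name, morsel in cookie.items():
        if name != OPT_OUT_NAME:
            findings.append("nonstandard-name")       # recommendation 1: one standard format
        if morsel.value != OPT_OUT_VALUE:
            findings.append("non-generic-value")      # recommendation 2: same cookie for everyone
        if morsel["max-age"]:
            lifetime = timedelta(seconds=int(morsel["max-age"]))
        elif morsel["expires"]:
            lifetime = parsedate_to_datetime(morsel["expires"]) - now
        else:
            findings.append("session-only")           # dies with the browser session
            continue
        if lifetime < MIN_LIFETIME:
            findings.append("short-lifetime")         # recommendation 3: at least 10 years
    return findings


def is_opted_out(request_headers, cookie_header=""):
    """True if the request carries the opt-out header (recommendation 6) or the opt-out cookie."""
    headers = {k.lower(): v.strip() for k, v in request_headers.items()}
    if headers.get(OPT_OUT_HEADER) == "1":
        return True
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return OPT_OUT_NAME in cookie and cookie[OPT_OUT_NAME].value == OPT_OUT_VALUE


if __name__ == "__main__":
    good = build_opt_out_cookie(EXAMPLE_NOW)
    print(good, audit_opt_out_cookie(good, EXAMPLE_NOW))
    # Constructed non-conforming cookie: per-user timestamp in the value, three-month lifetime.
    bad = "optout=opt_20090730123456; Expires=Thu, 29 Oct 2009 00:00:00 GMT; Path=/"
    print(bad, audit_opt_out_cookie(bad, EXAMPLE_NOW))
    print(is_opted_out({"X-Tracking-Opt-Out": "1"}), is_opted_out({}, "SESSION=abc"))
```

The audit deliberately compares the value to the one fixed string rather than pattern-matching for timestamps: any deviation from the exact standard value, however innocent, makes one user's opt-out cookie distinguishable from another's, which is precisely what footnote 9 rules out. Checking the header first means a browser-side opt-out works even after the cookie has been deleted.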

Requiring transparency for all waivers

In some cases, the new cookie privacy rules will prove to be too restrictive for a particular agency, and so
waivers will likely be sought. The 2000 cookie rules permitted such a waiver of the general prohibition of
the use of permanent cookies, by requiring that:

Under this new Federal policy, "cookies" should not be used at Federal web sites, or by
contractors when operating web sites on behalf of agencies, unless, in addition to clear and
conspicuous notice, the following conditions are met: a compelling need to gather the data on the
site; appropriate and publicly disclosed privacy safeguards for handling of information derived
from "cookies"; and personal approval by the head of the agency.

Within the first days of this Administration, these cookie rules were deemed to be too restrictive, and so a
waiver was issued to permit the use of third party persistent tracking cookies by YouTube on the White
House web site.[11] Likely in response to criticism from the blogosphere, this waiver was later generalized to
apply to “some third party providers.”[12]

The Electronic Frontier Foundation and I have repeatedly requested copies of these waivers from the White
House Counsel.[13] These requests have unfortunately been ignored.

[9] Generic and non-identifiable means no timestamps in the cookies, or anything else that might help to
identify an individual from a pool of other opted-out persons.
[10] See: https://addons.mozilla.org/en-US/firefox/addon/12765
[11] See: White House exempts YouTube from privacy rules, http://news.cnet.com/8301-13739_3-10147726-46.html
[12] See: White House yanks ‘YouTube’ from privacy policy, http://news.cnet.com/8301-13739_3-10150534-46.html
[13] See: http://www.eff.org/deeplinks/2009/01/eff-white-house-counsel and
http://www.eff.org/deeplinks/2009/06/cookies-crumbling

Given the President’s much publicized commitment to require openness and transparency, the White
House’s refusal to publish these waivers (or to even acknowledge the requests for them) is rather shocking.

In addition to the other recommendations outlined in this letter, I ask that you require that any agency
waivers of the new cookie and web privacy policies be published both on the agency web site, as well as on
privacy.gov (or some other high profile web site). Furthermore, the White House should set an example by
finally publishing the January 2009 cookie waiver documents, in full.

Should you have any questions about my recommendations, please send me an email. I am happy to talk.

Christopher Soghoian
csoghoian@gmail.com
