The Honorable Vivek Kundra
Chief Information Officer
Office of Management and Budget
Executive Office of the President
The White House
Washington, D.C. 20500

July 30, 2009

Dear Mr. Kundra,

Thank you for seeking public comments on the Administration’s proposed new cookie and web tracking policies.

The federal government’s existing cookie policies were established in 2000 after the White House Office of National Drug Control Policy was discovered to be using permanent tracking cookies on its web site. Describing the reason for the strict new rules, an administration official told the New York Times: “People shouldn't have to worry when they're getting information from the government that the government is getting information from them.”[1]

This statement is just as true today as it was in 2000. In addition to the massive technical advances in data mining algorithms over the past nine years, the federal government has rushed to deploy these technologies at an alarming scale. According to a Government Accountability Office study reported in 2006, 52 government agencies had launched, or planned to begin, at least 199 data-mining projects. The vast majority of these programs are for law enforcement or counterterrorism purposes.[2]

The federal government has a poor track record when it comes to protecting the privacy of US citizens. Recent notable examples include the Orwellian Total Information Awareness program, the widespread abuse of National Security Letters by the FBI, as well as the NSA’s massively illegal warrantless wiretapping of emails, Internet searches and phone calls of millions of Americans. Americans have good reason to worry about the data collection practices employed by the government. It is therefore vital that you put privacy and transparency before all other concerns as you look to update the ten year old federal cookie and web tracking rules.
The commenting party

I am a student fellow at the Berkman Center for Internet & Society at Harvard University, and a PhD Candidate in the School of Informatics at Indiana University.[3] My academic research is focused on the intersection of applied computer security and privacy, technology law and policy. My activism has resulted in the successful passage of an amendment to Indiana's data breach laws, a Congressional investigation of web security flaws at the Transportation Security Administration, as well as several media firestorms. I have been a persistent critic of this Administration’s approach to online privacy, cookies and the use of embedded third party code. In particular, I worked to draw attention to the privacy problems associated with the use of embedded YouTube videos on the White House web site.

[1] See: http://www.nytimes.com/2000/06/22/us/drug-office-ends-tracking-of-web-users.html
[2] See: http://www.washingtonpost.com/wp-dyn/content/article/2006/06/14/AR2006061402063_pf.html
[3] This letter is written in my personal capacity, and the opinions expressed here do not necessarily represent those of Indiana University, Harvard University or any other organization.

I am also the author of the Targeted Advertising Cookie Opt-out (TACO) Firefox browser add-on[4], which enables consumers to easily and permanently opt out of behavioral advertising performed by 90 different advertising companies. TACO is currently used by more than 100,000 people per day, and is responsible for the installation of more than 9 million opt-out cookies.

Privacy guidelines should focus on the degree of personally identifiable information contained within cookies, rather than their intended usage

In a recent OSTP blog post, you stated that you are considering adopting a three-tiered approach to the use of web tracking technologies on Federal Government websites:

• 1st - Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
• 2nd - Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze web traffic statistics; and
• 3rd - Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for web analytics.

This framework correctly identifies that different types of tracking technologies do not all carry the same level of privacy risk for web users. The concept of a multiple tiered system for dealing with cookies is sound. However, I believe that additional layers in this framework could provide even more transparency and protection for users. Rather than evaluating cookies and other tracking technologies based on their intended usage, I urge you to instead focus on the degree to which they can be used to track individuals and other potential privacy harms. Cookies are used for many purposes, some of which raise significant privacy issues, and some of which do not. It is vital that any federal guidelines consider the risk individual cookies pose to end-user privacy when evaluating their use. Simply put, cookies that track individual users pose the greatest threat to user privacy, and so any federal guidelines should place these in the most restricted tier.

There are few if any privacy related issues that should prohibit an agency from using persistent cookies to store a user’s preferences for a particular web site, as long as those preferences are stored in a generic and non-identifiable way. As an example, a persistent cookie set by whitehouse.gov in order to store the preferences of visitors to the site (USER_LANGUAGE=SPANISH or WEBSITE_VERSION=LOW_BANDWIDTH) should be fine. On the other hand, web analytics services and other tracking software that assign unique tracking IDs to users in the form of permanent cookies should be heavily restricted, since these would allow citizens to be tracked as they browsed around Federal web sites. Within this category of cookies, the use of third party cookies placed by web bugs that allow users to be tracked across different web domains should be heavily regulated, if not banned outright, as these pose the greatest threat to user privacy.
Any agency wishing to make use of third party cookies should be required to justify the decision, and explain why cookies served from a first party domain would not provide the necessary functionality. Thus, if recovery.gov attempted to track individual users via a persistent cookie set by analytics software (for example: USER_ID=12345678), this would likely attract attention and criticism from the privacy community.

[4] See: http://taco.dubfire.net

I propose that you adopt the following multi-tier approach for evaluating the use of cookies and other tracking technologies:

• 1st - Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
• 2nd - Multi-session technologies which store data across multiple visits that are used to remember data, settings or preferences, but which only store generic, non-identifiable information;
• 3rd - Multi-session technologies which track users over multiple sessions but are served from a first party domain, and can thus only be used to track visits to a single web site; and
• 4th - Multi-session technologies which track users over multiple sessions but are served from a third party domain, and can thus be used to track visits to multiple web sites across different domains.
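As an added example (not code from the letter), the following Python classifies a Set-Cookie header into the four tiers proposed above, so that an agency or privacy reviewer could audit a response before it goes live. It assumes a heuristic for what counts as a "generic" value and a simplified two-label rule for deciding which site a cookie belongs to (both marked in the comments); the sample headers are constructed, modelled on the letter's own examples.

```python
import re
from http.cookies import SimpleCookie

# Heuristic (assumption, not from the letter): values made only of letters and
# underscores (SPANISH, LOW_BANDWIDTH, OPT_OUT) or a bare 0/1 flag are generic;
# anything else (USER_ID=12345678, hex tokens, timestamps) may identify a visitor.
GENERIC_VALUE = re.compile(r"[A-Za-z_]+|[01]")


def registrable_domain(host):
    # Simplification (assumption): treat the last two labels as the site,
    # e.g. "www.whitehouse.gov" -> "whitehouse.gov".
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify_cookie(set_cookie_header, setting_host, site_host):
    """Return (cookie_name, tier) for one Set-Cookie header.
    Tier 1: single-session cookie (no Expires or Max-Age).
    Tier 2: persistent, but the value is generic and non-identifiable.
    Tier 3: persistent identifier served from the site's own (first-party) domain.
    Tier 4: persistent identifier served from a third-party domain.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (name, morsel), = jar.items()
    if not (morsel["expires"] or morsel["max-age"]):
        return name, 1
    if GENERIC_VALUE.fullmatch(morsel.value):
        return name, 2
    # An explicit Domain attribute decides which site the cookie belongs to;
    # otherwise it belongs to the host that served the response.
    owner = morsel["domain"] or setting_host
    if registrable_domain(owner) == registrable_domain(site_host):
        return name, 3
    return name, 4


def highest_tier(headers, site_host):
    """Audit a response: list of (Set-Cookie header, serving host) -> worst tier seen."""
    return max((classify_cookie(h, host, site_host)[1] for h, host in headers), default=0)


if __name__ == "__main__":
    # Constructed sample headers, modelled on the letter's examples.
    SAMPLE = [
        ("USER_LANGUAGE=SPANISH; Max-Age=31536000; Path=/", "www.whitehouse.gov"),
        ("USER_ID=12345678; Max-Age=31536000; Path=/", "www.recovery.gov"),
        ("VISITOR_ID=a1b2c3d4; Max-Age=63072000; Domain=.analytics.example; Path=/", "cdn.analytics.example"),
    ]
    for header, host in SAMPLE:
        print(classify_cookie(header, host, "www.recovery.gov"))
```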

The federal government should learn from the mistakes of the behavioral advertising industry

In your blog post, you also propose that federal government web sites be required to “[p]rovide a clear and understandable means for a user to opt-out of being tracked.” As you consider a policy that will require federal websites to offer opt-outs to consumers, it would be useful to look to the situation in the behavioral advertising industry (where opt-out capabilities are widespread[5], yet difficult for consumers to use and discover), in order to avoid some of the many mistakes and pitfalls that have been made there.

While over 100 advertising firms offer opt-outs, the industry has not provided a universal way for consumers to opt out. The Network Advertising Initiative (NAI) has created a single web site through which consumers can easily obtain the opt-outs from its 36 member companies. However, the NAI site does not provide consumers with the opt-outs of the 50+ non-NAI advertising firms. Thus, consumers are unrealistically expected to visit 50+ different web sites in order to obtain individual opt-out cookies. Once these opt-out cookies have been inserted into the user’s browser, it is easy for them to be lost or unintentionally erased.[6] Furthermore, as I highlighted in a recent letter to the NAI, many opt-out cookies have been set to expire after alarmingly short periods of time, thus requiring the consumer to repeat the laborious opt-out process multiple times per year.[7]

My free TACO tool allows users of the Firefox browser to easily set persistent opt-out cookies for 90 different advertising firms, without having to worry about the opt-out cookies being accidentally deleted or expiring after just a few short months. TACO users do not need to visit 50+ different websites in order to achieve opt-out coverage. A single installation, done via a couple of clicks, is enough.
While TACO makes behavioral advertising opt-outs slightly more usable, it is by no means a silver bullet. The current system of opt-outs for the behavioral advertising industry is a mess. Each advertising firm uses a different format for their opt-out cookies[8], making the collection and maintenance of the opt-out cookie list a nightmare. Each time a new advertising firm enters the market, I have to manually step through the opt-out process in order to observe and obtain that company’s cookie, and then push an update out to the 100,000+ existing users of TACO.

[5] Unfortunately, most of these firms only allow consumers to opt out of the use, not the collection, of data.
[6] Professors Swire and Antón have documented these problems in great depth. See: http://www.ftc.gov/os/comments/behavioraladprinciples/080410swireandanton.pdf
[7] See: http://paranoia.dubfire.net/2009/07/open-letter-regarding-opt-out-cookie.html
[8] For example, Google’s cookie is “id=OPT_OUT”, Microsoft’s is “TOptOut=1”, Yahoo’s is “AO=o=1”, BlueKai’s is “BKIgnore=1”, and AOL’s is “ACID=optout!”

While I would likely add any federal government opt-out cookies to TACO, the addition of 100 or so cookies for federal opt-outs would needlessly add bloat to TACO when a single federal opt-out would work far better.

My recommendations for federal opt-outs

In order to make the federal web tracking opt-out process as painless as possible for end-users as well as developers of privacy tools, I urge you to do the following:

1. Require that all federal web sites providing opt-out cookie functionality use a single, standard format for the opt-out cookie.
2. Require that federal opt-out cookies be generic and non-identifiable. Any one user opting out of tracking should receive the exact same cookie issued to a different user the week before.[9]
3. Require that all federal tracking opt-out cookies be set to expire after a reasonably lengthy period of time, preferably at least 10 years.
4. While the NAI opt-out web site is not perfect, it is still pretty good. The federal government should create a similar site, perhaps located at privacy.gov, where web users can easily install opt-out cookies for every federal web site with a single mouse click.
5. Provide a link on the privacy.gov (or similar) site to tools like TACO, so that users can obtain persistent Federal web tracking opt-outs that are resistant to accidental (or intentional) cookie deletion.
6. Require that Federal web sites support a single, browser based universal opt-out header[10] in addition to the opt-out cookie. This header approach has been repeatedly proposed in the behavioral advertising arena, and would solve many of the problems that plague the current cookie-based opt-out model.

Requiring transparency for all waivers

In some cases, the new cookie privacy rules will prove to be too restrictive for a particular agency, and so waivers will likely be sought. The 2000 cookie rules permitted such a waiver of the general prohibition of the use of permanent cookies, by requiring that:

    Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency.

Within the first days of this Administration, these cookie rules were deemed to be too restrictive, and so a waiver was issued to permit the use of third party persistent tracking cookies by YouTube on the White House web site.[11] Likely in response to criticism from the blogosphere, this waiver was later generalized to apply to “some third party providers.”[12] The Electronic Frontier Foundation and I have repeatedly requested copies of these waivers from the White House Counsel.[13] These requests have unfortunately been ignored.
[9] Generic and non-identifiable means no timestamps in the cookies, or anything else that might help to identify an individual from a pool of other opted-out persons.
[10] See: https://addons.mozilla.org/en-US/firefox/addon/12765
[11] See: White House exempts YouTube from privacy rules, http://news.cnet.com/8301-13739_310147726-46.html
[12] See: White House yanks ‘YouTube’ from privacy policy, http://news.cnet.com/8301-13739_3-1015053446.html
[13] See: http://www.eff.org/deeplinks/2009/01/eff-white-house-counsel and http://www.eff.org/deeplinks/2009/06/cookies-crumbling

Given the President’s much publicized commitment to require openness and transparency, the White House’s refusal to publish these waivers (or to even acknowledge the requests for them) is rather shocking. In addition to the other recommendations outlined in this letter, I ask that you require that any agency waivers of the new cookie and web privacy policies be published both on the agency web site, as well as on privacy.gov (or some other high profile web site). Furthermore, the White House should set an example by finally publishing the January 2009 cookie waiver documents, in full. Should you have any questions about my recommendations, please send me an email. I am happy to talk.

Christopher Soghoian csoghoian@gmail.com