E-Gov 2.0 in Action
January 22nd, 2009 by Alissa Cooper
[Editor Note: This entry has been updated, please see below.]
Last week we blogged (Part I and Part 2 ) about how current federal policies around the use of Internet technologies may need to be updated to keep pace with the past few years’ advances in both privacy protection and technological sophistication. We highlighted how the current policy governing the use of cookies on federal Web sites could be improved to facilitate federal agencies’ full use of Web 2.0 services while continuing to respect citizens’ privacy. We suggested that federal Web sites could offer site visitors their choice of using a particular feature – such as embedded video – with or without persistent cookies.
Ask, and ye shall receive. When President Obama’s official home on the Web was unveiled as he was sworn into office yesterday, it came together with a privacy policy prescribing just the kinds of choices we were thinking about.
According to the policy:
For videos that are visible on WhiteHouse.gov, a ‘persistent cookie’ is set by third party providers when you click to play the video.
This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.
If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video.
This policy is completely in line with the guidelines about the use of cookies on federal Web sites that were issued in 2003. Yet it allows WhiteHouse.gov to take full advantage of streaming video (a technology that was hardly mainstream back then) while also offering site visitors increased control over their online privacy. It would seem that as an opening salvo, the WhiteHouse.gov policy is spot-on.
Unfortunately, policy and practice are not quite one and the same. A quick review of the most prominent videos currently available on WhiteHouse.gov (the President’s inaugural address, for example) reveals that persistent cookies belonging to the White House’s video provider (YouTube) are set as soon as a visitor accesses the landing page containing a video. Even if the site visitor never clicks the play button, he or she will come away with a persistent YouTube cookie that doesn’t expire for nine months or so. And one of the videos linked from the site’s home page, the whistlestop tour video, does not allow users to download the video rather than watch it on the Web.
UPDATE: Talk about a quick turnaround. WhiteHouse.gov has instituted a fix for its video cookie problem so that merely visiting a landing page containing a video does not automatically set a persistent cookie. Instead, each landing page contains an image of the video player. Only after a site visitor clicks the image is the actual video player displayed (accompanied by its cookie). The White House has also updated its privacy policy to indicate that it fully intends to adhere to its stated cookie policy despite initial technical difficulties. The updated policy provides a link that site visitors can use to inform the White House about any difficulties they may be having with the site.
Whitehouse.gov ‘Bugged’
Over on Dave Farber’s Interesting-People mailing list, Karl Auerbach has pointed out another potential privacy pitfall on the site. WhiteHouse.gov appears to be using WebTrends, a third-party private company that provides Web analytics and statistics services. WebTrends is placing a Web beacon – an invisible image file that allows the company to record the IP addresses and browser information of site visitors — on pages of the WhiteHouse.gov site. This allows WebTrends to track individual users by IP address, both on the White House site and the many other sites that make use of WebTrends analytics.
The WhiteHouse.gov privacy policy makes no mention of its use of Web bugs or third-party data collection partners. This flies in the face of federal guidance on the issue, which requires disclosure of tracking technologies and specifically mentions Web beacons. Furthermore, it is unclear how the White House can justify using a third-party analytics provider, which opens site visitors up to being tracked across the Web at large, instead of doing analytics from its own first-party Web server.
Given that WhiteHouse.gov has been live for less than two days and its content was obviously put together in a hurry to match the presidential transition schedule, it may be unreasonable to expect the site’s privacy protections to be perfect from the outset. But we expect both of these issues to be dealt with promptly if we are to believe that President Obama’s commitment to privacy is more than mere rhetoric.
This entry was posted on Thursday, January 22nd, 2009 at 9:35 am and is filed under CDT, Consumer Privacy, Open Government. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
January 22nd, 2009 at 7:23 pm
You are incorrect and misinformed on this matter.
Whitehouse.gov and many other Federal websites have had the webtrend’s code for several years now. By Federal guidelines, the system can only implement web analytics or similar site-side visitor behavior systems with a session-cookie. That means after the visitor has left the site (or timed-out) the cookie that is used to collect anonymous data is deleted. Lastly, tools like Webtrends, Google Analytics and others cannot be “tracked across the Web at large”
regarding the persistent cookie. That is very specific to the use of YouTube.
January 23rd, 2009 at 11:49 am
I would argue that the issue of whether a web beacon is used in conjunction with a persistent cookie is irrelevant given the way that federal guidance on the issue is written. The most recent guidelines state that “agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors’ activity on the Internet” unless the agencies meet four conditions: they provide clear and conspicuous notice of the use of the tracking technology; they demonstrate a compelling need to use the tracking technology; they publicly disclose the privacy safeguards in place for handling any information derived from the use of the tracking technology; and they obtain personal approval for the use of the tracking technology by the head of the agency. I take this to mean that web beacons cannot be used unless federal agencies meet all four conditions. The WebTrends web beacon currently in use on WhiteHouse.gov does not cause a persistent cookie to be set, but to my mind its use by the White House must still be governed by the four conditions, none of which appear to have been met. Other federal agencies using web beacons should be held to the same standard.
As far as the YouTube cookies go, they may be the first third-party persistent cookies that this White House has decided to use, but they are not likely to be the last. That’s why we suggested updates to federal policy that would provide consumers with control over their privacy while still allowing federal Web sites to take full advantage of Web 2.0.