Cookies enable Web site personalization — for example, the allow a Web site to remember you and, maybe, the items you put in your online shopping cart. But they have always been watched by some privacy advocates because of the potential implications — for example, they could track a visitor’s travels to other sites. [Read how cookies work here… and how to delete them here.]
The new OMB policy seeks to re-balance the privacy considerations given that the ban was instituted more than a decade ago. The idea: Times have changed and people are more accepting of these tools.
As I say, I’m reading the policies now, but… It is important to be very clear — agencies were absolutely not banned from using cookies. They had been banned from using PERSISTENT cookies — cookies that can track you long term. I didn’t get a chance to read all the comments that came in — and unfortunately OMB has not kept those comments online. And I still have to read the policies, but… I have year to hear a convincing argument why agencies must have persistent cookies. Some argue that the private sector does it, but that argument is specious — the government is not the private sector. In the end, it doesn’t matter what the private sector does. (Should government follow the Facebook privacy model?)
I’m reading the new policies with an open mind, but… I’m very suspicious.
How these came about… Giving OMB credit, they tried to evolve these policies in a relatively public way. As I seem to say a lot these days, I think they could have developed it in a public way. That being said, it would be nice if the comments were still available.
In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a “shopping cart” at an online store, or have a website remember customized settings and preferences, cookies are being used.
Last week, Vivek Kundra and Katie Stanton talked about the efforts underway to introduce more Web 2.0 technologies to the federal government sites and to open more back-and-forth communication between the American people and the government. Some of this naturally requires the adoption of new approaches and innovative technologies. But another big part of this is updating existing practices and how these tools can be used to break down barriers to communication and information.
We continue to ask for your feedback, but the best feedback is informed feedback. So what follows is background on current policies and some examples of what we’ve heard from you during the Brainstorming phase of our outreach.
Here is the specific section on cookies:
* WhiteHouse.gov blog: Cookies Anyone (the http kind)? [July 24, 2009] By Bev Godwin, who was on assignment to the White House at the time. She is currently GSA’s Director of USA.gov and the Office of Citizen Service’s Web Best Practices Office
Nine years ago – a lifetime in Internet time – the Office of Management and Budget (OMB) issued a policy commonly referred to as “the cookies policy. “This policy prohibited federal agencies from using certain web-tracking technologies, primarily persistent cookies, unless the agency head provided a waiver. This may sound like arcane, boring policy – but it is really important in the online world.
Unfortunately in this post, Godwin points to a site where people could post comments — http://blog.ostp.gov/2009/07/24/cookiepolicy. Unfortunately that page doesn’t seem to exist. It would be great to see the comments now.content is important to our citizens. We can use that data to improve the content and navigation of our sites.”
Our main goal in revisiting the ban on using persistent cookies on Federal websites is to bring the federal government into the 21st century. Consistent with this Administration’s commitment to making government more open and participatory, we want federal agencies to be able to provide the same user- friendly, dynamic, and citizen-centric websites that people have grown accustomed to using when they shop or get news online or communicate through social media networks, while also protecting people’s privacy.
It is clear that protecting the privacy of citizens who visit government websites must be one of the top considerations in any new policy. This is why we’ve taken such a cautious approach going forward and why we felt it so important to get feedback and hear from people on this. While we wanted to get people’s ideas for improving our policy, we also needed to hear any concerns so that we could understand better where potential pitfalls might lie.
[The CIO Council] strongly support the requirement that the use of any technology, including persistent cookies, to track the activities of users on web sites be approved personally by the head of the executive department (for the 14 executive departments) or agency.
As we make progress towards electronic government, personalization of web sites, typically done through persistent cookies, may become necessary in order to serve our customer’s requirements. At that time, it would be appropriate for OMB to review the “no delegation” policy in light of the then-current “state-of-the-art” in privacy protections. For example, OMB may decide to relax this policy when customers are given a choice of selecting either a personalized (i.e., with persistent cookie) or non-personalized (no persistent cookie) web experience.
We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.