DorobekINSIDER Reader: Federal Internet cookie policies

The Office of Management and Budget has just issued a new policy for dealing with Internet “cookies” — these are text files that a Web site can put on your computer to track how you traverse the site.

Cookies enable Web site personalization — for example, they allow a Web site to remember you and, maybe, the items you put in your online shopping cart. But they have always been watched by some privacy advocates because of the potential implications — for example, they could track a visitor’s travels to other sites. [Read how cookies work here… and how to delete them here.]

The federal government has been all but banned from using persistent Internet cookies because of those privacy concerns. OMB has just issued new policy guidance that would enable agencies to use this tool. And Federal News Radio’s Max Cacas reported on the new policies on the Dorobek Insider on Friday. You can find his report here.

This is an issue I’ve followed for a long time (here is the FCW editorial I wrote on the subject back in 2006) — and, to be honest, I’m suspicious of the new policy. That being said, I have just started reading them.


The new OMB policy seeks to re-balance the privacy considerations given that the ban was instituted more than a decade ago. The idea: Times have changed and people are more accepting of these tools.

As I say, I’m reading the policies now, but… It is important to be very clear — agencies were absolutely not banned from using cookies. They had been banned from using PERSISTENT cookies — cookies that can track you long term. I didn’t get a chance to read all the comments that came in — and unfortunately OMB has not kept those comments online. And I still have to read the policies, but… I have yet to hear a convincing argument why agencies must have persistent cookies. Some argue that the private sector does it, but that argument is specious — the government is not the private sector. In the end, it doesn’t matter what the private sector does. (Should government follow the Facebook privacy model?)

Let’s be very clear — this is not the most critical privacy issue facing government. That being said, it doesn’t help. People are already distrustful of government. I have yet to be convinced of the enormous public good that comes from using this tracking tool that one cannot accomplish otherwise. Again, agencies can use cookies — just not persistent cookies. How does it make people feel about their government if they feel like they are being tracked? (The stopwatch is running until the first story comes out of people using cookies to actually track people using government Web sites.)

I’m reading the new policies with an open mind, but… I’m very suspicious.

Regardless, I thought it was an opportunity to pull together the DorobekINSIDER Reader on the OMB cookie policy with background information, given that this has been going on for a long time…

The 2010 cookie/federal Web privacy policies:

* OMB policy M-10-22: Guidance for Online Use of Web Measurement and Customization Technologies [PDF] [Scribd]

* OMB policy M-10-23: Guidance for Agency Use of Third-Party Websites and Applications [PDF] [Scribd]

* The OMB “fact sheet” on the two policies

How these came about…
Giving OMB credit, they tried to evolve these policies in a relatively public way. As I seem to say a lot these days, I think they could have developed it in a public way. That being said, it would be nice if the comments were still available.

Here is some of the discussion:

White House blog post from July 24, 2009: Federal Websites: Cookie Policy
By federal CIO Vivek Kundra and Michael Fitzpatrick, associate administrator of OMB’s Office of Information and Regulatory Policy

During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on. But before we get into that, let’s provide some context.

In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a “shopping cart” at an online store, or have a website remember customized settings and preferences, cookies are being used.

Read the full post — and the comments — here.

* The Federal Register item that went along with that comment period.

* blog post: Enhancing Online Citizen Participation Through Policy [June 16, 2009]
By Kundra and Fitzpatrick

Last week, Vivek Kundra and Katie Stanton talked about the efforts underway to introduce more Web 2.0 technologies to the federal government sites and to open more back-and-forth communication between the American people and the government. Some of this naturally requires the adoption of new approaches and innovative technologies. But another big part of this is updating existing practices and how these tools can be used to break down barriers to communication and information.

We continue to ask for your feedback, but the best feedback is informed feedback. So what follows is background on current policies and some examples of what we’ve heard from you during the Brainstorming phase of our outreach.

Here is the specific section on cookies:

FEDERAL COOKIE POLICY: This has been a challenging issue to navigate. Put in place in 2000 to protect the privacy of Americans, the federal cookie policy limited the use of persistent cookies by federal agencies. A cookie, as many readers here know, is a small piece of software that tracks or authenticates web viewing activities by the user. In the nine years since this was put in place, website cookies have become more mainstream as users want sites to recognize their preferences or keep track of the items in their online shopping carts. We’ve heard a lot of feedback on this area. One person put it all together. “Persistent cookies are very useful as an indirect feedback mechanism for measuring effectiveness of government web sites . . . Cookies allow a greater level of accuracy in measuring unique visitors . . . Being able to look at returning visitors allows us to see what content is important to our citizens. We can use that data to improve the content and navigation of our sites.”

Recognizing the fundamental change in technology in the past nine years, and the feedback that we’ve received so far, the Office of Management and Budget (OMB) is reexamining the cookie policy as part of this Open Government Initiative. There is a tough balance to find between citizen privacy and the benefits of persistent cookies, and we would welcome your thoughts on how best to strike it.

Read the rest of the post here.

* blog: Cookies Anyone (the http kind)? [July 24, 2009]
By Bev Godwin, who was on assignment to the White House at the time. She is currently GSA’s Director of and the Office of Citizen Service’s Web Best Practices Office

Nine years ago – a lifetime in Internet time – the Office of Management and Budget (OMB) issued a policy commonly referred to as “the cookies policy.” This policy prohibited federal agencies from using certain web-tracking technologies, primarily persistent cookies, unless the agency head provided a waiver. This may sound like arcane, boring policy – but it is really important in the online world.

Unfortunately in this post, Godwin points to a site where people could post comments — unfortunately that page doesn’t seem to exist. It would be great to see the comments now.

* blog post: On Cookies [August 11, 2009]
By Kundra and Fitzpatrick

Over the past two weeks, during the public comment period on OMB’s cookie policy, we have received significant feedback and suggested revisions to the current policy. These comments reflect individual opinions on all sides of the issue.

Our main goal in revisiting the ban on using persistent cookies on Federal websites is to bring the federal government into the 21st century. Consistent with this Administration’s commitment to making government more open and participatory, we want federal agencies to be able to provide the same user-friendly, dynamic, and citizen-centric websites that people have grown accustomed to using when they shop or get news online or communicate through social media networks, while also protecting people’s privacy.

It is clear that protecting the privacy of citizens who visit government websites must be one of the top considerations in any new policy. This is why we’ve taken such a cautious approach going forward and why we felt it so important to get feedback and hear from people on this. While we wanted to get people’s ideas for improving our policy, we also needed to hear any concerns so that we could understand better where potential pitfalls might lie.

This privacy issue has recently received some attention in the media. We want to make it clear that the current policy on Federal agencies’ use of cookies has not changed. Moreover, the policy won’t change until we’ve read the public comments that have been submitted to ensure that we’re considering all sides of the issue and are addressing privacy concerns appropriately.

Continue reading the full post here.

Going back a decade… some of the discussion that led to the persistent cookie ban.

* Letter from then Commerce Department CIO Roger Baker, now the CIO at the Department of Veterans Affairs, to John Spotila on Federal agency use of Web cookies (July 28, 2000)

[The CIO Council] strongly support the requirement that the use of any technology, including persistent cookies, to track the activities of users on web sites be approved personally by the head of the executive department (for the 14 executive departments) or agency.

As we make progress towards electronic government, personalization of web sites, typically done through persistent cookies, may become necessary in order to serve our customer’s requirements. At that time, it would be appropriate for OMB to review the “no delegation” policy in light of the then-current “state-of-the-art” in privacy protections. For example, OMB may decide to relax this policy when customers are given a choice of selecting either a personalized (i.e., with persistent cookie) or non-personalized (no persistent cookie) web experience.

* Letter from Spotila to Baker, clarification of OMB Cookies Policy (September 5, 2000)

We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.

* M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000)

* M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)