OMB Requests Comments on Government Cookie Policy

The Federal Office of Management and Budget (OMB) is considering changing the cookie policy for federal government websites. In a recent Federal Register entry, it proposes allowing Federal agencies to use cookies to track users of their websites, as long as those agencies:

  • “Adhere to all existing laws and policies (including those designed to protect privacy) governing the collection, use, retention, and safeguarding of any data gathered from users;
  • Post clear and conspicuous notice on the Web site of the use of Web tracking technologies;
  • Provide a clear and understandable means for a user to opt-out of being tracked; and
  • Not discriminate against those users who decide to opt-out, in terms of their access to information.”

The OMB is seeking comments on the proposed policy changes through August 10, 2009. Comments may be made on the OSTP blog.

In response, we offer the following comments:

Cookies are small text files used by web servers to maintain state information in the normally stateless Hypertext Transfer Protocol (HTTP). There are concerns about the use of cookies on government websites:

[1] Most Internet users do not understand cookies; some think that they are viruses, or that they are bad all the time. (See V. Ha, K. Inkpen, F. Al Shaar, L. Hdeib, “An Examination of User Perception and Misconception of Internet Cookies”, Proc. of the Conf. on Human Factors in Computer Systems, Montreal, 2006, pp. 833-838)

[2] Web browsers, as currently implemented, do not allow cookies to meet the FTC’s Fair Information Practices (FIPs). For example, users are not given notice of, or made aware of, a website’s use of cookies before those cookies are placed on their computers. Websites may mention cookies in their privacy policies, but studies show that most Internet users do not comprehend privacy policies, and think that the mere existence of a privacy policy makes their information secure, even if the privacy policy states “we share your information with everyone”! (See M.W. Vail, J.B. Earp, A.I. Antón, “An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies”, IEEE Trans. on Engineering Management, 55(3), Aug. 2008, pp. 442-454)

[3] Cookies do not meet the Choice/Consent FIP. In order to read a website’s privacy policy, a user must visit the website’s homepage, and then find the policy link and read it. However, most privacy policies express the concept of “implied consent,” i.e., simply visiting the homepage of the website implies consent with the privacy policy, without even having the opportunity to read it.

[4] Cookies do not meet the Access/Participation FIP. Modern browsers often contain cookie management utilities, to view and delete cookies stored on a user’s computer. Oftentimes, the information contained in the cookie is encrypted, or is a code or identifier that is only understandable to the website, but not the users. Users are unable to interpret the data contained in such cookies. Without understanding the data, users cannot verify the accuracy of such information.

[5] Cookies do not meet the Integrity/Security FIP. The cookie specification contains an expiration field, indicating the lifetime of the cookie. Many cookies are set with lifetimes of 10, 20, or 30 years. This is much longer than necessary.

[6] OMB’s proposal requires websites to provide a means “for a user to opt-out of being tracked.” However, opt-out cookies do not reliably opt a user out of the tracking. Automated cookie removal by antispyware utilities and manual cookie deletion will delete the opt-out cookie along with other cookies on the user’s machine. Thus, the user is unknowingly opted-in to the tracking service. To achieve reliable opt-out, modifications must be made to the design of antispyware utilities and web browsers, and whitelists of opt-out cookies must be maintained. (See P. Swire, A.I. Antón, Testimony before the Federal Trade Commission, Apr. 10, 2008)
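The lifetime concern in item [5] can be checked mechanically against the `Set-Cookie` headers a site returns. The following is an added example, not part of the original comments: the one-year limit, the audit date and the sample headers are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=365)  # assumed review threshold, not an OMB figure

def cookie_lifetime(set_cookie, now):
    """Return (name, lifetime) for one Set-Cookie header value.
    lifetime is None for a session cookie (no usable Max-Age or Expires)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            return name, timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # malformed Max-Age: fall back to Expires
    if "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, None  # unparseable date: treated as a session cookie
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return name, exp - now
    return name, None

def audit(headers, now, limit=MAX_LIFETIME):
    """Return [(name, lifetime_in_days)] for cookies that outlive the limit."""
    findings = []
    for h in headers:
        name, life = cookie_lifetime(h, now)
        if life is not None and life > limit:
            findings.append((name, life.days))
    return findings

# Constructed sample headers and audit date (not captured from a real site).
NOW = datetime(2009, 8, 1, tzinfo=timezone.utc)
SAMPLE = [
    "sid=abc123; Path=/; HttpOnly",                                   # session
    "visitor=7f3a9c; Expires=Fri, 01 Jan 2038 00:00:00 GMT; Path=/",  # ~28 years
    "prefs=lang-en; Max-Age=315360000",                               # 3650 days
    "optout=1; Max-Age=2592000; Path=/",                              # 30 days
]

if __name__ == "__main__":
    for name, days in audit(SAMPLE, NOW):
        print(f"{name}: {days} days ({days / 365.25:.1f} years)")
```
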

Cookies have an important function in the design of the modern Internet, but raise legitimate privacy concerns that remain unaddressed, especially within the context of government websites. The advantage of having website statistics may not outweigh the privacy cost. There are other means to evaluate a website, such as user focus groups, surveys, etc. These may be less effective, and subject to other biases, but the efficiency loss is well worth the privacy gained by not using cookies on government websites, until an alternative, privacy-preserving technology is developed.
