The Federal Office of Management and Budget (OMB) is considering changing the cookie policy for federal government websites. In a recent Federal Register entry, they propose allowing Federal agencies to use cookies to track users to their websites, as long as those agencies:

• “Adhere to all existing laws and policies (including those designed to protect privacy) governing the collection, use, retention, and safeguarding of any data gathered from users;
• Post clear and conspicuous notice on the Web site of the use of Web tracking technologies;
• Provide a clear and understandable means for a user to opt-out of being tracked; and
• Not discriminate against those users who decide to opt- out, in terms of their access to information.”

The OMB is seeking comments on the proposed policy changes through August 10, 2009. Comments may be made on the OSTP blog.

In response, we offer the following comments:

Cookies are small text files used by web servers to maintain state information in the normally state-less Hyper Text Transfer Protocol (HTTP). There are concerns about the use of cookies on government websites:

[1] Most Internet users do not understand cookies, including thinking that they are viruses, or that they are bad all the time. (See V. Ha, K. Inkpen, F. Al Shaar, L. Hdeib, “An Examination of User Perception and Misconception of Internet Cookies”, Proc. of the Conf. on Human Factors in Computer Systems, Montreal, 2006, pp. 833-838)

[2] Web browsers, as currently implemented, do not allow cookies to meet the FTC’s Fair Information Practices (FIPS). For example, users are not given notice and made aware of a website’s use of cookies before those cookies are placed on their computers. Websites may mention cookies in their privacy policies, but studies show that most Internet users do not comprehend privacy policies, and think that the mere existence of a privacy policy makes their information secure, even if the privacy policy states “we share your information with everyone”! (See M.W. Vail, J.B. Earp, A.I. Antón, “An Empirical Study of Consumer Perceptions and Comprehension of Web Site Privacy Policies”, IEEE Trans. on Engineering Management, 55(3), Aug. 2008, pp. 442-454)

[3] Cookies do not meet the Choice/Consent FIP. In order to read a website’s privacy policy, a user must visit the website’s homepage, and then find the policy link and read it. However, most privacy policies express the concept of “implied consent,” i.e., simply visiting the homepage of the website implies consent with the privacy policy, without even having the opportunity to read it.

[4] Cookies do not meet the Access/Participation FIP. Modern browsers often contain cookie management utilities, to view and delete cookies stored on a user’s computer. Oftentimes, the information contained in the cookie is encrypted, or is a code or identifier that is only understandable to the website, but not the users. Users are unable to interpret the data contained in such cookies. Without understanding the data, users cannot verify the accuracy of such information.

[5] Cookies do not meet the Integrity/Security FIP. The cookie specification contains an expiration field, indicating the lifetime of the cookie. Many cookies are set with lifetimes of 10, 20, or 30 years. This is much longer than necessary.

[6] OMB’s proposal requires websites to provide a means “for a user to opt-out of being tracked.” However, opt-out cookies do not reliably opt a user out of the tracking. Automated cookie removal by antispyware utilities, and manual cookie deletion will delete the opt-out cookie along with other cookies on the user’s machine. Thus, the user is unknowingly opted-in to the tracking service.  To achieve reliable opt-out, modifications must be made to the design of antispyware utilities, web browsers, and whitelists of opt-out cookies must be maintained. (See P. Swire, A.I. Antón, Testimony before the Federal Trade Commission, Apr. 10, 2008)

Cookies have an important function in the design of the modern Internet, but raise legitimate privacy concerns that remain unadressed, especially within the context of government websites. The advantage of having website statistics may not outweigh the privacy cost. There are other means to evaluate a website, such as user focus groups, surveys, etc. These may be less effective, and subject to other biases, but the efficiency loss is well worth the privacy gained by not using cookies on government websites, until an alternative, privacy-preserving technology is developed.

This entry was posted by Jeremy Maxwell (jcmaxwe3@ncsu.edu) on Friday, July 31st, 2009 at 3:54 pm and is filed under Government Programs. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Note: Blog posts are the opinions of their authors and do not reflect the official opinion of the National Science Foundation or North Carolina State University.