Harmless Government Cookies Digg this entry Add this entry to del.icio.us bookmarks Add this entry to Slashdot bookmarks

Before deciding to post something here, tonight was a night like most nights. I was getting ready for bed, reading different news items from feeds I've stored on my Google Reader account. While doing so, Sarah asked me if I'd heard or read anything about the federal government's desire to resume using cookies on their websites after being restricted for the last 9 years.

<sidebar>

I believe there are two types of people when it comes to privacy issues. I'll call the first group advocates. These are the people you read about in the news, usually as part of an official sounding committee or privacy group, who actively go out and search for issues to report. This is done so that normal people, who aren't normally concerned about their privacy, can feel safer that someone is looking out for them. It's also so the privacy-aware (such as myself) can feel vindication that the world isn't safe at all. Going out on a limb, I'd say that 80% of advocates are politically motivated, even if they don't want to admit it. I'd also say that 80% of those 80% are leftists in some degree or another, due to the fact that businesses are reported more often than governments (unless the sitting government is pro-business).

The other privacy-related group, whom I will call pragmatists, don't really care to understand "who" is watching them. They're just upset that they're being watched. They don't want to be tracked or have their time wasted. They would prefer not to be acknowledged by anyone. They hate cold calls, and can't stand being asked "Do you need help with anything?" when out shopping. They might even use the NoScript extension for Firefox and turn off third-party cookies. To this person, life isn't about making the world a better place. It's about making their world quiet and efficient. I fit into this type.

</sidebar>

So Sarah explained the news item about the federal government cookies to me, and how it related to other recent news stories. My initial reaction was that this is just another non-story. Cookies have a bad reputation, but are generally harmless. They can be blocked by changing settings in your browser. They can be removed or even edited using a text editor. They are stored on your machine, so the user has full control over them.

The most common and altruistic reason for using cookies is not to track users, but to store login information. Without the use of cookies, logging on to your favorite website would be unreliable at best.

So it didn't bother me that the federal government wants to use cookies on their sites. Instead, I was shocked that they handcuffed themselves with this policy. It doesn't happen often, but my curiosity got the best of me, and I decided to read more about it.

Not surprisingly, the media is doing a terrible job of reporting on this issue. The articles are very vague. There's never mention of how, when or why cookies are a privacy concern; it's just accepted that they are. Most news articles are a rehash of the above blog post, which isn't much help. The subtext in each of the articles is that we should be concerned. And they leave it at that.

And then I was struck by the irony. Even when AOL and Prodigy were "the internet", there were anti-capitalists in the media who warned that cookies are evil, with no good explanation why, no distinction between first- and third-party cookies. Then, in June 2000, a group of privacy advocates protested the way cookies were being used on a government website. I feel pretty safe in guessing that these privacy groups belong to the 80% of the 80% described above, and these groups were happy to use the fear-filled media stories of prior years to get their point across.

Now that the federal government, run by anti-capitalists, wants permission to use tracking cookies on .gov websites without an uproar, they can't. It's just beautiful!

More Questions than Answers

The blog post which started this madness is a PR nightmare. It begins on the defensive by listing four propositions in their promise not to abuse the technology. They offer to:

  • Adhere to all existing laws and policies (including those designed to protect privacy) governing the collection, use, retention, and safeguarding of any data gathered from users;
  • Post clear and conspicuous notice on the website of the use of web tracking technologies;
  • Provide a clear and understandable means for a user to opt-out of being tracked; and
  • Not discriminate against those users who decide to opt-out, in terms of their access to information.

If there is a PR group behind this, they need to be fired. It raises a few questions:

  • Shouldn't the government adhere to laws and policies by default?
  • Is this a public admission that, in most cases, the government is above the law?
  • Which are they protecting us from -- their malice, or their ineptitude?
  • Can we also have clear and conspicuous notices on websites that aren't tracking users?
  • If so, would any exist now?
  • While so many websites are proudly advertising "Now with Web 2.0!" or "Now using the cloud!", can we expect .gov sites to proclaim "Now with cookies"? Because, seriously, that would be kind of funny.
  • Server logs can track user trends without needing the specificity of cookies. Are we being tracked through those? If so, can we have a notice for that?
  • If a user opts out of being tracked, how do you know that user has opted out, if not via the use of cookies?
  • Logins are useful in that they do discriminate against users. Specifically, those users who are not logged in. Does this policy mean your information will not improve as a result?

After a fun brainstorming session of these questions with Sarah's help, I then began to research the details of the cookie-crushing OMB directive. First, according to the 2000 article on the Wired website, the directive didn't ban cookies outright. It allowed cookies on government websites if "...a number of strict conditions are met, including approval by the agency head and the notification of users that cookies will be deployed". This explains why a visit to whitehouse.gov, irs.gov, and most other .gov websites will result in a tracking cookie named "WT_FPC" being stored on your computer. (Run for your life! You're being tracked already!).

As I see it, the point of the blog post, and this media flap in general, isn't to ask for permission to use cookies; they're already using them. It isn't to lift an outright ban on cookie use on .gov sites; the ban isn't outright. I don't even think it's to allow the use of first-party cookies without any approval process whatsoever, which is how most of the rest of the internet operates. Who would care if they started tracking, and didn't announce this? I know I wouldn't.

The real reason (hold on, it's tinfoil hat time!) goes back to the original OMB ruling.

The ruling was, according to Wired, a result of third-party cookies from DoubleClick being stored on the Office of National Drug Control Policy website. I believe that this was a legitimate privacy concern, regardless of whether I'm correct in my assumption the protest was politically motivated. With those third-party cookies in place, the government could obtain information from DoubleClick on searches and browser history of anyone who visits their site.

There are plenty of good reasons that browsers prevent websites from reading your entire history. This third-party tracking cookie, with the help of DoubleClick, would have allowed the government to circumvent those protections and, in doing so, violate your privacy. What caught the attention of privacy advocates is that this is the only reason you'd want such a tracking cookie. Not for logins, usability, or other user-centric enhancements. This was a government power-grab of information most would consider private.

I believe that the reason for the requested removal of the OMB directive corresponds to the reason it was created. Buried in the blog post, the administration requests your feedback about the "applicability and scope of such a framework on Federal agency use of third-party applications or websites". In other words, they explicitly want to allow the use of the same third-party cookies that prompted the draconian ban in the first place. Today, Google owns DoubleClick, and are becoming increasingly friendly with our elected officials.

Summary

There are more than a few stories covering this government request, and most of them are useless and watered-down. They contain no more information than similar articles in the mid-90's, which were so weak on details that they are likely the reason for the widespread belief that cookies in general are not neutral, but completely evil. With no explained distinction between first- and third-party cookies in the press, it's up to the government to inform the public of that distinction if they want the trust of their web users. They're not doing that.

So they're either idiots and they fail to understand how maligned the perception of cookies is, or they're not well-intentioned, and they wish to reinstitute the use of third-party tracking cookies. Due to the mention, in some couched language, that they might want to make use of third-party cookies, I'll have to go with the second option. If they were idiots, this really would be a non-story. As it stands today, I don't think this is the case.


2 CommentsRSS

1 Zac Grierson wrote: [6:50pm on March 14 2010]

Wow this is going to change the way i use/thinkabout cookies. Thanks was worth the read now to find other blogs you have got on stuff.

2 JD Wohlever wrote: [5:04am on August 9 2010]

Thought provoking and sound thinking on your part. We live in such a "tell everyone what I'm doing" society with places like Facebook, twitter and so forth I'm surprised that many people are as concerned about privacy when they turn right around and twitter the whole world about using the bathroom. Personally, I don't mind if the US Govt knows what I am doing on the net, however, that does not mean that I think they should be allowed to track anyone whomever them please. So revoking the earlier ban would be a smack in the face to all those who worked hard to get the cookie ban in the first place. Even though I don't mind right now if the government knows what I am doing, that doesn't mean that in some future administration of the US Govt. that I wouldn't feel differently. When Bush was in office I wouldn't want his administration to know anything about me. I'm not really a Democrat per say, just more of I didn't trust Bush as far as I could spit.

Comments are disabled for this entry.