DorobekInsider

Focusing on six words: Helping government do its job better

Archive for the ‘privacy’ Category

DorobekINSIDER Reader: Federal Internet cookie policies


The Office of Management and Budget has just issued a new policy for dealing with Internet “cookies” — these are text files that a Web site can put on your computer to track how you traverse the site.

Cookies enable Web site personalization — for example, they allow a Web site to remember you and, maybe, the items you put in your online shopping cart. But they have always been watched by some privacy advocates because of the potential implications — for example, they could track a visitor’s travels to other sites. [Read how cookies work here… and how to delete them here.]

The federal government has been all but banned from using persistent Internet cookies because of those privacy concerns. OMB has just issued new policy guidance that would enable agencies to use this tool. And Federal News Radio’s Max Cacas reported on the new policies on the Dorobek Insider on Friday. You can find his report here.

This is an issue I’ve followed for a long time (here is the FCW editorial I wrote on the subject back in 2006) — and, to be honest, I’m suspicious of the new policy. That being said, I have just started reading them.

The new OMB policy seeks to re-balance the privacy considerations given that the ban was instituted more than a decade ago. The idea: Times have changed and people are more accepting of these tools.

As I say, I’m reading the policies now, but… It is important to be very clear — agencies were absolutely not banned from using cookies. They had been banned from using PERSISTENT cookies — cookies that can track you long term. I didn’t get a chance to read all the comments that came in — and unfortunately OMB has not kept those comments online. And I still have to read the policies, but… I have yet to hear a convincing argument why agencies must have persistent cookies. Some argue that the private sector does it, but that argument is specious — the government is not the private sector. In the end, it doesn’t matter what the private sector does. (Should government follow the Facebook privacy model?)

Let’s be very clear — this is not the most critical privacy issue facing government. That being said, it doesn’t help. People are already distrustful of government. I have yet to be convinced of the enormous public good that comes from using this tracking tool that one cannot accomplish otherwise. Again, agencies can use cookies — just not persistent cookies. How does it make people feel about their government if they feel like they are being tracked? (The stopwatch is running until the first story comes out of people using cookies to actually track people using government Web sites.)

I’m reading the new policies with an open mind, but… I’m very suspicious.

Regardless, I thought it was an opportunity to pull together the DorobekINSIDER Reader on the OMB cookie policy with background information, given that this has been going on for a long time…

The 2010 cookie/federal Web privacy policies:

* OMB policy M-10-22: Guidance for Online Use of Web Measurement and Customization Technologies [PDF] [Scribd]

* OMB policy M-10-23: Guidance for Agency Use of Third-Party Websites and Applications [PDF] [Scribd]

* The OMB “fact sheet” on the two policies


How these came about…
Giving OMB credit, they tried to evolve these policies in a relatively public way. As I seem to say a lot these days, I think they could have developed it in a public way. That being said, it would be nice if the comments were still available.

Here is some of the discussion:

White House blog post from July 24, 2009: Federal Websites: Cookie Policy
By federal CIO Vivek Kundra and Michael Fitzpatrick, associate administrator of OMB’s Office of Information and Regulatory Policy

During the Open Government Initiative outreach, Federal employees and the public have asked us questions about the federal government’s policy on cookies. As part of our effort to create a more open and innovative government, we’re working on a new cookie policy that we’ll want your input on. But before we get into that, let’s provide some context.

In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a “shopping cart” at an online store, or have a website remember customized settings and preferences, cookies are being used.

Read the full post — and the comments — here.

* The Federal Register item that went along with that comment period.

* WhiteHouse.gov blog post: Enhancing Online Citizen Participation Through Policy [June 16, 2009]
By Kundra and Fitzpatrick

Last week, Vivek Kundra and Katie Stanton talked about the efforts underway to introduce more Web 2.0 technologies to the federal government sites and to open more back-and-forth communication between the American people and the government. Some of this naturally requires the adoption of new approaches and innovative technologies. But another big part of this is updating existing practices and how these tools can be used to break down barriers to communication and information.

We continue to ask for your feedback, but the best feedback is informed feedback. So what follows is background on current policies and some examples of what we’ve heard from you during the Brainstorming phase of our outreach.

Here is the specific section on cookies:

FEDERAL COOKIE POLICY: This has been a challenging issue to navigate. Put in place in 2000 to protect the privacy of Americans, the federal cookie policy limited the use of persistent cookies by federal agencies. A cookie, as many readers here know, is a small piece of software that tracks or authenticates web viewing activities by the user. In the nine years since this was put in place, website cookies have become more mainstream as users want sites to recognize their preferences or keep track of the items in their online shopping carts. We’ve heard a lot of feedback on this area. One person put it all together. “Persistent cookies are very useful as an indirect feedback mechanism for measuring effectiveness of government web sites . . . Cookies allow a greater level of accuracy in measuring unique visitors . . . Being able to look at returning visitors allows us to see what content is important to our citizens. We can use that data to improve the content and navigation of our sites.”

Recognizing the fundamental change in technology in the past nine years, and the feedback that we’ve received so far, the Office of Management and Budget (OMB) is reexamining the cookie policy as part of this Open Government Initiative. There is a tough balance to find between citizen privacy and the benefits of persistent cookies, and we would welcome your thoughts on how best to strike it.

Read the rest of the post here.

* WhiteHouse.gov blog: Cookies Anyone (the http kind)? [July 24, 2009]
By Bev Godwin, who was on assignment to the White House at the time. She is currently GSA’s Director of USA.gov and the Office of Citizen Service’s Web Best Practices Office

Nine years ago – a lifetime in Internet time – the Office of Management and Budget (OMB) issued a policy commonly referred to as “the cookies policy.” This policy prohibited federal agencies from using certain web-tracking technologies, primarily persistent cookies, unless the agency head provided a waiver. This may sound like arcane, boring policy – but it is really important in the online world.

Unfortunately in this post, Godwin points to a site where people could post comments — http://blog.ostp.gov/2009/07/24/cookiepolicy. Unfortunately that page doesn’t seem to exist. It would be great to see the comments now.

* WhiteHouse.gov blog post: On Cookies [August 11, 2009]
By Kundra and Fitzpatrick

Over the past two weeks, during the public comment period on OMB’s cookie policy, we have received significant feedback and suggested revisions to the current policy. These comments reflect individual opinions on all sides of the issue.

Our main goal in revisiting the ban on using persistent cookies on Federal websites is to bring the federal government into the 21st century. Consistent with this Administration’s commitment to making government more open and participatory, we want federal agencies to be able to provide the same user-friendly, dynamic, and citizen-centric websites that people have grown accustomed to using when they shop or get news online or communicate through social media networks, while also protecting people’s privacy.

It is clear that protecting the privacy of citizens who visit government websites must be one of the top considerations in any new policy. This is why we’ve taken such a cautious approach going forward and why we felt it so important to get feedback and hear from people on this. While we wanted to get people’s ideas for improving our policy, we also needed to hear any concerns so that we could understand better where potential pitfalls might lie.

This privacy issue has recently received some attention in the media. We want to make it clear that the current policy on Federal agencies’ use of cookies has not changed. Moreover, the policy won’t change until we’ve read the public comments that have been submitted to ensure that we’re considering all sides of the issue and are addressing privacy concerns appropriately.

Continue reading the full post here.

Going back a decade… some of the discussion that led to the persistent cookie ban.

* Letter from then Commerce Department CIO Roger Baker, now the CIO at the Department of Veterans Affairs, to John Spotila on Federal agency use of Web cookies (July 28, 2000)

[The CIO Council] strongly support the requirement that the use of any technology, including persistent cookies, to track the activities of users on web sites be approved personally by the head of the executive department (for the 14 executive departments) or agency.

As we make progress towards electronic government, personalization of web sites, typically done through persistent cookies, may become necessary in order to serve our customer’s requirements. At that time, it would be appropriate for OMB to review the “no delegation” policy in light of the then-current “state-of-the-art” in privacy protections. For example, OMB may decide to relax this policy when customers are given a choice of selecting either a personalized (i.e., with persistent cookie) or non-personalized (no persistent cookie) web experience.

* Letter from Spotila to Baker, clarification of OMB Cookies Policy (September 5, 2000)

We are concerned about persistent cookies even if they do not themselves contain personally identifiable information. Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator. For instance, a person using the computer later may give his or her name or e-mail address to the agency. It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.

* M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000)

* M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)

Written by cdorobek

June 26, 2010 at 4:21 PM

DorobekINSIDER: News Channel 8 discussing cyber-war — is it real?


I will be on NewsChannel 8’s Federal News Tonight at 7:30p tonight — and we’ll be talking about the ongoing debate: Is the threat of cyber-war exaggerated?

As I mentioned earlier, this question was the subject of an Intelligence Squared debate earlier this month.

You can hear the debate here… or see the debate here.

We are looking for your thoughts… how would you answer the question: The threat of a cyber-war is exaggerated?

Arguing that the threat of cyber-war was exaggerated were:
* Marc Rotenberg, executive director of the Electronic Privacy Information Center (EPIC)
* Bruce Schneier, the cryptographer, computer security specialist, and writer who is the founder and chief technology officer of BT Counterpane, formerly Counterpane Internet Security. He writes the popular Schneier on Security blog.

And in opposition:
* Mike McConnell, former vice admiral in the Navy, the former director of the National Security Agency and the former Director of National Intelligence. He now works for Booz Allen Hamilton.
* Jonathan Zittrain, professor of Internet law at Harvard Law School and a faculty co-director of Harvard’s Berkman Center for Internet & Society. He writes the Future of the Internet blog and is on Twitter.

Some additional resources:

There currently are more than 40 cyber-security bills somewhere in the legislative process on Capitol Hill.

After heading up the President’s 60-day Cyberspace Review last year, Melissa Hathaway has some analysis. She has compiled all that knowledge in a 31-page report which broke down the different bills into sections. Nine bills make the legislation to watch list, including updates to FISMA. Hathaway also says there is a great need for more public awareness of cybersecurity issues both in the U.S. and abroad.

That assessment came before Sens. Joe Lieberman (DI-Conn.), Olympia Snowe (R-Maine) and Tom Carper introduced the Protecting Cyberspace as a National Asset Act, which was discussed at a hearing today. (More information on the hearing here.) Today on Federal News Radio 1500 AM’s Dorobek Insider, we spoke to Bob Gourley, the former chief technology officer at the Defense Intelligence Agency and the editor in chief of CTOVision.com, who said he thinks the bill would be a step forward. (Read his post here.)

Finally, Gen. Dale Meyerrose, former CIO of the Office of the Director of National Intelligence, addressed this issue on Federal News Radio 1500 AM’s In Depth with Francis Rose. More here.

Written by cdorobek

June 15, 2010 at 5:55 PM

The DorobekInsider reader: Obama cyber policy review


As most people know, President Obama spoke today about cyber-security and the White House posted the results of the 60-day top-to-bottom review of the government’s cyber-security initiatives. (I was on DC’s WTOP radio earlier today talking about this issue. You can hear that here.)

Some of the links:

* The President’s remarks themselves. You can hear President Obama’s remarks here.

* The White House cyber-security policy review: Titled Cyberspace Policy Review: Assuring a trusted and resilient information and communications infrastructure [PDF]

* WhiteHouse.gov blog post by Melissa Hathaway, Cybersecurity Chief at the National Security Council — Securing Our Digital Future

We are late in addressing this critical national need and our response must be focused, aggressive, and well-resourced. We have garnered great momentum in the last few months, and the vision developed in our review is based on the important input we received from industry, academia, the civil liberties and privacy communities, others in the Executive Branch, State governments, Congress, and our international partners. We now have a strong and common view of what is needed to achieve change. Ensuring that cyberspace is sufficiently resilient and trustworthy to support U.S. goals of economic growth, civil liberties and privacy protections, national security, and the continued advancement of democratic institutions requires making cybersecurity a national priority.

* Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris will be all over this story this afternoon. More links to come, but you can find them all here.
Among the people we have heard from today:

— Federal News Radio’s Jason Miller spoke to a number of people today about the report including Karen Evans, among others. Hear Miller’s report here
— Randy Sabett… he is a partner in the Washington office of Sonnenschein Nath & Rosenthal; served as a Commissioner on the Commission on Cyber Security for the 44th Presidency. Hear our conversation with Sabett here
— Greg Nojeim, senior counsel at the Center for Democracy and Technology. Read CDT’s assessment here… Hear our conversation with Nojeim here

* Federal Drive: Fmr ODNI CIO Meyerrose analysis of cyberchanges [05.29.2009]

* NYT: Pentagon Plans New Arm to Wage Cyberspace Wars [5.29.2009]

The Pentagon plans to create a new military command for cyberspace, administration officials said Thursday, stepping up preparations by the armed forces to conduct both offensive and defensive computer warfare.

Some background:

* Federal News Radio 1500 AM’s Federal Security Spotlight featuring highlights of a speech by Hathaway. Hear part one here… part two here.

* Commission on Cyber Security for the 44th Presidency… Read the commission’s fact sheet [PDF]

* Congressional Research Service report: Comprehensive National Cybersecurity Initiative: Legal authorities and policy considerations [PDF, March 10, 2009, hat tip: TechPresident]

Of course the big question now — who will be the cyber “czar.” (Reuters has an interesting story about the Obama czars. My favorite quote from the story: Obama has “more czars than the Romanovs,” who ruled Russia for three centuries — Sen. John McCain (R-AZ).)

Written by cdorobek

May 29, 2009 at 12:57 PM

What would you ask Team Obama — change.gov is now ‘open for questions’

with 3 comments

Many of us are watching the Obama transition Web site change.gov for indications about how the new administration might tap into the Web 2.0 as a tool for governing. And we’re getting a very interesting peek with the newest feature on the Change.gov Web site — “open for questions.”

The Obama-Biden Transition wants to hear from you. The transition team, using the Google Moderator application, lets people post their questions for the transition team — but, more importantly, it lets you go in and grade those questions — yes, you would like to get this question answered, no you wouldn’t, or “flag as inappropriate.”

Here is the Change.gov blog post about ‘open for questions’:

With so many Americans involved in the political process for the first time, there’s a great deal of interest in what’s happening inside the Transition right now — and what happens next.

Today, we’re rolling out a new feature that lets you ask the Transition team any questions you have about the issues that are important to you.

You can also browse through questions other folks have and check off the ones you think are the most interesting.

The Change.gov community has jumped into a true two-way dialogue with our Transition team members. So far, we’ve asked you questions about major issues in our discussion forums, and you’ve flooded this site with your comments (see here or here).

Check out our new “Open for Questions” feature, and keep the conversation going.

There are many interesting issues here — some of them the government questions. So the transition team posts the following disclaimer:

Have feedback on this system or want to suggest a better way to do this? Let us know. Before asking a question, please review our comment policy.

Disclaimer: This tool is powered by Google Moderator, a third party service. Here is their privacy policy and terms of service.

Does that mean that they don’t have to follow the Privacy Act — the site requires that you sign in, but… how does that relate to privacy laws? Did they compete this application? And there are already questions about whether uncomfortable questions are disappearing by being flagged as inappropriate. Really?

Getting away from those more bureaucratic questions, I absolutely adore the idea. In the end, it is similar to the popular Digg site… and similar to the ObamaCTO.org Web site, which has grown into something of a portal of various issue areas — including what kind of dog the Obamas should get. (More on ObamaCTO.org here… and hear our conversation with the creator of ObamaCTO.org on Federal News Radio 1500 AM’s Daily Debrief with Chris Dorobek and Amy Morris.) By the way, ObamaCTO.org is powered by an application called UserVoice.

And… then there are the actual questions.

According to the site, these are among the leaders:

  • “What will you do to establish transparency and safeguards against waste with the rest of the Wall Street bailout money?”
  • “What will you do as President to restore the Constitutional protections that have been subverted by the Bush Administration and how will you ensure that our system of checks and balances is renewed?”
  • “Will you lift the ban on Stem Cell research in your first 100 days in office?”
  • “What will you do to end the use of mercenary forces (ie Blackwater) by our military?”

Read others… after the break…

Written by cdorobek

December 11, 2008 at 8:39 AM

Presidential cookies… and your privacy

If the presidential candidates’ Web sites were government Web sites, they would violate federal privacy rules.

The Web sites of both presidential candidates use Web cookies. Web cookies, to use the definition that the NIST Web site uses, are “small bits of text that are either used for the duration of a session (“session cookies”) or saved on a user’s hard drive in order to identify that user, or information about that user, the next time the user logs on to a Web site (“persistent cookies”).” By OMB mandate as part of the E-Gov Act, persistent cookies are not allowed on federal Web sites unless specifically approved — and the approval process is somewhat arduous, so few do it.

I am interested to see who uses cookies and why. The issue is controversial in the Web world. Privacy advocates are not big fans of cookies — they can let a site track where you’ve been and how you make your way through a Web site. Web content managers love them because they can show how users actually use the Web site so they can make it better. They also allow you to save a password or remember where you’ve been on a Web site, for example.

Frankly, most people just don’t think about it — not unlike many privacy issues, to be honest. (I follow this issue occasionally… See FCW Insider posts I did on the topic here… and here… and here.)

So I thought it would be interesting to see how the presidential candidates deal with the issue — and while both the Obama and McCain Web sites use persistent cookies, they both talk about it in their Web privacy policies.

BarackObama.com

As I mentioned, the Web site of the Obama for President campaign does use persistent cookies — as you can see, this cookie expires on September 26, 2010. But the campaign does a good job of explaining the whole thing on the campaign’s privacy policy:

Browser information collected on the web site:

We log IP addresses, which are the locations of computers or networks on the Internet, and analyze them in order to improve the value of our site. We also collect aggregate numbers of page hits in order to track the popularity of certain pages and improve the value of our site. We do not gather, request, record, require, collect or track any Internet users’ Personal Information through these processes.

We use cookies on our site. A “cookie” is a tiny text file that we store on your computer to customize your experience and support some necessary functions. We also use cookies to better understand how our visitors use our site. Our cookies contain no Personal Information and are neither shared nor revealed to other sites. We do not look for or at other sites’ cookies on your computer.

You also have choices with respect to cookies. By modifying your browser preferences, you can accept all cookies, be notified when a cookie is set, or reject all cookies. (For more information on how to block or filter cookies, see http://www.cookiecentral.com/faq.) However, if you reject some or all cookies, your experience at our site and other sites throughout the World Wide Web may not be complete. Also, you would be unable to take advantage of personalized content delivery offered by other Internet sites or by us.

We may use pixel tags (also known as web beacons or clear GIF files) or other tracking technology to help us manage our online advertising and to analyze and measure the effectiveness of online advertising campaigns and the general usage patterns of visitors to our Web site. Such technologies may also be used by third party advertising service providers who serve or assist us in managing ads on our site, such as DoubleClick, Yahoo Tremor and 24/7 RealMedia. These files enable us or these third parties to recognize a unique cookie on your Web browser, which in turn enables us to learn which advertisements bring users to our website and to deliver advertising targeted to your interests. The information that is collected and shared using these pixel tags and similar technology is anonymous and not personally identifiable. It does not contain your name, address, telephone number, or email address. We are not responsible for and do not control any actions or policies of any third party advertising technology service providers or of any third party members of any related advertising networks. For more information about DoubleClick, including information about how to opt out of the use of these technologies by DoubleClick, go to http://www.doubleclick.net/us/corporate/privacy. To opt out of collection by 24/7 Real Media, please visit: http://www.247realmedia.com/opt-out.html. To opt out of collection by Yahoo Search Marketing, please go to http://info.yahoo.com/privacy/us/yahoo/ysmt/details.html.

Obama’s Web site also had a cookie that expired… in 1919. Hmmm.

JohnMcCain.com

The Web site of McCain for President also uses persistent cookies — see the cookie here that expires on Dec. 31, 2019. But, again, the campaign does a good job of explaining the what and why on the campaign’s privacy policy:

How we use log files to better serve you: We use log files to assess the aggregate level of traffic to JohnMcCain.com including what pages people are visiting, and to diagnose any potential problems with the Web site. This log file does contain an “Internet Protocol” or IP address that gives us insight on the general geographic area that visitors are coming from but not information on a specific individual. All users remain anonymous unless they choose to give us personally identifiable information, or log in to the website using a username and password or through a cookie stored on the user computer.

Information collected when you donate: When you make a contribution to John McCain 2008, federal law requires us to collect and report the following information: name, mailing address, employer, occupation, and amount of contribution. Federal law requires us to report this information to the Federal Election Commission if an individual’s contribution or contributions aggregate in excess of $200 in a single election cycle. Contributions from corporations, government contractors, foreign nationals without a “green card,” and minors (individuals under the age of 18) are prohibited. Any credit card information provided is only used to immediately process your donation. John McCain 2008 does not retain your credit card information once the donation is processed online. John McCain 2008 may also choose to publicly disclose donors online or in other methods.

Use of cookies and protecting your privacy: We do make use of cookies to personalize and customize your interaction with JohnMcCain.com and to provide you with the best possible online experience. A cookie is a tiny text file that is placed on your hard drive and does not contain any personal information about you.

Cookies are a privacy low hanging fruit, and that’s why I often check in on them. Often the biggest issue with privacy is giving people the option — telling them what you are doing and letting them decide — transparency, even.

Earlier in the year when I looked at all of the campaigns’ cookies, the campaign with the most persistent cookies: Rudy Giuliani. Cookies on his Web site expired on January 17, 2038… but even he had an explainer.
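The session-versus-persistent check described in this post can be automated. The following is an added example, not code from the original post or from either campaign: it classifies `Set-Cookie` header values as session, persistent or already expired, and reports the lifetime of persistent ones. The cookie names and values are constructed; only the expiry dates echo those mentioned above, and the observation date is assumed to be the date of the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample headers: names and values are made up; the Expires
# dates reuse the expiry dates mentioned in the post.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/",
    "visitor=1f0e; Expires=Sun, 26 Sep 2010 00:00:00 GMT; Path=/",
    "legacy=x; Expires=Wed, 01 Jan 1919 00:00:00 GMT",
    "prefs=large; Expires=Tue, 31 Dec 2019 23:59:59 GMT",
    "track=9; Expires=Sun, 17 Jan 2038 00:00:00 GMT",
    "ab=1; Max-Age=3600; Expires=Sun, 17 Jan 2038 00:00:00 GMT",
]
OBSERVED_AT = datetime(2008, 10, 15, tzinfo=timezone.utc)  # assumed audit date


@dataclass
class CookieVerdict:
    name: str
    kind: str                      # "session", "persistent" or "expired"
    expires: Optional[datetime]    # None for session cookies
    lifetime_days: Optional[int]   # only set for persistent cookies


def _expiry(attrs: Dict[str, str], observed_at: datetime) -> Optional[datetime]:
    """Return the effective expiry; Max-Age takes precedence over Expires."""
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?\d+", max_age):
        # Clamp so absurd values cannot overflow datetime arithmetic.
        seconds = max(-10**10, min(int(max_age), 10**10))
        return observed_at + timedelta(seconds=seconds)
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None  # unparseable date: the attribute is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return when
    return None


def classify_set_cookie(header_value: str, observed_at: datetime) -> CookieVerdict:
    """Classify one Set-Cookie header value as seen at observed_at."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    expires = _expiry(attrs, observed_at)
    if expires is None:
        # No usable expiry: the cookie lasts only for the browser session.
        return CookieVerdict(name, "session", None, None)
    if expires <= observed_at:
        # An expiry in the past tells the browser to discard the cookie.
        return CookieVerdict(name, "expired", expires, None)
    return CookieVerdict(name, "persistent", expires, (expires - observed_at).days)


def persistent_cookies(headers: List[str], observed_at: datetime) -> List[CookieVerdict]:
    """Return only the cookies that would survive a browser restart."""
    verdicts = [classify_set_cookie(h, observed_at) for h in headers]
    return [v for v in verdicts if v.kind == "persistent"]


if __name__ == "__main__":
    for v in (classify_set_cookie(h, OBSERVED_AT) for h in SAMPLE_HEADERS):
        print(f"{v.name:8} {v.kind:10} expires={v.expires} days={v.lifetime_days}")
```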

Written by cdorobek

October 15, 2008 at 7:39 AM