Potential gov't cookie policy change prompts concerns

A potential change in the U.S. government's policy that would permit the broad use of Web cookies on government sites could "allow the mass collection of personal information," according to the American Civil Liberties Union.

The ACLU filed comments today on a proposal by the White House Office of Management and Budget to allow greater use of cookies on government Web sites. Since 2000, the OMB has permitted U.S. government Web sites to use cookies in limited cases, when there's a "compelling need" to gather the data, publicly disclosed privacy safeguards and personal approval by the head of the agency.

But the OMB and Vivek Kundra, the federal CIO, proposed late last month to broaden the use of cookies. Doing so would "create a more open and innovative government," Kundra and Michael Fitzpatrick, associate administrator of the OMB Office of Information and Regulatory Affairs, said in a blog post July 24.

Kundra and Fitzpatrick blogged about the potential use and rules of using multisession tracking cookies and persistent cookies. In their blog post, they asked for input on a new cookie policy.

"The implications of allowing the government to collect and store such information are staggering," wrote Christopher Calabrese, counsel for the ACLU's Technology & Liberty Project, in the comments filed on the cookie proposal. "As great as the privacy concerns are with the private use of cookies, their use by the government implicates privacy rights at a much more fundamental level. Americans use the Internet for everything. It is impossible to even summarize everything that the use of cookies might reveal to the government."

A spokesman with the White House Office of Science and Technology wasn't immediately available for comment on the ACLU concerns.

The ACLU isn't necessarily opposed to the U.S. government using cookies in some circumstances, but there need to be strong privacy safeguards in place, said Michael Macleod-Ball, acting director of the ACLU Washington Legislative Office.

"We'll have to put some very shielded boxes around the information that's being collected, retained and used," he said.

The Kundra and Fitzpatrick blog post also said the government shouldn't discriminate against Web surfers who opt out of government cookies. But Macleod-Ball suggested that the government should get opt-in permission before it assigns tracking cookies to visitors of government Web sites.

"I don't think the opt-out thing works for us in a government context," he said.

Many private Web sites allow users to opt out of tracking technologies, but few get opt-in permission before issuing tracking cookies.

While Macleod-Ball said he wasn't opposed to the government's use of some cookies, several people posting comments on OSTP's blog said they were opposed to the government collecting personal data.

"The current 'cookie' policy should be kept in place," one person wrote. "The potential for abuse in gathering a person's personal computer data is too great and yet another example of the Federal Government trying to intrude in the private lives of its citizens."

Another poster commented: "Keep your nose out of my business, your snitches off my back and your cookies out of my computer."

However, others commenting said the old cookie policy is outdated and doesn't allow the U.S. government to deliver many Web-based services.

"If permitted, persistent cookies will enable government websites to move to the next level in offering our patrons increased customization instead of one-size-fits-all websites," wrote Valerie Allen, Web manager for several government sites hosted by the U.S. Department of Energy's Office of Scientific and Technical Information. "These capabilities are routinely available on nongovernmental sites. As technologies advance, federal government websites may fall behind due to limited options open to developers, and with it an overall decrease in user satisfaction."

Users of government Web sites should get clear notice of the use of cookies and should be able to opt out, Allen added. In addition, multisession and persistent cookies should have privacy safeguards, she said.

FREE Computerworld Insider Guide: IT Certification Study Tips
Join the discussion
Be the first to comment on this article. Our Commenting Policies