Interesting People mailing list archives
White House quietly exempts YouTube from cookie privacy rules
From: David Farber <dave () farber net>
Date: Thu, 22 Jan 2009 20:18:55 -0500
While such technologies clearly exist, the vast majority of users of the WH ste will have no knowledge of them and no idea what to do. So while we, the knowledgeable, will preserve our privacy, the public MAY not djf
Begin forwarded message: From: Lauren Weinstein <lauren () vortex com> Date: January 22, 2009 5:26:24 PM EST To: David Farber <dave () farber net>Subject: Re: [IP] White House quietly exempts YouTube from cookie privacy rules
Dave, Without attempting to address here any legal, privacy policy, or appropriateness issues associated with YouTube use by the White House, it's worthwhile to note that the existing controls included in the most popular Web browsers already provide -- no add-ons required -- fine-grained control over cookie usage, including site-by-site and third-party cookies. There is no requirement that cookies be accepted to play YouTube videos -- they'll display just fine without them, whether embedded or not (unlike some sites, like CNN, which refuse to even play videos unless you take their cookies!) --Lauren-- Lauren Weinstein lauren () vortex com or lauren () pfir org Tel: +1 (818) 225-2800 http://www.pfir.org/lauren Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, NNSquad - Network Neutrality Squad - http://www.nnsquad.org Founder, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy Lauren's Blog: http://lauren.vortex.com - - - On 01/22 16:44, David Farber wrote:
Begin forwarded message: From: Christopher Soghoian <csoghoian () gmail com> Date: January 22, 2009 2:46:47 PM EST To: dave () farber net Subject: White House quietly exempts YouTube from cookie privacy rules Hi Dave, Following up on the IP discussion regarding the White House website's new privacy policy: I wrote up this story today: http://news.cnet.com/8301-13739_3-10147726-46.html At least right now, the White House site fails to deliver on the promises made in its privacy policy. Every visitor to the white house blog receives a YouTube cookie, not just those who actually click play to view the embedded YouTube video. White House quietly exempts YouTube from federal Web privacy rules The new website for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on site's policies relating to search engine robots, a far more interesting tidbid has so far escaped the public eye: the White Househas quietly exempted YouTube from strict rules regulating to the use ofcookies on federal agency websites. The new White House website privacy policy promises that the site will not use long-term tracking cookies, complying with a decade old ruleprohibiting such user tracking by federal agencies. However, the privacypolicy then reveals that Obama's legal team has exempted YouTube from this rule -- YouTube videos are embedded at various places around the White House website. While the White House might not be tracking visitors, the Google owned video sharing site is free to use persistent cookies to track thebrowsing behavior of millions of visitors to Obama's home in cyberspace.No other company has been singled out and rewarded with such a waiver. In a blog post back in November, I criticized the Obama TransitionTeam's Change.gov website for its use of embedded YouTube videos. At thetime, I stated that the practice might violate long-standing federalrules that forbid federal agencies from using persistent tracking cookies on their websites. It turns out that I was wrong: The transition team wastechnically not a federal agency and thus not bound by the anti-cookie rules. Now that Obama is President, his official website is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. Assoon as a visitor surfs to one of the blog pages that contain a YouTubevideo, a long-term tracking cookie is automatically set in the user's browser -- even for those users who do not click the "play" button. Someone on the Obama legal team seems to have read my previous blogpost, as they've modified the White House privacy policy to specificallyexclude YouTube's tracking cookies from federal rules that would otherwise prohibit their use:"For videos that are visible on WhiteHouse.gov, a 'persistent cookie' isset by third party providers when you click to play the video.This persistent cookie is used by YouTube to help maintain the integrityof video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie." YouTube and cookiesEach time a new user visits YouTube, a unique permanent tracking cookie is issued by the website to the user's browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the videosharing site, allowing it to identify users and monitor their video viewing habits.YouTube is also able to set and access a user's tracking cookie when shevisits a 3rd party webpage that has embedded a video stored on the YouTube site (such as a blog or other website), even if the user never clicks the play button.The moment that the flash file containing the video player is downloadedfrom YouTube's servers and displayed in the user's browser as part of another webpage, the cookie is transmitted to YouTube's servers.Considering how widespread the practice of embedding YouTube videos has become, this gives Google (which owns the site) an amazing amount of data on the web-browsing activities of hundreds of millions of Internet users -- many of whom may not realize that such tracking data is being collected.The White House policy is not being followed The YouTube related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that: "If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video." As of Thursday morning, this statement is false. In multiple tests by this blogger with both Internet Explorer andFirefox, merely visiting pages on the White House Blog causes YouTube to set a long-term tracking cookie in the browser -- even if the user does not press the play button to start the video. After 8 months, this cookie will be automatically deleted by the user's browser -- unless, of course,the user visits another web-page somewhere else on the Internet containing a YouTube embedded video, in which case, the 8 month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever. While it is obvious that I am rather critical of this entire affair, I am willing to give the Obama web team the benefit of the doubt in onearea -- the fact that their current web infrastructure does not deliveron the promises made by their privacy policy. The Obama White House website is only two days old, and so it is certainly possible that the team simply hasn't gotten around to deploying a more privacy preserving system for YouTube video embeds. Protecting users who do not click play from automatically receiving a cookie is certainly possible -- the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided thisvery feature. Let us hope that the Obama team deploys such a technologyin due course. Can YouTube be justified as a 'compelling need'?For the past 10 years, federal agencies have been prohibited from usingtracking cookies on their websites, except in a few special cases. The Office of Management and Budget rule M-03-22 states that: "Agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except .... [when there is] a compelling need."The question we must now focus on is this: Is the need for Obama to useembedded videos hosted by YouTube (and not, say, another company's video-streaming platform that does not force cookies upon its users) a use that can be reasonably described as compelling? Presumably, this has been justified on the basis that YouTube forces cookies on the visitors of any website that embeds one of its videos. However, while Joe or Jane blogger has no bargaining power with YouTube/Google, the federal government certainly does.In just the past couple weeks, YouTube has launched dedicated pages for both the House and Senate to show off their own videos, and the site alsorecently started allowing users to directly download copies of somevideos. This latter feature has not yet been widely deployed across thesite, and is seems to be limited to videos posted by Obama's team. Given the famously close connections between Obama and Google, you'd think his tech team could negotiate for a cookie-less way to embedvideos. At a technical level, this would be an easy enough change, even if it would deny Google the ability to collect even more information onmillions of Americans. Cookies and other federal agenciesFinally, the new White House YouTube rule may have a far broader impacton the way that federal agencies use Web 2.0 content. Simply put, if another federal agency embeds a YouTube video in its website withoutfirst having the agency's legal team issue a waiver, have federal rulesbeen violated? Up until this week, federal agencies have been free to embed Web 2.0content in their own sites without any real need to consider the privacy risks posed to end users. The fact that the White House Counsel has felt it necessary to issue such a waiver for YouTube videos appearing on the White House webpage could be reasonably interpreted to mean that such a waiver is now required for all embedded Web 2.0 content that might forcecookies upon end-users. This is certainly new legal ground.Consider, for example, the Transportation Security Administration, which has posted YouTube videos to its blog numerous times over the past year. Its privacy policy makes no mention of YouTube cookies. Could this leadto issues for the TSA web-team, or perhaps even congressional investigations? Given my own history with TSA, I certainly hope so. ------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/ Powered by Listbox: http://www.listbox.com
Current thread:
- White House quietly exempts YouTube from cookie privacy rules David Farber (Jan 22)
- <Possible follow-ups>
- White House quietly exempts YouTube from cookie privacy rules David Farber (Jan 22)
- Re: White House quietly exempts YouTube from cookie privacy rules David Farber (Jan 23)