White House quietly exempts YouTube from cookie privacy rules

[David Farber <dave () farber net>]

While such technologies clearly exist, the vast majority of users of  
the WH ste will have no knowledge of them and no idea what to do. So  
while we, the knowledgeable, will preserve our privacy, the public MAY  
not   djf


Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: January 22, 2009 5:26:24 PM EST
To: David Farber <dave () farber net>
Subject: Re: [IP] White House quietly exempts YouTube from cookie  
privacy rules


Dave,

Without attempting to address here any legal, privacy policy, or
appropriateness issues associated with YouTube use by the White House,
it's worthwhile to note that the existing controls included in the
most popular Web browsers already provide -- no add-ons required --
fine-grained control over cookie usage, including site-by-site and
third-party cookies.

There is no requirement that cookies be accepted to play YouTube
videos -- they'll display just fine without them, whether embedded
or not (unlike some sites, like CNN, which refuse to even play
videos unless you take their cookies!)

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
  - People For Internet Responsibility - http://www.pfir.org
Co-Founder, NNSquad
  - Network Neutrality Squad - http://www.nnsquad.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com

- - -

On 01/22 16:44, David Farber wrote:
> Begin forwarded message:
>
> From: Christopher Soghoian <csoghoian () gmail com>
> Date: January 22, 2009 2:46:47 PM EST
> To: dave () farber net
> Subject: White House quietly exempts YouTube from cookie privacy rules
>
> Hi Dave,
>
> Following up on the IP discussion regarding the White House website's
> new privacy policy:
>
> I wrote up this story today: http://news.cnet.com/8301-13739_3-10147726-46.html
>
> At least right now, the White House site fails to deliver on the
> promises made in its privacy policy. Every visitor to the white house
> blog receives a YouTube cookie, not just those who actually click play
> to view the embedded YouTube video.
>
>
> White House quietly exempts YouTube from federal Web privacy rules
>
> The new website for Obama's White House is already drawing attention
> from privacy activists and tech bloggers. While the initial focus has
> been on site's policies relating to search engine robots, a far more
> interesting tidbid has so far escaped the public eye: the White House
> has quietly exempted YouTube from strict rules regulating to the use  
> of
> cookies on federal agency websites.
>
> The new White House website privacy policy promises that the site will
> not use long-term tracking cookies, complying with a decade old rule
> prohibiting such user tracking by federal agencies. However, the  
> privacy
> policy then reveals that Obama's legal team has exempted YouTube from
> this rule -- YouTube videos are embedded at various places around the
> White House website.
>
> While the White House might not be tracking visitors, the Google owned
> video sharing site is free to use persistent cookies to track the
> browsing behavior of millions of visitors to Obama's home in  
> cyberspace.
>
> No other company has been singled out and rewarded with such a waiver.
>
> In a blog post back in November, I criticized the Obama Transition
> Team's Change.gov website for its use of embedded YouTube videos. At  
> the
> time, I stated that the practice might violate long-standing federal
> rules that forbid federal agencies from using persistent tracking  
> cookies
> on their websites. It turns out that I was wrong: The transition  
> team was
> technically not a federal agency and thus not bound by the anti-cookie
> rules.
>
> Now that Obama is President, his official website is required to abide
> by the cookie regulations. Furthermore, as of Wednesday afternoon,
> several YouTube videos have been embedded on the White House blog. As
> soon as a visitor surfs to one of the blog pages that contain a  
> YouTube
> video, a long-term tracking cookie is automatically set in the user's
> browser -- even for those users who do not click the "play" button.
>
> Someone on the Obama legal team seems to have read my previous blog
> post, as they've modified the White House privacy policy to  
> specifically
> exclude YouTube's tracking cookies from federal rules that would
> otherwise prohibit their use:
>
> "For videos that are visible on WhiteHouse.gov, a 'persistent  
> cookie' is
> set by third party providers when you click to play the video.
>
> This persistent cookie is used by YouTube to help maintain the  
> integrity
> of video statistics. A waiver has been issued by the White House
> Counsel's office to allow for the use of this persistent cookie."
>
> YouTube and cookies
>
> Each time a new user visits YouTube, a unique permanent tracking  
> cookie
> is issued by the website to the user's browser, which it stores.  
> Whenever
> the user later revisits YouTube, that cookie is transmitted to the  
> video
> sharing site, allowing it to identify users and monitor their video
> viewing habits.
>
> YouTube is also able to set and access a user's tracking cookie when  
> she
> visits a 3rd party webpage that has embedded a video stored on the
> YouTube site (such as a blog or other website), even if the user never
> clicks the play button.
>
> The moment that the flash file containing the video player is  
> downloaded
> from YouTube's servers and displayed in the user's browser as part of
> another webpage, the cookie is transmitted to YouTube's servers.
> Considering how widespread the practice of embedding YouTube videos  
> has
> become, this gives Google (which owns the site) an amazing amount of  
> data
> on the web-browsing activities of hundreds of millions of Internet  
> users
> -- many of whom may not realize that such tracking data is being 
> collected.
>
> The White House policy is not being followed
>
> The YouTube related text in the new White House privacy policy implies
> that not all users will be tracked by YouTube. The policy notes that:
>
> "If you would like to view a video without the use of persistent
> cookies, a link to download the video file is typically provided just
> below the video."
>
> As of Thursday morning, this statement is false.
>
> In multiple tests by this blogger with both Internet Explorer and
> Firefox, merely visiting pages on the White House Blog causes  
> YouTube to
> set a long-term tracking cookie in the browser -- even if the user  
> does
> not press the play button to start the video. After 8 months, this  
> cookie
> will be automatically deleted by the user's browser -- unless, of  
> course,
> the user visits another web-page somewhere else on the Internet
> containing a YouTube embedded video, in which case, the 8 month cookie
> clock is reset. Given how widespread YouTube video embeds have become,
> this cookie essentially lasts forever.
>
> While it is obvious that I am rather critical of this entire affair, I
> am willing to give the Obama web team the benefit of the doubt in one
> area -- the fact that their current web infrastructure does not  
> deliver
> on the promises made by their privacy policy.
>
> The Obama White House website is only two days old, and so it is
> certainly possible that the team simply hasn't gotten around to
> deploying a more privacy preserving system for YouTube video embeds.
> Protecting users who do not click play from automatically receiving a
> cookie is certainly possible -- the Electronic Frontier Foundation in
> 2008 released a wrapper script for YouTube videos that provided this
> very feature. Let us hope that the Obama team deploys such a  
> technology
> in due course.
>
> Can YouTube be justified as a 'compelling need'?
>
> For the past 10 years, federal agencies have been prohibited from  
> using
> tracking cookies on their websites, except in a few special cases. The
> Office of Management and Budget rule M-03-22 states that:
>
> "Agencies are prohibited from using persistent cookies or any other
> means (e.g., web beacons) to track visitors' activity on the Internet
> except .... [when there is] a compelling need."
>
> The question we must now focus on is this: Is the need for Obama to  
> use
> embedded videos hosted by YouTube (and not, say, another company's
> video-streaming platform that does not force cookies upon its users) a
> use that can be reasonably described as compelling?
>
> Presumably, this has been justified on the basis that YouTube forces
> cookies on the visitors of any website that embeds one of its videos.
> However, while Joe or Jane blogger has no bargaining power with
> YouTube/Google, the federal government certainly does.
>
> In just the past couple weeks, YouTube has launched dedicated pages  
> for
> both the House and Senate to show off their own videos, and the site  
> also
> recently started allowing users to directly download copies of some
> videos. This latter feature has not yet been widely deployed across  
> the
> site, and is seems to be limited to videos posted by Obama's team.
>
> Given the famously close connections between Obama and Google, you'd
> think his tech team could negotiate for a cookie-less way to embed
> videos. At a technical level, this would be an easy enough change,  
> even
> if it would deny Google the ability to collect even more information  
> on
> millions of Americans.
>
> Cookies and other federal agencies
>
> Finally, the new White House YouTube rule may have a far broader  
> impact
> on the way that federal agencies use Web 2.0 content. Simply put, if
> another federal agency embeds a YouTube video in its website without
> first having the agency's legal team issue a waiver, have federal  
> rules
> been violated?
>
> Up until this week, federal agencies have been free to embed Web 2.0
> content in their own sites without any real need to consider the  
> privacy
> risks posed to end users. The fact that the White House Counsel has  
> felt
> it necessary to issue such a waiver for YouTube videos appearing on  
> the
> White House webpage could be reasonably interpreted to mean that  
> such a
> waiver is now required for all embedded Web 2.0 content that might  
> force
> cookies upon end-users. This is certainly new legal ground.
>
> Consider, for example, the Transportation Security Administration,  
> which
> has posted YouTube videos to its blog numerous times over the past  
> year.
> Its privacy policy makes no mention of YouTube cookies. Could this  
> lead
> to issues for the TSA web-team, or perhaps even congressional
> investigations? Given my own history with TSA, I certainly hope so.
>
>
>
>
>
>
>
>
> -------------------------------------------
> Archives: https://www.listbox.com/member/archive/247/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com