Shorter Orszag: Cookies Aren't So Toxic

BY Nancy Scola | Monday, June 28 2010

Departing OMB Director Peter Orszag announced Friday new federal policies loosening the federal government's approach to web "cookies" and tightening its approach to third-party tools like Twitter and Facebook; Center for American Progress photo.

On Friday, I joked that I really couldn't make heads or tails of the Office of Management and Budget's new guidance on cookies. Here, with the benefit of time, rereading, and conversations with smart people, comes a little insight into what has gone down. What's important to keep in mind is that OMB has tackled two topics here. The first is loosening the federal government's decade-long strictness about how federal folks can make use of web cookies. The second is tightening up the logic around when and how federal agencies make use of third-party online services a la Twitter, Facebook, YouTube and the rest. By breaking those topics into two pieces, OMB has refined the federal way of thinking about how government engages online.

In short, on his way out the door, Peter Orszag did actually provide some clarity for how the federal government can and should make use of the web. He just could have been a little clearer about it. Here, in brief, are some of the details of what's changed.

We'll start with Memo One, technically M-10-22 but we'll call it the Orszag Cookie Memo. Federal practice for how government can use cookies -- or tiny pieces of text left on users' computers that help customize their online experiences -- was set way back in 2000, by then-OMB director Jacob Lew. Persistent little "spy files," to be dramatic about it, got people thinking at the time about how the United States government should be observing and engaging with American citizens online. The Lew Cookie Policy (M-00-13, if you're keeping track) read this way:

Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites. Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency.

Thus the "cookie ban" that federal web managers have been operating under since the Clinton Administration.

Enter the 2010 Orszag Cookie Policy. In short, as of Friday, federal government agencies and departments now have the option of using persistent cookies, in most cases, with certain restrictions and requirements attached. The primary opportunity that seems to open up for folks is using web metrics tools like Google Analytics to track and customize the online experiences of citizens, particularly across user sessions.

Those restrictions and requirements include giving users of federal government websites the option to opt out of the cookie interaction, whether that's giving them a simple way to do it on the site itself or providing directions on how they can, for example, tweak their browser security settings. (Google recently released a browser plug-in that lets web users opt out of having their IP address and other information logged by Google Analytics.)

Data collected by cookies, says the Orszag memo, should only be kept by agencies as long as necessary and generally for a year or less, and should only be viewed by federal employees on a need-to-know basis.

In a fairly major policy adjustment, cookie use no longer needs "personal approval by the head of the agency" -- though with the caveat that for cookie uses that involve collecting Personally Identifiable Information, or PII in security speak, across multiple sessions, the agency CIO and head must be brought into the approval process, a public comment period must be opened, and users must explicitly "opt-in" to the experience.

With cookies now on the table, Orszag's OMB has taken steps to ensure that government doesn't get too loosey goosey with using them. One significant part of the new federal cookie policy is that agencies have to proactively review how they're collecting online data from users of their web properties, ideally posting that on their [agency].gov/open site. Agencies are prohibited from cross-referencing cookie information with what they might otherwise know about individual web users, and none of what is collected can be shared with other agencies or departments.

(Related: Eli Pariser's "filter bubble," and the possibility that customization policies are the new privacy policies.)

Which brings us to Memo Two, M-10-23 in OMB's files but one we might call the Twitter/Facebook/YouTube Memo. Here Orszag and company are attempting to impose a little order and process on the federal agency rush to embrace those sorts of third-party web tools and platforms.

"The purpose of this Memorandum," it reads, "is to help Federal agencies to protect privacy, consistent with law, whenever they use web-based technologies to increase openness in government." In short, this memo instructs agencies to be a little more deliberate and a little more transparent about how they're using Twitter and Facebook and their ilk. For one thing, agencies should keep in mind that citizens should be able to do most of their core engagement with government on official government properties, even if that means simply including an email address as a way that people can communicate with Uncle Sam online. More than that, agencies are directed to do thorough investigations of the privacy policies of those third-party sites (including, said an OMB administrator on a call Friday, those services whose policies -- cough, Facebook -- seem to change with some frequency). Those third-party privacy policies must now be reflected in the privacy statements shared by the agencies with the public.

Agencies should take steps, directs Orszag, to make clear to users the official-yet-external nature of government properties on places like Twitter and Facebook, whether that's through pop-up exit notices or the use of official seals on social network profiles (though the latter, as we've seen with Facebook's "community page" debacle, might not exactly do the trick).

So that's that. More coverage on the Orszag Cookie Memo and the Orszag Twitter/Facebook/YouTube Memo from O'Reilly's Alex Howard, NextGov's Aliya Sternstein and National Journal's Chris Strohm.

Also, Orszag and staff might want to catch up on what's happening on the Plain Language Movement front.