Shorter Orszag: Cookies Aren't So Toxic
BY Nancy Scola | Monday, June 28 2010
On Friday, I joked that I really couldn't make heads or tails of the Office of Management and Budget's new guidance on cookies. Here, with the benefit of time, rereading, and conversations with smart people, comes a little insight into what has gone down. What's important to keep in mind is that OMB has tackled two topics here. The first is loosening the federal government's decade-long strictness about how federal folks can make use of web cookies. The second is tightening up the logic around when and how federal agencies make use of third-party online services a la Twitter, Facebook, YouTube and the rest. By breaking those topics into two pieces, OMB has refined the federal way of thinking about how government engages online.
In short, on his way out the door, Peter Orszag did actually provide some clarity for how the federal government can and should make use of the web. He just could have been a little clearer about it. Here, in brief, are some of the details of what's changed.
Because of the unique laws and traditions about government access to citizens' personal information, the presumption should be that "cookies" will not be used at Federal web sites. Under this new Federal policy, "cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency.
Thus the "cookie ban" that federal web managers have been operating under since the Clinton Administration.
Those restrictions and requirements include giving users of federal government websites the option to opt out of the cookie interaction, whether that's giving them a simple way to do it on the site itself or providing directions on how they can, for example, tweak their browser security settings. (Google recently released a browser plug-in that lets web users opt out of having their IP address and other information logged by Google Analytics.)
Data collected by cookies, says the Orszag memo, should only be kept by agencies as long as necessary and generally for a year or less, and should only be viewed by federal employees on a need-to-know basis.
In a fairly major policy adjustment, cookie use no longer needs "personal approval by the head of the agency" -- though with the caveat that for cookie usages that involve collecting Personally Identifiable Information, or PII in security speak, across multiple sessions, the agency CIO and head must be brought into the approval process, a public comment period must be opened, and users must explicitly "opt-in" to the experience.
(Related: Eli Pariser's "filter bubble," and the possibility that customization policies are the new privacy policies.)
Which brings us to Memo Two, M-10-23 in OMB's files but one we might call the Twitter/Facebook/YouTube Memo. Here Orszag and company are attempting to impose a little order and process on the federal agency rush to embrace those sorts of third-party web tools and platforms.
"The purpose of this Memorandum," it reads, "is to help Federal agencies to protect privacy, consistent with law, whenever they use web-based technologies to increase openness in government." In short, this memo instructs agencies to be a little more deliberate and a little more transparent about how they're using Twitter and Facebook and their ilk. For one thing, agencies should keep in mind that citizens should be able to do most of their core engagement with government on official government properties, even if that means simply including an email address as a way that people can communicate with Uncle Sam online. More than that, agencies are directed to do thorough investigations of the privacy policies of those third-party sites (including, said an OMB administrator on a call Friday, those services whose policies -- cough, Facebook -- seem to change with some frequency). Those third-party privacy policies must now be reflected in the privacy statements shared by the agencies with the public.
Agencies should take steps, directs Orszag, to make clear to users the official-yet-external nature of government properties on places like Twitter and Facebook, whether that's through pop-up exit notices or the use of official seals on social network profiles (though the latter, as we've seen with Facebook's "community page" debacle, might not exactly do the trick).
Also, Orszag and staff might want to catch up on what's happening on the Plain Language Movement front.