The Future of Privacy Forum is providing the below suggestions to offer a roadmap for enabling the use of analysis, site optimization and tracking technologies by government agencies. Personalizing site content for users who wish to have a setting remembered, enabling long term shopping carts and capturing analytics information over time to improving site usage are key to providing the public the best possible web experience.
With regard to the use of analytics tools in particular, we note the deep reliance of public and private sector web managers on these technologies to understand the basics of web site performance, such as unique users, the ability of users to navigate to the content they seek, and the usability of a web site in general.
These functions are currently limited by various approval requirements, including the need that a “compelling purpose standard” be met. As a result, agencies may end up either forgoing the use, or they seek approval but may not seek to establish additional necessary controls to ensure these technologies are used in the most privacy friendly manner.
Although cookies may assist in correlating various IP addresses logged over time, the essential link to an identifiable individual (in the hands of a government enforcement agency or via other legal process to force such identification) is the logging of the user’s IP address. We believe that implementing a narrow retention terms for such data, as we propose below, is essential for addressing this concern.
Similarly, other than with a user’s express consent (for example asking a user whether certain content should be always presented to a user first upon return visits, or a user’s preference for a certain language or format), a user’s passive interaction with a government site should not be used to treat individual users differently than others. It would be appropriate to conduct an analysis of individual cookie/log file data in order to produce a summary report indicating that users entering a government site after clicking through via a search result provided by a search engine end up navigating through content that isn’t what they are seeking, before they are able to find the relevant content they want elsewhere at the web site. An effective web manager might use this information to optimize web pages containing the content of interest so that links to it appeared to users seeking this material at search engines or they might make this content easier to access from the homepage. But using cookies to store profiles of individual users to analyze their interests and tailor the content they are shown should not be permitted without express user consent. (Contextually providing links to other content, for example, offering a user “additional articles relevant to this article” should be appropriate. Providing “additional articles relevant based on articles you have viewed today and on prior visits” should be allowed only with prior express consent).
We propose that the current restrictions on cookies and similar technologies be revised. In their place should be requirements that establish leading practices for such technology practices.
Ensuring that Interactive Tools used by Government Provide Users with Enhanced Transparency and Controls for Data Collection and Retention Analytics, Research or Others Using Cookies, Tracking Pixels or Other Tools Restrictions that should always apply:
1. Delete log-files after a defined limited period of time. It may be useful to note here that industry in this area has increasingly been sensitive to the risks of long term retention of log file level data. Just several years ago, not a single major search engine, ad network or analytics companies had a formal retention policy in place. Today, despite the commercial desire to maximize product features and profits, many have recognized the privacy and data breach risks and have established practices which delete or minimize data after certain periods. See, for example, the policies of Yahoo and Google which require data anonymization of some degree at 3 months and 9 months, respectively.
2. Cookies should have limited expiration periods and should not be used to store personal information unprotected or without user consent.
3. IP addresses logged by vendors should be obscured or deleted as soon as possible.
4. The use of the tools and user options should be transparent and prominently explained.
5. Only “first party” domains should be used, rather than “third party” domains, to avoid potential for unwanted correlation across unrelated Web sites.
6. Domains used for cookie setting should be obvious, so that users examining their browser cookies files can understand who set the cookie and its uses. For example, analytics.whitehouse.gov is transparent to users, but 306fn.whitehouse.gov is not. Additionally, information should be posted at analytics.exampleagency.gov which describes the particular agency’s use and privacy practices related to the cookie and other log information of such a sub-domain.
7. Due to the fact that privacy enhancing choice mechanisms for non-cookie tracking mechanisms are so limited and are practically unknown by most users, Flash cookies and other tracking methods should not be used until web browsers are able to provide users the means to block or delete these from within the browser.
8. Contractual representations with vendors should be included in contracts that bar the use of data for purposes other than services contracted, other than aggregate reporting.
Restrictions applicable for non-unique cookie identifiers:
No additional restrictions need to be applied when the cookie ID used doesn’t indicate an individual user. Examples include both passive setting of such an ID and active selection by the user.
Restrictions applicable for unique identifiers that expire at the end of a session:
No additional restrictions need to be applied when the cookie ID used doesn’t indicate an individual user. Examples include both passive setting of such and ID and active selection by the user.
Restrictions applicable for unique identifiers that are persistent and that are unique:
If, active choice by user to accept cookie after description of the permitted use and clear expression of consent, no additional restrictions
If passively set, the following additional restrictions to apply.
a) Home Page: Notice should be provided via a home page notice such as: “Cookies and other technologies are used to analyze how users navigate this site. Click here for options.”
b) Opt-out: Users should be able to maintain their current browser settings and select a one click option to prevent the setting of a unique persistent identifier. As former and current FPF Advisory Board members Professor Peter Swire and Professor Annie Anton and others have written, available tools supporter by web browsers are inadequate for this purpose.
c) Priority should be given to implementations that improve on the current opt-out options. Opt-out should be set to persist for a minimum of 5 years or longer to ensure they do not expire during expected lifetime of a users computer.
i. Standard browser handling of the opt-out cookie – today opt-out cookies are regularly deleted by users who aren’t aware that doing so reverts they opt-out choice and they are often removed by anti-spyware tools.
ii. Browser plug-in handling of the opt-out cookie – enhanced options available today include “TACO”, the Google opt-out browser plug-in and other downloads under development that assist in maintaining opt-outs. Yahoo and Microsoft have options that enable authenticated users to maintain opt-outs from those companies. Although these options are an advance over the prevailing practices, they depend on users taking additional actions to download additional programs or to authenticate.
iii. Potential “opt-out header” development – The Future of Privacy Forum has coordinated discussions among advocacy groups, browser developers and companies about easy to use browser supported options that would be more stable than the current options. Although TACO already or will soon include a basic version of an “opt-out header” in its Firefox plug-in, consensus among among browser companies, developers, industry and advocates about how such a feature would best be presented or interpreted does not yet exist.
Government support in this area, by including contracting preference for vendor proposals that include improvements for opt-outs could spur privacy technology developments for both public and private sector users.
Tracking across government domains – there may be some limited circumstances where government domains interact in a manner that calls for analysis across certain domains. For example, it may be useful to understand which government domains are succeeding in helping bring users who provide comments at the Open Government blog. Such use should require additional approval and may warrant for more limited retention periods to avoid the potential for collection and aggregation of a wider range of user interaction with government.
We conclude by noting that although some of these proposals may be useful for the private sector, we raise these specifically for the public sector because of the much greater privacy implications of data collection and use by government. Many private sector uses of cookies are intended to support both functionality, analysis and the data use needed for the advertising revenue that supports the services. We highlight many of the leading practices of the private sector at the Leading Practices Gallery at www.futureofprivacy.org and we urge other companies to seek to implement those advances where relevant.
Future of Privacy Forum