EFF to White House Counsel: What Will You Do to Protect the Privacy of WhiteHouse.gov Users?
As we noted last week, the new WhiteHouse.gov site uses embedded YouTube movies, raising concerns of privacy and open government advocates. Embedded video clips can place or add to a cookie on the user’s computer – thus enabling tracking of users as they use the web. In response, the Obama Administration acted quickly, implementing a partial fix that ensures cookies will only be used when the user chooses to play the video, and not automatically upon loading a page.
This is an improvement, particularly impressive for the speed of the response, and we commend the Obama Administration for it.
For videos that are visible on WhiteHouse.gov, a “persistent cookie” is set by third party providers when you click to play a video.
This persistent cookie is used by some third party providers to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.
Given the importance of the “no cookie” presumption to the privacy of visitors to WhiteHouse.gov, we’d like to know why the White House Counsel decided to waive it. To answer this question, we have sent a letter to White House Counsel Gregory Craig, asking him to detail the “information and analysis” on which his waiver is based.
While the White House counsel has no obligation under the law to reply to our query, we hope he will do so in light of the memo issued by the President on his first day in office instructing all agencies to “adopt a presumption in favor of disclosure… to usher in a new era of open Government.”
We have also provided Craig, the folks at WhiteHouse.gov and YouTube with a short list of suggestions to better protect the WhiteHouse.gov users regardless of the waiver:
- Work with YouTube to end the retention of cookie data for any video embedded on a government site, including so-called “flash cookies.” We see no reason why YouTube needs to retain this information and every reason why it can use this opportunity to make a solid commitment to the public good.
- The White House has already taken the helpful step of providing visitors with a direct-download link to a high definition MP4 of most video. To build on this, the site could embed the low definition videos using its own Flash-player and stream the video directly from the White House’s own server, rather than relying on YouTube.
- Add a link to privacy information near each video embed specifically identifying third parties that may have access to the data, so that users will be fully informed of their risks and options.
- An "invisible pixel" style webbug/tracker on every page on the site, hosted by WebTrends.com.
- The entire WhiteHouse.gov domain appears to utilize edge-caching technology provided by Akamai, Inc.
- Access to direct-download MP4s of video content appears to be hosted by Amazon S3.
In each of these cases, when a person visits the WhiteHouse.gov site, a third-party logs IP addresses and other personally identifiable information. Yet the limitation on cookies was espressly adopted in 2000 out of concern about the risk of the technologies that “can track the activities of users over time and across different websites.”
So in addition to asking the White House Counsel for information about this waiver to allow third-party cookies, we’ve asked a specific question: What is the White House willing to do to continue to protect the privacy of visitors to government websites, even as it utilizes tools other than cookies that can do similar tracking?
President Obama is leading the way in making new and unprecedented use of the new technologies to keep the public informed and engaged. We are hopeful that his Administration will readily recognize that part of open and responsive Government is making sure that neither the government, nor any third parties, are tracking the activities of those who seek to access government information.
We have asked the White House counsel to respond to our two questions by February 6, 2009. We’ll let you know what happens.