January 27, 2009 | By Hugh D'Andrade

EFF to White House Counsel: What Will You Do to Protect the Privacy of WhiteHouse.gov Users?

As we noted last week, the new WhiteHouse.gov site uses embedded YouTube movies, raising concerns of privacy and open government advocates. Embedded video clips can place or add to a cookie on the user’s computer – thus enabling tracking of users as they use the web. In response, the Obama Administration acted quickly, implementing a partial fix that ensures cookies will only be used when the user chooses to play the video, and not automatically upon loading a page.

This is an improvement, particularly impressive for the speed of the response, and we commend the Obama Administration for it.

But during this process the White House counsel issued a waiver for video on WhiteHouse.gov, moving away from the longstanding presumption against the use of cookies on government websites first issued in 2000. The federal rule directing the government to avoid the use of cookies is based on the important principle that the government — and third parties — should not be tracking the movements of citizens when they visit government sites. The waiver reads in part:

For videos that are visible on WhiteHouse.gov, a “persistent cookie” is set by third party providers when you click to play a video.

This persistent cookie is used by some third party providers to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie.

Given the importance of the “no cookie” presumption to the privacy of visitors to WhiteHouse.gov, we’d like to know why the White House Counsel decided to waive it. To answer this question, we have sent a letter to White House Counsel Gregory Craig, asking him to detail the “information and analysis” on which his waiver is based.

While the White House counsel has no obligation under the law to reply to our query, we hope he will do so in light of the memo issued by the President on his first day in office instructing all agencies to “adopt a presumption in favor of disclosure… to usher in a new era of open Government.”

We have also provided Craig, the folks at WhiteHouse.gov and YouTube with a short list of suggestions to better protect the WhiteHouse.gov users regardless of the waiver:

  • Work with YouTube to end the retention of cookie data for any video embedded on a government site, including so-called “flash cookies.” We see no reason why YouTube needs to retain this information and every reason why it can use this opportunity to make a solid commitment to the public good.
  • The White House has already taken the helpful step of providing visitors with a direct-download link to a high definition MP4 of most video. To build on this, the site could embed the low definition videos using its own Flash-player and stream the video directly from the White House’s own server, rather than relying on YouTube.
  • Add a link to privacy information near each video embed specifically identifying third parties that may have access to the data, so that users will be fully informed of their risks and options.

And we have pointed out that the privacy concerns don’t begin and end with the use of cookies. There are other ways that visitors to WhiteHouse.gov are leaking private data to third parties:

  1. An "invisible pixel" style webbug/tracker on every page on the site, hosted by WebTrends.com.
  2. The entire WhiteHouse.gov domain appears to utilize edge-caching technology provided by Akamai, Inc.
  3. Access to direct-download MP4s of video content appears to be hosted by Amazon S3.

In each of these cases, when a person visits the WhiteHouse.gov site, a third-party logs IP addresses and other personally identifiable information. Yet the limitation on cookies was espressly adopted in 2000 out of concern about the risk of the technologies that “can track the activities of users over time and across different websites.”

So in addition to asking the White House Counsel for information about this waiver to allow third-party cookies, we’ve asked a specific question: What is the White House willing to do to continue to protect the privacy of visitors to government websites, even as it utilizes tools other than cookies that can do similar tracking?

President Obama is leading the way in making new and unprecedented use of the new technologies to keep the public informed and engaged. We are hopeful that his Administration will readily recognize that part of open and responsive Government is making sure that neither the government, nor any third parties, are tracking the activities of those who seek to access government information.

We have asked the White House counsel to respond to our two questions by February 6, 2009. We’ll let you know what happens.


Deeplinks Topics

Stay in Touch

NSA Spying

EFF is leading the fight against the NSA's illegal mass surveillance program. Learn more about what the program is, how it works, and what you can do.

Follow EFF

The @USTradeRep's TPP proposal could block needed orphan works reforms. We join civil society groups to speak out: https://eff.org/r.updq

Aug 31 @ 5:56pm

The Chinese government now appears to be pressuring developers of open source censorship circumvention tools: https://eff.org/r.bv6z

Aug 31 @ 4:44pm

Congress's cyber 'sharing' bill? More like cyber spying:
https://eff.org/r.bdqz

Aug 31 @ 3:05pm
JavaScript license information