Under the proposal, U.S. government agencies would be allowed to use single-session and multi-session cookies, including persistent cookies, to track users -- as long as security and privacy standards governing the collection and use of tracking information are met. The agencies would have to post clear notice of data collection and allow users to opt-out.
The idea is to make government Web sites more user-friendly and to enable better customer service and Web analytics, according to federal CIO Vivek Kundra and Michael Fitzpatrick, the associate administrator at the Office of Information and Regulatory Affairs. They wrote about the proposed changes in a blog post Friday.
Agencies and the public have until Aug. 10 to comment on the proposal, which came from the Office of Management and Budget.
If the plan is adopted, it would mark a departure from a policy first put in place in 2000 and updated in 2003 that prohibits government sites from using persistent cookies "or any other means" such as Web beacons to track visitor activity, unless agency heads authorize thier use. When tracking cookies are used, agencies must conspicuously post the reasons for collecting information, spell out the sort of data collected and detail privacy safeguards.
Privacy advocates have for some time maintained that such restrictions protect site visitors from being tracked and profiled. They have argued that users should reasonably expect privacy when visiting a government site and that any attempt to dilute the protections is ill-advised. Those concerns have grown in recent months, with many worried that the Obama Administration's espousal of Web 2.0 technologies and social networking tools will affect long-held privacy protections.
Soon after Obama took office, for instance, privacy advocates were up in arms over a White House policy change that permitted the use of tracking cookies in YouTube videos embedded on the WhiteHouse.gov Web site.
"The Obama Administration must tread very carefully here and think about our civil liberties in the digital era," said Jeffery Chester, executive director of the Center for Digital Democracy (CDD), a privacy rights advocacy group. "Given the unique data collection and targeting power of online media, the government should be limited in the information it can collect on us."
As administrations change, policies regarding the use of data collected by Web analytics tools could also change, he said. "[The] government could have an arsenal of profiling data that could be used to influence voters and the public." While there are benefits from using cookies, the blog post by Fitzpatrick and Kundra "glossed over" concerns that have been previously expressed by many including lawmakers.
Cindy Cohn, legal director of the Washington-based Electronic Frontier Foundation said that the government needs to clearly articulate what it wants to do with any data it gets. "The devil is going to be in the details," she said. While session cookies can yield information that is useful in delivering a better user experience, the use of persistent cookies on government Web sites should be studied carefully.
"We would want to see a pretty serious case effort ... showing us why the information would be useful," what officials would do with the data and what kind of checks would be there to ensure compliance, Cohn said.
Just because commercial enterprises have been using persistent cookies doesn't automatically mean that government agencies should be allowed to use them, she said. "The government doesn't need to do the same sort of analytics that commercial companies do. The government doesn't have the same interests and shouldn't have the same interests."