That the law needs to catch up with technology is a familiar truism. Similarly, the federal government needs to catch up with common practices employed by businesses to track visits to websites while maintaining user privacy. The Office of Management and Budget has issued guidance to do just that.
Since 2000, federal rules had prohibited the use of persistent cookies and similar technologies that government leaders at the time felt could infringe on citizens' privacy. But more than a year ago, Federal CIO Vivek Kundra announced the administration was reviewing that policy, and on Friday OMB Director Peter Orszag issued new guidance, M-10-22, to permit federal agencies to use web measurement and customization technologies, including cookies (small pieces of browser software that track and authenticate web viewing activities by users), with the aim of making citizens' visits to government websites more meaningful while safeguarding their privacy.
The guidance will allow users to customize their settings so, for instance, they needn't fill out duplicative information and let them navigate federal websites more quickly and in a way that serves their needs, Orszag said. "At the same time, OMB is acutely aware of, and sensitive to, the unique privacy questions raised by government uses of such technologies," Orszag wrote in the memo. "Any such uses must not compromise or invade personal privacy. It is important to provide clear, firm, and unambiguous protection against any uses that would compromise or invade personal privacy."
The guidance leaves it up to each agency to decide whether visitors to their sites should be able to opt in or opt out of the use of persistent cookies. But, in either case, agencies must make it simple for visitors to make that decision. "Agencies must not use web measurement and customization technologies from which it is not easy for the public to opt-out," the guidance states.
The Federal Information Security and Privacy Advisory Board last year called on OMB to require agencies to offer users opt in. "The individual would essentially allow and give consent to the government agency, and say, 'Yes, I trust the agency. I want to have them be able to give me the kind of user experience that I get when I go to eBay or Amazon or other types of e-commerce sites.' That will assure that the individual is provided a significant defense," Board Chairman Dan Chenok said in an interview with GovInfoSecurity.com.
On Monday, Chenok said OMB's guidance that requires agencies to provide users with explicit instructions on how to opt out is consistent with the tenor of the board's opt-in recommendation. "That's really the issue, making sure that the person knows the choice they have, and has the facts to doing something about it," Chenok said.
Chenok, a one-time senior OMB official, said the new guidance would benefit both the government, because it allows agencies to provide services more effectively and efficiently, and citizens, who can decide the manner of interaction they seek to engage in with the government. "Whether the agencies choose to establish an opt in or a clear and explicit opt out," he said, "either way the individual has the informed choice."
The OMB director's memo states that agencies can keep data collected from web measurement and customization technologies for only as long as necessary to achieve the specific objective for which it was collected, and that only employees who need access to the data should be allowed to have it.
On Friday, Orszag also issued another memo, M-10-23, that calls for transparent privacy policies, individual notice and a careful analysis of the privacy implications whenever federal agencies use third-party technologies to engage with the public. "This memorandum recognizes that open government increasingly relies on federal agency uses of new technologies, such as social media networks and web 2.0 applications," Orszag wrote. "However, increased use of these technologies also requires greater vigilance by federal agencies to protect individual privacy."