Privacy protections could hamper agencies' adoption of cookies

The White House's newly proposed plan to lift a nine-year ban on placing online-tracking devices on federal Web sites could conflict with other government regulations, some privacy and new media specialists said.

Since 2000, agencies have been barred from using cookies -- software that a site deposits on visitors computers to monitor their online behavior, such as recording the visitor's login information -- to protect the public's privacy. Citizens and government officials now say the prohibition prohibits online collaboration. They argue that the private sector has long analyzed users' preferences and settings to customize Web pages for individuals to make their online experiences more personal.

In response, the Office of Management and Budget on Monday issued a Federal Register notice asking the public to comment on a framework that would reverse the ban.

But other bureaucratic barriers could block agencies from rolling out cookies. OMB acknowledged the issue by asking the public's opinion on "unintended or non-obvious privacy implications" of its proposal. An example may be a site that collects a user's IP address, the series of numbers that identifies a user's computer. If an agency collects information that includes the IP address, and the information meets OMB's definition of "information in identifiable form," then it must conduct a privacy impact assessment, OMB officials said.

The assessments examine whether appropriate controls are in place to ensure compliance with federal privacy regulations. The process of conducting an assessment would delay deployment of certain cookies, said Noel Dickover, an independent federal consultant who specializes in removing impediments to social media in government.

According to regulations, information in identifiable form includes data that distinguishes an individual by name, address, Social Security number, telephone number or e-mail address -- or descriptors that the agency intends to combine with other data to identify specific people, such as a combination of gender, race, birth date and geography.

Agencies are is responsible for determining if their cookies rise to the threshold of identifiable information, OMB officials added.

"They are basically saying that if an IP address can be linked to an individual then it is [personally identifiable information], which in some ways is a more direct statement on the issue than what we've heard before," said Ari Schwartz, vice president of the Center for Democracy and Technology, a Washington-based civil liberties group. Privacy specialists have recently begun to debate whether personal IP addresses should be considered -- along with names, addresses and telephone numbers -- as personally identifiable information.

The White House delineates three levels of tracking. The least invasive keeps tabs on users during a single visit. The second method monitors users throughout multiple sessions to analyze trends in how the public uses the site. The third approach follows user behavior over multiple sessions to remember user data for "purposes beyond what is needed for Web analytics," which the agency did not define.

That latter approach concerns some privacy advocates who are in favor of federal cookies with user controls. "That's clearly the one where you have to put down stronger rules," Schwartz said. But seemingly innocuous tracking for measurement purposes carries risks if intruders can indentify a person's computer address, he said. As a safeguard against hackers accessing that information, the center recommends saving individual-level data for no more than 90 days.

OMB's proposal outlines general terms of use, such as allowing users to opt out of the agency tracking their movement on a site, without losing access to information.