Bulletin, December 2013/January 2014
Governmental Internet Information Collection: Cookies Placing Personal Privacy at Risk
by Norman Gervais
Despite wide concerns about privacy on the Internet and the drastic effects that diminished privacy has, the U.S. government does not have policies that require its own websites to be private. In fact, government agencies use technologies, referred to as cookies, which allow tracking of users on the government’s own websites and even have allowed private companies to track the activities of users on government websites. Former Senator Fred Thompson has expressed unease over this practice, questioning how the government can talk about protecting privacy when it is itself jeopardizing private information . Other people believe that the benefits of these technologies outweigh this cost and provide for a better online experience on government websites .
Privacy can be defined as “the right to be left alone” [3, p.127] and may refer to controlling one’s personal information and being free of observation. Privacy is necessary for personal expression, creativity and growth and moreover affects one’s identity . Privacy allows an individual the freedom to control personal information that empowers the regulation of relationships with others and gives people a feeling that they are not objects. If identity were to be treated as an object, individuals would be denied the status of autonomous agents worthy of respect .
In today’s digital age, the effect of privacy may be of greater concern than ever. Despite an extensive list of U.S. laws that aim to protect privacy, (see , p. 127, for example), advancements in information technology have threatened individual privacy  through surveillance and data mining . As Hodson [7, p.24] noted, “EVERY move we make online leaves a trace.”
Although an IP address can provide websites with limited information, such as technical specifications on a computer and its general location, cookies provide more complete information about the user . In addition, new technologies are emerging, such as HTML 5’s local storage, which can retain data after the browser is closed or the page is left, storing it locally and avoiding the privacy hazard of sending it back to the server . However, local storage will not work with older browsers.
A cookie is a small text file that is placed on a user’s computer by a web page. It not only collects information about which web pages the user visits, but also about the user’s activities on the site. All of this information is then sent back to the website’s server. Cookies allow a website to recognize a specific user. This recognition can lead to the site remembering a user ID, allowing the use of a shopping cart and remembering preferences for later visits to the site .
There are two general types of cookies: single-session and persistent (multi-session). Single-session cookies are erased after a visit to a website and help with navigation. Persistent cookies stay on a computer until they are manually deleted or expire, which can be years , and collect personal information and browsing habits . A third type of cookie, called a third-party cookie, is created when content, such as an advertisement, is posted on one site by another with the first site’s permission. This posting may then ask your browser to deposit its cookie on your computer .
Citizen Opposition to Cookies
People are worried about online tracking invading their privacy. Recent estimates show that 73% of users are not okay with search engines collecting information on them and 68% are not okay with personal advertising because it is a result of tracking activities. Fortunately, users can choose to limit these tracking activities, but unfortunately only 38% of users know how to do so. Even though over a third of Internet users know how to limit online tracking , only 2% of users block cookies entirely .
Identity thieves, shopping sites, media companies, advertising companies, charities and even the government are collecting and sharing information about visitors to their websites . Collecting user information is such a common practice that the Wall Street Journal found that almost every commonly visited website was collecting information about user behavior and then selling the data . In addition to a company tracking a user’s movements on the company’s own website, now there are companies specifically termed “tracking companies.” They follow users across the web, collecting information to build profiles on users . Although most of the data are collected to offer a more personal web experience , through advertising, for example, there may be future uses and unintended side effects that are not desirable.
Perhaps part of the concern over Internet privacy stems from the fact that a user does not need to give away a lot of personal information to a single entity to have his entire identification revealed. In fact, an individual may be found by marketers, criminals and the government through anonymous data from different sources that are pieced together through a process called re-identification . In addition, the government and civil litigants may seek user information via subpoena. With companies, such as Google, being able to reproduce every search that was made from a specific IP address  and Internet providers being able to identify which customer is assigned that IP address , individuals may well be concerned about their privacy and who can see what information about them. In addition, even if the government is not using information about website visitors, privacy advocates believe that the government should not record people by using cookies at all .
Although M-00-13 acknowledged that tracking technologies such as cookies lead to privacy concerns, it did not necessarily ban them. However, it did put forth a process to use them if “…in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from ‘cookies’; and personal approval by the head of the agency” [22, p.1].
As of 2013, both persistent and single-session cookies are being used on government websites. These technologies can now be implemented without personal approval by the head of the agency. They can be used as long as the agency provides a clear notice of the use of such technologies and complies with all other policies, unless multi-session cookies are used with personally identifiable information. These cases require review and approval from the agency’s chief information officer. Also, some governmental services may be made available on third-party websites that have associated third-party cookies (see www.ftc.gov/ftc/cookies.shtm, for example), but the agency should provide an alternative option to the third-party service . In addition, the government is using opt-out cookies (see www.epa.gov/mobilepa/privacy.html, for example), which by default are added to a computer unless the user manually turns them off . The government does, however, provide guidance on how to opt-out if desired (see www.usa.gov/optout-instructions.shtml). In addition to telling a user how not to be tracked with cookies, agencies must post their privacy policies on their websites to allow people to understand agency policies before engaging with them .
Resolution of Cookie Use and Privacy
The United States is a democracy, which by definition is a “government by the people” or “a rule of the majority” . Even though the majority of people are not okay with being tracked on the Internet  and it poses serious risks to privacy, the government continues to do it. To allow a true democracy, the government should listen to the people and show that it is listening by changing the government’s own policies so that the government itself cannot limit privacy by tracking people on government websites.
The government does, on the other hand, have a responsibility to balance the costs and benefits of any decision that it makes so that the people can overall have the best possible freedom while still having access to an open and transparent government. Since people actually block cookies  and actions speak louder than words, one may reasonably assume that people either do not truly care about their information being tracked, believe that the overall benefits of cookies exceed the costs or do not understand how cookies work well enough to block them or make a decision about using them.
Resources Mentioned in the Article
 Hopper, D.I. (October 22, 2013). Government websites still tracking users. ABCNews. Retrieved October 15, 2013, from http://abcnews.go.com/Technology/story?id=119344&page=1
 Howard, A. (June 25, 2010). OMB updates rules for cookies and privacy on U.S. government websites: U.S. agencies can now use social media platforms and other third-party sites. Radar O’Reilly. Retrieved October 15, 2013, from http://radar.oreilly.com/2010/06/omb-updates-rules-for-cookies.html
 Robison, W.L. (1997). Privacy and personal identity. Ethics & Behavior, 7(3). Retrieved from http://people.rit.edu/wlrgsh/PrivacyandPersonalIdentity.pdf
 Thompson, J.F. (November/December 2002). Identity, privacy, and information technology. Educause Review. Retrieved from October 15, 2013, from http://net.educause.edu/ir/library/pdf/erm0267.pdf
 Hongladarom, S. (n.d.). Privacy, contingency and personal identity. Academia.edu. Retrieved October 15, 2013, from www.academia.edu/262898/Privacy_Contingency_and_Personal_Identity
 Hodson, H. (2012). How metadata brought down CIA boss David Petraeus. New Scientist, 216 (2892), 24. Retrieved October 15, 2013 from www.newscientist.com/article/mg21628925.400-how-metadata-brought-down-cia-boss-david-petraeus.html
 Reputation.com. (2011). How companies collect your private information when you browse online. Reputation.com. Retrieved October 15, 2013, from www.reputation.com/reputationwatch/articles/how-companies-collect-manage-and-use-your-private-information-when-you-browse-online
 Kyrnin, J. (2013). What is local storage and the local storage attribute in HTML 5? About.com. Retrieved October 15, 2013, from http://webdesign.about.com/od/html5/f/what-is-local-storage.htm
 Federal Trade Commission. (n.d.). Internet cookies. ftc.gov. Retrieved October 15, 2013, from www.ftc.gov/ftc/cookies.shtm
 Bobulous. (2011). Third-party cookies. Bobulous Central. Retrieved October 15, 2013, from www.bobulous.org.uk/misc/third-party-cookies.html
 Evangelista, B. (2012). Internet privacy a growing concern, Pew finds. SF Gate. Retrieved October 15, 2013, from www.sfgate.com/business/article/Internet-privacy-a-growing-concern-Pew-finds-3407488.php
 Enge, E. (2011). Web analytics and cookies. Stone Temple Consulting. Retrieved October 15, 2013, from www.stonetemple.com/articles/analytics-and-cookies.shtml
 JCS. (June 16, 2011). Invisible stalkers: Every move you make online is being tracked.
JCS Computer.com. Retrieved October 15, 2013, from
 NPR. (2010). Tracking the companies that track you online. npr.org. Retrieved from www.npr.org/templates/story/story.php?storyId=129298003
 Abine Inc. (2012). Who are these tracking companies? Abine.com. Retrieved October 15,2013, from http://abine.com/whotheyare.php
 Hansell, S. (July 7, 2008). One subpoena is all it takes to reveal your online life [blog post]. New York Times Bits. Retrieved October 15, 2013, from http://bits.blogs.nytimes.com/2008/07/07/the-privacy-risk-from-the-courts/
 ItProPortal. (2011). Everything you do online reveals your identity. ITProPortal. Retrieved October 15, 2013, from www.itproportal.com/2011/03/29/how-anonymous-data-puts-your-identity-risk/
 Von Lohmann, F. (February 4, 2006). Subpoenas and your privacy. Electronic Frontier Foundation. Retrieved October 15, 2013, from www.eff.org/deeplinks/2006/02/subpoenas-and-your-privacy
 Strickland, J. (n.d.). Can the government see what websites I visit? How Stuff Works. Retrieved October 15, 2013, from http://computer.howstuffworks.com/government-see-website2.htm
 Office of Management and Budget. (June 25, 2010). M-10-22, Guidance for online use of web measurement and customization technologies. Executive Office of the President. Retrieved October 15, 2013, from www.whitehouse.gov/sites/default/files/omb/assets/memoranda_2010/m10-22.pdf
 Office of Management and Budget. (June 22, 2000). M-00-13, Privacy policies and data collection on federal web sites. Executive Office of the President. Retrieved October 15, 2013, from www.whitehouse.gov/omb/memoranda_m00-13/
 USA.gov. (September 6, 2013). Protect your privacy online: Protect your privacy and avoid identity theft. USA.gov. Retrieved October 15, 2013, from www.usa.gov/topics/family/privacy-protection/online.shtml
 Merriam-Webster. (2013). Democracy. Merriam-Webster.com. Retrieved October 15, 2013, from
Norman Gervais is an information science Ph.D. student in the College of Computing and Information at the University at Albany, State University of New York. He can be reached at ngervais<at>albany.edu.
Articles in this Issue
Government Internet Information Collection: Cookies Placing Personal Privacy at Risk