Update: 12 hours after posting this story, the White House (partially) reversed itself. The rather dubious YouTube-only waiver from federal Web privacy rules has been maintained, but the White House Web site has been updated to limit the exposure of visitors to YouTube's tracking efforts to only those people who actually click the "play" button on a YouTube video. For more details on the new changes, read this blog post.
While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama's home in cyberspace.
No other company has been singled out and rewarded with such a waiver.
In a blog post back in November, I criticized the Obama transition team's Change.gov Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules.
Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.
"For videos that are visible on WhiteHouse.gov, a 'persistent cookie' is set by third party providers when you click to play the video.
This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie."
YouTube and cookies
Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user's browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.
YouTube is also able to set and access a user's tracking cookie when she visits a third-party Web page that has embedded a video stored on the YouTube site (such as a blog or other Web site), even if the user never clicks the play button.
The moment that the flash file containing the video player is downloaded from YouTube's servers and displayed in the user's browser as part of another Web page, the cookie is transmitted to YouTube's servers. Considering how widespread the practice of embedding YouTube videos has become, this gives Google an amazing amount of data on the Web-browsing activities of hundreds of millions of Internet users--many of whom may not realize that such tracking data is being collected.
The White House policy is not being followed
"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."
As of Thursday morning, this statement is false.
In multiple tests by this blogger with both Internet Explorer and Firefox, merely visiting pages on the White House blog causes YouTube to set a long-term tracking cookie in the browser--even if the user does not press the play button to start the video. After eight months, this cookie will be automatically deleted by the user's browser--unless, of course, the user visits another Web page somewhere else on the Internet containing a YouTube-embedded video, in which case, the eight-month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever.
The Obama White House Web site is only two days old, and so it is certainly possible that the team simply hasn't gotten around to deploying a more privacy-preserving system for YouTube video embeds. Protecting users who do not click "play" from automatically receiving a cookie is certainly possible; the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided this very feature. Let us hope that the Obama team deploys such a technology in due course.
Can YouTube be justified as a "compelling need"?
For the past 10 years, federal agencies have been prohibited from using tracking cookies on their Web sites, except in a few special cases. The Office of Management and Budget rule M-03-22 states that:
"Agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except .... [when there is] a compelling need."
The question we must now focus on is this: Is the need for Obama to use embedded videos hosted by YouTube (and not, say, another company's video-streaming platform that does not force cookies upon its users) a use that can be reasonably described as compelling?
Presumably, this has been justified on the basis that YouTube forces cookies on the visitors of any Web site that embeds one of its videos. However, while Joe or Jane blogger has no bargaining power with YouTube/Google, the federal government certainly does.
In just the past couple weeks, YouTube has launched dedicated pages for both the House and Senate to show off their own videos, and the site also recently started allowing users to directly download copies of some videos. This latter feature has not yet been widely deployed across the site, and is seems to be limited to videos posted by Obama's team.
Given the famously close connections between Obama and Google, you'd think his tech team could negotiate for a cookie-less way to embed videos. At a technical level, this would be an easy enough change, even if it would deny Google the ability to collect even more information on millions of Americans.
Cookies and other federal agencies
Finally, the new White House YouTube rule may have a far broader impact on the way that federal agencies use Web 2.0 content. Simply put, if another federal agency embeds a YouTube video in its Web site without first having the agency's legal team issue a waiver, have federal rules been violated?
Up until this week, federal agencies have been free to embed Web 2.0 content in their own sites without any real need to consider the privacy risks posed to end users. The fact that the White House Counsel has felt it necessary to issue such a waiver for YouTube videos appearing on the White House Web page could be reasonably interpreted to mean that such a waiver is now required for all embedded Web 2.0 content that might force cookies upon end users. This is certainly new legal ground.