January 22, 2009 1:09 PM PST

White House exempts YouTube from privacy rules

by Chris Soghoian

Update: 12 hours after posting this story, the White House (partially) reversed itself. The rather dubious YouTube-only waiver from federal Web privacy rules has been maintained, but the White House Web site has been updated to limit the exposure of visitors to YouTube's tracking efforts to only those people who actually click the "play" button on a YouTube video. For more details on the new changes, read this blog post.

The new Web site for Obama's White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site's policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites.

The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama's legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site).

While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama's home in cyberspace.

No other company has been singled out and rewarded with such a waiver.

In a blog post back in November, I criticized the Obama transition team's Change.gov Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules.

Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user's browser--even for those users who do not click the "play" button.

Someone on the Obama legal team seems to have read my previous blog post, as they've modified the White House privacy policy to specifically exclude YouTube's tracking cookies from federal rules that would otherwise prohibit their use:

"For videos that are visible on WhiteHouse.gov, a 'persistent cookie' is set by third party providers when you click to play the video.

This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel's office to allow for the use of this persistent cookie."

YouTube and cookies
Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user's browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits.

YouTube is also able to set and access a user's tracking cookie when she visits a third-party Web page that has embedded a video stored on the YouTube site (such as a blog or other Web site), even if the user never clicks the play button.

The moment that the flash file containing the video player is downloaded from YouTube's servers and displayed in the user's browser as part of another Web page, the cookie is transmitted to YouTube's servers. Considering how widespread the practice of embedding YouTube videos has become, this gives Google an amazing amount of data on the Web-browsing activities of hundreds of millions of Internet users--many of whom may not realize that such tracking data is being collected.

The White House policy is not being followed
The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:

"If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video."

As of Thursday morning, this statement is false.

In multiple tests by this blogger with both Internet Explorer and Firefox, merely visiting pages on the White House blog causes YouTube to set a long-term tracking cookie in the browser--even if the user does not press the play button to start the video. After eight months, this cookie will be automatically deleted by the user's browser--unless, of course, the user visits another Web page somewhere else on the Internet containing a YouTube-embedded video, in which case, the eight-month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever.
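One way to run this kind of check against response headers recorded during a page load, as an added example rather than the tooling used for the tests above: it flags cookies with a lifetime that arrive from a host other than the site being visited. The hosts, cookie names and values in the sample capture are constructed.

```javascript
// Added example: flag persistent third-party cookies set while a page loads.
const DAY_MS = 24 * 60 * 60 * 1000;

// Parse one Set-Cookie header. lifetimeDays === null means a session cookie.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), lifetimeDays: null };
  let sawMaxAge = false;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'max-age' && /^-?\d+$/.test(val)) {
      cookie.lifetimeDays = Number(val) / 86400; // Max-Age takes precedence
      sawMaxAge = true;
    } else if (key === 'expires' && !sawMaxAge) {
      const t = Date.parse(val);
      if (!Number.isNaN(t)) cookie.lifetimeDays = (t - now) / DAY_MS;
    }
  }
  return cookie;
}

// Simplification: a host is first-party if it is the site domain or one of
// its subdomains. A production check would use the Public Suffix List.
function isThirdParty(host, siteDomain) {
  host = host.toLowerCase();
  return host !== siteDomain && !host.endsWith('.' + siteDomain);
}

// responses: [{ url, setCookie: [header, ...] }] recorded during one page load.
function auditPageLoad(siteDomain, responses, now) {
  const findings = [];
  for (const { url, setCookie = [] } of responses) {
    const host = new URL(url).hostname;
    if (!isThirdParty(host, siteDomain)) continue;
    for (const header of setCookie) {
      const c = parseSetCookie(header, now);
      if (c.lifetimeDays !== null && c.lifetimeDays > 0) {
        findings.push({ host, name: c.name, lifetimeDays: Math.round(c.lifetimeDays) });
      }
    }
  }
  return findings;
}

// Constructed capture: a blog page embedding a player from another host.
// No play button was clicked; these are the requests made on page load alone.
const NOW = Date.UTC(2009, 0, 22);
const SAMPLE_LOAD = [
  { url: 'https://www.agency.example/blog/', setCookie: ['session=1; Path=/'] },
  { url: 'https://video.example/player.swf', setCookie: [
    'visitor=Zm9v; Domain=.video.example; Path=/; Expires=Tue, 22 Sep 2009 00:00:00 GMT',
    'prefs=hd; Path=/',
  ] },
];

function sampleFindings() {
  return auditPageLoad('agency.example', SAMPLE_LOAD, NOW);
}
console.log(sampleFindings());
```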

While it is obvious that I am rather critical of this entire affair, I am willing to give the Obama Web team the benefit of the doubt in one area: the fact that their current Web infrastructure does not deliver on the promises made by their privacy policy.

The Obama White House Web site is only two days old, and so it is certainly possible that the team simply hasn't gotten around to deploying a more privacy-preserving system for YouTube video embeds. Protecting users who do not click "play" from automatically receiving a cookie is certainly possible; the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided this very feature. Let us hope that the Obama team deploys such a technology in due course.
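The click-to-load approach described above, as an added example; it is not the EFF script or the White House's code. The `deferred-video` class, the `data-embed-src` attribute and the `video.example` host are assumptions, and the player is inserted as an iframe rather than a Flash object.

```javascript
// Added example: click-to-load placeholder for a third-party video embed.
// Assumed markup (hypothetical class and attribute names):
//   <a class="deferred-video" href="/media/address.mp4"
//      data-embed-src="https://video.example/embed/abc123">Play video</a>
// The href is a first-party download link, so the page still works without
// script, and no request reaches the video host until the visitor clicks.

const ALLOWED_EMBED_HOSTS = new Set(['video.example']); // constructed host

// Swap one placeholder for the real player. Returns the new iframe, or null
// if the embed URL is not https on an allow-listed host.
function activate(doc, placeholder) {
  let url;
  try {
    url = new URL(placeholder.getAttribute('data-embed-src'));
  } catch (e) {
    return null;
  }
  if (url.protocol !== 'https:' || !ALLOWED_EMBED_HOSTS.has(url.hostname)) {
    return null;
  }
  const frame = doc.createElement('iframe');
  frame.setAttribute('src', url.href);
  frame.setAttribute('title', 'Embedded video');
  frame.setAttribute('referrerpolicy', 'no-referrer');
  placeholder.replaceWith(frame);
  return frame;
}

// Attach click handlers; returns how many placeholders were wired up.
function deferEmbeds(doc) {
  const placeholders = Array.from(doc.querySelectorAll('a.deferred-video'));
  for (const placeholder of placeholders) {
    placeholder.addEventListener('click', (event) => {
      // Keep the download link as the fallback if the embed is rejected.
      if (activate(doc, placeholder)) event.preventDefault();
    });
  }
  return placeholders.length;
}

if (typeof document !== 'undefined') deferEmbeds(document);
```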

Can YouTube be justified as a "compelling need"?
For the past 10 years, federal agencies have been prohibited from using tracking cookies on their Web sites, except in a few special cases. The Office of Management and Budget rule M-03-22 states that:

"Agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except .... [when there is] a compelling need."

The question we must now focus on is this: Is the need for Obama to use embedded videos hosted by YouTube (and not, say, another company's video-streaming platform that does not force cookies upon its users) a use that can be reasonably described as compelling?

Presumably, this has been justified on the basis that YouTube forces cookies on the visitors of any Web site that embeds one of its videos. However, while Joe or Jane blogger has no bargaining power with YouTube/Google, the federal government certainly does.

In just the past couple weeks, YouTube has launched dedicated pages for both the House and Senate to show off their own videos, and the site also recently started allowing users to directly download copies of some videos. This latter feature has not yet been widely deployed across the site, and it seems to be limited to videos posted by Obama's team.

Given the famously close connections between Obama and Google, you'd think his tech team could negotiate for a cookie-less way to embed videos. At a technical level, this would be an easy enough change, even if it would deny Google the ability to collect even more information on millions of Americans.

Cookies and other federal agencies
Finally, the new White House YouTube rule may have a far broader impact on the way that federal agencies use Web 2.0 content. Simply put, if another federal agency embeds a YouTube video in its Web site without first having the agency's legal team issue a waiver, have federal rules been violated?

Up until this week, federal agencies have been free to embed Web 2.0 content in their own sites without any real need to consider the privacy risks posed to end users. The fact that the White House Counsel has felt it necessary to issue such a waiver for YouTube videos appearing on the White House Web page could be reasonably interpreted to mean that such a waiver is now required for all embedded Web 2.0 content that might force cookies upon end users. This is certainly new legal ground.

Consider, for example, the Transportation Security Administration, which has posted YouTube videos to its blog numerous times over the past year. Its privacy policy makes no mention of YouTube cookies. Could this lead to issues for the TSA Web team, or perhaps even congressional investigations? Given my own history with TSA, I certainly hope so.

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society, and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/. He is a member of the CNET Blog Network, and is not an employee of CNET. Disclosure.
15 Comments
by RUExperienced January 22, 2009 8:36 AM PST
A decade ago I worked for an analytical company that worked with cookies. After the day I started and was shown how the software worked by the developers I locked out cookies from all my browsers! With the common knowledge today about cookies I am surprised anyone allows them blindly anymore. Now I realize some sites require cookies to login, hence why I use multiple browsers. Protect your privacy and block all cookies!
by BIGELLOW January 22, 2009 9:41 AM PST
This is old news, covered on several different occasions by different end-of-world theorists throughout the years of the existence of the White House website.

The reason YouTube is exempted from this policy is because it is a third-party site. The no-cookies rule has only ever applied to the White House website itself. It just happens that we have reached an age where streaming video is becoming popular and it is more expensive to set up servers to stream video than it is to just host the video on a third-party site like YouTube. Given this, it means that the White House website has to rely on a third-party site to perform this action (of streaming video,) so this has become a more prominent issue.

The reality is, there is not much difference between someone going to the White House website and watching a video... or going to YouTube and performing a search for "Obama" or "white house". The fact that the government chooses not to use persistent cookies on government sites has nothing to do with whether or not commercial sites are allowed to use persistent cookies on their own sites. If the White House site had to rely on additional third-party commercial websites to function, those sites would also be exempted from the rule... which, again, only applies to government websites, not every third-party commercial entity the government happens to do business with.
by Daniel_Brandt January 22, 2009 10:15 AM PST
Chris, you make it sound like it's only the YouTube cookies at issue. Do you realize that when you click to watch any YouTube video anywhere on the web, whether it's at the White House site or YouTube.com itself, about ten seconds into the video, the Flash code driving the video phones home to Google. It offers up the famous Google.com persistent cookie if you already have one, or plants one if you don't. This is the cookie with the globally-unique ID that used to expire in 2038, but now it ostensibly expires in two years. Of course, it doesn't really expire in two years, because every time you visit any Google site it pushes the expiration date two years ahead.

The GET request from the Flash code to Google.com includes the page URL and the YouTube video ID, and of course, the IP address (which can be geolocated), and the Google cookie with its own ID, and it all gets logged with a date and time stamp.

I'll bet the White House cut a deal with Eric Schmidt to get access to Google's stats on White House video traffic. That sucks -- not because the White House shouldn't have anonymized stats on their own site, but because Google shouldn't have those stats themselves. Google doesn't properly anonymize its data. How else do you explain this compromise of Clinton's executive order that was issued in 2000? The White House is just lazy -- they certainly have the resources to offer videos without tracking those who choose to view the videos.
by ZetaZeta_ January 22, 2009 11:36 AM PST
Basic setting in all browsers: "Block all cookies." This isn't really a big issue. There's also in-private/incognito/stealther, as well as simply clearing your browsing history every so often.

If users can't do that, then (opinion:) they probably wouldn't care less about what a website stores on their PC.
by dbroham January 22, 2009 12:05 PM PST
yawn...YouTube jealousy.
by webemma January 22, 2009 12:39 PM PST
Look at it from a different perspective. Should the federal government be building out an expensive infrastructure to do video, when it's available as a commodity, for free? When youtube provides the bandwidth, which otherwise can get quite expensive? How much IT should government have to recreate, instead of focusing on core service to citizens? How much should they spend on IT to reinvent the wheel?

The cookies issue is way overblown.
by rfreedmancnet January 22, 2009 2:03 PM PST
Yes.

If the federal government is going to make a habit of posting videos for consumption by the public, then it should have the infrastructure to host them. I am incensed that YouTube (or any private company) makes a profit of any sort when I choose to communicate with my government.

I think that it would be fine for the government to procure such a system from, say, YouTube (Google), as long as it is a separate system, and there is no direct profit tied to a citizen watching a video.

I am (was) a big Obama supporter, but I'm saddened and dismayed by this behavior.
by Pete Bardo January 22, 2009 3:17 PM PST
rfreedmancnet,

Someone almost always makes money when you communicate with your government. If you phone in, if you email, if you snail mail or even show up in person, someone is going to get paid along the way. Are you suggesting that the data YouTube collects amounts to profits? I'm not so sure about that. Is YouTube also displaying its own ads when you play a video from BO?

This could very well be a privacy issue--I'm not so sure about that either--but it's hardly an issue of YouTube making profits from this. BTW, has YouTube actually made a profit from anything yet?
by digitalshaman January 22, 2009 3:51 PM PST
how uninformed ...

there is an alternative internet that is constantly being built out ... the "internet" is a network of networks; but, many of these inter-nets are not shared nor is any "persistent" unique identifier deployed ...

any interactions with the "state" should include respect for the First Amendment, in any IT infrastructure, built or repurposed, period.

you think providing IT is "free" ... uh-huh ... well, give me some of that Google upside if my unique ID is being used for profit seeking purposes.

and if we cannot agree on a balance between privacy & piracy let alone technical incompetence by our citizens, yes, please explain the concept "focusing on core service to citizens"?

fwiw, here is my belief - the "core service of the US Government is to uphold the Constitution" & the rule of the law it has shaped since it was ratified over 200 years ago.

PS honestly, reminds me of a sign at many Florida marina-bars _ "free beer on tap - tomorrow" - i want transparency, now
by hhs2112 January 23, 2009 9:37 AM PST
Pete_Bardo - yes, you're correct in that when I communicate with the government someone is making money. The difference here is the government is funneling business to a SOLE supplier. If I call the government I pay the phone company of MY choice, not one dictated by the administration. For your analogy to be accurate the government would have to mandate that only calls from a specific vendor, AT&T for example, are accepted and all calls originating from other suppliers are to be blocked. Or, to continue with your analogy, that all citizens arriving in person must use Joe's Cab Company or all mail must be sent via FedEx.

I'm a big Obama fan and supporter but this is just wrong! If the White House wants to stream videos they need to set up the infrastructure to allow them to do so and not funnel money to Google, who, as we all know, have been called out time and time again by privacy advocates.

Hell, if cost cutting is your big concern why not move all government email to Hotmail, document creation to Google docs, and file storage to Live Mesh? Imagine the bundle we'd save?
by LaCatin January 22, 2009 4:22 PM PST
Wow. Big Brother has arrived. His name is You Tube.
by n3td3v January 22, 2009 9:44 PM PST
White House + NSA + YouTube + Google = New World Order
by testeddoughnut January 23, 2009 2:41 AM PST
It's ok, guys. You can take off your tin-foil hats. I agree, this is a breach of privacy, but some of these comments blow this way out of proportion. If you're concerned about your privacy, block cookies. No matter how much you complain, Google will still push the envelope for information. I mean, remember the outcry that gmail caused a few years ago? It's their business, and they do quite a few good things with the seemingly meaningless information that they collect.
by hhs2112 January 23, 2009 9:40 AM PST
Just curious, what "good things" has google done with the information they collect?
by privacydude January 23, 2009 1:59 PM PST
Remember, cookies aren't forbidden, simply their use by the executive branch for the limited purpose of tracking visitors (note cookies may have other purposes). Assuming the cookie is scoped to a Google owned and controlled domain, then the government would not be receiving this information. Given that they are not receiving it, it would be difficult to then argue that they were using it "to track visitors' activity on the Internet". I don't think Google would be seen as acting as an agent of the government, and it appears to me that the memo is silent on enabling others to do this for their own purposes. Maybe time for another redraft.