Cookies Letter, 07-28-00

July 28, 2000

Mr. John T. Spotila
Chair, CIO Council
Office of Information and Regulatory Affairs
Room 350
Old Executive Office Building
Washington, DC 20503

Reference: Memorandum on Privacy Policies and Data Collection on Federal Web Sites

Dear Mr. Spotila:

As Chairman of the federal Chief Information Officers (CIO) Council subcommittee on Privacy, I strongly support the increased focus on federal web site privacy protections expressed in the referenced memorandum from Jacob Lew, and the goal that there should be a presumption against the tracking of personal information provided as a result of interacting with a federal web site. I have solicited comments from my colleagues on the CIO Council and the privacy subcommittee, and have found general, widespread support for this increased focus.

In implementing the policies expressed in your memorandum, CIOs will have to make several technical choices, as detailed herein. We would like to recommend specific choices be made in two areas.

First, the term "cookie" currently covers a very wide array of techniques used to track information about web-site usage. As the memorandum makes clear, "Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites." The technical term for cookies of this kind is "persistent" cookies. The most common use of persistent cookies is to retain and correlate information about users between sessions.

Unfortunately, the term "cookie" is also commonly used to describe place-keepers used to retain context during an individual user session ("session cookies"). Because the web is based on a "stateless" system (i.e., session context is not retained on the host system), the place-keeper technology is used to simulate session context. Without this technology, true electronic commerce applications, including electronic signatures, would be cumbersome or impossible, as a user would need to provide complete selection or authentication information on every screen submitted. This would impede our progress towards our electronic government goals without an appreciable gain in privacy protection.

Clearly, Mr. Lew's memorandum refers to cookies used to track and retain personal information. We recommend that session cookies, which are discarded on completion of a session or expire based on a short time frame and are not used to track personal information, not be subject to the requirements of the memorandum. The use of these cookies should, however, continue to be disclosed in the privacy statement for the web site.
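The distinction the letter draws, between session cookies that carry no expiry and persistent cookies that outlive the session, can be checked mechanically against the Set-Cookie headers a site sends. The following Python is an added example, not part of the letter or any agency's code; it assumes a 24-hour threshold for "a short time frame", and the sample headers are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

LETTER_DATE = datetime(2000, 7, 28, tzinfo=timezone.utc)   # reference "now" for the sample
SHORT_LIFETIME = timedelta(hours=24)   # assumed meaning of "a short time frame"

def classify_set_cookie(header_value, now, short_lifetime=SHORT_LIFETIME):
    """Return (name, kind): 'session' (no Expires/Max-Age, dropped when the
    browser closes), 'short-lived' (expires within short_lifetime),
    'persistent' (outlives it) or 'deleted' (already expired)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "max-age" and val.lstrip("-").isdigit():
            max_age = int(val)
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(val)
            except (TypeError, ValueError):
                pass  # unparseable date: browsers treat it as a session cookie
    if max_age is not None:             # Max-Age wins over Expires (RFC 6265)
        lifetime = timedelta(seconds=max_age)
    elif expires is not None:
        if expires.tzinfo is None:      # treat a naive date as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - now
    else:
        return name, "session"
    if lifetime <= timedelta(0):
        return name, "deleted"
    if lifetime <= short_lifetime:
        return name, "short-lived"
    return name, "persistent"

def audit_cookies(set_cookie_headers, now=LETTER_DATE):
    """Names of the cookies that fall under the memorandum, i.e. persistent ones."""
    kinds = (classify_set_cookie(h, now) for h in set_cookie_headers)
    return [name for name, kind in kinds if kind == "persistent"]

# Constructed sample headers, as a federal site of the period might send them.
SAMPLE_HEADERS = [
    "ASPSESSIONIDQQGGQG=abc123; Path=/",                             # session
    "cart=42; Max-Age=1800; Path=/shop",                             # short-lived
    "visitor=7f3a; Expires=Wed, 28 Jul 2010 00:00:00 GMT; Path=/",  # persistent
    "old=1; Max-Age=0",                                              # deleted
]
```

Only the cookies reported by `audit_cookies` would need the department-head approval described later in the letter; session and short-lived cookies would still be listed in the site's privacy statement.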

Second, the policies in the memorandum should apply only to web sites used for public interaction (i.e., on the Internet). We recommend that web sites serving internal users (i.e., accessible only from a government Intranet) not be subject to the requirements of your memorandum. Intranets are, by definition, used by internal, authorized users only, and should be governed by the existing rules for employee communications tools such as e-mail and telephones.

In light of the first two items, we strongly support the requirement that the use of any technology, including persistent cookies, to track the activities of users on web sites be approved personally by the head of the executive department (for the 14 executive departments) or agency.

As we make progress towards electronic government, personalization of web sites, typically done through persistent cookies, may become necessary in order to serve our customers' requirements. At that time, it would be appropriate for OMB to review the "no delegation" policy in light of the then-current "state-of-the-art" in privacy protections. For example, OMB may decide to relax this policy when customers are given a choice of selecting either a personalized (i.e., with persistent cookie) or non-personalized (no persistent cookie) web experience.

Working together, OMB and agency CIOs have made significant progress in the implementation of privacy protections on federal web sites during the past year. In particular, we have greatly increased the focus on establishing and publishing privacy policies on web sites, to the point that the federal government clearly leads the way in this important area.

I look forward to working with you and your team as we continue to work to provide the public with easy access to systems that they can trust.
Roger W. Baker
CIO, Department of Commerce
Security, Privacy, and Critical Infrastructure Committee

cc: Robert L. Mallet
Sally Katzen
Peter Swire
Dan Chenok
Jim Flyzik
John Gilligan
Fernando Burbano