Government Proposes Massive Shift In Online Privacy Policy (Serious Threat To Personal Info)

Source: ACLU

Government Proposes Massive Shift In Online Privacy Policy (8/10/2009)

Changes Would Pose Serious Threat To Americans’ Personal Information, Says ACLU

FOR IMMEDIATE RELEASE
CONTACT: (202) 675-2312; media@dcaclu.org

WASHINGTON – The American Civil Liberties Union submitted comments today to the Office of Management and Budget (OMB) opposing its recent proposal to reverse current federal policy and allow the use of web tracking technologies, like cookies, on federal government websites. Cookies can be used to track an Internet user’s every click and are often linked across multiple websites; they frequently identify particular people.

Since 2000, it has been the policy of the federal government not to use such technology. But the OMB is now seeking to change that policy and is considering the use of cookies for tracking web visitors across multiple sessions and storing their unique preferences and surfing habits. Though this is a major shift in policy, the announcement of this program consists of only a single page from the federal register that contains almost no detail.

“This is a sea change in government privacy policy,” said Michael Macleod-Ball, Acting Director of the ACLU Washington Legislative Office. “Without explaining this reversal of policy, the OMB is seeking to allow the mass collection of personal information of every user of a federal government website. Until the OMB answers the multitude of questions surrounding this policy shift, we will continue to raise our strenuous objections.”

The use of cookies allows a website to differentiate between users and build a database of each user’s viewing habits and the information they share with the site. Since web surfers frequently share information like their name or email address (if they’ve signed up for a service) or search request terms, the use of cookies frequently allows a user’s identity and web surfing habits to be linked. In addition, websites can allow third parties, such as advertisers, to also place cookies on a user’s computer.

Read more: http://www.aclu.org/privacy/gen/40662prs20090810.html

I thought we were past this bullshit fear of cookies, but I guess not. The government can already track where many internet users go by commingling their server logs and searching on IP addresses. Modern web browsers allow users to set privacy settings which can block permanent cookies. Firefox and IE 8 both have a "porn mode" that will delete everything (cookies, history, cache, etc) from a browsing session.

tailored to the un-informned to raise fears of the Government "bogeyman" out to spy on your every move...

Great point High Density.

All this stuff can already be done.

you beat me to it. as a web developer, it makes me laugh.

Lol.

Are they fucking serious? Warrant-less wiretapping is a big deal, but this is NOT.

The ACLU does good work, but it is also clearly well populated with people who don't know how to computar.

The idea that cookies are some privacy nightmare that will steal your personal info, provide your bank data to thieves, let people follow you around the Internet, and unmask your affairs for the world to see were debunked a DECADE ago. I can't believe we're still rehashing this same debate in 2009.

There is no anonymity on the Internet. When you connect to a website, your origination data is logged whether that site uses cookies or not. If they want to track you as you use their site, all they need is a freeware log parser. If they want data on your computer, they merely need to embed a script in their pages. Cookies provide no data that can't also be uncovered through other means, without a warrant.

What cookies do permit is user personalization, which is almost standard fare in the modern Web 2.0 days of blogs, tweets, and forums. Without cookies, these things don't work right (without cookies, there would be no DU). Removing these restrictions permits the government to join us in the 21st century online.

On edit: Guess I wasn't the first after all!

Can you rectify these two claims:

"Cookies provide no data that can't also be uncovered through other means"

and

"What cookies do permit is user personalization"

If they don't need cookies to "know who I am" so to speak (or keep track of me apart from all the other visitors) they why do they need cookies to "personalize" the website?

IP: When you connect to a government site, right now, that site will record that 10.20.20.156 (your ip address) visited and viewed page X. If you click a link and visit page Y, it will do the same thing. Now, let's say you want to personalize your information (or simply have the site remember a password so you don't have to type in in every time). Their site can now record, in a database, that the username and password for 10.20.20.156 is "obamanow" and "iluvfuzzykitties9". When 10.20.20.156 is detected on the network again, they can automatically log that person in, put their favorite links on the homepage, or perform whatever other types of personalization that person wanted.

Just one problem. Your IP address belongs to your internet provider, and they change it fairly often. Today it works, tomorrow you'll have to log in again. Even worse, the guy who gets assigned 10.20.20.156 tomorrow now has access to all of your stuff without logging in. Epic security FAIL.

Cookies: A cookie merely assigns you a slightly more permanent address. Instead of being 10.20.20.156, you're now d68fhh9dds35h9ured65jku9, and that address is stored on your computer. The cookie cannot log what pages you visit, it can't "track you around the Internet", and it can't spy on you for the government. When user d68fhh9dds35h9ured65jku9 comes back to the site, their servers can react the same way they would have if you'd simply been user 10.20.20.156. Only now, they don't have to worry about giving your personalizations to the wrong person. This is why Democratic Underground and just about every other site on the Internet uses cookies.

The reality here, however, is that user activity tracking is done using server side logging that is perfectly legal and which happens today. If you log-in to a website at all, there is no security risk from cookies because you're already giving them all of the "tracking" information that a cookie might provide anyway. IF DU were to completely disable cookies right now, they could still determine every post you've looked at and replied to by simply examining their database logs. The difference would simply be that you'd have to log in again, over and over, to use the site.

As I said, cookies provide nothing that isn't already available to the government, it just makes things a little easier to implement techically. Many people argue that cookieless sites actually divulge MORE information, because any customizations require a post back to the server, which can then record exactly what you're doing. By using cookies, those customizations don't occur until after the page is sent to your computer, which reduces the servers ability to see exactly what you're doing with it.

... that very few people have static IP addresses. So how does loggint things by IP do anything?

IPs are still useful for any number of reasons (they're still fairly tied to a single area geographically, for instance), but they aren't great for letting individual users identify themselves to servers. It's also good enough for most security purposes - if you're getting attacks from a given IP, or if you know a specific mail server's spewing out a constant deluge of spam, it's specific enough to block or complain about, for instance. What they aren't good enough for is knowing that, when I load up DU or any number of other sites, that I'm me; as long as I'm on my physical computer I'm good for that, even if my IP is changing all over the place.

The current IP system is gloriously broken; that's why the whole ipv6 thing (which is erring far into the side of insane excess to make sure we don't run out of numbers) has been in the works for the last several years.

So you're saying that an IP address is relatively useless of identifying me as an individual. So when I anonymously log into a government server, as long as I don't give it personal information, it doesn't know who I am, nor able to coordinate it with past or future activities of mine.

Your DU example is classic. I frequently read, and surf, DU without logging in. I only log in if I want to post something or use other features. So without cookies, does DU know it's "me"? Is the whole point of cookies that it uniquely identifies me AS me so that it can be coordinated with past and future activities (apparently even within a session because I typically work with cookies blocked and the result is I get the same repeated commercials and popups and various other attempts to engage me during surfing.) Furthermore, depending upon how my accounts are set up, and maybe how my wives are set up, the cookies are visible to more than just the guy that put them there, no?

The concern here is that the government is looking to track everything I do when I move into "government space". These are the guys that wanted to do data mining. You are suggesting that cookies provide them no additional tools to identify my access to government sites, even when I provide no other personal information. (and yes, I understand I can "clean" out my cookie file at various different times of my choosing).

Thanks for that response.

To clarify a bit: as a government webmaster and app developer, I can already use cookies, but they have to expire at the end of the session.

We're prohibited from setting permanent cookies, though. I'm assuming this new change being debated by OPM would remove that restriction.

About the only thing I can see it affecting in my apps would be that I can now add auto-login functionality (i.e. the "remember me" checkbox). It certainly won't expose any more information about the website visitor.. and I agree with the above posts that this entire subject brings back bad memories of the 90's and all the cookie paranoia.

IMO, the ACLU is wasting their efforts with this one.

... with what Zappos does with my credit card info, than what the government does with... well... my cookies.

The federal government already has a shit ton of my private info.
Like, more than anybody or anything.
While I don't want John Negroponte watching me skip around the web, it's not like he can't do that already.

(this was not meant to pick on Zappos. they just happened to be the last place I bought from on-line.)

that keeps government in the dark ages.

Ebay can track you with a cookie, why not the government.

Stupid PANIC driven article.

or lack of gov. tracking cookies? (technically, it was constant invasions by Moroccans, Norwegians, Hungarians, &c.)

noted that the U.S. government (under both Republicans and "moderate" Democrats) was consistently increasing the punitive and invasive aspects of government (prisons, domestic spying) and cutting back on the beneficial aspects ( public infrastructure, social safety net).

Given those circumstances, it was easy for the economic libertarians to get people riled up against "the government."

of their own government. Excuse me. We should be snooping on the government. The government should not be snooping on us without obtaining warrants. This may or may not be a Fourth Amendment issue depending on what is really being proposed. But I do not want my government collecting information on me in this way. When, why, where, how and whether I go to a government website for information is not the government's business. Not unless I do something illegal while on the website. And I wouldn't want to do anything illegal while on a government website and wouldn't know how to do anything illegal while on a government website even if I did want to.

Trust the wanker, since he's at least clued enough to have known what cookies were before August of 2009 (which the ACLU doesn't seem to anyway, given their hysterical description of them).

Bush did this shit and I didn't like it and I don't like it now either.

This is a completely normal thing that every website and company does. Not saying I want the goverment to do this also.. but having this come up now just means we have more junk to distact the press and idiots from the real problems.

Deeds speak louder than words, and right now the deeds of the Obama Administration on civil liberties are raising all sorts of alarms.

I'm assuming not - anyone who did would consider this an absolute non-issue.

As does anything else that requires a login or allows you to customize any aspect of it. Calm down. This is a complete non-story.

Why worry . . . ?

I will plead guilty and pay the fine.

it sounds like they are planning to make a large comprehensive history log which stores all the information (probably years or decades) of exchanges. After all they have all this money, time combined with new, cheap, fast technology they don't know what to with. They also have people with years and years of experience in this line of work still there. So wake the bleep up, what else do you think they would be trying do, it's really just simple math :shrug:




On edit, they probably already are doing this, but this just a blurb to push it over the top while everybody else is excited about other things like health care :think:

I guess they don't realize that Cookies are a requirement if you are going to have any sort of online application, but I guess they like filling out a 30 line form over and over again.

If they are so worried, then lets makes sure we are obfuscating IP addresses as well. Sheesh, why do all the people that bring up these complaints have to do so before they actually consult an engineer that understands the current state of the art in the Internet and Web?

That's a shocker to me.

I imagine Alcoholics Anonymous seems disinterested in architecture, or that Americans United For Seperation of Church And State doesn't hold an official opinion on Microsoft's business practices, too.

And that every man, woman and child gets to be Guinea Pigs without their knowledge. I doubt that Microsoft Word will cause Parkinsons disease, or help create a new strain of dangerous, antibiotic resistant CDiff.

Thats ok, for the lemmings that don't understand the implications of GMO food, what they don't know, can't hurt the BioTech industry, can it?

Well Played Monsanto Fanboy, Well Played indeed

implying the government using cookies as a massive threat to civil liberties couldn't be seen as an overreaction

Must Reboot...

?

And this proposed shift appears to do just that.

Thanks again, ACLU.

and this, although minor, looks a lot like a camel poking his nose under a tent flap.

It's a lot easier to lock the gate before the cattle have wandered out than chase them down afterward.

There is too much talk lately of government control. Its starting to freak me out a little. I thought the Republicants were tossed out in NOV?

Am I wrong is it possible that our party is supporting this kind of intrusion? I don't care if DU collects my data, or my bank but I do care if the federal government does its way too close to big brother for me.

I am 100 percent against government intrusion in my life. Remember our party may not be in control in the future and the zealots that get power may abuse things that may appear rational when normal people are in charge of the government.

I vote NO.

I allow session cookies, but never third party cookies. I don't like getting mixed up with advertisers. The government really has no use for cookies for regular visitors, and if they allow 3rd party, I won't let them in anyway.

"Opponents of the proposal point out that tracking cookies can be used not only to keep track of what an individual has done or seen on the website in question, but also to track what other websites that person has visited, and what personal information they have handed over to the website. Thus, it is often possible to identify a computer user based on data stored in tracking cookies."

http://rawstory.com/blog/2009/08/proposal-to-track-government-website-users/

Your IP address usually doesn't change that often when you're on a broadband connection.

If you enter your personal information then it should be no surprise that this information will be stored and tracked by the site in question. Your best bet from a privacy standpoint is not to hand over this information in the first place.

I think people complaining about cookies would be best off by donating their computer to a local Goodwill store and never going on the internet again.

:applause: :applause:

also check out TOR and Vidalia for privacy. Your ip is kept secret. Just because someone has been doing something for a long time doesn't make it right, it just means we're used to it. Which is very bad.

Got a Java JRE installed on your computer? Most people do. If so, I can put a client side script on a webpage that will open a Java socket back to my server when you view the page. That socket will open from your real IP address. At that point, I have your real IP and your fake Tor IP, so I can track you using the server connection logs alone.

Tor isn't a great idea anyway. A huge number of network admins block the Tor IP's and network completely because it's most commonly used by script kiddies and botnet operators. You'll be "private", but you'll rapidly find yourself locked out of many sites across the Internet. Depending on your ISP, you may also be violating their TOS and may find yourself blocked from the Internet completely.

With a proxy an unknown third party will intercept all of your data. That's a horrible situation to willingly put yourself in.

Click Safety and InPrivate browsing, and a new browser window will open. You can go anywhere and do anything you want in that browser window, just like any other. You can even get cookies. The difference is that, when you're done, the cookies, cache, and anything else that may have been planted get scrubbed off your computer. People worried about being "tracked" can use InPrivate without worry.

You can do the same thing with FF and other browsers, but it requires the installation of addons.

Thanks for that great tip for IE8. :hi:

As technology-illiterate as the Bush admin was, I'm willing to bet that certain organizations do this already.

All used hard drives are sent to the dept. of homeland security already.

Because all I am seeing here is an argument about cookies. Are you kidding me? Cookies? I have a website and I set cookies on anybody who comes to my site. I'm talking about a piss poor site, too. The kind of thing you can host on GoDaddy.com for $4 a month. When you are arguing that the government should have less power than a caregiver who knows a little PHP, you have screwed up. You're not talking about civil liberties anymore.

now maybe there is some deeper component here, but as somebody who looks at the tech, who looks at what does go on rather than what should, cookies on government websites is a joke, a non issue. If you don't like it go to hidemyass.com or any other proxy, and this will anonymize you...Or an even more radical idea, disable cookies on your browser.

I'm fucking sick of people griping about 1984 when the government does something that corporations do regularly. I heard recently of a case of internet records, where people freaked when they heard the government was tracking them, so the solution was to outsource it to a corporation that does the same thing, everybody sighed a big sigh of relief when that happened. Yet the difference between a corporation official with your records and a government official with your records is that the government official is voted in by you, the corporate official is not, does not answer to you in any way. So seriously, do something real or STFU ACLU.

As Mark Weisbrot wrote in a NY Times op-ed today, "President Obama has continued the Bush policies and in some cases has done worse."**


** http://www.commondreams.org/view/2009/08/11-9

It is exactly change you can believe in. Wow the government wants you to be able to customize your Web experience on their sites like every other freaking page on the internet. How bushian of them.

Do you have a brain? Can you think for yourself? Just curious.

I don't know why they think those are so much better than the normal browser cookie variety. They are definitely more hidden to the average user. At one point I tried disabling all Flash storage but that broke a few sites that assumed they could set Flash cookies.

https://addons.mozilla.org/en-US/firefox/addon/6623

Had it a couple months now and it has killed over 700 LSO cookies. It seems they are much more common than I had previously thought.

Frankly, I don't much care if the government (or another government Echeloning us) is watching me; I've always assumed they were whether they say so or not.

But private interests doing the same thing bothers me a lot for some reason. Tricking the cookies into sending random or corrupt information would probably be the best way to get them to stop, but I've tried random-browsing programs and they always wind up causing me problems.

WTF with this headline.