White House Web Site Revisits Privacy Policy

Staffers address privacy concerns after a 1-by-1-pixel image file loaded by Web page code for tracking purposes is revealed.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 23, 2009

10 Min Read
Dark Reading logo in a gray background | Dark Reading

With the Obama administration now in place, White House media staff has been reviewing the WhiteHouse.gov Web site this week to address issues raised by privacy advocates.

Embedded YouTube videos, which previously loaded and deposited a persistent third-party YouTube cookie in visitors' browsers automatically, have been moved behind an image of the video player that must be clicked to initiate loading. This addresses an inconsistency in the White House site's privacy policy, which stated that there was a way to view videos without receiving a persistent cookie.

The review could lead to changes in the site's privacy policy designed to clarify its privacy practices.

This action appears to be in keeping with a commitment to be responsive to community concerns. In the first blog post on the new WhiteHouse.gov on Tuesday, Macon Phillips, director of new media for the White House, solicited user input and said that "this online community will continue to be a work in progress as we develop new features and content for you."

Revamped on Tuesday, the new WhiteHouse.gov Web site immediately elicited criticism for transmitting data about its visitors to WebTrends, a Web analytics company, without adequate disclosure.

On the Interesting People e-mail list, maintained by Carnegie Mellon computer science professor David Farber, Karl Auerbach, CTO of at InterWorking Labs and an attorney, warned Tuesday that the WhiteHouse.gov site contains a Web bug.

A Web bug, also known as a Web beacon by those who prefer terminology less suggestive of surveillance (WebTrends uses "Clear GIF"), is a file loaded by Web page code for tracking purposes. It often comes in the form of a 1-pixel-by-1-pixel image file, which is too small to be noticed but nonetheless registers in server logs like any other file.

The Web bug on the WhiteHouse.gov home page is fetched by JavaScript code -- called via the script at www.whitehouse.gov/includes/webtrends.js or through the URL enclosed in [noscript] tags -- that collects data about the visitor's computer configuration and packs that information into the URL used to request the Web bug.

Thus, in the process of receiving the remote request from WhiteHouse.gov to serve a 1-by-1-pixel graphic, WebTrends also receives certain details about those visiting the White House Web site.

Auerbach observed in an e-mail that while he recognized some of the data requested -- his screen resolution and whether he had Microsoft Silverlight installed -- the other data gathered by WebTrends was unclear.

In a separate e-mail message sent to Farber's list, Steven Champeon, CTO of Hesketh.com, deciphered the WebTrends JavaScript. The script sends more than two dozen system configuration details, including the referring URL that brought the user to the WhiteHouse.gov site; the ID of any WebTrends cookie already installed on the visitor's system; the language the browser is set to; time since last visit; current time; and whether Java, Flash, and Silverlight are installed.

Champeon also observed that if the user's browser has a query box, the WebTrends JavaScript will include any text in the box. At least in Firefox 3, queries typed into the query box are retained. That means a search conducted through one's browser query box prior to visiting the White House site would be transmitted to WebTrends. While searches generally aren't considered to be personal information, they can be, as the AOL search data fiasco in 2006 demonstrated.

Jascha Kaykas-Wolff, VP of marketing at WebTrends, explained that the client determines whether search information is tracked for site analysis purposes and that it's useful data for Web site managers who want to figure out what content site users are looking for.

People differ about whether using JavaScript this way is a security risk. "It's not a particularly safe practice or good for privacy, although most major sites still do it anyway, using WebTrends, Omniture, or Google Analytics," said Robert Hansen, CEO of security consultancy SecTheory, in an e-mail.

"We pay very close attention to [JavaScript issues] because it's very important to us from a privacy and security perspective," said Eric Butler, director of engineering at WebTrends. "This is stuff that has been vetted by security and privacy folks on a continuous basis. We feel pretty confident we're within industry standards." He added that WebTrends has deliberately not obfuscated its code so that people can read it.

Champeon said that the White House should acknowledge what's going on more thoroughly in its privacy policy, but doesn't see a significant problem, with the possible exception of the WebTrends code that is able to access a site visitor's query box.

Auerbach's concern has to do with the government's responsibilities under the Privacy Act. "WebTrends gets to see this [data], to keep it, to aggregate and cross-link it with other data, and to sell it to others, with no visible constraint from the WhiteHouse.gov privacy policy," he said.

WebTrends insists this isn't the case. "Our customers own their data," said Eric Butler, director of engineering at WebTrends. "We do not have any rights outside of the rights that they give us to store and maintain the data for us. It's truly an extension of their organization and ownership of the data. The data is stored in a Tier 4, very secure data center. And the only thing that the customer does is access it through our secure reporting interface and product to gain insight into their data."

Auerbach questions that assertion. "I would suggest that since the collection, aggregation, and conveyance of the data to WebTrends is from the user's computer and not from WhiteHouse.gov that a very strong argument can be made that the data belongs to the user, not WhiteHouse.gov," he said in an e-mail. "If they are, to take the other road, asserting that WhiteHouse.gov owns the data, then we must then recognize that since WhiteHouse.gov is a U.S. federal government entity, [the data] may be governed by the Privacy Act of 1974 and other applicable privacy laws. And those laws constrain the dissemination of government data to private companies unless those companies undertake the same limitations that are imposed upon the government." Critical to this discussion is whether the data collected qualifies as "personally identifiable information," which is regulated.

Auerbach concedes that the data sent to WebTrends may not be clearly categorizable as "personally identifiable information." But he argues that the Privacy Act needs to be amended to account for advances in the science of data aggregation and linking that allow nonpersonal information to be turned into personally identifiable data.

A spokesperson for the White House media team wasn't immediately available for comment.

The WhiteHouse.gov privacy policy states that the site logs the IP addresses of visitors and aggregate page hits to find out which pages are popular. "We do not gather, request, record, require, collect or track any Internet users' personal information through these processes," it says.

The privacy policy explains that the site uses session cookies, which disappear after a short period or when the user closes his or her browser, as allowed by federal guidelines. Those guidelines also allow for the use of persistent cookies if there is a compelling need, provided the agency's privacy policy discloses the nature of any information collection and its purpose.

The WhiteHouse.gov privacy policy states that it allows YouTube to set a third-party persistent cookie. "This persistent cookie is used by YouTube to help maintain the integrity of video statistics," the site's privacy policy explains. "A waiver has been issued by the White House Counsel's Office to allow for the use of this persistent cookie."

Writing in reference to reports that members of Congress are getting their own YouTube channels, Columbia computer science professor Steven Bellovin criticized the government's use of YouTube as a serious privacy risk.

"YouTube is, of course, a private company owned by Google," he said. "As such, it is not particularly constrained by (U.S.) privacy law. It can and does deposit cookies. ... [From visiting the House site], I ended up with cookies from YouTube, Google, and DoubleClick, another Google subsidiary. Why should Google know which members of Congress I'm interested in? Do they plan to correlate political viewing preferences with, say, searches I do on guns, hybrid cars, religion, privacy, etc.?"

Any such risk, of course, extends to WhiteHouse.gov's use of YouTube as well, though in granting YouTube a waiver from privacy rules, the White House Counsel's Office appears to believe that the benefits of having free video hosting through YouTube outweigh potential privacy drawbacks.

In a blog post on Thursday, Bellovin said that, "[R]ather than solving the [privacy problem posed by cookies], the new White House privacy policy defines it out of existence."

Writing for the CNET blog network on Thursday, Christopher Soghoian also took issue with YouTube's exemption and said that the White House isn't living up to its privacy policy because there's no option to view videos without receiving a persistent cookie, despite the policy's assertion to the contrary. Changes made to the White House site later that day at least in part addressed his complaint. But the issue of cookies remains a complicated one. For instance, the WhiteHouse.gov privacy policy states, "You can remove or block cookies by changing the settings of your browser." But video sites that make use of Adobe Flash may deposited Flash Cookies, which aren't as easily accessed or deleted as standard HTTP cookies.

The White House Web site privacy policy acknowledges that the site collects some browser information and uses Web analytics, but it does not discuss WebTrends' role, responsibilities, or limitations.

A spokesperson for the White House media team wasn't available to discuss whether WebTrends' use of a Web bug, or beacon, might violate OMB guidelines. Those guidelines that state "agencies are prohibited from using persistent cookies or any other means (e.g., Web beacons) to track visitors' activity on the Internet [with certain exceptions]." (Those guidelines, coincidentally, can no longer be found at the URL on the White House site where they used to be.)

YouTube has been granted an exemption; WebTrends maintains its activities are innocuous and permissible under current guidelines. The question then is whether WebTrends tracking data qualifies as personal, whether there's a compelling need for WebTrends' analytics, and whether the current privacy policy adequately discloses what's going on.

More broadly, the incoming administration should consider whether it, like previous administrations, wants outsourcing to serve as the universal solvent for federal legal restraints. At the same time, it may be worth revisiting federal guidelines about online privacy practices, given that technology has changed in the years since those guidelines were written.

Auerbach worries that as budgets remain tight, the government will be increasingly willing to outsource technical functions to companies like Google or WebTrends that may be tempted to mine government data.

"It doesn't take much to elevate this kind of thing out of privacy and into security," he said. "For example, if you want to know where an army battalion is about to be sent, one can get a good indication by looking at the queries to Google Maps from browsers that are linkable to solders and their families. The bits and pieces of all of this are, in themselves, tiny and often pretty innocent looking. But they aggregate quickly."

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights