Mr. John T.
Chair, CIO Council
Office of Information and Regulatory Affairs
Old Executive Office Building
Washington, DC. 20503
Memorandum on Privacy Policies and Data Collection on Federal Web
Dear Mr. Spotila:
Chairman of the federal Chief Information Officers (CIO) Council
subcommittee on Privacy, I strongly support the increased focus
on federal web site privacy protections expressed in the referenced
memorandum from Jacob Lew, and the goal that there should be a presumption
against the tracking of personal information provided as a result
of interacting with a federal web site. I have solicited comments
from my colleagues on the CIO Council and the privacy subcommittee,
and have found general, widespread support for this increased focus.
implementing the policies expressed in your memorandum, CIOs will
have to make several technical choices, as detailed herein. We would
like to recommend specific choices be made in two areas.
the use of the term "cookie" currently covers a very wide array
of techniques used to track information about web-site usage. As
is made clear in the memorandum, "Particular privacy concerns may
be raised when uses of web technology can track the activities of
users over time and across different web sites." The technical term
used for these are "persistent" cookies. The most common use of
persistent cookies is to retain and correlate information about
users between sessions.
the term "cookie" is also commonly used to describe place-keepers
used to retain context during an individual user session ("session
cookies"). Because the web is based on a "stateless" system (i.e.,
session context is not retained on the host system), the place-keeper
technology is used to simulate session context. Without this technology,
true electronic commerce applications, including electronic signatures,
would be cumbersome or impossible, as a user would need to provide
complete selection or authentication information on every screen
submitted. This would impede our progress towards our electronic
government goals without an appreciable gain in privacy protection.
Mr. Lew's memorandum refers to cookies used to track and retain
personal information. We recommend that session cookies, which are
discarded on completion of a session or expire based on a short
time frame and are not used to track personal information, not be
subject to the requirements of the memorandum. The use of these
cookies should, however, continue to be disclosed in the privacy
statement for the web site.
the policies in the memorandum should apply only to web sites used
for public interaction (i.e., on the Internet). We recommend that
web sites serving internal users (i.e., accessible only from a government
Intranet) not be subject to the requirements of your memorandum.
Intranets are, by definition, used by internal, authorized users
only, and should be governed by the existing rules for employee
communications tools such as e-mail and telephones.
light of the first two items, we strongly support the requirement
that the use of any technology, including persistent cookies, to
track the activities of users on web sites be approved personally
by the head of the executive department (for the 14 executive departments)
we make progress towards electronic government, personalization
of web sites, typically done through persistent cookies, may become
necessary in order to serve our customer's requirements. At that
time, it would be appropriate for OMB to review the "no delegation"
policy in light of the then-current "state-of-the-art" in privacy
protections. For example, OMB may decide to relax this policy when
customers are given a choice of selecting either a personalized
(i.e., with persistent cookie) or non-personalized (no persistent
cookie) web experience.
together, OMB and agency CIOs have made significant progress in
the implementation of privacy protections on federal web-sites during
the past year. In particular, we have greatly increased the focus
on establishing and publishing privacy policies on web sites, to
the point that the federal government clearly leads the way in this
look forward to working with you and your team as we continue to
work to provide the public with easy access to systems that they
Roger W. Baker
CIO, Department of Commerce
Security, Privacy, and Critical Infrastructure Committee