White House exempts YouTube from privacy rules

23 Gen White House exempts YouTube from privacy rules

CNET News, By Chris Soghoian, January 22, 2009
The new Web site for Obama’s White House is already drawing attention from privacy activists and tech bloggers. While the initial focus has been on the site’s policies relating to search engine robots, a far more interesting tidbit has so far escaped the public eye: the White House has quietly exempted YouTube from strict rules relating to the use of cookies on federal agency Web sites. The new White House Web site privacy policy promises that the site will not use long-term tracking cookies, complying with a decade-old rule prohibiting such user tracking by federal agencies. However, the privacy policy then reveals that Obama’s legal team has exempted YouTube from this rule (YouTube videos are embedded at various places around the White House Web site). While the White House might not be tracking visitors, the Google-owned video sharing site is free to use persistent cookies to track the browsing behavior of millions of visitors to Obama’s home in cyberspace. No other company has been singled out and rewarded with such a waiver. In a blog post back in November, I criticized the Obama transition team’s Change.gov Web site for its use of embedded YouTube videos. At the time, I stated that the practice might violate long-standing federal rules that forbid federal agencies from using persistent tracking cookies on their Web sites. It turns out that I was wrong: the transition team was technically not a federal agency and thus not bound by the anti-cookie rules. Now that Obama is president, his official Web site is required to abide by the cookie regulations. Furthermore, as of Wednesday afternoon, several YouTube videos have been embedded on the White House blog. As soon as a visitor surfs to one of the blog pages that contain a YouTube video, a long-term tracking cookie is automatically set in the user’s browser–even for those users who do not click the “play” button. Someone on the Obama legal team seems to have read my previous blog post, as they’ve modified the White House privacy policy to specifically exclude YouTube’s tracking cookies from federal rules that would otherwise prohibit their use: “For videos that are visible on WhiteHouse.gov, a ‘persistent cookie’ is set by third party providers when you click to play the video. This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.” Each time a new user visits YouTube, a unique permanent tracking cookie is issued by the Web site to the user’s browser, which it stores. Whenever the user later revisits YouTube, that cookie is transmitted to the video-sharing site, allowing it to identify users and monitor their video viewing habits. YouTube is also able to set and access a user’s tracking cookie when she visits a third-party Web page that has embedded a video stored on the YouTube site (such as a blog or other Web site), even if the user never clicks the play button. The moment that the flash file containing the video player is downloaded from YouTube’s servers and displayed in the user’s browser as part of another Web page, the cookie is transmitted to YouTube’s servers. Considering how widespread the practice of embedding YouTube videos has become, this gives Google an amazing amount of data on the Web-browsing activities of hundreds of millions of Internet users–many of whom may not realize that such tracking data is being collected. The YouTube-related text in the new White House privacy policy implies that not all users will be tracked by YouTube. The policy notes that:
“If you would like to view a video without the use of persistent cookies, a link to download the video file is typically provided just below the video.” As of Thursday morning, this statement is false. In multiple tests by this blogger with both Internet Explorer and Firefox, merely visiting pages on the White House blog causes YouTube to set a long-term tracking cookie in the browser–even if the user does not press the play button to start the video. After eight months, this cookie will be automatically deleted by the user’s browser–unless, of course, the user visits another Web page somewhere else on the Internet containing a YouTube-embedded video, in which case, the eight-month cookie clock is reset. Given how widespread YouTube video embeds have become, this cookie essentially lasts forever. While it is obvious that I am rather critical of this entire affair, I am willing to give the Obama Web team the benefit of the doubt in one area: the fact that their current Web infrastructure does not deliver on the promises made by their privacy policy. The Obama White House Web site is only two days old, and so it is certainly possible that the team simply hasn’t gotten around to deploying a more privacy-preserving system for YouTube video embeds. Protecting users who do not click “play” from automatically receiving a cookie is certainly possible; the Electronic Frontier Foundation in 2008 released a wrapper script for YouTube videos that provided this very feature. Let us hope that the Obama team deploys such a technology in due course. Can YouTube be justified as a “compelling need”?