Is waiting for the White House's Office of Management and Budget (OMB) guidelines on a new Federal Government cookie policy like waiting for Godot? One might not be blamed for thinking as much.

And in fact, you might say that it is. Public comments were taken in the summer of 2009, there was expectancy that an announcement would be made this past April 7 during the Open Government Initiative fanfare, and Vivek Kundra, the U.S. CIO, said recently at a Federal Government web managers meeting that a decision could be made next month.

While it is expected that persistent cookies will be allowed, there is equivalent expectation among Federal web managers whom I speak to that there will be accompanying "opt out" protocols, multiple tier for usage definitions, data expiration and approval rules, that will actually make it as -- if not more -- difficult than it is today to get anonymous visitor data.

After the public comment period over the summer, I'd expect that OMB had more content to sift through than they expected (classic data deluge scenario) before they could figure it all out. 

The Hot Button Questions

I've been a sometimes participant in the process -- I've added my 2 cents during the commenting period and have provided opinions, clarifications and definitions when asked. But for the most part, I feel pretty much like an observer watching how Washington works and how policies get made. I guess just like any analysis, the more answers you find the more questions arise. Here are some of mine:

  • What is the role and influence of the Center for Democracy and Technology (CDT), a non-profit public interest group with a mission shaping government policies on Internet issues?
    Ari Schwartz, the organization's COO is credited with developing the paper that kicked off the discussion in May 2009. He sits on the board of the Information Security and Privacy Advisory Board (ISPAB) of the National Institute of Standards and Technology, the the federal technology agency that works with industry to develop and apply technology, measurements, and standards. Google also sits on the ISPAB as do other consulting, IT firms, universities and government agencies.
  • CDT co-wrote a set of recommendations with the Electronic Frontier Foundation in May 2009 that outlines the disclosure, data retention, opt out measures described above, as well as requiring that Federal agency Inspector Generals verify their privacy compliance. Is this the blueprint for the new cookie policy?
  • Mr. Schwartz wrote in a blog post on January 9, 2009 "that government should be creating policies to encourage this innovation, rather than railroading the issue with an inflexible mandate (i.e., the current policy) or eliminating the government-wide policy altogether (a possible alternative)" He goes on to say:         

"1) There are a growing number of cases where information about an individual may not be directly personally identifiable, but where the individual has a privacy interest based on the use of the information. IDs of all kinds (including those used in state management mechanisms) and location information are two prominent examples. Today, there are few privacy rules in government to cover these kinds of information."

"2) There are clearly some instances where federal Web sites could be greatly improved through the use of monitoring aggregate and individual usage for diagnostic and analytical use. The feasibility of conducting such analysis in a privacy-protective manner deserves further exploration."

"A study panel should consider what the appropriate policy guidelines should be for these situations. This panel should assess how policies specific to federal Web sites can allow beneficial uses of cookies and other state management mechanisms while protecting privacy, taking the differences between the types of data commonly collected online into account."

My questions: Has this panel ever been convened? Who participated? What was determined? What was the outcome? Where is the report available?

  • How does Google influence this discussion? Well, they serve on the ISPAB, they are probably the private sector lightening rod for all things related to privacy, and they have a rapidly spreading footprint within the Federal Government for services and applications. I don't think its a coincidence that they announced Google Analytics availability on the GSA schedule, nor that they are working on opt out options. Although the company has pointed out to me that opt-out will also help them do business in other parts of the world where privacy is a big issue.
  • Where is the web analytics "lobby"? Oh right, there is no web analytics lobby. There's the Web Analytics Association, but haven't been hearing too much from them on this issue outside of some meetings. That's probably because the interest among web analytics software vendors and the WAA membership is in "online marketing optimization." Sure there's interest in selling to the government, but its a tough sell, and a lot more limited in upsell modules like testing, behavioral targeting, and so forth. Maybe they'll start paying more attention to what's going on in DC after the introduction of the privacy bill in the House by Rick Boucher. I haven't seen the bill, but there's curiously familiar terminology being  put out there like "it would require firms to allow consumers to "opt out" of having such information collected." Maybe everyone is waiting for Google to carry the banner on this. So, I wonder what the WAA, its corporate members and all those who are invested in online are going to do about this. Then again, we all know how long it can take any bill to get through Congress. Maybe its not something to worry about....too much...for this decade.

The Internet's Own Maginot Line?

Getting back to the Federal cookie policy, I wonder if by the time this new policy comes out and folks figure out what to do with it if it doesn't become the Internet version of the famous Maginot line. You remember your WWII history, right?

The French built a line of defense on the German border thinking it would keep them from being invaded. So what did the German's do? They marched around the line and completed their invasion. 

I wonder if this is how the new cookie policy will viewed after it's published, if it indeed does come with the baggage outlined in the CDT/EFF recommendations.

Related Article: What is Web Engagement Management?

Don't Lose Sight of the Real Value

The larger and simpler issue in my mind is in making government web sites more valuable to the citizenry. Making them more valuable means making them easier to use -- better and personalized content, finding what you need more quickly, applications that save time.

Using cookies to enable personalization, get a better idea of unique visitation, first time visitors, repeat visitors, where visitors are from, what campaigns brought them in and so forth all help in guiding decisions towards that end.

Making it hard for Federal government agencies to use persistent cookies is akin to "throwing out the baby with the bath water." In the name of privacy, the main objective of Federal web sites...to provide useful information and help us interact with the government, is hampered and diminished.

The Federal government already has all of my information and if they wanted to tie it together -- which they do already if there's a perceived security threat or criminal act -- then they can.

Amazon, Google, Microsoft and Adobe already have a boatload of info about me. And everyone else in the U.S. State governments and non-U.S. governments have been using persistent cookie based analytics solutions like Google Analytics to successfully improve their web sites for their constituencies.

So, if Federal Government web managers are given a mandate to improve their web sites to serve the citizens, and do it in a cost effective manner, and need web analytics to guide them -- perhaps they'll just start using Google Analytics and Yahoo! Analytics -- both of which are free and come with ways to disable persistent cookies -- and take their chances that a constituent or enterprising reporter is going to look at their site and see that there's web analytics code on their pages and collecting information about their site usage.

So what. It will be in the papers for a few days and then go away. Remember, this has already happened to the White House -- and life went on. With this thinking perhaps more Federal web managers can re-focus on the real issue: delivering an online presence that's engaging and useful for the citizens.