The Cookie Kerfuffle

by on January 23, 2009 · 6 comments

Chris Soghoian called out a problem and now takes credit for a fix to the way the Web site delivered third-party cookies – specifically YouTube cookies.

The use of YouTube videos on the President’s site is a Web 2.0-ish improvement, which is welcome, but embedding videos meant that YouTube was placing cookies on the computers of visitors to and – as a natural result – collecting records of people’s visits to that site.

Things got weird when the privacy policy exempted YouTube cookies from the general ban on persistent cookies on federal Web sites.

For videos that are visible on, a ‘persistent cookie’ is set by third party providers when you click to play a video. . . . This persistent cookie is used by YouTube to help maintain the integrity of video statistics. A waiver has been issued by the White House Counsel’s office to allow for the use of this persistent cookie.

A government entity should not show preference for a particular service provider in a policy like this and the White House should either exempted third-party cookies generally, or not at all.

The federal government’s June, 1999 policy on cookies (formerly found here, but apparently moved) reflects June, 1999 thinking about cookies – as sinister and dastardly. It was a little silly back then, and is more so today.

And that’s the one small difference I have with the way Chris characterizes the problem. He says, “the decision to embed YouTube videos . . . also enabled the Google owned video sharing site to sneakily collect data on the millions of people who visit”

Cookies aren’t sneaky. First- and third-party cookies are placed by more sites than not, and they exist in droves. They are used for tracking, recordkeeping, and customer service functions of various kinds. To someone who knows how the Internet and browsers work, they’re anything but sneaky. They’re integral.

I agree that policy and practice were out of step with one another, and exempting YouTube from the policy was not a good fix. But Web sites using cookies to gather information online is about as sneaky as humans using eyeballs to gather information on the street. As with controlling what you reveal when you walk down the street, the onus should be on Internet users to be aware of cookies, their purpose and function, and how to control them.

I, for one, ask my browser to prompt me about first- and third-party cookies, refusing most of them. (It’s quite easy once you’re in the habit.) User education and personal responsibility are the solutions to the cookie “problem.” That’s not easy – it’ll take one generation – but the result will be much better than chasing Web site after Web site trying to insulate a supine user community from their own profligacy with information.

Previous post:

Next post: