Friday, July 24th, 2009
Posted by Michael Fitzpatrick and Vivek Kundra
In June 2000, the OMB Director issued a memorandum (M-00-13, later updated by M-03-22)) that prohibited Federal agencies from using certain web-tracking technologies, primarily persistent cookies, due to privacy concerns, unless the agency head approved of these technologies because of a compelling need. That was more than nine years ago. In the ensuing time, cookies have become a staple of most commercial websites with widespread public acceptance of their use. For example, every time you use a “shopping cart” at an online store, or have a website remember customized settings and preferences, cookies are being used.
This past June, we blogged about ways to enhance citizen participation in government through basic policy changes, including revisions to the current policy on web-tracking technologies. We heard a lot of informal comments on that blog, so we decided to pursue the more formal comment route through the Federal Register. The goal of this review is to develop a new policy that allows the Federal Government to continue to protect the privacy of people who visit Federal websites while, at the same time, making these websites more user-friendly, providing better customer service, and allowing for enhanced web analytics.
Under the framework we’re looking at, any Federal agency using web tracking technologies on a Federal Government website would be subject to basic principles governing the use of such technologies and would be required to:
- Adhere to all existing laws and policies (including those designed to protect privacy) governing the collection, use, retention, and safeguarding of any data gathered from users;
- Post clear and conspicuous notice on the website of the use of web tracking technologies;
- Provide a clear and understandable means for a user to opt-out of being tracked; and
- Not discriminate against those users who decide to opt-out, in terms of their access to information.
OMB is considering a three-tiered approach to the use of web tracking technologies on Federal Government websites:
- 1st – Single-session technologies, which track users over a single session and do not maintain tracking data over multiple sessions or visits;
- 2nd – Multi-session technologies for use in analytics, which track users over multiple sessions purely to gather data to analyze web traffic statistics; and
- 3rd – Multi-session technologies for use as persistent identifiers, which track users over multiple visits with the intent of remembering data, settings, or preferences unique to that visitor for purposes beyond what is needed for web analytics.
We expect that there would be more stringent restrictions or review of the technologies within the tiers that might have higher privacy risks.
To share your comments on this approach, you can post a comment here, submit comments directly in response to the Federal Register notice mentioned above, or email them to: firstname.lastname@example.org. Comments submitted by August 10, 2009 in one of these three ways, will be taken into consideration though we strongly encourage you to comment here so that others can respond. Comments submitted via email will also be republished here. We’re hoping to hear your thoughts on:
- The basic principles governing the use of such technologies;
- The appropriate tiers;
- The acceptable use and restrictions of each tier;
- The degree of clear and conspicuous notice on each website that web tracking technologies are being used;
- The applicability and scope of such a framework on Federal agency use of third-party applications or websites;
- The choice between an opt-in versus opt-out approach for users;
- Unintended or non-obvious privacy implications; and
- Any other general comments with respect to this issue.
We appreciate the feedback that we’ve received already, and we look forward to hearing more.
Michael Fitzpatrick is Associate Administrator, OMB Office of Information and Regulatory Affairs
Vivek Kundra is Federal CIO
Privacy advocates are raising questions about a proposal to revamp the use of tracking cookies on federal government Web sites.
Under the proposal, U.S. government agencies would be allowed to use single-session and multi-session cookies, including persistent cookies, to track users — as long as security and privacy standards governing the collection and use of tracking information are met. The agencies would have to post clear notice of data collection and allow users to opt-out.
The idea is to make government Web sites more user-friendly and to enable better customer service and Web analytics, according to federal CIO Vivek Kundra and Michael Fitzpatrick, the associate administrator at the Office of Information and Regulatory Affairs. They wrote about the proposed changes in a blog post Friday.
Agencies and the public have until Aug. 10 to comment on the proposal, which came from the Office of Management and Budget.
If the plan is adopted, it would mark a departure from a policy first put in place in 2000 and updated in 2003 that prohibits government sites from using persistent cookies “or any other means” such as Web beacons to track visitor activity, unless agency heads authorize thier use. When tracking cookies are used, agencies must conspicuously post the reasons for collecting information, spell out the sort of data collected and detail privacy safeguards.
Privacy advocates have for some time maintained that such restrictions protect site visitors from being tracked and profiled. They have argued that users should reasonably expect privacy when visiting a government site and that any attempt to dilute the protections is ill-advised. Those concerns have grown in recent months, with many worried that the Obama Administration’s espousal of Web 2.0 technologies and social networking tools will affect long-held privacy protections.
Soon after Obama took office, for instance, privacy advocates were up in arms over a White House policy change that permitted the use of tracking cookies in YouTube videos embedded on the WhiteHouse.gov Web site.
“The Obama Administration must tread very carefully here and think about our civil liberties in the digital era,” said Jeffery Chester, executive director of the Center for Digital Democracy (CDD), a privacy rights advocacy group. “Given the unique data collection and targeting power of online media, the government should be limited in the information it can collect on us.”
As administrations change, policies regarding the use of data collected by Web analytics tools could also change, he said. “[The] government could have an arsenal of profiling data that could be used to influence voters and the public.” While there are benefits from using cookies, the blog post by Fitzpatrick and Kundra “glossed over” concerns that have been previously expressed by many including lawmakers.
Cindy Cohn, legal director of the Washington-based Electronic Frontier Foundation said that the government needs to clearly articulate what it wants to do with any data it gets. “The devil is going to be in the details,” she said. While session cookies can yield information that is useful in delivering a better user experience, the use of persistent cookies on government Web sites should be studied carefully.
“We would want to see a pretty serious case effort … showing us why the information would be useful,” what officials would do with the data and what kind of checks would be there to ensure compliance, Cohn said.
Just because commercial enterprises have been using persistent cookies doesn’t automatically mean that government agencies should be allowed to use them, she said. “The government doesn’t need to do the same sort of analytics that commercial companies do. The government doesn’t have the same interests and shouldn’t have the same interests.”
Lawmakers eye bill to ban P2P use on government, contractor networks
By Jaikumar Vijayan
July 29, 2009 02:53 PM ET
Computerworld – Details about a U.S. Secret Service safe house for the First Family — to be used in a national emergency — were found to have leaked out on a LimeWire file-sharing network recently, members of the House Oversight and Government Reform Committee were told this morning.
Also unearthed on LimeWire networks in recent days were presidential motorcade routes and a sensitive but unclassified document listing details on every nuclear facility in the country, Robert Boback, CEO of Tiversa Inc. told committee members.
The disclosures prompted the chairman of the committee, Rep. Edolphus Towns, (D-N.Y.), to call for a ban on the use of peer-to-peer (P2P) software on all government and contractor computers and networks. “For our sensitive government information, the risk is simply too great to ignore,” said Towns who plans to introduce a bill to enforce just such a P2P ban.
Tiversa is a Cranberry Township, Pa.-based provider of P2P monitoring services. In the past, it has served up dramatic examples of highly sensitive information found on file-sharing networks. In January for instance, the company disclosed how it had discovered sensitive details about the President’s helicopter, Marine One, on an Iranian computer after a document leaked out over a P2P network.
Today’s hearing continued in that vein, with Tiversa providing new sensational examples of leaked information. Boback showed off a document, apparently from a senior executive of a Fortune 500 company, listing every acquisition the company planned to make — along with how much it was willing to pay. Also included in the document were still-private details about the company’s financial performance. Boback also showed numerous documents listing Social Security numbers and other personal details on 24,000 patients at a health care system, as well as FBI files, including surveillance photos of an alleged Mafia hit man that were leaked while he was on trial. He demonstrated to members of the committee how pedophile predators troll file-sharing networks looking for images and data.
Speaking with Computerworld before the hearing, Boback said that all of the information was readily available on LimeWire’s file-sharing network after apparently being leaked. The data on the nuclear sites was found on computers associated with four IP addresses in France, though it is not immediately clear where the data came from. The files containing information about the president and his family had Barack Obama’s seal on it and a July date.
Though the information was not classified, it was sensitive enough that under normal circumstances it would not have been available even via a Freedom of Information Act request, he said.
This is the third time that the House Oversight committee has held a hearing on the topic of data leaks on P2P networks. The last hearing was two years ago and featured similar revelations from Tiversa and others.
The problem is well understood, but it remains difficult to stop. The leaks typically occur when a user installs a P2P client such as Kazaa, LimeWire, BearShare, Morpheus or FastTrack on a computer for the purposes of sharing music and other files with others on the network. In many cases, users inadvertently expose not just the files they want to share, but also every other file on their computers.
Boback and others have warned that leaks have resulted in file-sharing networks becoming vast treasure troves of information for identity thieves, corporate spies and even foreign intelligence agencies. That has prompted calls for lawmakers to force software vendors to implement stricter security controls in their applications.
The only vendor at today’s hearing was Mark Gorton, chairman of Lime Group LLC, the umbrella organization that runs Lime Wire LLC, developer of LimeWire, which is the most-used P2P client available. Gorton testified two years ago and promised at that time to implement changes in the company’s products to make it harder for users to inadvertently share files.
Today he insisted that the company had implemented many of those changes and that the latest version of LimeWire makes it much harder for data to be inadvertently leaked. Those claims were largely rejected by members of the committee, who blasted Gorton for failing to live up to his promises.
Pointing to the examples offered by Boback, Towns said that the file-sharing industry’s promises to regulate itself had clearly failed. “Specific examples of recent LimeWire leaks range from appalling to shocking,” Towns said. “As far as I am concerned, the days of self-regulation should be over for the file-sharing industry.”
Other members want the issue investigated by the Federal Trade Commission, the Securities and Exchange Commission and law enforcement authorities. They said that the continued failure by companies such as LimeWire to take more proactive steps to stop inadvertent file-sharing is tantamount to enabling illegal activity resulting from the data leaks.
Towns plans to meet with the chairman of the FTC to determine whether the failure to stop inadvertent file-sharing constitutes an unfair trade practice by P2P companies.
By Mike Cronin
Wednesday, March 4, 2009
Its discovery that someone in Iran shared online the engineering and avionics data about one of the helicopters in President Barack Obama’s fleet has thrust a Cranberry Internet security company into the public eye this week.
Tiversa Inc. had become well-known among national security officials as early as 2004 — after a meeting among company co-founders Robert Boback and Sam Hopkins and Sen. Orrin Hatch, R-Utah, then chairman of the Senate Judiciary Committee.
The Pittsburgh-area natives told Hatch that Tiversa found Arabic-language training videos that al-Qaida operatives were sharing using peer-to-peer networking over the Internet — and that Tiversa’s technology also found the individuals who were searching for those files, Boback said.
“Senator Hatch kept us overnight in Washington, D.C., and set up meetings for us with the CIA in Langley (Va.) the next day,” said Boback, chief executive officer of Tiversa.
“He told us he said to George Tenet, who headed the CIA back then: ‘George, I don’t know if the CIA has this capability, but if they don’t, they better.'”
Today, Tiversa employs nearly 40 employees, all of whom make at least $45,000 — and the company provides Internet security monitoring services for companies around the globe, Boback said.
“I’m 99.9 percent sure that Tiversa is the only game in town. They’re pretty unique in what they do, and how they do it,” said Larry Ponemon, chairman and founder of Michigan-based Ponemon Institute, an independent research company that focuses on information security and data protection.
Ponemon now sits on Tiversa’s advisory board after being so impressed with the company’s technology, he asked to join.
Media coverage of Tiversa grew after the company alerted the federal government Feb. 25 that someone in Iran had shared a file on potentially sensitive data about a helicopter in President Obama’s fleet, said Keith Tagliaferri, director of operations for Tiversa.
An executive for a Bethesda, Md., defense contractor inadvertently released the file last fall while using peer-to-peer file-sharing software, Tagliaferri said.
Computer users most often employ that type of software to share music or video files, said Dave Andersen, a Carnegie Mellon University computer science professor. LimeWire and BitTorrent are examples of such software, he noted.
The “outside-in” approach that Tiversa uses enables the company to identify information that already has leaked, Andersen said.
“It’s a huge problem in industries from health care to finance,” Andersen said.
Leaks happen for many reasons. Sometimes employees misconfigure files, he said. In other instances, people who work from home using personal computers might unintentionally make their entire hard drive available to those on file-sharing networks, Andersen said.
The possibility of those kinds of leaks is why health-insurance company Highmark Inc., Downtown, has purchased Tiversa’s services.
“Not a lot of companies are aware of that exposure,” said Kimberly Gray, Highmark’s chief privacy officer, in Camp Hill, Cumberland County. “We want to protect our employers, the patients in our network and the doctors in our network. We’re fortunate that Tiversa is located in the Pittsburgh marketplace. They understood this arena far better than anyone else we’d spoken with.”
PC Magazine – 07.17.2009
The popular social networking site Facebook is not doing enough to protect the personal information it gets from subscribers, and it gives users confusing and incomplete information about privacy matters, Canada’s privacy commissioner said on Thursday.
PC Magazine – 06.19.2009
Can you anonymously surf the Web and peruse social networks without consequence, or are today’s top tech companies compiling a FBI-like file on your behavior?
PC Magazine – 06.12.2009
At the request of a European data protection group, Google has made a few changes to the international version of its Street View feature.
PC Magazine – 05.05.2009
In the wake of news reports that classified and confidential information is popping up on file-sharing networks worldwide, Congress on Tuesday tackled two bills intended to protect users from unlawful use of their information via data breaches or P2P networks.
PC Magazine – 04.28.2009
Companies that track consumer behavior on the Web for targeted advertising without proper consent are near their “last chance” to self-regulate, the head of the U.S. Federal Trade Commission said on Monday.
PC Magazine – 04.23.2009
House members went back to the drawing board on Internet consumer protection Thursday; once again tackling the subject of how much personal data Web companies should collect about you, and whether or not Congress needs to legislate a solution.
PC Magazine – 04.22.2009
Several members of Congress have requested for a renewed examination of the privacy and security risks associated with P2P networks.
PC Magazine – 03.20.2009
Google has commissioned a report that unsurprisingly touts the benefits of cloud computing, and offers recommendations for policy makers looking at the technology.
ExtremeTech – 03.18.2009
In a letter to the Federal Trade Commission, the Electronic Privacy Information Center (EPIC) claimed Google doesn’t secure its cloud-computing services enough, and called on the FTC to investigate.
PC Magazine – 07.22.2009
Recently a top Symantec executive made a bit of a stink by arguing that it’s dangerous to rely on free antivirus software. While it may be a nakedly self-interested one, he does have a point.
PC Magazine – 07.22.2009
The popularity of Facebook and other popular social networking sites has given hackers new ways to steal both money and information, the security company Sophos said in a report released on Wednesday.
PC Magazine – 07.20.2009
Microsoft has filed a civil lawsuit in King County Superior Court in Seattle, alleging that Funmobile Ltd. has conducted a spamming campaign of malicious links and other content against Windows Live Messenger users.
PC Magazine – 07.17.2009
Has your Windows Security Center tray icon turned red lately? It might be that your anti-malware software hasn’t updated its Windows interfaces.
PC Magazine – 07.16.2009
PC Magazine – 07.16.2009
PC Magazine – 07.15.2009
Panda Internet Security 2010 offers reduced performance impact and impressive malware removal accuracy–but not real-time anti-malware protection.
PC Magazine – 07.13.2009
Microsoft has released a security advisory disclosing a vulnerability in an old ActiveX control from Microsoft Office. Here are the products it affects.
PC Magazine – 07.09.2009
I spent a day or so putting Norton Internet Security 2010 beta through its paces, and I’m very impressed.
Related Previous Links
ABC: P-to-P Users Expose U.S. Government Secrets, July 2007
Michelle Malkin: Bully boys: A brief history of White House thuggery
Trail Blazers Blog (Dallas Morning News: Cornyn to White House: Quit collecting health care info