Staffers address privacy concerns after a 1-by-1-pixel image file loaded by Web page code for tracking purposes is revealed.
January 23, 2009
With the Obama administration now in place, White House media staff has been reviewing the WhiteHouse.gov Web site this week to address issues raised by privacy advocates.
This action appears to be in keeping with a commitment to be responsive to community concerns. In the first blog post on the new WhiteHouse.gov on Tuesday, Macon Phillips, director of new media for the White House, solicited user input and said that "this online community will continue to be a work in progress as we develop new features and content for you."
On the Interesting People e-mail list, maintained by Carnegie Mellon computer science professor David Farber, Karl Auerbach, CTO at InterWorking Labs and an attorney, warned Tuesday that the WhiteHouse.gov site contains a Web bug.
A Web bug, also known as a Web beacon by those who prefer terminology less suggestive of surveillance (WebTrends uses "Clear GIF"), is a file loaded by Web page code for tracking purposes. It often comes in the form of a 1-pixel-by-1-pixel image file, which is too small to be noticed but nonetheless registers in server logs like any other file.
Thus, in the process of receiving the remote request from WhiteHouse.gov to serve a 1-by-1-pixel graphic, WebTrends also receives certain details about those visiting the White House Web site.
Auerbach observed in an e-mail that while he recognized some of the data requested -- his screen resolution and whether he had Microsoft Silverlight installed -- the other data gathered by WebTrends was unclear.
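The mechanism described above can be checked from the visitor's side. The following is an added example, not part of the original article: it scans a page's HTML for images of at most 1 by 1 pixel served from another site and lists the query-string fields each request would disclose. The hosts, file names, and parameter names in the sample are constructed placeholders, not WebTrends' actual ones.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample page: hosts and query parameter names are made up.
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png" width="200" height="80">
<img src="http://www.example.gov/spacer.gif" width="1" height="1">
<img src="http://stats.tracker.example/t.gif?res=1280x1024&amp;plugin_sl=yes&amp;page=%2Fblog%2F" width="1" height="1" alt="">
<img src="http://cdn.partner.example/banner.jpg" width="468" height="60">
</body></html>
"""

def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent or unparseable."""
    try:
        return int((value or "").strip().lower().rstrip("px"))
    except ValueError:
        return None

class BeaconFinder(HTMLParser):
    """Collect <img> tags that are at most 1x1 and served from another site."""
    def __init__(self, page_host):
        super().__init__()
        host = page_host.lower()
        # Simplification: treat every host under the page's domain as first party.
        self.site = host[4:] if host.startswith("www.") else host
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        host = (url.hostname or "").lower()
        first_party = not host or host == self.site or host.endswith("." + self.site)
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        if first_party or w is None or h is None or w > 1 or h > 1:
            return
        # Everything in the query string is disclosed to the third-party host.
        self.beacons.append({"host": host, "params": dict(parse_qsl(url.query, keep_blank_values=True))})

def find_beacons(html, page_host):
    finder = BeaconFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.beacons

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_HTML, "www.example.gov"):
        print(b["host"], b["params"])
```

A static scan like this only sees image tags present in the markup; beacons inserted by script at load time need a check of the browser's actual network requests.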
Jascha Kaykas-Wolff, VP of marketing at WebTrends, explained that the client determines whether search information is tracked for site analysis purposes and that it's useful data for Web site managers who want to figure out what content site users are looking for.
WebTrends insists this isn't the case. "Our customers own their data," said Eric Butler, director of engineering at WebTrends. "We do not have any rights outside of the rights that they give us to store and maintain the data for us. It's truly an extension of their organization and ownership of the data. The data is stored in a Tier 4, very secure data center. And the only thing that the customer does is access it through our secure reporting interface and product to gain insight into their data."
Auerbach questions that assertion. "I would suggest that since the collection, aggregation, and conveyance of the data to WebTrends is from the user's computer and not from WhiteHouse.gov that a very strong argument can be made that the data belongs to the user, not WhiteHouse.gov," he said in an e-mail. "If they are, to take the other road, asserting that WhiteHouse.gov owns the data, then we must then recognize that since WhiteHouse.gov is a U.S. federal government entity, [the data] may be governed by the Privacy Act of 1974 and other applicable privacy laws. And those laws constrain the dissemination of government data to private companies unless those companies undertake the same limitations that are imposed upon the government." Critical to this discussion is whether the data collected qualifies as "personally identifiable information," which is regulated.
Auerbach concedes that the data sent to WebTrends may not be clearly categorizable as "personally identifiable information." But he argues that the Privacy Act needs to be amended to account for advances in the science of data aggregation and linking that allow nonpersonal information to be turned into personally identifiable data.
A spokesperson for the White House media team wasn't immediately available for comment.
Writing in reference to reports that members of Congress are getting their own YouTube channels, Columbia computer science professor Steven Bellovin criticized the government's use of YouTube as a serious privacy risk.
"YouTube is, of course, a private company owned by Google," he said. "As such, it is not particularly constrained by (U.S.) privacy law. It can and does deposit cookies. ... [From visiting the House site], I ended up with cookies from YouTube, Google, and DoubleClick, another Google subsidiary. Why should Google know which members of Congress I'm interested in? Do they plan to correlate political viewing preferences with, say, searches I do on guns, hybrid cars, religion, privacy, etc.?"
Any such risk, of course, extends to WhiteHouse.gov's use of YouTube as well, though in granting YouTube a waiver from privacy rules, the White House Counsel's Office appears to believe that the benefits of having free video hosting through YouTube outweigh potential privacy drawbacks.
A spokesperson for the White House media team wasn't available to discuss whether WebTrends' use of a Web bug, or beacon, might violate OMB guidelines. Those guidelines state "agencies are prohibited from using persistent cookies or any other means (e.g., Web beacons) to track visitors' activity on the Internet [with certain exceptions]." (Those guidelines, coincidentally, can no longer be found at the URL on the White House site where they used to be.)
More broadly, the incoming administration should consider whether it, like previous administrations, wants outsourcing to serve as the universal solvent for federal legal restraints. At the same time, it may be worth revisiting federal guidelines about online privacy practices, given that technology has changed in the years since those guidelines were written.
Auerbach worries that as budgets remain tight, the government will be increasingly willing to outsource technical functions to companies like Google or WebTrends that may be tempted to mine government data.
"It doesn't take much to elevate this kind of thing out of privacy and into security," he said. "For example, if you want to know where an army battalion is about to be sent, one can get a good indication by looking at the queries to Google Maps from browsers that are linkable to soldiers and their families. The bits and pieces of all of this are, in themselves, tiny and often pretty innocent looking. But they aggregate quickly."