Shortening cookies: Using OpenID to improve government privacy online

By Andy Oram
July 30, 2009 | Comments: 3

For almost a decade, thanks to privacy laws, U.S. government web sites have been prohibited from using cookies to maintain information on visitors between sessions. (Session cookies are allowed because of their short duration.) Because so many useful features are enabled by cookies, the Office of Management and Budget released a request for proposals this week seeking new perspectives on the cookie policy and ways to enable the features that will make public participation in government more appealing.

I took the opportunity to re-examine the federal approach to privacy, and submitted the proposal that follows in this blog.

The proposal is narrowly limited to allowing as much pseudonymity as I could around logging on to government sites. There may be intriguing ways it could also promote pseudonymity for contributions made by these visitors (such as whistle-blowers); but I'll leave that idea for later after I can talk to more experts about it.

Comments will continue to be accepted from the public until August 10.


Two-tiered, pseudonymous authentication through OpenID as replacement for current cookie policy

Summary: Privacy requirements could be met by creating a government web site backed by OpenID where people wishing to participate in government web discussions can register without providing personal information.

Each government agency that wishes to track visitor participation can authenticate the visitor through the central government OpenID server. Although OpenID requires sites to accept and store cookies, they contain or point to minimal personal information.

Basic architecture

OpenID server and pseudonymity

An appropriate federal agency furnishes the backbone of this plan by setting up an OpenID server (http://openid.net/). OpenID is a stable and by now familiar technology, used by sites that people use every day, such as Google, Yahoo!, AOL, and even retailers ("Sears and KMart Adopt OpenID to Simplify Customer Registration and Login While Enhancing the Shopping Experience", July 2nd, 2009).

Although hundreds of thousands of accounts can be anticipated, the server handles very little traffic and processing for each access and should not be hard to scale. Of course, replication and other high-availability technologies should be used to minimize the possibility of failure.

No information is collected on the individual who creates an account, unless the government finds a reason to conduct a survey that would be entirely optional. However, in order to manage the account, the individual would be encouraged to provide a point of contact. This could be an email address, social networking service, or other location where information about the account would be delivered.

The OpenID server's privacy statement would limit the use of the point of contact to the task of sending information to the visitor about changes in the account or other relevant news. The point of contact should not be used to send lost passwords, because email is transmitted in the clear and is not secure. If laws permit the government to use the point of contact to investigate criminal activity, this would be stated in the privacy statement.

Thus, the OpenID server comes as close as is practical to true pseudonymity, where the visitor has a persistent account that can be tracked but cannot be traced to a real-life person.

Agency logins and cookies

Each agency that wishes to track visitor participation would authenticate visitors through the central government OpenID server. The site would:

  • Explain to visitors that new visitors need an account on the government's OpenID server, and link to that site.
  • Provide a box for visitors with accounts to log in.
  • Provide an alternative login method in case a disaster takes down the OpenID server.

The cookie stored by the agency has minimal information: an encrypted key that points to a record about the visitor on the agency site (not the OpenID server). The record would be limited to information that meets the OMB's stated purposes: "analytics" and "remembering data, settings, or preferences unique to that visitor."
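The following is an added example (written for this page, not code from the proposal or from any agency) of what the agency-side cookie and visitor record could look like. In place of the "encrypted key" it uses a random record id bound to an HMAC tag: the id itself reveals nothing about the visitor, so what the cookie needs is protection against forgery rather than confidentiality. The secret key, the allowed preference names, the 30-day lifetime and the in-memory store are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed for this example: a secret held only by the agency site. The
# OpenID server never sees it, so it cannot resolve agency cookies.
AGENCY_COOKIE_KEY = secrets.token_bytes(32)

# The visitor record is deliberately limited to the OMB purposes named in the
# proposal: analytics counters and per-visitor settings/preferences. There is
# no field for an e-mail address or other point of contact. (Assumed names.)
ALLOWED_PREFERENCE_KEYS = {"language", "text_size", "digest_frequency"}

# Agency-local store, keyed by an opaque random record id (in-memory stand-in
# for the agency's own database, separate from the OpenID server).
_visitor_records: Dict[str, dict] = {}


def create_visitor_record(openid_identifier: str) -> str:
    """Create an agency-local record for a visitor just authenticated by the
    OpenID server and return its random record id. The id carries no
    information about the visitor; it is only a lookup key."""
    record_id = secrets.token_hex(16)
    _visitor_records[record_id] = {
        "openid": openid_identifier,   # pseudonymous identifier, nothing more
        "preferences": {},
        "logins": 1,                   # analytics counter
    }
    return record_id


def mint_cookie(record_id: str) -> str:
    """Bind the record id to an HMAC tag so a forged or edited cookie fails
    verification. Format: <record_id>.<hex tag>."""
    tag = hmac.new(AGENCY_COOKIE_KEY, record_id.encode(), hashlib.sha256).hexdigest()
    return f"{record_id}.{tag}"


def set_cookie_header(cookie_value: str) -> str:
    """Set-Cookie header for the agency cookie: not readable by page scripts,
    only sent over HTTPS, and with a bounded lifetime (assumed 30 days)."""
    return (f"Set-Cookie: agency_visitor={cookie_value}; Path=/; HttpOnly; "
            f"Secure; SameSite=Lax; Max-Age={30 * 24 * 3600}")


def resolve_cookie(cookie_value: str) -> Optional[dict]:
    """Return the visitor record the cookie points to, or None if the cookie
    is malformed, tampered with, or refers to a deleted record."""
    record_id, sep, tag = cookie_value.partition(".")
    if not sep:
        return None
    expected = hmac.new(AGENCY_COOKIE_KEY, record_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _visitor_records.get(record_id)


def set_preference(cookie_value: str, key: str, value: str) -> bool:
    """Store a visitor preference; anything outside the allowed set is
    refused so the record cannot drift into holding personal data."""
    if key not in ALLOWED_PREFERENCE_KEYS:
        return False
    record = resolve_cookie(cookie_value)
    if record is None:
        return False
    record["preferences"][key] = value
    return True


def delete_visitor_record(cookie_value: str) -> bool:
    """The visitor's 'control' option: erase the agency-side record. The
    cookie then resolves to nothing even though its tag is still valid."""
    record = resolve_cookie(cookie_value)
    if record is None:
        return False
    record_id = cookie_value.partition(".")[0]
    del _visitor_records[record_id]
    return True


if __name__ == "__main__":
    # Constructed pseudonymous identifier; the domain is a placeholder.
    cookie = mint_cookie(create_visitor_record("https://openid.example.gov/u/abc123"))
    print(set_cookie_header(cookie))
    set_preference(cookie, "language", "es")
    print(resolve_cookie(cookie))
```

Because the record lives on the agency site and the key that authenticates the cookie never leaves it, the OpenID server cannot map cookies to accounts and the agency cannot learn anything the OpenID server did not pass along at login; this is the separation the proposal relies on, and the whitelist of preference keys is what keeps the agency record from quietly growing into a profile.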

Combination of data for analytics

Although agencies can use the information in visitor records for analytics on their own sites, the government may want to aggregate statistics from many sites. This could prove quite valuable if different agencies share servers through virtualization. To permit aggregation, sites that authenticate with the OpenID server can register with the site responsible for combining the analytics and can send relevant data from visitor records as needed.

Conformance with privacy laws and regulations

A compelling need for tracking

The "data, settings, or preferences unique to that visitor" are conveniences for the visitor, so sites should allow opt-out from such tracking. If analytics are considered a compelling necessity, the government need not let visitors opt out of data collection for that purpose, but offering opt-out might still be feasible: so few people would choose it that the statistics would not be substantially affected.

Notice

The key elements of the privacy statement on the OpenID server have already been described. Individual agency sites will provide notice when the visitor logs in. This notice can briefly mention:

  • The requirement for the browser to allow cookies
  • The content of the cookie and visitor record
  • The purposes to which the record will be put

Visitors should be allowed to retrieve information from the OpenID server about how their account has been used.

Control

The government should allow visitors to delete the information stored for their convenience at each agency, which they may choose to do when their participation in a particular initiative finishes. The OMB should also consider allowing visitors to delete logs of their accesses from the OpenID server and even to delete their account entirely on the OpenID server, although deleting the account might require keeping the data for analytics under an anonymous account.

Separation of information

The storage of separate visitor information at each agency meets the requirement that "agencies shall ensure that their systems of records do not inappropriately combine groups of records which should be segregated."

(I am indebted to Chris Messina of the OpenID Foundation and Citizen Agency for technical comments and suggestions about deleting data. Any mistakes or misconceptions are my responsibility.)

UPDATE: August 3, 2009: I put up a blog examining the policy choices with an impact on this proposal: Privacy and open government: conversations with EPIC and others about OpenID. It answers some of the questions in the two comments posted to this blog, and takes off in some of the directions these comments suggest.



3 Comments

This is a legal issue and a technical issue. The technical issue will be the easiest to solve, and your idea of using OpenID is worth investigating further. But once the lawyers weigh in, this will get complex.

It seems to me that government will need multiple cookie policies, depending on context. Three such contexts come to mind: anonymous, pseudonymous, and "on the record."

Whistleblowers reporting waste, fraud or corruption imperil themselves or their careers, so they obviously need absolute anonymity. But even casual visitors to nonthreatening government blogs (like EPA's "Greenversations") may lack trust in Uncle Sam and will want to remain anonymous. Perhaps a cookie-less alternative will always be a necessary option.

Perhaps some citizens who want to leave disparaging comments on an agency blog or forum will be satisfied with pseudonymity. However, this may depend on which agency they want to disparage. Pseudonymity may be fine for those who want to complain to the National Park Service about messy campground restrooms, but what about citizens who want to complain about the tax code on the IRS website? If they believe such a comment could result in a greater likelihood of receiving an audit, they'll want anonymity, too. But what about that same citizen who then wants to e-file a tax return on the IRS site? Complex! Can OpenID handle this complexity?

Lastly, some online government processes may require significant disclosure of private information to fully participate. Environmental analyses come to mind -- citizens who wish to have standing in a future appeal may need to identify themselves when they make online comments. In these cases, citizens "voluntarily" give up rights to privacy for the right to fully participate. So if I go to the Park Service site to complain about restrooms, I'll want anonymity or pseudonymity, but when I comment on their environmental analysis of, say, drilling for oil in a national park, I'll want to be "on the record" and fully divulge my identity. Again, complex!

Can a government cookie policy accommodate each of these contexts? Can OpenID know when to protect ID information and when to disclose it? Or will we need a customized policy/procedure/technology for each and every type of government website?

A casual reading indicates that you are suggesting that the govt be the OpenID provider. Am I mistaken? If not, I think a better option is for govt sites to be Relying Parties and to encourage readers to get an OpenID from third parties that offer the directed identity feature, as suggested by Will Norris at http://willnorris.com/2009/07/openid-directed-identity-identifier-select .

This is fantastic. Here’s to open government and the open web! I believe OpenID will continue to be the most convenient and trustworthy open identity standard on the Web. Open standards create a better Internet for everyone, and the U.S. government's adoption of OpenID is a huge endorsement of OpenID and a big step forward for open standards. from SEO Rider
