Columns

Prime Minister’s Privacy Policy Requires a Re-Write

As public concern over Internet privacy has grown in recent years, one of the first responses is invariably to focus on the need for improved disclosure through easily accessible website privacy policies. The policies provide information on how personal information is collected, used, and disclosed to third parties.

While few visitors read the policies from start to finish, it is important for websites to ensure that they are accurate, since misleading statements can lead to liability. My weekly technology law column (Toronto Star version, homepage version) notes the need for accuracy is particularly true if you’re say, the Prime Minister of Canada. Yet a reader recently noticed that the Prime Minister’s Office website may be incorrectly stating its use of cookies, which are small files that may be placed on user’s computer hard drive by a website to monitor usage or identify repeat visitors.

Cookies can be used for a single visit to track how a user arrived at the site or which pages they visit. Alternatively, some cookies are “persistent” since they remain on the user’s hard drive for months or years, often storing information such as language preferences or repeat visit data.

In 2003, the Privacy Commissioner of Canada was asked to rule on the privacy issues associated with cookies in a complaint against Air Canada. The commissioner ruled that “information stored by the temporary and permanent cookies qualified as personal information for the purposes of the Act.”

The Prime Minister’s website features a prominent “Important notices” on its front page, which directs visitors to the site’s privacy policy. It states:

We do not regularly use “cookies” to track how our visitors use the site. Whenever we enable “cookies” to facilitate your transactions, we will first inform you.

Notwithstanding the assurances that no cookies track how visitors use the site, the site currently inserts at least five cookies on a user’s computer. Two cookies expire at the end of the visit, one lasts for the day, another remains on the computer for six months, and one stays on the computer for two years. 

The site does not provide explicit information on the cookies, but it appears that several are related to Google Analytics, a commonly used service that analyzes website traffic and visitors. The cookies on the Prime Minister’s site can be used to track the time of the visit, repeat visits, how the visitor arrived at the site (search engine, link from another site), and how long the visitor stays on the site.

An additional cookie may be linked to a Twitter feed on the site. The Twitter cookie allows that service to track users who are logged into their account at the time and have not requested to stop tracking in their preferences.

The Prime Minister’s website is not the only site that has adopted this language but appears to use regularly use cookies. Two related sites – a site devoted to the Speech from the Throne and one on the government’s Economic Action plan – both use the same policy language and insert similar cookies.

The source of the problem appears to be the use of an old sample Treasury Board privacy policy that was designed for sites that do not use cookies. Given that these sites use cookies, the policies are inaccurate and should obviously be replaced.

The failure to properly disclose the site’s privacy practices points to three issues. First, the use of sample privacy policies may often create problems since websites collect and use personal information in different ways.

Second, websites should regularly revisit their privacy policies to ensure that they reflect current practices.

Third, given the ease with which Internet users can be tracked online, the government should consider incorporating do-not-track provisions into its privacy legislation, thereby ensuring that user privacy choices are respected.

Tags: / /

11 Comments

  1. Anthony Reimer says:

    Discard Cookies at end of session
    This is why I use a browser that automatically discards all cookies when I quit the browser (the venerable OmniWeb for Mac OS X). If I have to use a different browser (like on my iPad), I block all third-party cookies and flush the others regularly.

  2. Exporting cookies to the U.S.
    The third party cookies from Google Analytics and Twitter are an interesting part of this story. Not only is the site providing private companies with our browsing information, but since these companies are U.S. based, they are subject to American laws such as the Patriot Act. If any American law enforcement agency wishes to find out who has been visiting the PM site, they can obtain this information without any judicial review. Perhaps Vic Toews can get his surveillance wishes for Canadians met more easily by asking U.S. authorities to do it for him.

  3. unimportant says:

    False premise. “The need for accuracy is particularly true if you’re say, the Prime Minister of Canada.”
    Nobody reads privacy policies or believes they’re true. Few people are both technologically and law-jargon literate enough to read the policy, let alone write one, so they’re usually copied off another website. This isn’t about “the prime minister”, but “even the prime minister”.

    I’m sorry, the answer to privacy policies isn’t law, it’s technological. Encryption and anonymization technologies exist to make “privacy violations” impossible. A Canadian “do-not-track” law won’t be obeyed on an internet, and government shouldn’t coddle people who give up privacy. To help, promote the technology.

  4. AdBlock Plus
    And enter ||google-analytics.com on a custom filter line.

    Done.

  5. Odetta Coen says:

    Definitely agree that re-write is needed!
    It is true that not many Internet users are realizing the amazing importance of blocking the third-party cookies that are tracking their visited websites and gathering all kind of info on a regular base! The problems with our privacy while using Internet are increasing daily, as Facebook became the center of the attention too, regarding all that, but there are no two opinions that extra measures securing our untrackable privacy should eb secured!
    Rental Company

  6. Denise Eisner says:

    Understanding Google Analytics and First Party Cookies
    Web analytics experts including Brian Clifton have repeatedly asserted that by default Google Analytics does not collect personally identifiable information (PII) and uses only 1st-party cookies. In addition, all reported data is aggregate. That means it is grouped data and not that of individuals. This would thus mean that explicit consent is not required if the only cookie is set for Google Analytics. Moreover, collecting PII is also against the Google Analytics Terms of Service.

    I agree that explicit, plain language policies are the best approach to guide users to make decisions about whether to allow cookies. That said, website owners should be allowed to analyze user trends in order to improve their services. There is a happy medium.

  7. @Denise Eisner
    Agreed. Problem is that these things are used all over the place. For instance, something here is setting off a web security policy violation, in that something related to this site is contacting statcounter.com. Is it directly related? No idea.

  8. Elusive Medium
    Agreed with Denise that there is a happy medium, unfortunate that it’s so elusive

  9. www.cheapnorthfacejacketssale.co.uk says:

    http://www.cheapnorthfacejacketssale.co.uk
    Despite the efforts to combat leaks, information on the Internet chapter has begun to emerge

  10. http://www.northfacejacketsau.com/ says:

    north face
    http://www.northfacejacketsau.com/ women and young adults searching for the most up-to-date outfits within outfits size 18 in addition and also equipment.

  11. bestgenericviagra.info says:

    Nice Onre
    Given that these sites use cookies, the policies are inaccurate and should obviously be replaced.
    http://www.bestgenericviagra.info/