'Cookies' prove persistent

Some agencies still have not complied with the Clinton administration's 4-month-old rule on protecting the privacy of visitors to federal Web sites.

In June, the Office of Management and Budget issued a memo prohibiting agencies from using "cookies," pieces of code that enable a Web server to recognize that a visitor to the Internet site has returned. When a user visits the site for the first time, the server stores the code on the visitor's hard drive. OMB allows agencies to use cookies if the agency can meet several conditions, including providing a clear notice on the site that it uses cookies.

OMB sent a letter in September to the CIO Council clarifying that the policy applies only to persistent cookies, which stay on the user's hard drive for a specified period of time. The policy doesn't require agencies to provide notice if a site is using session cookies, which are erased when users shut down their browsers.

However, a General Accounting Office survey of 13 agency Web sites conducted in September and released Oct. 20 found that seven of those sites still used persistent cookies without giving notice.

The seven agencies have removed the persistent cookies, but some members of Congress cite this survey as proof that agencies cannot be trusted when it comes to collecting personal information about citizens. Sen. Fred Thompson (R-Tenn.), who commissioned the study as chairman of the Senate Governmental Affairs Committee, said GAO's findings show that the administration is not following its own policies. "The federal government should set the standard for privacy protection," Thompson said in a statement. "Unfortunately, it appears that in some instances, the agencies are misleading the public about whether they or third parties are tracking information about citizens who visit their Web sites."

Administration officials, however, say that agencies must learn to use the technology more judiciously because Web-based services, such as the U.S. Mint's online shopping offerings, can provide better service if the Web server can recognize returning users and their interests. "We're talking about a technology here; what we want to get rid of is a behavior," said Roger Baker, co-chairman of the CIO Council's privacy subcommittee. "Cookies don't track people, people track people."

Some pages using persistent cookies were agency home pages. One was the Bureau of Labor Statistics' home page. The bureau's site began tracking visitors as soon as they entered it. By doing so, the bureau did not give visitors a chance to decide if the site could place cookies on their hard drives. The bureau's privacy policy states that the agency does not collect personal information unless the user chooses to provide it.

Baker said agencies' not following their own Web policies is a problem and one that extends beyond the use of cookies.

The GAO study was conducted before the deadline to remove cookies passed, administration officials said. OMB told agencies that the cookies must be removed by the time they submitted fiscal 2002 budgets, which typically occurs in November and December. Administration officials said agencies should have until then to remove the cookies. "It's a big federal government, and there are more than 27 million [Web] pages out there," said Peter Swire, chief counselor for privacy at OMB. "So if you say in June to do something, it doesn't get to all 27 million pages immediately."

In the meantime, Rep. Rodney Frelinghuysen (R-N.J.) attached an amendment to the Treasury Department's fiscal 2001 appropriations bill, which passed in October, that bans the use of all cookie technology until Congress establishes a governmentwide policy.

Baker said Congress should avoid such bans because cookies can be useful for electronic government. "It will be very difficult to do e-government with certain technologies used by the private sector outlawed for our use," he said.
