'Cookies' prove persistent
- By Diane Frank
- Oct 29, 2000
Some agencies still have not complied with the Clinton administration's
4-month-old rule on protecting the privacy of visitors to federal Web sites.
In June, the Office of Management and Budget issued a memo prohibiting
agencies from using "cookies," pieces of code that enable a Web server to
recognize that a visitor to the Internet site has returned. When a user
visits the site for the first time, the server stores the code on the visitor's
conditions, including providing a clear notice on the site that it uses
OMB sent a letter in September to the CIO Council clarifying that the policy
applies only to persistent cookies, which stay on the user's hard drive
for a specified period of time. The policy doesn't require agencies to provide
notice if a site is using session cookies, which are erased when users shut
down their browsers.
However, a General Accounting Office survey of 13 agency Web sites conducted
in September and released Oct. 20 found that seven of those sites still
used persistent cookies without giving notice.
The seven agencies have removed the persistent cookies, but some members
of Congress cite this survey as proof that agencies cannot be trusted when
it comes to collecting personal information about citizens. Sen. Fred Thompson
(R-Tenn.), who commissioned the study as chairman of the Senate Governmental
Affairs Committee, said GAO's findings show that the administration is not
following its own policies. "The federal government should set the standard
for privacy protection," Thompson said in a statement. "Unfortunately, it
appears that in some instances, the agencies are misleading the public about
whether they or third parties are tracking information about citizens who
visit their Web sites."
Administration officials, however, say that agencies must learn to use the
technology more judiciously because Web-based services, such as the U.S.
Mint's online shopping offerings, can provide better service if the Web
server can recognize returning users and their interests. "We're talking
about a technology here; what we want to get rid of is a behavior," said
Roger Baker, co-chairman of the CIO Council's privacy subcommittee. "Cookies
don't track people, people track people."
Some pages using persistent cookies were agency home pages. One was the
Bureau of Labor Statistics' home page. The bureau's site began tracking
visitors as soon as they entered it. By doing so, the bureau did not give visitors
a chance to decide if the site could place cookies on their hard drives.
information unless the user chooses to provide it.
Baker said agencies' not following their own Web policies is a problem
The GAO study was conducted before the deadline to remove cookies passed,
administration officials said. OMB told agencies that the cookies must be
removed by the time they submitted fiscal 2002 budgets, which typically
occurs in November and December. Administration officials said agencies
should have until then to remove the cookies. "It's a big federal government,
and there are more than 27 million [Web] pages out there," said Peter Swire,
chief counselor for privacy at OMB. "So if you say in June to do something,
it doesn't get to all 27 million pages immediately."
In the meantime, Rep. Rodney Frelinghuysen (R-N.J.) attached an amendment
to the Treasury Department's fiscal 2001 appropriations bill, which passed
in October, that bans the use of all cookie technology until Congress establishes
a governmentwide policy.
for electronic government. "It will be very difficult to do e-government
with certain technologies used by the private sector outlawed for our use,"