CIO Council serving 'cookies' guide
- By Diane Frank
- Nov 05, 2000
The CIO Council is putting together a guide that will allow agencies to
use "cookies" while following administration policy and privacy advocates'
recommendations on the touchy issue.
The council's action results from a decision in June by the Office of
The policy forbids agencies from using persistent cookies — software a Web
server places on a user's hard drive for a certain amount of time to identify
the user on return visits.
Agencies may only use persistent cookies if they notify visitors, demonstrate
a clear need to use the technology and get the approval of the agency head.
Agencies are allowed to use session cookies, which are erased when the user's
Web browser is closed, without special conditions.
"We think we've taken major measures, and we're working with the CIO
Council to find ways to make sure privacy policies are followed all the
way through [agencies'] sites and not just at the top level," said Peter
Swire, chief counselor for privacy at OMB.
OMB gave agencies until December to remove persistent cookies from their
Web sites and to detail how they are using the technology. But unhappy members
of Congress are holding hearings and a recent General Accounting Office
Agencies are trying to use technologies to enhance their Web-based services
to citizens, and it's understandable that citizens are wary, said Roger
Baker, co- chairman of the CIO Council's privacy committee. "A service the
CIO Council could provide is to say, "Here are valid reasons and rationales
for using cookies.' "
By putting all the different agency methods together and allowing everyone
to see and use them, agencies will not have to be afraid of pressure from
Congress or a reprimand from OMB, Baker said.
There are legitimate uses for persistent cookies. The most cited example
is the online shopping cart on the U.S. Mint's site to buy coins, but agencies
using such cookies must indicate their use in privacy policies, according
to Baker. So Congress and agencies should not act too quickly and throw
the baby out with the bathwater, he said.
"I understand why we ought to be really careful in the federal government
with any tracking that we do...but privacy is the issue, not cookies," he
The underlying issue is ensuring that agencies follow both the administration's
policy and their own, agreed Baker and Ari Schwartz, senior policy analyst
for the Center for Democracy and Technology. So, on behalf of the CIO Council,
Baker is collecting information from all agencies on whether they are electing
to retain their persistent cookies, for what reason and how they justified
that use to their administrator and OMB.
"If we all say it the same way and make sure that we've all got ourselves
in a row, then it will be much easier for people to understand," Baker said.