Cookies persist on federal sites

Nearly a year after the White House ordered federal agencies to stop secretly collecting information on people who visit their Internet sites, the practice remains widespread.

From the Federal Aviation Administration to the Treasury and Education Departments, agencies continue to employ "persistent cookies" to monitor Web page visitors. Inspectors general reported that as of mid-February, 64 Web sites operated by seven federal agencies were still using persistent cookies.

But dozens of other agencies have yet to file Web site audit reports, so the number of sites violating a general ban on the use of cookies is undoubtedly higher, said Chris Hoofnagle of the Electronic Privacy Information Center.

Persistent cookies are pieces of computer code planted on a user's computer by a Web site. They track the user's movement from page to page through the Web site, and some can track movement from site to site.

Use of persistent cookies on federal Web sites has been banned in most instances by rules imposed last June by the Office of Management and Budget.

Many privacy advocates worry that cookie use gives the government too much ability to monitor individuals. They fear that monitoring a taxpayer's visits to IRS pages on tax deductions, for example, might lead to audits.

However, John Spotila, head of the Office of Information and Regulatory Affairs during the Clinton administration, said he was never aware of any instances of cookies being used for that sort of surveillance. "I was never aware of anything sinister," he said. Cookies can help improve Web pages by providing information about what pages visitors like and don't like on Web sites, Spotila said. Government Web sites that were designed by contractors may include cookies simply because they are common on commercial sites, he said. In other cases, agency Web managers may be unaware that cookies essentially have been banned, he said.

Cookies aren't the only violations the inspectors general reported. Numerous sites fail to post privacy policies as required.

The inspectors general findings were made public this week by Sen. Fred Thompson (R-Tenn.), chairman of the Senate Governmental Affairs Committee. Among the violations:

Half the Education Department's Web sites that collect personal information lack posted privacy policies, and nine pages were linked to servers that collect e-mail addresses without the user's knowledge. Eleven of the Treasury Department's 30 main Web sites had no privacy statements. Nineteen of the Treasury's sites weren't listed on the agency's Web site inventory. The General Services Administration had 15 Web sites that used forbidden cookies. One of them operated under an arrangement in which a contractor owned all of the data collected. The Transportation Department had 23 Web sites using cookies. Twenty were FAA sites, and three were collecting personal data for private contractors. Thompson said he planned to introduce legislation that would create a commission to examine government privacy practices.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected