Agencies warned on cookies

Bush administration officials are promising "to light a fire" under agency Web managers who violate privacy regulations that forbid the use of cookies that track the activities of Web site visitors.

The cookie ban imposed last June by the Clinton administration "is still in effect, and we expect [agencies] to be in compliance with it," said Chris Ullman, a spokesman for the Office of Management and Budget. "We will work with them on that."

Reports submitted to Congress by inspectors general from 16 agencies showed that as of March 30, seven agencies operated 64 federal Web sites that continued to use persistent cookies. Sen. Fred Thompson (R-Tenn.) released the findings April 17.

The 16 agencies, including the Federal Aviation Administration and the Treasury Department, represent about a third of the agencies required to send Web audit reports to Congress. With dozens of agencies yet to file reports, the number of sites violating the ban likely will be higher, said Chris Hoofnagle of the Electronic Privacy Information Center.

OMB banned persistent cookies from federal Web sites in all but the most unusual circumstances. Persistent cookies were deemed a violation of Web users' privacy when it was discovered that the Office of Drug Control Policy was using them to track visitors to its Web site.

Persistent cookies are pieces of computer code placed on an Internet user's computer by a Web site. They track the user's movement from page to page through the Web site, and some track movement from site to site.

In the private sector, companies use cookies to tie online activity to data such as names, addresses and buying habits.

Many privacy advocates worry that cookies give the government too much monitoring ability. For example, they fear that monitoring a taxpayer's visits to Internal Revenue Service pages about tax deductions might lead to audits.

But John Spotila said he was "never aware of anything sinister" about cookies being used on government Web sites. Until last year, Spotila was head of the Office of Information and Regulatory Affairs.

He said cookies can help improve Web pages by providing information about what site visitors like and don't like. In addition, government Web sites that were designed by commercial contractors may include cookies simply because they are common on commercial sites, Spotila said. In other cases, agency Web managers may be unaware that cookies have essentially been banned on government sites.

The ban on cookies does not apply to "session cookies," which disappear from the user's computer when an Internet session ends.

Cookies aren't the only violations the inspectors general reported. Many sites fail to post privacy policies as required.

Half the Education Department's Web sites that collect personal information lack posted privacy policies, and nine pages were linked to servers that collect e-mail addresses without the user's knowledge.

The Transportation Department said April 20 that it had removed all cookies from its 23 Web sites after its IG reported finding them in mid-February. The agency created a checklist for Web managers to follow to prevent cookies from being used on DOT Web sites in the future, a spokesman said.

"For the most part, they were inadvertent," he said. The cookies were added to Web sites during upgrades — often automatically by software — and unbeknownst to agency Web managers.

Thompson, who is chairman of the Senate Governmental Affairs Committee, said the discovery of such widespread cookie use was disturbing because agencies "should be setting the standard for privacy protection in the Information Age." Thompson said he planned to introduce legislation that would create a commission to examine government privacy practices.
