Agencies warned on cookies

Bush administration officials are promising "to light a fire" under agency Web managers who violate privacy regulations that forbid the use of cookies that track the activities of Web site visitors.

The cookie ban imposed last June by the Clinton administration "is still in effect, and we expect [agencies] to be in compliance with it," said Chris Ullman, a spokesman for the Office of Management and Budget. "We will work with them on that."

Reports submitted to Congress by inspectors general from 16 agencies showed that as of March 30, seven agencies operated 64 federal Web sites that continued to use persistent cookies. Sen. Fred Thompson (R-Tenn.) released the findings April 17.

The 16 agencies, including the Federal Aviation Administration and the Treasury Department, represent about a third of the agencies required to send Web audit reports to Congress. With dozens of agencies yet to file reports, the number of sites violating the ban likely will be higher, said Chris Hoofnagle of the Electronic Privacy Information Center.

OMB banned persistent cookies from federal Web sites in all but the most unusual circumstances. Persistent cookies were deemed a violation of Web users' privacy when it was discovered that the Office of Drug Control Policy was using them to track visitors to its Web site.

Persistent cookies are pieces of computer code placed on an Internet user's computer by a Web site. They track the user's movement from page to page through the Web site, and some track movement from site to site.

In the private sector, companies use cookies to tie online activity to data such as names, addresses and buying habits.

Many privacy advocates worry that cookies give the government too much monitoring ability. For example, they fear that monitoring a taxpayer's visits to Internal Revenue Service pages about tax deductions might lead to audits.

But John Spotila said he was "never aware of anything sinister" about cookies being used on government Web sites. Until last year, Spotila was head of the Office of Information and Regulatory Affairs.

He said cookies can help improve Web pages by providing information about what site visitors like and don't like. In addition, government Web sites that were designed by commercial contractors may include cookies simply because they are common on commercial sites, Spotila said. In other cases, agency Web managers may be unaware that cookies have essentially been banned on government sites.

The ban on cookies does not apply to "session cookies," which disappear from the user's computer when an Internet session ends.

Cookies aren't the only violations the inspectors general reported. Many sites fail to post privacy policies as required.

Half the Education Department's Web sites that collect personal information lack posted privacy policies, and nine pages were linked to servers that collect e-mail addresses without the user's knowledge.

The Trasportation Department said April 20 that it had removed all cookies from its 23 Web sites after its IG reported finding them in mid-February. The agency created a checklist for Web managers to follow to prevent cookies from being used on DOT Web sites in the future, a spokesman said.

"For the most part, they were inadvertent," he said. The cookies were added to Web sites during upgrades — often automatically by software — and unbeknownst to agency Web managers.

Thompson, who is chairman of the Senate Governmental Affairs Committee, said the discovery of such widespread cookie use was disturbing because agencies "should be setting the standard for privacy protection in the Information Age." Thompson said he planned to introduce legislation that would create a commission to examine government privacy practices.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.