FCW Insider


Hand in the cookie jar...

This was a post I started way back in June, but I never finished it. But then, I saw this story about the NSA using permanent cookies... and decided it was time to revisit the issue because the NSA is not alone.

Here is the never posted post as I wrote it back then.

I'm not big into got-ya' journalism. I don't think it is good for us... and I don't think it is good for you. That being said, it is somehow ironic that I go to the Senate Committee on Homeland Security and Governmental Affairs... guess who asks for permanent cookies! Yes, the same committee that is ostensibly responsible for the oversight of e-government and federal privacy rules. We understand that Congress doesn't play by the same rules that agencies do, but when we last checked, which was some time ago, I admit, permanent cookies were banned from agency Web sites. The committee Web site doesn't even have a privacy policy on it. The House's Web site, we should note, does. As does the House Government Reform Committee's Web site -- although the policy itself is not coming up at the moment on my Mac using Firefox. But the thought is there!

The White House Web site posts its privacy policy... and the U.S. Supreme Court's Web site, operated by the Government Printing Office, has a "proprietary and security notice." I guess that is the same thing, right?

And just to make sure I was being fair to the Senate, I have continued to look at sites. Of the sites I went through, GPO and the Government Accountability Office's privacy policies were the only ones to actually talk about cookies.

But my search continues.

I have since come across more government Web sites that use permanent cookies including many of the Smithsonian museum's Web sites, including the main Web site and the National Zoo.

I also heard from Ari Schwartz, deputy director of the Center for Democracy and Technology, who is quoted in AP's NSA story, who said that the no permanent cookie policy still exists and that it was "reconfirmed (and slightly changed) as part of the E-Government Act privacy implementation in 2002."

Meanwhile the White House has acknowledged that its Web site was using Web bugs. White House officials said a contractor, WebTrends, was responsible. I'm curious that I didn't see this because I often check my Web bug scanner, which Yahoo has loaded on its toolbar.

White House to investigate contractor's Web tracking [Boston Globe, 12.30.2005]
Technologies may violate policy

NEW YORK -- Without the Bush administration knowing, an outside contractor has been using Internet tracking technologies that may be prohibited to analyze usage and traffic patterns at the White House's website, an official said yesterday.

David Almacy, the White House's Internet director, promised an investigation into whether the practice is consistent with a 2003 policy from the White House's Office of Management and Budget banning the use of most such technologies at government sites. "No one even knew it was happening," Almacy said. "We're going to work with the contractor to ensure that it's consistent with the OMB policy."

The White House's website uses what is known as a Web bug to anonymously keep track of who is visiting and when. A Web bug is essentially a graphic image that is virtually invisible. In this case, the bug is pulled from a server maintained by the contractor, WebTrends Inc., and lets the traffic analytic company know that another person has visited a specific page on the site.

Web bugs themselves are not prohibited. But when these bugs are linked to a data file known as a "cookie" so that a site can tell whether the same person has visited again, a federal agency using them must demonstrate a "compelling need," get a senior official's approval, and disclose such usage, said Peter Swire, a Clinton administration official who helped draft the original rules.

Note: Links in stories have been added by me, not by the Boston Globe.
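For readers who want to run the same kind of check on a site they operate, here is an added example (not part of the original post or the Boston Globe story) that audits one page response for the two things discussed above: tiny images pulled from another host, and cookies that outlive the browser session. The host names, cookie names and the "1x1 pixel from a different host" heuristic are assumptions made for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

def cookie_kind(set_cookie, now):
    """Classify one Set-Cookie header value as 'session', 'persistent' or 'expired'."""
    parts = (p.partition("=") for p in set_cookie.split(";")[1:])  # skip name=value
    attrs = {k.strip().lower(): v.strip() for k, _, v in parts}
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return "persistent" if int(attrs["max-age"]) > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored, fall through to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "session"  # unparseable date: treat as if no expiry was set
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"
    return "session"  # no expiry attribute: cookie ends with the browser session

class BugFinder(HTMLParser):
    """Collect hosts of <img> tags sized 1x1 or smaller that load from another host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.bugs = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("src") or "").hostname  # None for relative URLs
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tag == "img" and tiny and host and host != self.page_host:
            self.bugs.append(host)

def audit(page_url, html, set_cookie_headers, now):
    finder = BugFinder(urlparse(page_url).hostname)
    finder.feed(html)
    kinds = {c.split("=", 1)[0].strip(): cookie_kind(c, now) for c in set_cookie_headers}
    return {"web_bugs": finder.bugs, "cookies": kinds}

# Constructed sample input (hypothetical hosts and cookies, not captured from any real site)
NOW = datetime(2005, 12, 30, tzinfo=timezone.utc)
HTML = ('<p>Welcome</p><img src="http://stats.tracker.example/hit.gif?page=home" '
        'width="1" height="1"><img src="/logo.gif" width="120" height="40">')
HEADERS = ["SESSID=abc123; Path=/", "OLD=1; Max-Age=0",
           "VISITOR=42; Expires=Thu, 31 Dec 2015 23:59:59 GMT; Path=/"]
REPORT = audit("http://www.agency.example/index.html", HTML, HEADERS, NOW)
```

A "persistent" result alongside a non-empty `web_bugs` list is the combination the quoted rules single out for approval and disclosure.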

UPDATE as of 11:15a: I got this note from CDT's Ari Schwartz:

I actually don't think that the current policy is overly onerous.

Agencies need only:

1) put a policy official in charge of cookies (this can be someone who is in charge of privacy, but it could also be a CIO or someone in the CIO's office) and
2) disclose their use of cookies in their privacy policy

and then they can use cookies however they want. Considering the history of agencies not realizing that they are (or purposely) allowing third-party commercial entities to set track visitors with no controls... this doesn't seem like too much to ask.

Posted by Christopher Dorobek on Dec 30, 2005 at 12:15 PM

