Hand in the cookie jar...
This was a post I started way back in June, but I never finished it. But then, I saw this story about the NSA using permanent cookies
... and decided it was time to revisit the issue because the NSA is not alone.
Here is the never posted post as I wrote it back then.
And just to make sure I was being fair to the Senate, I have continued to look at sites. Of the sites I went through, GPO and the Government Accountability Office's privacy policies were the only one to actually talk about cookies.
But my search continues.
I have since come across more government Web sites that use permanent cookies including many of the Smithsonian museum's Web sites, including the main Web site
and the National Zoo
I also heard from Ari Schwartz
, deputy director of the Center for Democracy and Technology
, who is quoted in AP's NSA story
Meanwhile the White House has acknowledged that its Web site was using Web bugs
. White House officials said a contractor, WebTrends
, was responsible. I'm curious that I didn't see this because I often check my Web bug scanner, which Yahoo has loaded on its toolbar
White House to investigate contractor's Web tracking [Boston Globe, 12.30.2005]Note: Links in stories have been added by me, not by the Boston Globe.UPDATE as of 11:15a: I got this note from CDT's Ari Schwartz:
Technologies may violate policy
NEW YORK -- Without the Bush administration knowing, an outside contractor has been using Internet tracking technologies that may be prohibited to analyze usage and traffic patterns at the White House's website, an official said yesterday.
David Almacy, the White House's Internet director, promised an investigation into whether the practice is consistent with a 2003 policy from the White House's Office of Management and Budget banning the use of most such technologies at government sites. ''No one even knew it was happening," Almacy said. ''We're going to work with the contractor to ensure that it's consistent with the OMB policy."
The White House's website uses what is known as a Web bug to anonymously keep track of who is visiting and when. A Web bug is essentially a graphic image that is virtually invisible. In this case, the bug is pulled from a server maintained by the contractor, WebTrends Inc., and lets the traffic analytic company know that another person has visited a specific page on the site.
Web bugs themselves are not prohibited. But when these bugs are linked to a data file known as a ''cookie" so that a site can tell whether the same person has visited again, a federal agency using them must demonstrate a ''compelling need," get a senior official's approval, and disclose such usage, said Peter Swire, a Clinton administration official who helped draft the original rules.
I actually don't think that the current policy is overly onerous.
Agencies need only:
1) put a policy official in charge of cookies (this can be someone who is in charge of privacy, but it could also be a CIO or someone in the CIO's office) and
Posted by Christopher Dorobek on Dec 30, 2005 at 12:15 PM