FCW Insider


Hand in the cookie jar...

This was a post I started way back in June, but I never finished it. But then, I saw this story about the NSA using permanent cookies... and decided it was time to revisit the issue because the NSA is not alone.

Here is the never posted post as I wrote it back then.

I'm not big into got-ya' journalism. I don't think it is good for us... and I don't think it is good for you. That being said, it is somehow ironic that I go to the Senate Committee on Homeland Security and Governmental Affairs... guess who asks for permanent cookies! Yes, the same committee that is ostensibly responsible for the oversight of e-government and federal privacy rules. We understand that Congress doesn't play by the same rules that agencies do, but when we last checked, which was some time ago, I admit, permanent cookies were banned from agency Web sites. The committee Web site doesn't even have a privacy policy on it. The House's Web site, we should note, does. As does the House Government Reform Committee's Web site -- although the policy itself is not coming up at the moment on my Mac using Firefox. But the thought is there!

The White House Web site posts its privacy policy... and the U.S. Supreme Court's Web site, operated by the Government Printing Office, has a "proprietary and security notice." I guess that is the same thing, right?

And just to make sure I was being fair to the Senate, I have continued to look at sites. Of the sites I went through, GPO and the Government Accountability Office's privacy policies were the only ones to actually talk about cookies.

But my search continues.

I have since come across more government Web sites that use permanent cookies including many of the Smithsonian museum's Web sites, including the main Web site and the National Zoo.

I also heard from Ari Schwartz, deputy director of the Center for Democracy and Technology, who is quoted in AP's NSA story, who said that the no permanent cookie policy still exists and that it was "reconfirmed (and slightly changed) as part of the E-Government Act privacy implementation in 2002."

Meanwhile the White House has acknowledged that its Web site was using Web bugs. White House officials said a contractor, WebTrends, was responsible. I'm curious that I didn't see this because I often check my Web bug scanner, which Yahoo has loaded on its toolbar.

White House to investigate contractor's Web tracking [Boston Globe, 12.30.2005]
Technologies may violate policy

NEW YORK -- Without the Bush administration knowing, an outside contractor has been using Internet tracking technologies that may be prohibited to analyze usage and traffic patterns at the White House's website, an official said yesterday.

David Almacy, the White House's Internet director, promised an investigation into whether the practice is consistent with a 2003 policy from the White House's Office of Management and Budget banning the use of most such technologies at government sites. "No one even knew it was happening," Almacy said. "We're going to work with the contractor to ensure that it's consistent with the OMB policy."

The White House's website uses what is known as a Web bug to anonymously keep track of who is visiting and when. A Web bug is essentially a graphic image that is virtually invisible. In this case, the bug is pulled from a server maintained by the contractor, WebTrends Inc., and lets the traffic analytic company know that another person has visited a specific page on the site.

Web bugs themselves are not prohibited. But when these bugs are linked to a data file known as a "cookie" so that a site can tell whether the same person has visited again, a federal agency using them must demonstrate a "compelling need," get a senior official's approval, and disclose such usage, said Peter Swire, a Clinton administration official who helped draft the original rules.

Note: Links in stories have been added by me, not by the Boston Globe.

UPDATE as of 11:15a: I got this note from CDT's Ari Schwartz:

I actually don't think that the current policy is overly onerous.

Agencies need only:

1) put a policy official in charge of cookies (this can be someone who is in charge of privacy, but it could also be a CIO or someone in the CIO's office) and
2) disclose their use of cookies in their privacy policy

and then they can use cookies however they want. Considering the history of agencies not realizing that they are (or purposely) allowing third-party commercial entities to set track visitors with no controls... this doesn't seem like too much to ask.

Posted by Christopher Dorobek on Dec 30, 2005 at 12:15 PM

