Cookie monster rears its head

OMB's policy prohibits persistent Web cookies, but there are exceptions

So what's the big deal about Web cookies? It's just a data file stored on your computer, right? Privacy advocates and the Office of Management and Budget don't think cookies are so innocent, and some people say cookies are the gateway to greater privacy concerns.

The oft-overlooked cookie practice has been in headlines because the Associated Press recently caught the National Security Agency using cookies on its Web site. NSA has since stopped using cookies on its Web site, adhering to OMB policy. But the issue raised concerns about how agencies use cookies.

Since the Clinton administration, the government has had an explicit policy that bans persistent cookies — text files that a Web site can place on a user's computer to track the user's Internet travels.

Unlike session cookies, which disappear when a user closes the browser, persistent cookies can remain in computer files indefinitely. OMB's policy allows agencies to use session cookies.

"Cookies make Internet browsing convenient," said Jason Johns, a senior Web developer for Kansas-based NIC. Cookies can save users' passwords for online e-mail accounts and online shopping.

Cookies store users' unique identifying information on the computer to save their preferences, Johns said. For security, session cookies can ensure that the same logged-in user is completing an online form, such as a license renewal form. Keeping track of users' purchases using cookies can allow a Web site to cater to shoppers based on their past purchases.

"The spirit of the e-government initiative is providing the best service to the citizens," said Brent Hieggelke, vice president of corporate marketing at WebTrends in Portland, Ore. But with restrictive policies regarding cookies, he said, the government is attempting to become more efficient with "one hand tied behind its back."

Hieggelke said cookies allow the departments to review their site's service to their constituents by the volume of Web site traffic and visitors' responses to the site. Persistent cookies can determine if the Web site's visitors frequent the site or are first-time guests. If they visit frequently, Web designers can learn what content visitors seek and if they can find it.

Hieggelke said cookies are a performance measurement, which the e-government initiative emphasizes.

The original 2000 policy was written after the Office of National Drug Control Policy was found placing cookies on the computers of visitors to the office's drug-education Web sites. The Bush administration adopted the OMB policy in 2003 when Director Joshua Bolten signed the E-Government Act of 2002 privacy implementation policy, which prohibits government agencies from using persistent cookies on their sites, unless a top agency official approves them.

"The administration is committed to protecting the privacy of the American people," the 2003 OMB policy memo states.

According to the 2003 OMB policy instructions, the Bush administration requires agencies to review how they handle information collected from a Web site and ensure the security of personal information submitted by visitors. OMB also requires each agency Web site to have a privacy policy statement, clearly labeled and written in understandable language.

The White House's Web site states: "We will collect no personal information about you when you visit our Web site unless you choose to provide that information to us."

The E-Government Act of 2002 also mandates that agencies must complete a privacy impact assessment report, reviewing the effects of data collection. Agencies must complete the report before buying or using data-collecting technology. According to the legislation, agencies must explain what information they will collect and why, how they intend to use the information and with whom they will share the information. The report should also detail the security of the information and how someone can refuse to share information.

Privacy advocates often do not oppose cookies, and they acknowledge their usefulness. However, other privacy concerns remain.

"Following the events of Sept. 11, [2001], there is a common false belief that in order for America to be safe, the public must give up its privacy," said Latanya Sweeney in June 2005 before the Homeland Security Department's Privacy and Integrity Advisory Committee.

"Our work suggests that ubiquitous technologies...can be deployed while maintaining privacy," said Sweeney, an associate professor and the director of the Data Privacy Laboratory at Carnegie Mellon University.

Lance Hoffman, a computer science professor at George Washington University, agreed. "Mention privacy in a research proposal and it is too often the kiss of death." Most agencies are unwilling to devote the time necessary to arrive at a solution preserving liberty and also building accountability, he said. "The old question 'Who watches the watchers?' is important," said Hoffman, a member of DHS' Privacy and Integrity Advisory Committee.

Cookie rules

The Office of Management and Budget's 2003 guidance for implementing the privacy provisions of the E-Government Act of 2002 prohibits the use of persistent cookies in most cases, but allows the use of session cookies.

Here is the OMB policy on Web tracking.

  • Agencies cannot use persistent cookies or any other means, such as Web beacons, to track visitors' activity.
  • Agency executives can approve the use of persistent tracking technology if they have a compelling need. In those cases, the agency must include a notice in its online privacy policy stating the nature of the information collected, the purpose and use for the information, whether and to whom the information will be disclosed, and the privacy safeguards applied to the information collected.
  • If an agency executive approves the use of persistent tracking technologies, the agency must file a report on privacy practices.

Among the permitted tools, OMB's policy allows the use of the following:

  • Technology that is used to facilitate a visitor's activity within a single session and does not persist over time, such as session cookies.

Source: Office of Management and Budget