Feds' Hands Caught in Cookie Jar 

Feds' Hands Caught in Cookie Jar 
Posted by FoM on July 01, 2000 at 08:21:22 PT
By Declan McCullagh 
Source: Wired Magazine
 Federal agencies are ignoring stern White House instructions not to use cookies on government websites. Dozens of U.S. government sites, including ones operated by the Justice Department, the Defense Department, and the Energy Department continue sending cookies to the computers of unsuspecting visitors. 
An investigation by Wired News shows that these agencies and many others appear to be violating a Clinton administration directive that halted the controversial practice last week. Cookies track what people do online, and government use of them may also run afoul of a 1974 privacy law. "'Cookies' should not be used at federal websites, or by contractors when operating websites on behalf of agencies," Jacob Lew, director of the White House's Office of Management and Budget (OMB), wrote in a memo to agencies last Thursday. Lew's memo came after news reports revealed the White House's drug policy office used cookies to surreptitiously track behavior. But the agencies aren't paying attention. In the Defense Department, at least 13 websites continue to use cookies, including the U.S. European Command, the Air Force Space Command, a Pentagon records agency, and the Army's training command. So do Federal Reserve banks, the U.S. Mint, the Federal Deposit Insurance Corporation, and the Immigration and Naturalization Service. Wired News conducted its investigation by writing a Perl program to connect to the website of every agency and commission listed in the U.S. Government Manual, an official government publication. After connecting, the program recorded whether or not each website used cookies, and if the cookies were temporary or permanent. "We sent this memo out because we clearly wanted to send a message to agencies that we mean business," said Linda Ricci, a spokeswoman for OMB. "We expect agencies to clean things up. But in an organization as large as the government, I'm not sure that that can be accomplished in the span of eight or nine days." "We're taking it seriously," she said. "We don't think there's any ambiguity about that."In its letter, OMB said that agencies could continue to use cookies in some precisely defined circumstances: When there is "a compelling need," when the public is informed of the practice, and after the agency head personally approved the tracking. Of 18 agencies contacted on Thursday by Wired News, not one was able to say whether or not the proper person had OK'd the use of cookies. The National Endowment for the Humanities, which said they disclose that information is gathered "for statistical purposes," came closest to meeting the cookie use requirements. Meredith Hindley, assistant webmaster, said that she expects approval: "We will get that from the agency head. He is on vacation right now." "Ive seen the memo from the OMB, and were all familiar with that," said Susan Hanson, a Defense Department public relations officer. "We will be getting back in touch with them to see if our guidelines are acceptable with their guidelines. But we want to make clear from the get-go that were not collecting any personalized information, but just for purposes of making our website better." Most government sites that set cookies do not inform visitors of the practice -- which OMB says is necessary. The Army Review Boards Agency, which has cookies that expire in December 2010, does not even include a privacy policy, a practice required by a June 1999 OMB memorandum. Permanent cookies reside in a file on your hard drive and allow websites to monitor your behavior over time. Temporary cookies are ephemeral: They're discarded when you close a browser window or reboot. OMB does not differentiate between temporary and permanent cookies. The General Services Administration seems to be unusually upfront about telling visitors that cookies are in use. The GSA home page, its Federal Consumer Information Center, and the GSA Federal Supply Service all have policies that say "we may use a cookie" or similar language. The Federal Energy Regulatory Commission, on the other hand, says "we generally do not use cookies" -- even though anyone who stops by the FERC home page will receive one that will stay active until December 2010. Four websites at the National Institutes of Health use cookies: The Center for Information Technology, the National Eye Institute, the Institute of General Medical Sciences, and the National Institute of Mental Health. Not one of the four sites mentioned this was taking place, and just two had privacy policies. Instead of a privacy policy, NIMH simply said: "By accessing this computer system you are consenting to system monitoring by law enforcement and other purposes." It appears that many sites using cookies may do so inadvertently: Some Microsoft server products, for example, turn on the technology by default. But OMB's Ricci again stressed that agencies needed to justify the cookie use. "The directive is essentially saying that except in certain compelling cases, this should not be happening," Ricci said. "They would have to present a compelling case not only to us, but to the head of their agency why they would need to continue this." "The force of this memo is very much linked to another OMB function: Approval of budget requests," she said. "We will hold compliance with this memo as a test when funding requests take place." Although OMB did not draw a distinction between temporary and permanent cookies, privacy advocates say they're not too worried about the former. However, about one-third of the government sites that sent cookies used permanent ones. "I don't think there's anything wrong from a privacy viewpoint with session cookies," says Marc Rotenberg, director of the Electronic Privacy Information Center. "The privacy concern of ours is when tracking takes place between discrete Web activities." Last week, Rotenberg sent a letter to Congress asking for an investigation of the "tracking practices" of federal agencies. He said tracking might violate the Privacy Act of 1974, which regulates agency collections of "identifying number, symbol, or other identifying particulars assigned" to an individual. That definition could cover cookies. A free-market group was more critical. "It's typical. Governments think the rules don't apply to them," said Erick Gustafson, director of technology policy at Citizens for a Sound Economy. "They're historically the worst offenders of privacy and the rights of citizens." "At the end of the day, consumers have to look out for themselves. you can't trust the government any more than you can throw it," Gustafson said. A Department of Energy spokesman who asked not to be identified said that he was familiar with the OMB memo and stressed that the DOE homepage did not use cookies. The spokesman said he would investigate the four DOE sites that do, including the Office of the Deputy Administrator for Defense Programs and the DOE science office. Nicholas Morehead contributed to this report. Direct Link To Above Article:,1283,37314,00.htmlWeb Posted: June 30, 2000Copyright  2000 Wired Digital Inc. Related Articles: White House on Cookies: Doh! Web Site Tracks Visitors House Drug Office Tracks Computer Visitors 
Home Comment Email Register Recent Comments Help

Comment #1 posted by dddd on July 02, 2000 at 03:35:19 PT
I have a theory that I've entertained for several years. I have logged hundreds of hours websurfing.I have a 56k modem/dial-up connection.I'm used to the variations in the length of time that different websites take to load.I'm sure there are a number of factors that affect loading times,like;Speed of the servers computersComplexity of the websiteInternet congestionISPs' connection.. I'm sure the list could go on...Anyway,after reading about this cookie bust,and then seeing the fake surprize and scripted response from the bustees,,,,,,I'm convinced that this little cookie thing,is extremely questionable.I think it's quite likely that the cookies they are talking about are are just one,outdated way,of cyber-tracking.I'm sure there are numerous types of newer,hi-tech ways of tracking targeted websurfers,without using an accepted,or any other old type of cookie.I'll bet you that there are many new 'cookie recipes',that are top secret,classified software technologies,that are regularly used by federal snoops. I think it's quite possible,that this cookie bust story,was perhaps welcomed by certain factions in the government,as a way to make it appear there is no longer a problem,and to make it seem as if "cookies",were the only way for someone to monitor a web users behavior.After all,the cookies they are talking about,would be a rather clumsy way to gather info,when you consider the fact that they are detectable by most browsers,and a user preferences can easily be configured to ;"warn before accepting a cookie",or,"reject all cookies",,,etc. Why do I say all this?......My browser is set up to;"warn me before accepting a cookie"...I almost always reject cookies.I rejected all cookies when I was doing my amateur research experiments for the last year or so. Out of curiosity,I started taking note,and comparing the behavior of my modem,computer,browser,when looking at various sites. Now it's possible that I could be way off on this,in some sort of paranoic illusion,but I'd like to know if anyone else has had similar experiences,,and I encourage you to check it out for yourself,if you dare. I think that there are many drug related websites,including .gov and .org sites,,online headshops,anti drug war sites,,etc..that go through a curious,and unusual phase when they are loading.This consists of an abnormally long sequence,when the info bar on the browser will say"Reading File",,or something like;"12k of 355k at 3.7k per minute"......Now normally,if you are accessing a site,and it is taking too long,you can "stop loading" on your browser.,,,and 'normally',this will stop the site from loading.The sites I'm talking about,go through a phase where they will not respond normally to a "stop loading"command.The keyboard,and/or mouse will freeze up,the browser will refuse to "force quit"..etc... Am I imagining things?Is this a crackpot,paranoic theory?Has anyone had similar experiences?Does anyone know if such programs exsist that dont rely on cookies?.....dddd  
[ Post Comment ]

Post Comment

Name: Optional Password: 
Comment: [Please refrain from using profanity in your message]
Link URL: 
Link Title: