******** Some samples from the output of my "cookiebot" program: http://www.politechbot.com/docs/cookies.dod.0600.html http://www.politechbot.com/docs/cookies.house.0600.html http://www.politechbot.com/docs/cookies.sample.0600.html ******** http://www.wired.com/news/politics/0,1283,37314,00.html Feds' Hands Caught in Cookie Jar by Declan McCullagh ([EMAIL PROTECTED]) 3:00 a.m. Jun. 30, 2000 PDT WASHINGTON -- Federal agencies are ignoring stern White House instructions not to use cookies on government websites. Dozens of U.S. government sites, including ones operated by the Justice Department, the Defense Department, and the Energy Department continue sending cookies to the computers of unsuspecting visitors. An investigation by Wired News shows that these agencies and many others appear to be violating a Clinton administration directive that halted the controversial practice last week. Cookies track what people do online, and government use of them may also run afoul of a 1974 privacy law. "'Cookies' should not be used at federal websites, or by contractors when operating websites on behalf of agencies," Jacob Lew, director of the White House's Office of Management and Budget (OMB), wrote in a memo to agencies last Thursday. Lew's memo came after news reports revealed the White House's drug policy office used cookies to surreptitiously track behavior. But the agencies aren't paying attention. In the Defense Department, at least 13 websites continue to use cookies, including the U.S. European Command, the Air Force Space Command, a Pentagon records agency, and the Army's training command. So do Federal Reserve banks, the U.S. Mint, the Federal Deposit Insurance Corporation, and the Immigration and Naturalization Service. Wired News conducted its investigation by writing a Perl program to connect to the website of every agency and commission listed in the U.S. Government Manual, an official government publication. After connecting, the program recorded whether or not each website used cookies, and if the cookies were temporary or permanent. "We sent this memo out because we clearly wanted to send a message to agencies that we mean business," said Linda Ricci, a spokeswoman for OMB. "We expect agencies to clean things up. But in an organization as large as the government, I'm not sure that that can be accomplished in the span of eight or nine days." "We're taking it seriously," she said. "We don't think there's any ambiguity about that." In its letter, OMB said that agencies could continue to use cookies in some precisely defined circumstances: When there is "a compelling need," when the public is informed of the practice, and after the agency head personally approved the tracking. Of 18 agencies contacted on Thursday by Wired News, not one was able to say whether or not the proper person had OK'd the use of cookies. The National Endowment for the Humanities, which said they disclose that information is gathered "for statistical purposes," came closest to meeting the cookie use requirements. Meredith Hindley, assistant webmaster, said that she expects approval: "We will get that from (the agency head). He is on vacation right now." "Ive seen the memo from the OMB, and were all familiar with that," said Susan Hanson, a Defense Department public relations officer. "We will be getting back in touch with them to see if our guidelines are acceptable with their guidelines. But we want to make clear from the get-go that were not collecting any personalized information, but just for purposes of making our website better." Most government sites that set cookies do not inform visitors of the practice -- which OMB says is necessary. The Army Review Boards Agency, which has cookies that expire in December 2010, does not even include a privacy policy, a practice required by a June 1999 OMB memorandum. Permanent cookies reside in a file on your hard drive and allow websites to monitor your behavior over time. Temporary cookies are ephemeral: They're discarded when you close a browser window or reboot. OMB does not differentiate between temporary and permanent cookies. The General Services Administration seems to be unusually upfront about telling visitors that cookies are in use. The GSA home page, its Federal Consumer Information Center, and the GSA Federal Supply Service all have policies that say "we may use a cookie" or similar language. The Federal Energy Regulatory Commission, on the other hand, says "we generally do not use cookies" -- even though anyone who stops by the FERC home page will receive one that will stay active until December 2010. Four websites at the National Institutes of Health use cookies: The Center for Information Technology, the National Eye Institute, the Institute of General Medical Sciences, and the National Institute of Mental Health. Not one of the four sites mentioned this was taking place, and just two had privacy policies. Instead of a privacy policy, NIMH simply said: "By accessing this computer system you are consenting to system monitoring by law enforcement and other purposes." It appears that many sites using cookies may do so inadvertently: Some Microsoft server products, for example, turn on the technology by default. But OMB's Ricci again stressed that agencies needed to justify the cookie use. "(The directive) is essentially saying that except in certain compelling cases, this should not be happening," Ricci said. "They would have to present a compelling case not only to us, but to the head of their agency why they would need to continue this." "The force of this memo is very much linked to another OMB function: Approval of budget requests," she said. "We will hold compliance with this memo as a test when funding requests take place." Although OMB did not draw a distinction between temporary and permanent cookies, privacy advocates say they're not too worried about the former. However, about one-third of the government sites that sent cookies used permanent ones. "I don't think there's anything wrong from a privacy viewpoint with session cookies," says Marc Rotenberg, director of the Electronic Privacy Information Center. "The privacy concern of ours is when tracking takes place between discrete Web activities." Last week, Rotenberg sent a letter to Congress asking for an investigation of the "tracking practices" of federal agencies. He said tracking might violate the Privacy Act of 1974, which regulates agency collections of "identifying number, symbol, or other identifying particulars assigned" to an individual. That definition could cover cookies. A free-market group was more critical. "It's typical. Governments think the rules don't apply to them," said Erick Gustafson, director of technology policy at Citizens for a Sound Economy. "They're historically the worst offenders of privacy and the rights of citizens." "At the end of the day, consumers have to look out for themselves. you can't trust the government any more than you can throw it," Gustafson said. A Department of Energy spokesman who asked not to be identified said that he was familiar with the OMB memo and stressed that the DOE homepage did not use cookies. The spokesman said he would investigate the four DOE sites that do, including the Office of the Deputy Administrator for Defense Programs and the DOE science office. Nicholas Morehead contributed to this report.
