Spy Agency Removes Illegal Tracking Files

By The Associated Press

The National Security Agency's Internet site has
been placing files on visitors' computers that can track their Web surfing
activity despite strict federal rules banning most files of that type.

The files, known as cookies, disappeared after a privacy activist complained
and The Associated Press made inquiries this week. Agency officials
acknowledged yesterday that they had made a mistake.

Nonetheless, the issue raised questions about privacy at the agency, which
is on the defensive over reports of an eavesdropping program.

"Considering the surveillance power the N.S.A. has, cookies are not exactly
a major concern," said Ari Schwartz, associate director at the Center for
Democracy and Technology, a privacy advocacy group in Washington. "But it
does show a general lack of understanding about privacy rules when they are
not even following the government's very basic rules for Web privacy."

Until Tuesday, the N.S.A. site created two cookie files that do not expire
until 2035.

Don Weber, an agency spokesman, said in a statement yesterday that the use
of the so-called persistent cookies resulted from a recent software upgrade.

Normally, Mr. Weber said, the site uses temporary cookies that are
automatically deleted when users close their Web browsers, which is legally
permissible. But he said the software in use was shipped with the persistent
cookies turned on.

"After being tipped to the issue, we immediately disabled the cookies," Mr.
Weber said.

Cookies are widely used at commercial Web sites and can make Internet
browsing more convenient by letting sites remember user preferences. For
example, visitors would not have to repeatedly enter passwords at sites that
require them.

Privacy advocates point out that cookies can also track Web surfing, even if
no personal information is collected.

In a 2003 memorandum, the Office of Management and Budget at the White House
prohibited federal agencies from using persistent cookies - those that are
not automatically deleted right away - unless there is a "compelling need."

A senior official must sign off on any such use, and an agency that uses
them must disclose and detail their use in its privacy policy.

Peter Swire, a Clinton administration official who had drafted an earlier
version of the cookie guidelines, said that clear notice was a must, and
that "vague assertions of national security, such as exist in the N.S.A.
policy, are not sufficient."

Daniel Brandt, a privacy activist who discovered the N.S.A. cookies, said
mistakes happen, "but in any case, it's illegal."

Richard M. Smith, a security consultant in Cambridge, Mass., questioned
whether persistent cookies would even be of much use to the security agency.
They are great for news sites and others with repeat visitors, Mr. Smith
said, but the agency's site does not appear to have enough fresh content to
warrant more than occasional visits.

The government first issued strict rules on cookies in 2000 after
disclosures that the White House drug policy office had used them to track
computer users viewing its online antidrug advertising. Even a year later, a
Congressional study found 300 cookies still on the Web sites of 23 agencies.

In 2002, the C.I.A. removed cookies it had inadvertently placed at one of
its sites after Mr. Brandt called it to the agency's attention.

You are a subscribed member of the infowarrior list. Visit 
www.infowarrior.org for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.