Government Web Sites Caught in the Cookie Jar

Nearly a dozen federal agencies are silently using technology that tracks Internet use of their Web sites' visitors, despite a four-month-old White House order against the practice.

As of this month, 11 of the 65 Web sites reviewed by the General Accounting Office were depositing software cookies on visitors' Web browsers, including three sites that were passing along the information to third parties without disclosure, according to a report released by the office Friday. Four additional agencies, including the U.S. Postal Service and Small Business Administration, were using cookies but disclosing the practice, the report found.

"How can this administration talk about protecting privacy when its own agencies jeopardize some of the public's most private information?" Senate Governmental Affairs Chair Fred Thompson, R-Tennessee, who requested the GAO report, says in a statement. "The federal government should set the standard for privacy protection." (See "Privacy Debate Lands in the Senate.")

In June the Clinton administration issued strict privacy rules regulating federal use of the Internet to surreptitiously collect personal information. The order came after the White House Office of National Drug Control Policy placed cookies on the browsers of visitors to its flashy Freevibe anti-drug Web site. (See "Is Government's Future Electronic?")

Cookies are text files saved in a browser's directory or folder and stored in memory while the browser is running. Some Web sites use cookies to store personal preferences or track visitors.

The agencies still found to be using cookies without disclosures are the Office of Personnel Management, U.S. Trade and Development Agency, Federal Aviation Administration, Ames Laboratory, Bureau of Labor Statistics, Health Care Financing Administration, National Park Service, Central Federal Lands Highway Division, Federal Emergency Management Agency, and U.S. Forest Service.

Cookie Compliance

Peter Swire, chief counselor for privacy at the White House Office of Management and Budget, which issued the June order, says that 6 of the 15 sites found to be using cookies in October have responded to the GAO report or are in the process of responding.

He also notes that six sites are, in fact, not in violation of the White House order because they were using a "session cookie" versus the more egregious "persistent cookie." Session cookies do not violate privacy because they live only as long as the browsing session and expire when the user quits the browser. Persistent cookies remain on a visitor's computer until a set expiration date and can be used to track behavior.

Government agencies will be required to explain how they complied with the White House order on cookies when they submit budget requests in December, Swire adds.

Marc Rotenberg, executive director of the Electronic Privacy Information Center, a public interest research organization in Washington, D.C., agrees that only persistent cookies are cause for concern. Session cookies can be useful, he says, but persistent cookies raise a red flag because they can be used for profiling.