Thursday, March 21, 2002

cia agrees to stop giving out cookies
It was all a misunderstanding, say CIA spokespeople.

A memo from the White House Office of Management and Budget, dated June 22, 2000, gives instructions regarding federal government web sites and privacy policies. Among the instructions are the following:
Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. These concerns are especially great where individuals who have come to government web sites do not have clear and conspicuous notice of any such tracking activities. "Cookies" -- small bits of software that are placed on a web user's hard drive -- are a principal example of current web technology that can be used in this way. The guidance issued on June 2, 1999, provided that agencies could only use "cookies" or other automatic means of collecting information if they gave clear notice of those activities.
The memo also lists some other restrictions on the use of files placed upon a visitor's computer:
"cookies" should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from "cookies"; and personal approval by the head of the agency. In addition, it is federal policy that all Federal web sites and contractors when operating on behalf of agencies shall comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 with respect to the collection of personal information online at web sites directed to children.
The page from the CIA that was placing these "tracking files" upon visitors' computers was their Electronic Reading Room, where you can find out more about the Freedom of Information Act, and can look through de-classified documents.

Some other federal web sites that have been seen giving out cookies include the portal, the FBI's jobs site, as well as the main sites operated by the Small Business Administration, the Department of Education and the Selective Service.

Checking these, I see a section from the Selective Service that very reasonably explains what cookies are, and how they are used on the site.

The Department of Education makes no mention of cookies on their front page, but does have a registration process which allows you to personalize the site for your visits, and probably uses some type of file like a cookie.

I say "like a cookie" in the previous paragraph, because when I read over the Small Business Administration's Privacy Policy, they explained how they don't use cookies, but rather use small files known as "session variables" which are stored in the visiting computer's memory but not upon its hard drive. So, it looks like a cookie, and smells like a cookie, but it isn't because it isn't placed upon the user's hard drive.

I'd rather see a good reason for a "session variable's" use than something that reads like a shortcut around the cookie/privacy tracking requirements.

Of concern to some people visiting the Electronic Reading Room was that you can view the most frequently requested documents that they are willing to disclose, from the page, or perform a keyword search. Keeping track of who is performing which keyword searches is a little like spying upon your visitors.

A contractor who redesigned the CIA site had inadvertently added the cookie technology at the end of January.
