Dozens of federal agencies are tracking visits to U.S. government Web sites in violation of long-standing rules designed to protect online privacy, a CNET News.com investigation shows.
From the Air Force to the Treasury Department, government agencies are using either "Web bugs" or permanent cookies to monitor their visitors' behavior, even though federal law restricts the practice.

Some departments changed their practices this week after being contacted by CNET News.com. The Pentagon said it wasn't aware that its popular Defenselink.mil portal tracked visitors--in violation of a privacy notice--and said it would fix the problem. So did the Defense Threat Reduction Agency and the U.S. Chemical Safety and Hazard Investigation Board.
"We were not aware of the cookies set to expire in 2016," a Pentagon representative said Wednesday. "All of the cookies we had set with WebTrends were to be strictly (temporary) cookies, and we are taking immediate action." WebTrends is a commercial Web-monitoring service.
The practice of tracking Web visitors came under fire last week when the National Security Agency was found to use permanent cookies to monitor visitors, a practice it halted after inquiries from the Associated Press. The White House also was criticized last week for employing WebTrends' tracking mechanism that used a tiny GIF image.
A 2003 government directive says that, in general, "agencies are prohibited from using" Web bugs or cookies to track Web visitors. Both techniques are ways to identify repeat visitors and, depending on the configuration, can be used to track browsing behavior across nongovernment Web sites too.
"It's evidence that privacy is not being taken seriously," said Peter Swire, a law professor at Ohio State University, referring to the dozens of agencies tracking visitors. "The guidance is very clear." While working in the Clinton administration in 2000, Swire helped to craft an earlier Web tracking policy.
To detect which agencies engage in electronic tracking, CNET News.com wrote a computer program that connected to every agency listed in the official U.S. Government Manual, and then evaluated what monitoring techniques were used. The expiration dates of the cookies detected ranged from 2006 to 2038, with most of them marked as valid for at least a decade or two.
Many agencies appeared to have no inkling that their Web sites were configured to record the activities of users. "When the agency set up ColdFusion on our Web server, we set the software to its default value," said William Alberque, a spokesman for the Defense Threat Reduction Agency. "The default value, as you saw, creates individual session cookies that can last on your computer for either 30 years or until you delete them." (ColdFusion is Adobe Systems' Web development software.)
While the practice of setting permanent cookies is generally prohibited, it's usually not clear how they're being used. In the worst case, they could be used to invade privacy by correlating one person's visits to thousands of Web sites. They also can be as innocuous as permitting someone to set a Web site's default language.
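The session-versus-permanent distinction the article relies on can be checked directly from a site's `Set-Cookie` response headers. The following is an added example, not the program CNET News.com wrote (which the page does not show); the cookie values and the reference date are constructed, and `CFID`/`CFTOKEN` are the ColdFusion cookie names mentioned in the reader comments.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def classify_cookie(set_cookie, now):
    """Return (name, kind, lifetime_days); kind is session, persistent or expired."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    expires = max_age = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        try:
            if key == "max-age":
                max_age = int(val)
            elif key == "expires":
                expires = parsedate_to_datetime(val.strip())
                if expires.tzinfo is None:
                    expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue  # unparseable attribute is ignored, as a browser would
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        lifetime = timedelta(seconds=max_age)
    elif expires is not None:
        lifetime = expires - now
    else:
        return name, "session", None  # no lifetime attribute: ends with the session
    kind = "persistent" if lifetime > timedelta(0) else "expired"
    return name, kind, lifetime.days

def audit(headers, now):
    """List (name, lifetime_days) for every persistent cookie in the headers."""
    results = (classify_cookie(h, now) for h in headers)
    return [(name, days) for name, kind, days in results if kind == "persistent"]

# Constructed sample data: the reference time and Set-Cookie values are made up.
NOW = datetime(2006, 1, 5, tzinfo=timezone.utc)
SAMPLE = [
    "CFID=1234; expires=Thu, 27 Dec 2035 00:00:00 GMT; path=/",
    "CFTOKEN=abcd; Max-Age=946080000; path=/",
    "lang=en; Max-Age=3600; Expires=Sun, 10 Jan 2038 00:00:00 GMT",
    "sid=xyz; Path=/; HttpOnly",
    "old=1; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]

if __name__ == "__main__":
    for name, days in audit(SAMPLE, NOW):
        print(f"{name}: persistent, expires in about {days} days")
```

A cookie with a past `Expires` date is a deletion instruction rather than a tracker, which is why it is reported separately from persistent cookies.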
Not all monitoring of Web visitors is prohibited. The 2003 directive provides an exception for federal agencies that have a "compelling



above story. Three of those appear to belong to advertising
tracking networks. The NY Times leaves over two dozen tracking
cookies on my computer. The Washington Post? About a dozen.
CNN? You guessed it ... another pile of cookies.
The only reason I can think the media is so scared of some
government web sites using cookies is because the media knows
well of bad things the media may be doing with cookies and
assumes the worst for the government.
All for now - I need to delete my cookies.
In many cases, as we found, they're not. You can argue about whether the regulation is wise or silly, but it seems reasonable to say that the government should follow the rules. After all, it expects that we do.
So if you're going to blow the whistle on the government... then the whole wall of secrecy about everybody who does it needs to be blown.
It's not like you can't block cookies or request confirmation of cookies prior to allowing them OR like you cannot delete cookies.
This whole article stinks of one-sidedness.
Walt
Have you looked at what cookies you've been collecting from where and for how long they're valid? Cookies aren't evil! Regardless of what else you want to believe.
And if you don't want to be tracked on the internet... then you shouldn't connect. Because every time you connect... you give out your IP address which you want to claim is private information... but it's not... it's your ISP's globally available IP address which you personally give to everybody on the internet whom you visit!
Walt
In the meantime, I did set up Firefox & Mozilla to accept all cookies, but for the current session only, so I don't need to worry about them.
Many of them are freeware while some of them are shareware.
You can also easily go in and manually delete your own cookies as you like without the need for any other software.
Cookies aren't a problem. Why CNET thinks they are is beyond me!!!
Walt
It makes me wonder if we aren't emulating the worst of the Communist ideology....
I venture to say that if you knew anything at all about communism, you would stop spreading this ridiculous scare tactic. Name one significant company that doesn't track its users. Just one. You know that CNet is tracking you right now, don't you?? Those crazy commies!!
As for whether they're valid for 1 minute, 1 hour, 1 day, 1 year, 1 millennium matters not!
If you don't want to be tracked... don't connect to the internet... because if you do... you're going to be tracked by 99.9999998% of the sites you visit!
So where is the problem?
download a Secure Certificate to gain public information.
https://cch.state.mn.us/Common/BCAHome.aspx
Of course the policy clearly states that the usage of the certificate
is for your own good. FYI, I'm looking for Criminals not trying to
be one let alone create one.
Thousands and thousands of websites allow authority to
databases without the need for Certificates while still
maintaining a secure presence.
Thousands of websites can't be wrong so why is the BCA using
this type of technology. Well think of it. Certificates allow more
control over a user's computers than cookies would ever allow.
HMMMM. Just something to think about!
~Justin
http://www.techviewstoday.us/?p=70
~Justin
100 percent right in every fashion. It is the responsibility of the
people maintaining the government's networks to understand
their software and use it in its intended fashion.
This was just the Government's way of blowing Virtual Smoke up
everybody's *****. Kind of like what Microsoft does every day.
One more point to add to this, since Microsoft finds it necessary
to wait till January 10 to deploy its fix to a major problem it has
not only left consumers at risk, they have left our Government
at risk too.
Thanks Billy, from all of US.
There is NO data gathering at our agency, despite this absurd cookie being "baked." So, technically, our agency -- almost assuredly like most of the others -- isn't doing anything wrong. There is no gathering of data or tracking of visitors. None. To do so, we would have to actively write scripts to do just that, which we do not. We (yes, contractors) would get fired in a second if we dared to do that without direct authorization from the agency CIO. Believe me, it ain't worth it. What would we do with the data? It's absurd.
Point is, these little cookies can be turned off. But also, most browsers can be adjusted to block them...and it won't have any effect on your visit to these sites, since the cookies do nothing at all.
These reporters have skewed their article to suggest that agencies like ours are flouting the law by collecting and/or using visitor info. This is entirely false. In fact, like other agencies, we investigated and directly informed the reporters of this. Seems they can't understand the reality of what cookies are and how they are used or not used when the more exciting prospect of stirring undue fear and paranoia are possible.
Shame on these reporters. The refusal to listen and learn about the truth from IT professionals only demonstrates their real intent: hype and readers, not facts to serve the public.
Too bad.
Oh, and thanks, CNET, for requiring me to fill out a registration form and accept cookies that do keep track of me in order to post this simple comment. Interesting. Very interesting.
Sorry you didn't like our article. You apparently don't like the White House OMB regulation that restricts .gov agencies from using permanent cookies.
If you don't like the regulation or think it's silly or ridiculous or a pain to comply with, well, why don't you take it up with the White House instead of choosing not to comply with it?
It's not like the rest of us get a choice of whether or not to follow laws that we think are silly or ridiculous or a pain to comply with.
For example, the CFID/CFTOKEN cookies, if stored indefinitely, allow you to cross-reference the website user, based on their cookie with their other visits to the site. Because CFID/CFTOKEN matching information is stored on the ColdFusion server, such matching (call it "spying" if you want) is possible. True, you will have to write scripts or mine the data in another way, but the point is that 25 years after visiting a site, my site visit can be tracked and matched to the old one.
I have posted a detailed response at http://www.forta.com/blog/index.cfm/2006/1/5/CNet-Newscom-Writers-Demonstrate-Desire-For-Sensationalism-And-Poor-Technical-Understanding.
This article's full of inexpert quotes and the writers putting an evil twist on it, such as the quote from William Alberque. Alberque says ColdFusion was set up with the default settings, which the writers imply to mean that ColdFusion by default is creating cookies to track user activity. Let's just ignore the fact that the Defense Threat Reduction Agency is installing software without paying attention to how it's set up to operate. ColdFusion will only create cookies if the web site developer programs it that way. And if the developer explicitly stores some information in a cookie "with the default settings", it will expire at the end of the browser session. The blame here is put on the technologies being employed, but those technologies are just acting as they were set up and programmed.
Declan even went so far as to invoke ColdFusion team members in an attempt to give his position a bit of credibility, but even that failed... leaving him high and dry as the truth came out. In the end, it was discovered that his very own articles left cookies (some of which actually DID store data) on the computer that were found to have the following expiration dates:
Nov 10, 2006
session
Feb 8, 2006
session
Jan 8, 2006
session
Dec 10, 2037
session
session
session
April 10, 2006
Dec 31, 2009
Dec 31, 2009
Dec 10, 2037
Look! 31 years in the future... but when the servers in question will cease to recognize them as valid is an entirely different question.
http://www.whitehouse.gov/omb/memoranda/text/m03-22.html
states that:
"Tracking and customization activities. Agencies are directed to adhere to the following modifications to OMB Memorandum 00-13 and the OMB follow-up guidance letter dated September 5, 2000:
Tracking technology prohibitions:
agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors' activity on the Internet except as provided in subsection (b) below;
agency heads may approve, or may authorize the heads of sub-agencies or senior official(s) reporting directly to the agency head to approve, the use of persistent tracking technology for a compelling need. When used, agency's must post clear notice in the agency's privacy policy of:
the nature of the information collected;
the purpose and use for the information;
whether and to whom the information will be disclosed; and
the privacy safeguards applied to the information collected.
agencies must report the use of persistent tracking technologies as authorized for use by subsection b. above (see section VII)20."
Now naturally our fine govt agencies will most probably overreact, fire a bunch of developers, and spend lots of money removing all traces of cookies from their sites.
It seems to me they can simply tweak their privacy statement to be in compliance.
At http://www.defenselink.mil/warning/warn-dl.html
Article 9 states that:
Cookie Disclaimer - DefenseLINK does not use persistent cookies (persistent tokens that pass information back and forth from the client machine to the server). DefenseLINK may use session cookies (tokens that remain active only until you close your browser) in order to make the site easier to use. The Department of Defense DOES NOT keep a database of information obtained from these cookies.
Just change article 9 to read that you DO use persistent cookies, but not for any purpose of tracking and you're all done.
I guess I can see how this may be worth pointing out to them, but I don't think we should be slamming politicians for this. There are plenty of other legit things we can slam them for.
THEY HAVE THE KOOKIEZ TOO!!!!
AHHHH AHHHH AHHHH!!!!!!!!!!! I'M ON FIRE!!!!! THE KOOKIEZ!!!!!!!!!!!!!!
!!!!!!!!!!!!!!
What a Farce
by wbenton
January 7, 2006 8:21 AM PST
What a farce... what a farce... what a farce...
Browsers can be set up to either allow or disallow automatic cookies and they can also be set to prompt you prior to setting cookies.
Likewise... privacy and the internet are oxymorons... anybody who claims otherwise is quacked up!!!
Everybody and his brother uses tracking cookies... thus is there any surprise why official government sites WOULD NOT?!?!
If you're going to go after the good guys... just make sure you don't leave out all the bad guys too. (* ROFLOL *)
CNET just went down a notch in my rating system on this one!
Way overboard on matters which shouldn't really matter as there is no real method to prevent such from occurring!!!
Is CNET that hard up for news?
A Disgruntled Reader,
Walt