A government watchdog organization has learned that three federal agencies'
Web sites were using cookies to retrieve information about citizens using
the sites.
According to the report by OMB Watch, a nonprofit research and advocacy
group, the Web sites for the Federal Emergency Management Agency (FEMA),
National Science Foundation (NSF), and Department of Veterans Affairs were
using the data-retrieving devices to find information about users visiting
the sites.
The report, "A Delicate Balance: The Privacy and Access Practices of
Federal Government World Wide Web Sites," found that 31 of the 70
government agencies studied gather some type of information about the
visitors to their sites. Some ask users to sign guest books,
feedback forms, or surveys; others use cookies.
Cookies are data files that can track user information such as passwords,
pages that have been visited, and the date a page was last visited.
However, in at least two of the departments, the cookies that were being
used were set by software products for benign tasks such as checking what
browser was being used, and for Web traffic projections.
Many privacy experts are wary of cookies because they track users'
movements throughout the Internet. However, they are necessary to set user
preferences on many Web sites.
"We're not saying that they shouldn't do it," said Ari Schwartz, author of
the report, referring to the practice of using cookies. "But I think they
should give the reason why they're doing it."
According to Schwartz, all three of the sites have dismantled the cookies
since the report was published.
The NSF apparently has a policy against using cookies, but was employing a
statistical log program called Web Trends that was setting the cookies by
default. The cookies were programmed to remain on users' hard drives
until the year 2010, but were dismantled as soon as the NSF received a copy
of the report, Schwartz said.
"We lent our expertise to the agency by providing directions to turn the
default off," Schwartz writes in the report.
The Department of Veterans Affairs also blamed the cookies on
a software program. "We were using an off-the-shelf product that had
cookies in it," said Daniel Maloney, director of technology innovations for
the VA. "We were sending out cookies to determine Web traffic."
Maloney said that the cookies were only in effect for two weeks this
summer, and that the VA is reviewing other methods for performing the same
tasks.
No one from FEMA was available for comment.
This isn't the first time the federal government has come under fire for
lax security on one of its agencies' sites. In April, the Social Security
Administration abandoned its plan to list citizens' employment histories
online amid public outcry over security concerns.
Schwartz believes that despite incidents like these, the federal government
is doing a good job of respecting individuals' privacy when it comes to the
Internet. "The government is held to a higher standard, and it's always
going to be that way," he said.