A government watchdog organization has learned that three federal agencies' Web sites were using cookies to retrieve information about citizens using the sites.
According to the report by OMB Watch, a nonprofit research and advocacy group, the Web sites for the Federal Emergency Management Agency (FEMA), National Science Foundation (NSF), and Department of Veterans Affairs were using the data-retrieving devices to find information about users visiting the sites.
Cookies are data files that can track user information such as passwords, pages that have been visited, and the date a page was last visited. However, in at least two of the departments, the cookies that were being used were set by software products for benign tasks such as checking what browser was being used, and for Web traffic projections.
Many privacy experts are wary of cookies because they track users' movements throughout the Internet. However, they are necessary to set user preferences on many Web sites.
"We're not saying that they shouldn't do it," said Ari Schwartz, author of the report, referring to the practice of using cookies. "But I think they should give the reason why they're doing it."
According to Schwartz, all three of the sites have dismantled the cookies since the report was published.
The NSF apparently has a policy against using cookies, but was employing a statistical log program called Web Trends that was setting the cookies by default. The cookies were programmed to remain on users' hard drives until the year 2010, but were dismantled as soon as the NSF received a copy of the report, Schwartz said.
"We lent our expertise to the agency by providing directions to turn the default off," Schwartz writes in the report.
The Department of Veterans Affairs also blamed the cookies on a software program. "We were using an off-the-shelf product that had cookies in it," said Daniel Maloney, director of technology innovations for the VA. "We were sending out cookies to determine Web traffic."
Maloney said that the cookies were only in effect for two weeks this summer, and that the VA is reviewing other methods for performing the same tasks.
No one from FEMA was available for comment.
This isn't the first time the federal government has come under fire for lax security on one of its agencies' sites. In April, the Social Security Administration abandoned its plan to list citizens' employment histories online amid public outcry over security concerns.
Schwartz believes that despite incidents like these, the federal government is doing a good job of respecting individuals' privacy when it comes to the Internet. "The government is held to a higher standard, and it's always going to be that way," he said.