First the NSA, then the Pentagon, and now Congress fesses up to undisclosed Web tracking.
Dozens of U.S. senators are quietly tracking visits to their Web sites even though they have publicly pledged not to do so.
Sixty-six politicians in the U.S. Senate and House of Representatives are setting permanent Web cookies even though at least 23 of them have promised not to use the online tracking technique, a CNET News.com investigation shows.
Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that "I do not use 'cookies' or other means on my Web site to track your visit in any way."
Although there is no rule prohibiting members of Congress from using cookies, such practices have come under fire from privacy advocates, including from politicians who continue to employ cookie ID devices on their Web sites.
But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035.
"ColdFusion was used to design the site by a third-party vendor, and we were not aware of any cookies," McCain's office said in a statement sent to CNET News.com, referring to Adobe Systems' popular Web design software. "The information collected is not used by our office for any purpose, and we are currently in the process of deleting them."
"It shows their lack of understanding of technology," said Sonia Arrison, director of technology studies at the Pacific Research Institute, a nonprofit group in San Francisco. "It's willful ignorance. They're complete hypocrites. How can they accuse companies of poor data management when they're not doing it on their own Web sites?"
No rule prohibits the use of Web monitoring techniques by Congress. But such a restriction does apply to executive branch agencies. The Pentagon and others scrambled this week to eliminate so-called Web bugs and cookies after inquiries from CNET News.com.
The practice of tracking Web visitors came under fire last week when the National Security Agency used cookies to monitor visitors. It halted the practice after inquiries from the Associated Press. The White House also came under fire last week for employing a tracking mechanism, created by WebTrends, that used a tiny GIF image.
Cookies are unique ID numbers that a remote Web site hands a browser, which automatically regurgitates them upon subsequent visits. They can be used for something as innocuous as permitting someone to customize a Web site's default language for return visits. In the worst case, they can be used to invade privacy by correlating one person's visits to potentially thousands of different Web sites.
"The irony is rich"
It's ironic for senators to complain about private companies setting cookies and then go ahead and do it themselves, said Jim Harper, director of information studies at the Cato Institute, a free-market think tank.
"They should definitely abide by their privacy policies," Harper said. "The irony is rich."
Similarly, the Senate's Governmental Affairs Committee prepared a report in 2001 saying that 64 federal agency Web sites used permanent cookies. Today, so does the Governmental Affairs Committee.
In many cases, politicians seemed to be unaware of their use of Web tracking technology until being contacted this week.
A representative for the Senate's top Democrat, Harry Reid of Nevada, said the office's Webmaster had no idea that reid.senate.gov set two cookies scheduled to expire in 2035. After CNET News.com asked about it, the Webmaster started to dig through the code.
"Obviously our office has no idea what we're using these cookies for, because we don't even know they existed," said Ari Rabin-Havt, Reid's director of Internet communications.
Neither the House nor the Senate regulates whether its members may employ Web bugs or cookies, and neither requires privacy policies. Instead, the internal rules tend to cover topics such as restrictions on content and campaigning, design suggestions and guidelines for file names.
In general, it's up to individual Webmasters for senators' sites to set appropriate policies, said Senate Webmaster Cheri Allen.
"If there's a question as to whether something is appropriate, they would take that to the Rules Committee, which would then rule on each individual issue," Allen said.
The House also has no formal privacy requirements or cookie limitations for the sites it hosts.
The committee does, however, suggest that House sites post some version of a model privacy statement resembling the Senate version, which mentions statistical information that House servers collect about visitors for "site management purposes."
Inadvertent cookie invocation
The most common breed of cookie returned by the legislative sites is generated by ColdFusion, a popular Adobe Systems Web-authoring program. Many Senate Webmasters rely on the program for their Web scripting, and the central Senate.gov servers run ColdFusion, said Allen, the Senate Webmaster.
Some congressional staffers defended Web tracking as benign or essential to their sites' operations. (Besides Nussle's example, no third-party tracking cookies or Web bugs appeared on congressional Web sites.)
A two-year cookie lives at the home page of Sen. Ted Stevens, the Alaska Republican who presides over the Commerce Committee. The device appears to remember a visitor's screen font-size preferences, ranging from 10 point to 14 point, for subsequent visits. Spokeswoman Courtney Boone said any information collected is not used to monitor hits or visitors to the site.
"It probably was written in by a programmer unintentionally," she said. "We don't use anything from the Web site to collect information on people that use our Web site."
Federal agencies also tended to express surprise that they were using permanent cookies. A 2003 rule generally prohibits federal agencies from doing so.
"They are very old applications that have been around a long time," Janet Barnes, chief information officer for the Office of Personnel Management, said Thursday. Removing the cookies is "what we're going to do directly now that we know that they're there."
Barnes said, however, that "we don't believe we are in any way violating the intent of the policy"--and that because the information collected was never subjected to data-mining, "this is more of a technical correction" to come into compliance.
When it comes to Congress, however, the Cato Institute's Harper said there is a lesson to learn.
"Members of Congress committed themselves to information policies that are unworkable given (anti-cookie) phobias in the past," Harper said. "The phobic response to cookies mirrors the phobic response to spam and the spyware problem. We simply can't rely on Congress to deal with difficult technology problems."