Congress' hands caught in the cookie jar

First the NSA, then the Pentagon, and now Congress fesses up to undisclosed Web tracking.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

Dozens of U.S. senators are quietly tracking visits to their Web sites even though they have publicly pledged not to do so.

Sixty-six politicians in the U.S. Senate and House of Representatives are setting permanent Web cookies even though at least 23 of them have promised not to use the online tracking technique, a CNET News.com investigation shows.

Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that "I do not use 'cookies' or other means on my Web site to track your visit in any way."


What's new:
Although they have promised to abstain from using cookies to track visits to their Web sites, at least 23 U.S. senators do so. Overall, 66 members of Congress use the tracking devices.

Bottom line:
Although there is no rule prohibiting members of Congress from using cookies, such practices have come under fire from privacy advocates, including from politicians who continue to employ cookie ID devices on their Web sites.

But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035.

"ColdFusion was used to design the site by a third-party vendor, and we were not aware of any cookies," McCain's office said in a statement sent to CNET News.com, referring to Adobe Systems' popular Web design software. "The information collected is not used by our office for any purpose, and we are currently in the process of deleting them."

All House members who use cookies either acknowledge it or have privacy policies that are silent on the topic. Of the 23 senators who pledged not to employ cookies but do anyway, 18 are Republicans and five are Democrats.

"It shows their lack of understanding of technology," said Sonia Arrison, director of technology studies at the Pacific Research Institute, a nonprofit group in San Francisco. "It's willful ignorance. They're complete hypocrites. How can they accuse companies of poor data management when they're not doing it on their own Web sites?"

No rule prohibits the use of Web monitoring techniques by Congress. But such a restriction does apply to executive branch agencies. The Pentagon and others scrambled this week to eliminate so-called Web bugs and cookies after inquiries from CNET News.com.

The practice of tracking Web visitors came under fire last week when the National Security Agency was found to be using cookies to monitor visitors. It halted the practice after inquiries from the Associated Press. The White House also was criticized last week for employing a tracking mechanism, created by WebTrends, that used a tiny GIF image.

Cookies are unique ID numbers that a remote Web site hands a browser, which automatically regurgitates them upon subsequent visits. They can be used for something as innocuous as permitting someone to customize a Web site's default language for return visits. In the worst case, they can be used to invade privacy by correlating one person's visits to potentially thousands of different Web sites.

(Like most online media organizations, CNET Networks, the publisher of News.com, uses cookies. That use is detailed in a privacy policy.)

"The irony is rich"
It's ironic for senators to complain about private companies setting cookies and then go ahead and do it themselves, said Jim Harper, director of information studies at the Cato Institute, a free-market think tank.

"They should definitely abide by their privacy policies," Harper said. "The irony is rich."

McCain, for instance, spent years warning that cookies were a problem when used by corporations. "Through the use of cookies and other technologies, network advertisers have the ability to collect and store a great deal of information about individual consumers," McCain said in 2000. "This information is collected without the consumer's knowledge or consent."

Similarly, the Senate's Governmental Affairs Committee prepared a report in 2001 saying that 64 federal agency Web sites used permanent cookies. Today, so does the Governmental Affairs Committee.

One bill was even introduced in February 2000 to target corporations' use of cookies. It died in a Senate committee.

In many cases, politicians seemed to be unaware of their use of Web tracking technology until being contacted this week.

A representative for the Senate's top Democrat, Harry Reid of Nevada, said the office's Webmaster had no idea that reid.senate.gov set two cookies scheduled to expire in 2035. After CNET News.com asked about it, the Webmaster started to dig through the code.

"Obviously our office has no idea what we're using these cookies for, because we don't even know they existed," said Ari Rabin-Havt, Reid's director of Internet communications.

One version of Reid's privacy policy is silent about cookie use, but a Spanish-language version pledged not to employ them.

Neither the House nor the Senate regulates whether its members may employ Web bugs or cookies, and neither requires privacy policies. Instead, the internal rules tend to cover topics such as restrictions on content and campaigning, design suggestions and guidelines for file names.

In general, it's up to individual Webmasters for senators' sites to set appropriate policies, said Senate Webmaster Cheri Allen.

"If there's a question as to whether something is appropriate, they would take that to the Rules Committee, which would then rule on each individual issue," Allen said.

The House also has no formal privacy requirements or cookie limitations for the sites it hosts.

"The statutes that require sites to have privacy policies or that put restrictions on the use of cookies--the E-Government Act of 2002 and the Children's Online Privacy Protection Act--do not apply to House offices," said Brian Walsh, spokesman for the House Administration Committee, which sets the Web rules.

The committee does, however, suggest that House sites post some version of a model privacy statement resembling the Senate version, which mentions statistical information that House servers collect about visitors for "site management purposes."

Inadvertent cookie invocation
The most common breed of cookie returned by the legislative sites is generated by ColdFusion, a popular Adobe Systems Web-authoring program. Many Senate Webmasters rely on the program for their Web scripting, and the central Senate.gov servers run ColdFusion, said Allen, the Senate Webmaster.

Some versions of ColdFusion appear to set certain cookies to a default "persistent" setting that causes them to expire 30 years later. But Web developers can alter the expiration date or entirely stop the use of cookies.
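
As an added illustration (not part of the original article and not code from any congressional site), the following Python example shows how a Webmaster could audit a site's Set-Cookie headers for the session, short-lived and decades-long cookies described in this story. The header values, the audit date and the one-year limit are constructed assumptions; CFID and CFTOKEN are the client-identifier cookies that ColdFusion issues.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie values for illustration; not captured from any real site.
# CFID and CFTOKEN are the client-identifier cookies that ColdFusion issues.
SAMPLE_HEADERS = [
    "CFID=1234567; expires=Mon, 01 Jan 2035 00:00:00 GMT; path=/",
    "CFTOKEN=89012345; expires=Mon, 01 Jan 2035 00:00:00 GMT; path=/",
    "fontsize=12; Max-Age=63072000; Path=/",   # 730 days, a two-year preference cookie
    "lang=es; Max-Age=2592000; Path=/",        # 30 days
    "SESSIONID=abc123; Path=/; HttpOnly",      # no lifetime attribute: session cookie
]
AUDIT_DATE = datetime(2006, 1, 6, tzinfo=timezone.utc)  # assumed audit date
MAX_DAYS = 365                                          # assumed policy limit

def cookie_lifetime(header, now):
    """Return (name, lifetime in days); None means a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expiry = parsedate_to_datetime(attrs["expires"])
        return name, (expiry - now).total_seconds() / 86400
    return name, None

def audit(headers, now=AUDIT_DATE, max_days=MAX_DAYS):
    """Classify each cookie as session, persistent, or persistent beyond the limit."""
    findings = []
    for header in headers:
        name, days = cookie_lifetime(header, now)
        if days is None:
            verdict, years = "session", None
        else:
            verdict = "over-limit" if days > max_days else "persistent"
            years = round(days / 365.25, 1)
        findings.append((name, verdict, years))
    return findings

if __name__ == "__main__":
    for name, verdict, years in audit(SAMPLE_HEADERS):
        print(f"{name:10} {verdict:11} {years}")
```

Run against the headers a site actually returns, a check like this surfaces cookies that a framework default set without the site owner's knowledge, so they can be compared with what the posted privacy policy promises.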

Another variant appeared on the site of Rep. Jim Nussle, R-Iowa, who published a chunk of JavaScript on his site that lets people click to translate the page in Altavista.com. But in doing so, it automatically sets a cookie for Altavista.com.

Some congressional staffers defended Web tracking as benign or essential to their sites' operations. (Besides Nussle's example, no third-party tracking cookies or Web bugs appeared on congressional Web sites.)

A two-year cookie lives at the home page of Sen. Ted Stevens, the Alaska Republican who presides over the Commerce Committee. The device appears to remember a visitor's screen font-size preferences, ranging from 10 point to 14 point, for subsequent visits. Spokeswoman Courtney Boone said any information collected is not used to monitor hits or visitors to the site.

"It probably was written in by a programmer unintentionally," she said. "We don't use anything from the Web site to collect information on people that use our Web site."

Federal agencies also tended to express surprise that they were using permanent cookies. A 2003 rule generally prohibits federal agencies from doing so.

"They are very old applications that have been around a long time," Janet Barnes, chief information officer for the Office of Personnel Management, said Thursday. Removing the cookies is "what we're going to do directly now that we know that they're there."

Barnes said, however, that "we don't believe we are in any way violating the intent of the policy"--and that because the information collected was never subjected to data-mining, "this is more of a technical correction" to come into compliance.

A representative of the International Broadcasting Bureau, known for its Voice of America service, also said its use of cookies was inadvertent and "the issue has been fixed."

When it comes to Congress, however, the Cato Institute's Harper said there is a lesson to learn.

"Members of Congress committed themselves to information policies that are unworkable given (anti-cookie) phobias in the past," Harper said. "The phobic response to cookies mirrors the phobic response to spam and the spyware problem. We simply can't rely on Congress to deal with difficult technology problems."