Dozens of federal agencies are using visitor-tracking cookies that violate long-standing rules designed to protect privacy. a CNET News.com investigation shows.
From the Air Force to the Treasury Department, government agencies are using either "Web bugs" or permanent cookies to monitor their visitors' behavior, even though federal law restricts the practice.
Some departments changed their practices this week after being contacted by CNET News.com. The Pentagon said it wasn't aware that its popular Defenselink.mil portal tracked visitors--in violation of a privacy notice--and said it would fix the problem. So did the Defense Threat Reduction Agency and the U.S. Chemical Safety and Hazard Investigation Board.
"We were not aware of the cookies set to expire in 2016," a Pentagon representative said Wednesday. "All of the cookies we had set with WebTrends were to be strictly (temporary) cookies, and we are taking immediate action." WebTrends is a commercial Web-monitoring service.
The practice of tracking Web visitors came under fire last week when the National Security Agency was found to use permanent cookies to monitor visitors, a practice it halted after inquiries from the Associated Press. The White House also was criticized last week for employing WebTrends' tracking mechanism that used a tiny GIF image.
A 2003 government directive says that, in general, "agencies are prohibited from using" Web bugs or cookies to track Web visitors. Both techniques are ways to identify repeat visitors and, depending on the configuration, can be used to track browsing behavior across nongovernment Web sites too.
"It's evidence that privacy is not being taken seriously," said Peter Swire, a law professor at Ohio State University, referring to the dozens of agencies tracking visitors. "The guidance is very clear." While working in the Clinton administration in 2000, Swire helped to craft an earlier Web tracking policy.
To detect which agencies engage in electronic tracking, CNET News.com wrote a computer program that connected to every agency listed in the official U.S. Government Manual, and then evaluated what monitoring techniques were used. The expiration dates of the cookies detected ranged from 2006 to 2038, with most of them marked as valid for at least a decade or two.
Many agencies appeared to have no inkling that their Web sites were configured to record the activities of users. "When the agency set up ColdFusion on our Web server, we set the software to its default value," said William Alberque, a spokesman for the Defense Threat Reduction Agency. "The default value, as you saw, creates individual session cookies that can last on your computer for either 30 years or until you delete them." (ColdFusion is Adobe Systems' Web development software.)
While the practice of setting permanent cookies is generally prohibited, it's usually not clear how they're being used. In the worst case, they could be used to invade privacy by correlating one person's visits to thousands of Web sites. They also can be as innocuous as permitting someone to set a Web site's default language.
Not all monitoring of Web visitors is prohibited. The 2003 directive provides an exception for federal agencies that have a "compelling