Agencies warned on cookies

Bush administration officials are promising "to light a fire" under agency Web managers who violate privacy regulations that forbid the use of cookies that track the activities of Web site visitors.

The cookie ban imposed last June by the Clinton administration "is still in effect, and we expect [agencies] to be in compliance with it," said Chris Ullman, a spokesman for the Office of Management and Budget. "We will work with them on that."

Reports submitted to Congress by inspectors general from 16 agencies showed that as of March 30, seven agencies operated 64 federal Web sites that continued to use persistent cookies. Sen. Fred Thompson (R-Tenn.) released the findings April 17.

The 16 agencies, including the Federal Aviation Administration and the Treasury Department, represent about a third of the agencies required to send Web audit reports to Congress. With dozens of agencies yet to file reports, the number of sites violating the ban likely will be higher, said Chris Hoofnagle of the Electronic Privacy Information Center.

OMB banned persistent cookies from federal Web sites in all but the most unusual circumstances. Persistent cookies were deemed a violation of Web users' privacy when it was discovered that the Office of Drug Control Policy was using them to track visitors to its Web site.

Persistent cookies are pieces of computer code placed on an Internet user's computer by a Web site. They track the user's movement from page to page through the Web site, and some track movement from site to site.

In the private sector, companies use cookies to tie online activity to data such as names, addresses and buying habits.

Many privacy advocates worry that cookies give the government too much monitoring ability. For example, they fear that monitoring a taxpayer's visits to Internal Revenue Service pages about tax deductions might lead to audits.

But John Spotila said he was "never aware of anything sinister" about cookies being used on government Web sites. Until last year, Spotila was head of the Office of Information and Regulatory Affairs.

He said cookies can help improve Web pages by providing information about what site visitors like and don't like. In addition, government Web sites that were designed by commercial contractors may include cookies simply because they are common on commercial sites, Spotila said. In other cases, agency Web managers may be unaware that cookies have essentially been banned on government sites.

The ban on cookies does not apply to "session cookies," which disappear from the user's computer when an Internet session ends.

Cookies aren't the only violations the inspectors general reported. Many sites fail to post privacy policies as required.

Half the Education Department's Web sites that collect personal information lack posted privacy policies, and nine pages were linked to servers that collect e-mail addresses without the user's knowledge.

The Trasportation Department said April 20 that it had removed all cookies from its 23 Web sites after its IG reported finding them in mid-February. The agency created a checklist for Web managers to follow to prevent cookies from being used on DOT Web sites in the future, a spokesman said.

"For the most part, they were inadvertent," he said. The cookies were added to Web sites during upgrades — often automatically by software — and unbeknownst to agency Web managers.

Thompson, who is chairman of the Senate Governmental Affairs Committee, said the discovery of such widespread cookie use was disturbing because agencies "should be setting the standard for privacy protection in the Information Age." Thompson said he planned to introduce legislation that would create a commission to examine government privacy practices.