Cookies persist on federal sites

Nearly a year after the White House ordered federal agencies to stop secretly collecting information on people who visit their Internet sites, the practice remains widespread.

From the Federal Aviation Administration to the Treasury and Education Departments, agencies continue to employ "persistent cookies" to monitor Web page visitors. Inspectors general reported that as of mid-February, 64 Web sites operated by seven federal agencies were still using persistent cookies.

But dozens of other agencies have yet to file Web site audit reports, so the number of sites violating a general ban on the use of cookies is undoubtedly higher, said Chris Hoofnagle of the Electronic Privacy Information Center.

Persistent cookies are pieces of computer code planted on a user's computer by a Web site. They track the user's movement from page to page through the Web site, and some can track movement from site to site.

Use of persistent cookies on federal Web sites has been banned in most instances by rules imposed last June by the Office of Management and Budget.

Many privacy advocates worry that cookie use gives the government too much ability to monitor individuals. They fear that monitoring a taxpayer's visits to IRS pages on tax deductions, for example, might lead to audits.

However, John Spotila, head of the Office of Information and Regulatory Affairs during the Clinton administration, said he was never aware of any instances of cookies being used for that sort of surveillance. "I was never aware of anything sinister," he said. Cookies can help improve Web pages by providing information about what pages visitors like and don't like on Web sites, Spotila said. Government Web sites that were designed by contractors may include cookies simply because they are common on commercial sites, he said. In other cases, agency Web managers may be unaware that cookies essentially have been banned, he said.

Cookies aren't the only violations the inspectors general reported. Numerous sites fail to post privacy policies as required.

The inspectors general findings were made public this week by Sen. Fred Thompson (R-Tenn.), chairman of the Senate Governmental Affairs Committee. Among the violations:

Half the Education Department's Web sites that collect personal information lack posted privacy policies, and nine pages were linked to servers that collect e-mail addresses without the user's knowledge. Eleven of the Treasury Department's 30 main Web sites had no privacy statements. Nineteen of the Treasury's sites weren't listed on the agency's Web site inventory. The General Services Administration had 15 Web sites that used forbidden cookies. One of them operated under an arrangement in which a contractor owned all of the data collected. The Transportation Department had 23 Web sites using cookies. Twenty were FAA sites, and three were collecting personal data for private contractors. Thompson said he planned to introduce legislation that would create a commission to examine government privacy practices.