'Cookies' policy violated on CIO Council site

CIO Council Web site

The redesigned Web site for the federal CIO Council was pulled off-line June 8 after Federal Computer Week notified officials that the site was using persistent cookies, a violation of government privacy rules.

The use of cookies violates the CIO Council's posted privacy policy, which flatly states, "We do not use "persistent cookies.' " It also violates the Office of Management and Budget's publicized no-cookie rule issued late last year.

Cookies are packets of information that Web sites can put on a user's computer and are often used to personalize a Web site. But cookies have raised privacy concerns because they potentially enable Web sites to track how a person moves through a Web site or even other Web sites visited.

Officials at the General Services Administration, which operates the council's Web site, said they were surprised to find the site used cookies and they were working June 8 to determine how such a privacy violation occurred.

The council changed nothing in the privacy policy from the old site, including the decision to not use persistent cookies, officials said. In fact, the contractor, Midwest Total Internet Inc., was told several times "that the site can't set persistent cookies," said Susan Hinden, a member of the GSA support staff.

GSA tested the site off-line for some time before going live, "and there were no cookies," said Michelle Heffner, leader of the GSA team. "If there's a persistent cookie, the site's coming down," she said. "We want this site to be an example of the standard across government."

The site was not even scheduled to go live until June 9 or 10 so GSA could conduct last-minute reviews.

"Had I known it was going up, I would have tested it," Heffner said.