Got cookies?

It's easy to find out, yet inadvertent violations persist

"Privacy Policies and Data Collection on Federal Web Sites"

A simple step that anyone using a Web browser can perform would help federal agencies determine whether their Web sites are making inappropriate use of "persistent cookies."

According to the Office of Management and Budget, agencies may not use such cookies — small data files stored on a user's computer to track subsequent visits to a Web site — unless they have a clear reason to do so, have approval from the agency head and have disclosed the use of cookies in their posted privacy policy.

But many federal Web sites violate the policy. A recent summary of reports from 51 agency inspectors general found nearly 300 persistent cookies in use without approval. Most of the IG reports determined that the agencies' Webmasters were aware of the OMB policy, but did not know that the cookies were in use on their sites.

Today's Web browsers, however, offer an easy way to test for these "inadvertent cookies" — a method most of the IGs used but agency Webmasters apparently did not, said Roger Baker, former chairman of the CIO Council's privacy subcommittee.

The IGs first used utility programs to delete cookies from computer hard drives, then changed the security settings on their Web browsers to warn the user whenever a Web server tried to place a cookie on a computer. The cookie-warning setting is found in the Security/Custom Level area under Tools/Internet Options in Microsoft Corp.'s Internet Explorer 5, and in the Advanced settings under Edit/Preferences in Netscape Communications Corp.'s Navigator 4.7.

Once the setting is enabled in either browser, the user is notified whenever a site wants to store a cookie on the computer. The user can allow or deny the cookie.
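
The same check can be scripted from a server's response headers instead of browser prompts. The following is an added example, not part of the original article: it classifies constructed sample Set-Cookie values as session or persistent, assuming the RFC 6265 rule that a cookie with no Expires or Max-Age attribute lasts only for the browser session. The function names and sample headers are illustrative.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def classify_set_cookie(header_value, now):
    """Return (name, kind, lifetime_seconds) for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    lifetime = None
    if "max-age" in attrs:              # Max-Age takes precedence over Expires
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            pass                        # malformed attribute is ignored
    if lifetime is None and "expires" in attrs:
        try:
            exp = parsedate_to_datetime(attrs["expires"])
            if exp.tzinfo is None:      # treat a zone-less date as UTC
                exp = exp.replace(tzinfo=timezone.utc)
            lifetime = int((exp - now).total_seconds())
        except (TypeError, ValueError):
            pass                        # unparsable date is ignored

    if lifetime is None:
        kind = "session"                # discarded when the browser closes
    elif lifetime <= 0:
        kind = "expired"                # server is deleting the cookie
    else:
        kind = "persistent"             # written to disk, survives restarts
    return name, kind, lifetime

def persistent_cookies(set_cookie_values, now):
    """Names of the cookies in a response that outlive the browser session."""
    results = (classify_set_cookie(v, now) for v in set_cookie_values)
    return [name for name, kind, _ in results if kind == "persistent"]

# Constructed sample headers, not captured from any real site.
SAMPLE = ["sid=abc123; Path=/",
          "visitor=42; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/",
          "prefs=en; Max-Age=31536000",
          "old=; Max-Age=0"]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output

if __name__ == "__main__":
    for value in SAMPLE:
        print(classify_set_cookie(value, NOW))
```

Any name returned by persistent_cookies() is a cookie that falls under the approval and disclosure conditions described above.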

Congress started paying attention to the use of cookies at agencies in June 2000. Since then, Linda Koontz, director of information management issues at the General Accounting Office, has led several audits on the subject. She has found that a lack of awareness is the biggest culprit in the inappropriate use of cookies.

One problem, she said, is that agencies use commercial Web page development software, in which "the default is to use a persistent cookie, and the system administrator just doesn't turn off that feature."

Baker said agency chief information officers should update their internal Internet privacy policies to include a requirement that cookies be disabled during the Web page development process.
