CIO Council serving 'cookies' guide

GAO report: "Internet Privacy: Federal Agency Use of Cookies"

The CIO Council is putting together a guide that will allow agencies to

use "cookies" while following administration policy and privacy advocates'

recommendations on the touchy issue.

The council's action results from a decision in June by the Office of

Management and Budget to issue a revised privacy policy by the Clinton administration.

The policy forbids agencies from using persistent cookies — software a Web

server places on a user's hard drive for a certain amount of time to identify

the user on return visits.

Agencies may only use persistent cookies if they notify visitors, demonstrate

a clear need to use the technology and get the approval of the agency head.

Agencies are allowed to use session cookies, which are erased when the user's

Web browser is closed, without special conditions.

"We think we've taken major measures, and we're working with the CIO

Council to find ways to make sure privacy policies are followed all the

way through [agencies'] sites and not just at the top level," said Peter

Swire, chief counselor for privacy at OMB.

OMB gave agencies until December to remove persistent cookies from their

Web sites and to detail how they are using the technology. But unhappy members

of Congress are holding hearings and a recent General Accounting Office

study found that agencies still use cookies, so OMB has stepped up its attention.

Agencies are trying to use technologies to enhance their Web-based services

to citizens, and it's understandable that citizens are wary, said Roger

Baker, co- chairman of the CIO Council's privacy committee. "A service the

CIO Council could provide is to say, "Here are valid reasons and rationales

for using cookies.' "

By putting all the different agency methods together and allowing everyone

to see and use them, agencies will not have to be afraid of pressure from

Congress or a reprimand from OMB, Baker said.

There are legitimate uses for persistent cookies. The most cited example

is the online shopping cart on the U.S. Mint's site to buy coins, but agencies

using such cookies must indicate their use in privacy policies, according

to Baker. So Congress and agencies should not act too quickly and throw

the baby out with the bathwater, he said.

"I understand why we ought to be really careful in the federal government

with any tracking that we do...but privacy is the issue, not cookies," he

said.

The underlying issue is ensuring that agencies follow both the administration's

policy and their own, agreed Baker and Ari Schwartz, senior policy analyst

for the Center for Democracy and Technology. So, on behalf of the CIO Council,

Baker is collecting information from all agencies on whether they are electing

to retain their persistent cookies, for what reason and how they justified

that use to their administrator and OMB.

"If we all say it the same way and make sure that we've all got ourselves

in a row, then it will be much easier for people to understand," Baker said.