CIO site caught with 'cookies'
The redesigned Web site for the CIO Council had to be pulled off-line today after Federal Computer Week notified officials the site was using persistent cookies, a violation of government privacy rules
The redesigned Web site for the CIO Council had to be pulled off-line today after Federal Computer Week notified officials the site was using persistent cookies, a violation of government privacy rules.
The use of cookies violates the CIO Council's posted privacy policy, which flatly states, "We do not use 'persistent cookies.'" It also violates the Office of Management and Budget's much-publicized no-cookie rule issued late last year. (See snapshot, which shows the CIO Council's Web page stating its cookies policy along with the window that indicates a persistent cookie, set to expire in 2037.)
Cookies are packets of information that Web sites can put on a user's computer, often to personalize a Web site. But cookies have become a privacy concern because they potentially can be used to track how a person moves through a site or even other Web sites.
OMB has allowed agencies to use temporary "session cookies," but has prohibited permanent cookies unless they are completely necessary and are approved by the agency's senior management.
Officials from the General Services Administration, which operates the CIO Council's Web site, were surprised to find the site was using cookies, and they said they were working to determine how such a privacy violation occurred.
Susan Hinden, a member of the GSA support staff, said that the contractor, Midwest Total Internet Inc., was told several times "that the site can't set persistent cookies."
GSA tested the site off-line for some time before going live, "and there were no cookies," said Michelle Heffner, leader of the GSA team.
"If there's a persistent cookie, the site's coming down," she said this afternoon. "We want this site to be an example of the standard across government."
The site was not even scheduled to go live until June 9 or 10 so that GSA could conduct last-minute reviews, she said. "Had I known it was going up, I would have tested it," she said.
The problem with the CIO Council's Web site appeared to be fixed by late this afternoon, after GSA was notified about the problem.
OMB, which leads the CIO Council, had no specific comment today on the council's Web site. However, OMB communications director Christopher Ullman said that privacy is an important issue for President Bush and the administration will continue to focus on this area.
Most observers and privacy advocates were struck by the irony that the federal government's leading technology policy organization was caught with its hand in the Web cookie jar.
Ari Schwartz, an analyst at the Center for Democracy and Technology, said this is often a problem for an organization when it relaunches its Web site. "A lot of off-the-shelf software has the default set to use cookies," he said.
"It is problematic to have systems doing things that the policy people don't know it is doing," he said.
Roger Baker, who recently retired as the Commerce Department CIO and spearheaded privacy for the CIO Council, said the focus on cookies deflects from more substantive privacy issues.
The CIO Council's faux pas comes as the President's Council on Integrity and Efficiency is due to release a report compiling all 50 of the inspector general reports on agencies' use of cookies, said David Steensma, acting assistant inspector general for auditing at the Defense Department, which is leading the report.
NEXT STORY: Navy ramps up smart card distribution