DOD still misuses 'cookies'

DOD IG report: "DOD Internet Practices and Policies"

Many military Web sites still collect personal information from visitors because Defense Department officials remain unaware of privacy policies and the department fails to hold the site managers accountable for not complying, according to an inspector general report.

The audit, conducted between December 2000 and May 2001, found that more than 25 percent of the sites reviewed did not meet DOD or Office of Management and Budget policies regulating the use of "persistent cookies" and other information-gathering technology. Persistent cookies are small pieces of software a Web server stores on a user's hard drive and are used to identify the user on return visits to the site.

DOD and OMB policies prohibit using such technologies unless the site administrator has permission from the agency head, has an overriding need to use the technology and has posted notification within the site's privacy statement.

But the multitude of regulations issued by the Pentagon every year is not read by many people, from Webmasters to senior officials, said David Steensma, acting DOD assistant inspector general for auditing.

Although DOD Web privacy guidance is "adequate," the inspector general audit found that most Webmasters were unaware the cookies were there. And the fact that almost half of Webmasters were unaware of the DOD policy or how to comply shows "a lot of this is [related to] awareness," Steensma said.

Pentagon officials plan to hold organization leaders accountable for making their Web sites comply with DOD policy, wrote J. William Leonard, deputy assistant secretary of Defense for security and information operations. He also is requiring DOD components to report by Aug. 31 on what they are doing to educate Webmasters about meeting governmentwide policies.