Federal cookies track Internet users

The federal government is collecting cookies from your computer, in
violation of its own policy, according to a newly released General
Accounting Office report.

Titled "Internet Privacy: Federal Agency Use of Cookies," the report
shows that the government is collecting "persistent" cookies to track
Internet users.

Cookies are files stored on a computer by Internet browser software
when a website is visited. According to the GAO report, persistent
cookies "can be used to track users' browsing behavior by identifying
their Internet addresses."

The federal agencies that collect cookies include the Federal
Emergency Management Agency, U.S. Customs Service, U.S. Postal Service,
Small Business Administration, U.S. Forest Service and Office of
Personnel Management. Agencies not checked in the random survey include
the Central Intelligence Agency, National Security Agency and Department
of Defense.

The White House responded to the report by noting that the
administration had banned the collection of Internet cookies in June.

"Cookies should not be used unless there is clear and conspicuous
notice, a compelling need to gather the data on the site; appropriate
and publicly disclosed privacy safeguards for handling of information
derived from cookies; and personal approval by the head of the agency,"
wrote Sally Katzen, the deputy director of the Executive Office of the
President in an Oct. 19 letter to the General Accounting Office.

The letter from the White House drew a sharp response from privacy
advocates, one of which said the federal cookies policy failure is a
small example of a much larger problem.

"Cookies are something very public and easy to monitor," noted David
Kopel, research director for the Colorado-based Independence Institute.
"Just what is going on when nobody is watching is a better question.

"Despite the White House mandate, you have to wonder whether there
are other things going on behind the scenes -- projects withheld from
the public view such as the recent FBI 'Carnivore' program, secret ATF
databases on firearms owners and numerous secret wiretaps. Who knows
what is going on?" said Kopel.

"The report is very disturbing and shows how far behind federal
agencies are at understanding the technological and civil-liberties
issues underlying Internet privacy," stated Barry Fagin, a privacy and
telecommunications adviser working for RMI.NET.

"If a commercial website does something with a cookie that you don't
like, or if they don't disclose their privacy policy to your
satisfaction, you don't have to use it. Government sites, however, are
often the sole source of information and have legal force behind them.
So the standards for privacy protection should be much more rigorous
than the private sector. In practice, at least right now, things are
exactly backwards," he said.

"The present administration's commitment to civil liberties and
privacy issues has been, in a word, terrible," asserted Fagin.

There is evidence supporting Fagin's assessment of the Clinton-Gore
administration. For example, Vice President Al Gore has previously
endorsed federal government monitoring of computer communications. In
1994, Gore endorsed a government-designed computer "Clipper" chip
intended to monitor all secure computer communications, according to a
letter written by the vice president.

"We also want to assure users of key escrow encryption products that
they will not be subject to unauthorized electronic surveillance," noted
the vice president in his July 20, 1994, letter to Cantwell.

"As we have done with the Clipper chip, future key escrow schemes
must contain safeguards to provide for key disclosures only under legal
authorization and should have audit procedures to ensure the integrity
of the system. Escrow holders should be strictly liable for releasing
keys without legal authorization," wrote Gore.

Yet, in 1994, government officials were keenly aware that the Clipper
chip design that Gore endorsed did not have safeguards against
unauthorized surveillance.

According to a top secret 1992 memo, FBI official J. R. Davis, wrote,
"The most serious concern is that the scenario regarding the use of the
'exploitable' chip could surface publicly."

In 1993, Benita A. Cooper, NSA associate administrator for management
systems and facilities, wrote "There is no way to prevent the NSA from
routinely monitoring all (CLIPPER) encrypted traffic. Moreover,
compromise of the NSA keys, such as in the Walker case, could compromise
the entire (CLIPPER) system."

The GAO cookie report drew no reaction from the various political
camps. Maria Cantwell, a well-known dot-com millionaire is currently
the Democratic candidate running in a close bid against Sen. Glade
Gordon, R-Wash. Neither Cantwell's Senate campaign office in Washington
nor Gordon's campaign office both responded to requests for a comment.

The Republican National Committee headquarters and the Democratic
National Committee headquarters also declined to comment on the cookies
report. The lack of response from both major political parties comes as
no surprise to privacy experts like Fagin.

"Neither major party really seems to 'get it.' That's why we need to
take more responsibility for our own Web surfing and online privacy
protection," noted Fagin.

"If a website doesn't display their privacy policy, e-mail them to
ask why, and tell them you won't give them your business until they do.
If they have a privacy policy link (most reputable sites display one
proudly), click on it, read it and understand it. Finally, learn how to
control the privacy settings in your browser. If you don't want any
websites to track any information about your site visits, it's easy to
do."

"Like it or not, when it comes to online privacy, we're on our own,"
concluded Fagin. "I think in the long run, we're better off that way."