Congress' hands caught in the cookie jar

This is the second story in a two-part investigation. Read the first part here.

Dozens of U.S. senators are quietly tracking visits to their Web sites even though they have publicly pledged not to do so.

Sixty-six politicians in the U.S. Senate and House of Representatives are setting permanent Web cookies even though at least 23 of them have promised not to use the online tracking technique, a CNET News.com investigation shows.

Sen. John McCain, R-Ariz., for instance, has been a longtime advocate of strict privacy laws to restrict commercial Web sites' data collection practices. In a statement posted on his own Web site, McCain assures visitors that "I do not use 'cookies' or other means on my Web site to track your visit in any way."

News.context

What's new:
Although they have promised to abstain from using cookies to track visits to their Web sites, at least 23 U.S. senators do so. Overall, 66 members of Congress use the tracking devices.

Bottom line:
Although there is no rule prohibiting members of Congress from using cookies, such practices have come under fire from privacy advocates, including from politicians who continue to employ cookie ID devices on their Web sites.

More stories on this topic

But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035.

"ColdFusion was used to design the site by a third-party vendor, and we were not aware of any cookies," McCain's office said in a statement sent to CNET News.com, referring to Adobe Systems' popular Web design software. "The information collected is not used by our office for any purpose, and we are currently in the process of deleting them."

All House members who use cookies either acknowledge it or have privacy policies that are silent on the topic. Of the 23 senators who pledged not to employ cookies but do anyway, 18 are Republicans and five are Democrats.

"It shows their lack of understanding of technology," said Sonia Arrison, director of technology studies at the Pacific Research Institute, a nonprofit group in San Francisco. "It's willful ignorance. They're complete hypocrites. How can they accuse companies of poor data management when they're not doing it on their own Web sites?"

No rule prohibits the use of Web monitoring techniques by Congress. But such a restriction does apply to executive branch agencies. The Pentagon and others scrambled this week to eliminate so-called Web bugs and cookies after inquiries from CNET News.com.

The practice of tracking Web visitors came under fire last week when the National Security Agency was found to be using cookies to monitor visitors. It halted the practice after inquiries from the Associated Press. The White House also was criticized last week for employing a tracking mechanism, created by WebTrends, that used a tiny GIF image.

Cookies are unique ID numbers that a remote Web site hands a browser, which automatically regurgitates them upon subsequent visits. They can be used for something as innocuous as permitting someone to customize a Web site's default language for return visits. In the worst case, they can be used to invade privacy by correlating one person's visits to potentially thousands of different Web sites.

(Like most online media organizations, CNET Networks, the publisher of News.com, uses cookies. That use is detailed in a privacy policy.)

"The irony is rich"
It's ironic for senators to complain about private companies setting cookies and then go ahead and do it themselves, said Jim Harper, director of information studies at the Cato Institute, a free-market think tank.

"They should definitely abide by their privacy policies," Harper said. "The irony is rich."

McCain, for instance, spent years warning that cookies were a problem when used by corporations. "Through the use of cookies and other technologies, network advertisers have the ability to collect and store a great deal of information about individual consumers," McCain said in 2000 (click here for PDF). "This information is collected without the consumer's knowledge or consent."

Similarly, the Senate's Governmental Affairs Committee prepared a report in 2001 saying that 64 federal agency Web sites used permanent cookies. Today, so does the Governmental Affairs Committee.

One bill was even introduced in February 2000 to target corporations' use of cookies. It died in a Senate committee.

In many cases, politicians seemed to be unaware of their use of Web tracking technology until being contacted this week.

A representative for the Senate's top Democrat, Harry Reid of Nevada, said the office's Webmaster had no idea that reid.senate.gov set two cookies scheduled to expire in 2035. After CNET News.com asked about it, the Webmaster started to dig through the code.

"Obviously our office has no idea what we're using these cookies for, because we don't even know they existed," said Ari Rabin-Havt, Reid's director of Internet communications.

One version of Reid's privacy policy is silent about cookie use, but a Spanish-language version pledged not to employ them.

[aabcdefghij987654321]

Cookies not necessarily "online tracking"

Cookies are a basic web technology used for many purposes. Of
course, you can "track" people with cookies, but most cookies
these days are to allow session tracking, for internal navigation
of sites, remembering preferences between pages, and other
purposes.

You'd think C|Net would be more sophisticated than the normal
media in this regard. Are they advocating the elimination of
cookies? How can web sites of any sophistication be made
without cookies these days. Anti-cookie hysteria is so 1995.

[lewissalem]

I know...

...Cnet is drifting away.. off into the land of scare reporting.. pandering to mainstream for pagehits... bye...bye...

[skepticoverlord]

Cookie confusion?

Reporting on cookies as "user tracking" is simply misleading the
public, and reads more like something from main consumer
media, than the more sophisticated CNET.

This, and the AP story about cookies from the NSA website,
promote the idea that "cookies are bad". This line of reasoning
seems to be perpetuated by the "security scanning" software
firms that classify the Alexa cookie as a potential malicious MS-
DOS application (as an example).

Confusing the public about the reality of Internet technology
doesn't seem to be a good place for CNET to be.

[fafafooey]

Utterly ridiculous

This article is utterly ridiculous. Blindly linking cookies to something nefarious is silly.

Does the author really think John McCain or Dirty Harry Reid know if or why their sites use cookies? Does the author really think they are being used for some type of "spying" or being sold to spammers? Come on! I'm no fan of big government and look at government with a wary eye, but even I don't think they are doing this. What type of useful information would they even get out of it?

It's getting to the point where CNet news.com is becoming totally irrelevent to me - a bunch of uninformed, media-hype, fear mongering articles.

[Mortimer14]

Pay Attention Now

The point of the article is NOT that cookies are or may be used to track people accessing a web site.
The POINT of the article is that McCain and others are slamming those who use cookies and claiming that they don't when in fact the DO use them.
Personally, I value information such as this, if I ever get a chance to vote for or against McCain or one of the others, I will remember that he/she lies through their teeth. I know that all politicians do that, but I now have proof of it in this case.

[mmichaels]

Pretty silly

Ohhh....18 Republicans and 5 Democrats.....guess it's just a "culture of cookie corruption" here! I'm sure glad you to made that point clear.

By the way, I noticed this suspicious cookie on my computer called "Cookie:marc@cnet.com" that expires on 12/30/2037. I guess CNET may be part of this vast right-wing conspiracy.

[arluthier]

C-NET has put a probe in my computer!

<SARCASM>
I always wondered how C-NET was figuring out what articles would get me riled up... must be this cookie-probe they stuck on my computer... reading my thoughts through the keyboard.

I need to invest in thicker aluminium foil, and glue it to my finger tips.
</SARCASM>

[nopieinthesky]

C-NET monitoring?

I wonder if C-Net place cookies for the same purposes?
Is it a crime with malice or just good marketing strategy?
www.nopieinthesky.net

[zaznet]

You fell victim...

The alluminum foil trick actually enhances mind-scanning technologies by focusing the brain wave activity and in so doing making it a stronger signal to read.

The entire idea of using foil to protect yourself from mind-readers was put out by those agencies who employ the practice of reading minds.

You have played right into their hands...

[DaClyde]

perfectly legitimate and very common practice

There's nothing sneaky about the service WebTrends offers, it's primarily a way to see how users are using a website to help the site owners better maintain and design the site. It's not about clandestinely watching a users every move to use against them later, it's about seeing what they use, how often they use it and how they got there in an effort to improve site navigation and content.

Now if they were installing some sort of tracking cookie that was reporting all the users' activities OFF the government sites, THAT would be a concern.

[casper2004]

I thought cookies were something we ate

It is a tracking cookie. All cookies probably are. Why else would someone shove one up somebody elses computer?

[cristianodiaz]

Talk about FUD and fear mongering

I am really disappointed that c|net would post such a technically inaccurate, incendiary article. The presence of a cookie does not mean the user is being tracked. There are all kinds of legitimate, beneficial uses of them, and it is ridiculous tripe like this story that just causes confusion and fear about them. The authors of the article don't have the first clue what they are talking about, and have decided just to make lurid and vague statements to make it seem like Congress members are doing something nefarious. If c|net has any integrity, they will revise the article and the cheap, cliched title and can the authors.

[chance1298]

I don't think this was the intent of the article

At least, I hope that the intent of the article was not to misconstrue the purpose of cookies. I believe that it was more of an intent to point out that Congress is all for passing laws to try to control technology uses, but often has little understanding of the technology, or even compliance with their own set technology policies. Yet Congress has no problem with nailing corporations to the wall with ill-conceived technology laws. That's my interpretation of this article anyway.

[Bennet_McGovern]

You dont seem to get it

<rant>
C-NET IS NOT SAYING THE COOKIES ARE TRACKING YOU.

Please for the love of whatever God you subscribe to, read the artical with a incling of inteligence, please. The point of the artical is that these senators said they wouldn't use persistant cookies, and these government agencies are legally not allowed to, but yet they do. It doesn't say they are using these tracking cookies to actually track you, but they could.

I am not an American, but i always thought that law was law, thats it, maybe i am nieve in thinking that a government that went to war for no particular reason and allowed a illeterate retard like G.W.B into the whitehouse would even resemble a real goverment, not the Fisher Price "My First Government" it does now, where the guy who owns it can change the rules half way through because they are losing.

Grow up america, realise that not everyone thinks the same as you and not every artical is merely taking shots at the government

</rant>

[Akakadak]

Much ado about nothing

Why is this even on the front page?? This is just as dumb as saying that God has smitten Sharone...

The privacy policies state that cookies aren't used to track visitiors, not that cookies aren't used.

Rest assured, no one is using cold fusion session cookies to track users!

[BobVila]

Silly c|net, cookies are your friend and you are the enemy

Dear c|net,

How could you? I thought you were better than this. How much longer must cookies endure the bad rap. Your article is irresponsible and inflammatory, but I'll forgive you if you can step out of the pre-2000 cookie phobic timewarp you are living in.

Stop being an anti-cookite. The existence of a persistant cookie in your browser's cache does not mean you are being tracked. Period.

Embrace technology and educate the masses, instead of trying to send them into hysteria. No longer shall cookies share the plight of the spam burger, let the cookies live free of harassment and prejudice!

And if you don't want cookies set, disable them in your browser. Maybe you could have even included a helpful link?

In the meantime, please post more intelligent, informed, and earnest articles that I might actually enjoy reading.

PS: You need to take your "News of Change" slogan to heart and let's start by changing the name and/or existence of this article and replacing the author with someone who actually gives a damn about technology and your readers.

[jeffmar]

Not Enough Homework

"Although they have promised to abstain from using cookies to
track visits to their Web sites, at least 23 U.S. senators do so."

-Had this been a true statement there might be need for
concern!

When I read this article I had to wonder if c|net and/or the
authors were trying to build up the "cookie fear" or raise
negative hype for Senators and Congress by writing a catchy
headline.

Unfortunately the quoted statement above is completely
inaccurate. There is a difference between malicious and non-
malicious cookies. The cookies used here do NOT store user
information, do NOT track visits, and do NOT intrude on the
user's privacy. The porpose of the cookies used here is to
improve site navigation and usabilty while browsing the site.

I personally am not concerned, nor do I believe that my Senator
is being malicious to me through cookies.

[rightturnclyde]

Whale of an issue

While this may not have been the porpose of the article, cnet is doing a great job of making a whale of an issue.

[rightturnclyde]

Holy mackerel! Have you no sole?

I think the moral here is that you can tune a piano but you can't tuna fish. But all of this floundering around is getting ridiculous. In fact, the whole article smells fishy to me.

[PaulMann]

Are you guys real journalists?

I'm just curious if you understand grammer or anything about cookies?

First, on the privacy statement, as I read it, it says that they are not putting cookies or other means to track visits. I assume if you are a journalist, you took an english class? I'll help you out here. This is a compound statement, making the point that they do not use cookies to track or other means to track. Come on now, are you just acting stupid so you can create an issue? If so, then you are a GOOD journalist!

On the cookies themselves, did you even take the time to look at the content? If so, and you continue to call it a "tracking cookie" then you are dishonest and VERY GOOD journalist.

Seriously though, go take a grammer class and a basic webmaster class. Your reporting will improve ten fold (that means a lot).

[Michael Grogan]

How do you know they're not tracking?

The point of this story was that government agencies were violating rules by using cookies at all. The rule was made so they coulcn't deploy cookies that could be used for tracking because government entities have a very extensive track record of abusing every thing they can. I wouldn't be a bit surprised if the NSA and the CIA, in particular, were using them for tracking.

[skepticoverlord]

How?

In what way could they use cookies for "tracking"?

[Bennet_McGovern]

Thank you...there is light in this tunnel

Exactly, exactly, exactly. All these anti C-Net people are looking at this from the wrong direction. It is like looking at gun laws from the point of the bullets, please, READ, if you still dont get it READ again, and stop posting your "C-net is scaremongering" and "maybe then you will be a GOOD journalist" etc. Another tip is to read the whole artical, not the big bold by-line and then form an opinion. I know you have a short attention span but give it a go, maybe your should try taking a day to read it or something. Think people, think

I thought CNET was a tech site?

First off, let me say that the CNET Asia site leaves a cookie on your machine which expires in 2010.

Secondly, this article is just plain irresponsible on the part of CNET. There is a HUGE difference between tracking users and session management. Coldfusion servers default to using cookies for session management. Of course, I shouldn't have to explain this to CNET. I do remember hearing this short of dialog about cookies before...it was 1995. Well done CNET.

[ErvServer]

Congressional Cookies

Congress people lie about most everything why wouldn't they be expected to lie about cookies on their websites? I don't visit their sites so they can cookie all they want to.

[BenForta]

Get the facts

I have blogged responses to both parts of this story:

Part 1: http://www.forta.com/blog/index.cfm/2006/1/5/CNet-Newscom-Writers-Demonstrate-Desire-For-Sensationalism-And-Poor-Technical-Understanding

Part 2: http://www.forta.com/blog/index.cfm/2006/1/6/CNet-Newscom-Sensationalism-And-Fearmongering-Part-II

Nail on the head

I think you've hit the nail right on the head with those blog entries. Maybe you should start a tech news site!

[fafafooey]

I can't look at your blog...

It uses cookies and Cnet said they are very bad. Why are you trying to track me on the Internet! Are you a spy? :-)

CNET becoming a joke?

Not that I've ever believed CNET's reporting was first rate, but c'mon, this is getting rediculous even for them.

Why has this topic now gotten TWO articles? This is a totally fabricated, irrelevant 'issue'. Is CNET so desperate for ad views that they feel they have to start making up 'controversial' stories? Or is there some sort of jealosy involved with the CNET 'journalists' (term used loosely) being envious of the the mainstream media and wanting to come up with a scoop of their own?

[David Arbogast]

Yes - they are

CNet is obviously a left-leaning liberal pseudo-news wannabe organization. They have correctly associated the majority of open-source proponents with left-wing liberalism, and they are catering to their base.

[genericbrandx]

reasons for this story?

Are the cookie stories being used to help sell more anti-spyware/ anti-cookie software listed on Download.com or sponsoring C|Net?

[n3td3v]

CNET Editor shouldnt let this story run

The people you interviewed aren't people who even know what cookies are. The people you've questioned in asking about whats used on a website isn't the person the site is representing, but the people who have designed the site. It's probably the same people designing all of these web sites. Those are the guys you should be questioning, not unsavy members of congress. On another note, corporations using cookies is a whole different ball game from a member of congress's website. I'm anti the U.S gov for the war on Iraq and I am the last person to stick up for them, but on a technical basis, this story is unfair to all parties mentioned. Including that of the way corporate web sites use cookies in comparison to whats going on with congressional sites. Have a good day CNET. Your editor has alot to answer for. I just hope this doesn't turn into another Google, where CNET get snubbed from future press interviews. We'll see I agree congressional websites are wrong to use certain cookie based tactics, but this story is poking at all the wrong angles. Take care next time if you want to win over public opinion on gov site technical affairs.

[n3td3v]

CNET's investigative journalism

The more I review the structure of this story the poorer the whole thing sounds. This is a valid story and important subject, but the arguments and quotes used don't give the topic the justice it deserves. I don't know whats going on at CNET HQ, but you should be hiring "I.T and Security Advisors" to help you with your stories to fight a story on a technical side. This story requires more information into what the cookies are doing in comparison to corporate cookies. Both are completely different. Present your story with technical knowledge next time. This is all just heresay from whats been said in your article. I hope CNET hires some technical advisors next time. Maybe people who have analyised all sites, and researched the people who implemented the cookie functionality, and take them to task over it, not members of congress!

[jsamland]

Cookies != Tracking

--- McCain assures visitors that "I do not use 'cookies' or other means on my Web site to track your visit in any way." But visiting mccain.senate.gov implants a cookie on the visitor's PC that will not expire until 2035. ---

McCain here says the cookies aren't being used for tracking, he doesn't say that cookies aren't being used. Read the quotes before trying to point fingers, McCullagh. Between this and yesterday's article, you're trying to uncover some cookie tracking conspiracy without any evidence other than to say cookies are present. If the overall point is to say that no government site should set any cookies at all, then that should be it. Say "cookies are being created, they can't do that" rather than "they're setting cookies, so they must be tracking everything we do". But I'll agree, reporting that sites are setting cookies would be very boring, so putting a antitrust spin on it will generate more page clicks.

[Bennet_McGovern]

trying to sound smart are we

the point is, and i dont know how many times i am going to have to expalin this to you people, he said he wouldnt use cookies to track, how do you know what his cookies do, how do you know what information they collect, how do you know what that information is used for, maybe the other side put those cookies on there to see how many people were against them, maybe some script kiddie put it there to have a laugh, who knows. they shouldn't be there, and if they are, people should be informed. as far as i am concerned, anything that installs or copies without your consent is at the leaset spyware and at worst a virus