Comments on: Government Web sites are keeping an eye on you

Dozens of federal agencies are using visitor-tracking cookies that violate long-standing rules designed to protect privacy.

[perfrog]

Government Tracking Cookies

The American public still has not taken this lesson to heart. Whenever Uncle Sam opens the door, invading our privacy, he always abuses the privilage. Remember"Temporary Income Tax?" How about the collection of 30 year old child support, plus 30 years of 12% interest. You can not fight because you can not receive records from the government agencies past 7 years. Yet you are expected to have your records from 30 years ago. The people of this country have to take control and hold these politicians in check, before they suck democracy out of this country.

[sanenazok]

child support?

Umm child support is not money paid to the government, it's to the kid you sired. Should have kept the receipts, that's what I think. In fact, wouldn't you be worried if the 'evil' government kept every payment you made? Isn't keeping a record of your agreement for as much as seven years invading your privacy? Next time settle.

[ddesy]

Government web developers incompetent?

It seems to me that the people who are setting up these sites for the US Federal Government should be reading up on the software that they are installing. Just because some server software created persistent cookies by default does not mean that the agencies are not to blame. They should be checking the settings on these things before putting them in place!

[Stating]

That's Why The Sites Are Hacked

The large number of reported break-ins of government sites (as reported by CNET and others) is reflective of a lack of competancy of the individuals running these sites. Why should we be surprised they don't have cookies configured properly?

[signalops]

Media tracks users across the web

Cnet leaves about a dozen cookies in my browser by reading the
above story. Three of those appear to belong to advertising
tracking networks. The NY Times leaves over two dozen tracking
cookies on my computer. The Washington Post? About a dozen.
CNN? You guess it ... another pile of cookies.

The only reason I can think the media is so scared of some
government web sites using cookies is because the media knows
well of bad things the media may be doing with cookies and
assumes the worst for the government.

All for now - I need to delete my cookies.

[declan00]

Government tracking

The point of the story was to evaluate whether government Web sites are following federal regulations limiting what they can do to track users.

In many cases, as we found, they're not. You can argue about whether the regulation is wise or silly, but it seems reasonable to say that the government should follow the rules. After all, it expects that we do.

[wbenton]

Very good point

You called it like it is... everybody and his brother... (including CNET and other major news agencies) do this.

So if you're going to blow the whistle on the government... then the whole wall of secrecy about everybody who does it needs to be blown.

It's not like you can't block cookies or request confirmation of cookies prior to allowing them OR like you cannot delete cookies.

This who article stinks of one-sidedness.

Walt

[Bill Dautrive]

Cookies

Not all cookies are used for tracking, since you don't know what cookies are, I doubt you can tell the difference.

*gasp*!

I'm shocked, I tell you, shocked, that their webservers are using cookies. Whats next? PHP? AJAX? Is there no end to this insanity?

[wbenton]

Is there no end to this insanity?

Is there no end to this insanity?

Have you looked at what cookes you've been collecting from where and for how long they're valid? Cookies aren't evil! Regardless of what else you want to believe.

And if you don't want to be tracked on the internet... they you shouldn't connect. Because everytime you connect... you give out your IP address which you want to claim is private information... but it's not... it's your ISP's globally available IP address which you personally give to everybody on the internet whom you visit!

Walt

[My-Self]

Auto erasing them & a better cookie system.

What I'd like to see is a special class of short cookies. Those would not be suitable for tracking, but could be used for preferences (language, start page, options, etc ...). Browsers would then have a setting to erase long (tracking) cookies and keep short ones. To be effective, those short cookies would need other rules, such as a unique name to prevent a bunch of short cookies being used and a 'same domain as the page/top frame' restriction.

In the meantime, I did setup Firefox & Mozilla to accept all cookies, but for the current session only, so I don't need to worry about them.

[wbenton]

Cookie Cleaners

There are oodles of cookie cleaning software which purge cookies older than xx hours or days.

Many of them are freeware while some of them are share ware.

You can also easily go in and manually delete your own cookies as you like without the need for any other software.

Cookies aren't a problem. Why CNET thinks they are is beyond me!!!

Walt

[casper2004]

The excuse is so lame

Those federal agencies following visitor's movements at government web sites knew what they were doing from the jump. It's because they were caught that they come up with excuses. Most criminals do!

[David Arbogast]

So is the problem

What web site doesn't use cookies??? Even RSS feeds use web bugs to track syndication. It isn't as if the END USER can't turn them off themselves for crying out loud. Lets just beat up the government for doing something that EVERYBODY else does legally anyway. Yeah... that'll be fun. We can probably get the ACLU to side with us on this one. Sheesh...

[jluchford]

Did Bush sign another "Wiretap" document?

Obviously, tracking people on the internet is legal because of 9/11...if you use Bush's wiretapping arguement. Not right, just legal.

It makes me wonder if we aren't emulating, the worst of the Communist ideoligy....

[David Arbogast]

Study your history

<<It makes me wonder if we aren't emulating, the worst of the Communist ideoligy....>>

I venture to say that if you knew anything at all about communism, you would stop spreading this ridiculous scare tactic. Name one significant company that doesn't track its users. Just one. You know that CNet is tracking you right now, don't you?? Those crazy commies!!

[wbenton]

Cookies...

Cookies have been valid since they were first developed. They're not something that just popped up since 9/11 and there is nothing illegal about them. Microsoft sets them, EVERY news site you visit sets them and most non-news sites even set them.

As for whether they're valid for 1 minute, 1 hour, 1 day, 1 year, 1 millinium matters not!

If you don't want to be tracked... don't connect to the internet... because if you do... you're going to be tracked by 99.9999998% of the sites you visit!

So where is the problem?

[OneWithTech]

You think there only using cookies?

Check out the BCA site here where they actually tell you to
download a Secure Certificate to gain public information.

https://cch.state.mn.us/Common/BCAHome.aspx

Of course the policy clearly state that the usage of the certificate
is for your own good. FYI, I'm looking for Criminals not trying to
be one let alone create one.

Thousands and thousands of websites allow authority to
databases without the need for Certificates while still
maintaining a secure presence.

Thousands of websites can't be wrong so why is the BCA using
this type of technology. Well think of it. Certificates allow more
control over a users computers than cookies would ever allow.

HMMMM. Just something to think about!

~Justin

[OneWithTech]

Here is a way to make sure your cookies and temp..

...files are deleted every time you close Internet Explorer

http://www.techviewstoday.us/?p=70

~Justin

[OneWithTech]

Common Sense Award

Goes to this gentleman for pointing out the obvious. You are
100 percent right in every fashion. It is the responsibility of the
people maintaining the governments networks to understand
there software and use it in it's intended fashion.

This was just the Governments way of blowing Virtual Smoke up
everybody's *****. Kind of like what Microsoft does everyday.

One more point to add to this, since Microsoft finds it necessary
to wait till January 10 to deploy it's fix to a major problem it has
not only left consumer's at risk, they have left our Government
at risk too.

Thanks Billy, from all of US.

[gordone_smith]

Monitoring Easy to Detect

It has been a well known fact that government websites monitor the activities and e-mails of those who visit their sites. People from the Middle East are well aware of this because the monitoring operation has been severely bungled. Obviously, al Queda operatives who were involved in 911 or the Oklahoma City bombing will be using other methods. For example some months ago, I attempted to establish an account with a BLM employment site that I had previously established in Portland, ORegon. When I restablished contact with this site, the government e-mailed me my current address book and the address book I had in Portland, ORegon in 2001 when 9-11 occured. I lived across from the mosque and know people from that part of the world. Minutes later no one could establish contact with the BLM website-technical difficulties. Well of course I immediately knew I was being monitored because I had sent e-mails to the Chinese embassy and their e-mail was in the address book that the government had sent me. I fear that our intelligence agencies may have a keystone cop mentality in dealing with the domestic threats if there are any. They are wasting their time and spending alot of money doing it.

[chriskobar]

VERY slipshod and misleading reporting

Um, I'm a web person at a govt. agency in DC that was contacted by the reporters yesterday. We use ColdFusion, like many agencies (hell, it's a great product). Yes, CF by default places a CFTOKEN/CFID cookie on any machine that hits a CF (.cfm) webpage. This contains NO information of any value; it's like being given a number at a deli. It's just a number for the application to "potentially" use should someone wish to programatically take advantage of it. Few do.

There is NO data gathering at our agency, despite this absurd cookie being "baked." So, technically, our agency -- almost assuredly like most of the others -- isn't doing anything wrong. There is no gathering of data or tracking of visitors. None. To do so, we would have to actively write scripts to do just that, which we do not. We (yes, contractors) would get fired in a second if we dared to do that without direct authorization from the agency CIO. Believe me, it ain't worth it. What would we do with the data? It's absurd.

Point is, these little cookies can be turned off. But also, most browsers can be adjusted to block them...and it won't have any effect on your visit to these sites, since the cookies do nothing at all.

These reporters have skewed their article to suggest that agencies like ours are flouting the law by collecting and/or using visitor info. This is entirely false. In fact, like other agencies, we investigated and directly informed the reporters of this. Seems they can't understand the reality of what cookies are and how they are used or not used when the more exciting prospect of stirring undue fear and paranoia are possible.

Shame on these reporters. The refusal to listen and learn about the truth from IT professionals only demonstrates their real intent: hype and readers, not facts to serve the public.

Too bad.

Oh, and thanks, CNET, for requiring me to fill out a registration form and accept cookies that do keep track of me in order to post this simple comment. Interesting. Very interesting.

[declan00]

.gov cookies

Christopher:
Sorry you didn't like our article. You apparently don't like the White House OMB regulation that restricts .gov agencies from using permanent cookies.

If you don't like the regulation or think it's silly or ridiculous or a pain to comply with, well, why don't you take it up with the White House instead of choosing not to comply with it?

It's not like the rest of us get a choice of whether or not to follow laws that we think are silly or ridiculous or a pain to comply with.

..But...

I think the point of the article is not that government agencies monitor use, but it highlights the fact that the web development/security practices at these agencies are bad enough that there is a potential, even without malicious intent, to use the practice to spy on people.

For example, the CFID/CFTOKEN cookies, if stored indefinitely, allows you to cross-reference the website user, based on their cookie with their other visits to the site. Because CFID/CFTOKEN matching information is stored on the ColdFusion server, such matching (call it "spying" if you want) is possible. True, you will have to write scripts or mine the data in another way, but the point is that 25 years after visiting a site, my site visit can be tracked and matched to the old one.

[kenny-J]

Point is.....

with the current vogue of secrecy in the US Government as evidenced by Bush's (possibly illegal, if not immoral) use of the NSA, the problems with DHS/TSA, placing people on suspect lists without verifying they are the ones that should be on the list, and so on, any use of cookies, however technically minor, is prohibited by the OMB policy, but has sneaked into use by the incomptence of the so-called IT people who designed the websites. This is prima facie evidence that the Government cannot be trusted with any information and certainly can't be trusted with denials of the use of information potentially gathered. Just because you don't know of it personally doesn't mean it doesn't happen. At least when you signed up for this forum you were told what to expect in the way of cookies, those visiting US Government websites aren't accorded the same respect.

[BenForta]

Grossly inaccurate reporting

This story is so full of inaccuracies, speculation, and sensationalism that the authors should be ashamed of themselves.

I have posted a detailed response at http://www.forta.com/blog/index.cfm/2006/1/5/CNet-Newscom-Writers-Demonstrate-Desire-For-Sensationalism-And-Poor-Technical-Understanding.

[coldfury.us]

a 30 year cookie, you must be joking?!

my goodness, most people don't even hold on to a computer for three years, let alone formatting it once a year. where's them cookies then? I just thought the whole cookie debate was over, and someone had to dig up some nonsense again. uuuaaah.

[genericbrandx]

you just got tagged by com.com

yup and if you check you'll notice that com.com just tagged you for the next 32 years

Missing the point

As a dual citizen of both the USA and UK this is where I really appreciate the idea of the UK/EU legally enshrined protection of privacy. The problem is not cookies, it is a lack of a legal concept of privacy beyond the requirement of a warrant. If it was not cookies it might be a Flash storedObject or some other technology which might be harder to find and remove. If this stuff bothers you write your representatives in Congress and push for the legal right to privacy.

[jsamland]

What about CNET?

Meanwhile viewing this article set 21 cookies on my machine, many expiring in 2009 or 2037.

This article's full of inexpert quotes and the writers putting an evil twist on it, such as the quote from William Alberque. Alberque says ColdFusion was set up with the default settings, which the writers imply to mean that ColdFusion by default is creating cookies to track user activity. Let's just ignore the fact that the Defense Threat Reduction Agency is installing software without paying attention to how it's set up to operate. ColdFusion will only create cookies if the web site developer programs it that way. And if the developer explicitly stores some information in a cookie "with the default settings", it will expire at the end of the browser session. The blame here is put on the technologies being employed, but those technologies are just acting as they were set up and programmed.

[c|net_loses]

c|net's declan publishes using 30-year cookies

In today's news, Declan McCullagh's articles have been found to place J2EE cookies, the same type used by Adobe's popular ColdFusion development platform. It was also discovered that Declan's articles set cookies that have expiration dates of up to 30 years in the future. Declan's comments on the subject seem to prove his ignorance of any relevant topics and came off as ludicrous and purile.

Declan even went so far as to invoke ColdFusion team members in an attempt to give his position a bit of credibility, but even that failed... leaving him high and dry as the truth came out. In the end, it was discovered that his very own articles left cookies (some of which actually DID store data) on the computer that were found to have the following expiration dates:

Nov 10, 2006
session
Feb 8, 2006
session
Jan 8, 2006
session
Dec 10, 2037
session
session
session
April 10, 2006
Dec 31, 2009
Dec 31, 2009
Dec 10, 2037

Look! 31 years in the future... but when the servers in question will cease to recognize them as valid is an entirely different question.

[aabcdefghij987654321]

What insipid drivel.

For years, I have used Jason's Cookie Jar to sort and eliminate obnoxious or unwanted cookies. I also use the good folks at www.bugmenot.com to access sites that require registration and passwords. It works for me.

[mmichaels]

calming down now.

defenselink DOES have an error in it's privacy statement. They should not have stated that they don't use persistent cookies. All they really have to do to comply with govt regs is to modify their privacy statement to say that persistent cookes ARE used to assist with site useablility.

http://www.whitehouse.gov/omb/memoranda/text/m03-22.html

states that:
"Tracking and customization activities. Agencies are directed to adhere to the following modifications to OMB Memorandum 00-13 and the OMB follow-up guidance letter dated September 5, 2000:
Tracking technology prohibitions:
agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors? activity on the Internet except as provided in subsection (b) below;
agency heads may approve, or may authorize the heads of sub-agencies or senior official(s) reporting directly to the agency head to approve, the use of persistent tracking technology for a compelling need. When used, agency?s must post clear notice in the agency?s privacy policy of:
the nature of the information collected;
the purpose and use for the information;
whether and to whom the information will be disclosed; and
the privacy safeguards applied to the information collected.
agencies must report the use of persistent tracking technologies as authorized for use by subsection b. above (see section VII)20."


Now naturally our fine govt agencies will most probably overreact, fire a bunch of developers, and spend lots of money removing all traces of cookies from their sites.

It seems to me they can simply tweak their privacy statement to be in compliance.

At http://www.defenselink.mil/warning/warn-dl.html
Article 9 states that:
Cookie Disclaimer - DefenseLINK does not use persistent cookies (persistent tokens that pass information back and forth from the client machine to the server). DefenseLINK may use session cookies (tokens that remain active only until you close your browser) in order to make the site easier to use. The Department of Defense DOES NOT keep a database of information obtained from these cookies.

Just change article 9 to read that you DO use persistent cookies, but not for any purpose of tracking and you're all done.

I guess I can see how this may be worth pointing out to them, but I don't think we should be slamming politicians for this. There are plenty of other legit things we can slam them for.

[gerhard_schroeder]

CNET IS KILLING US WITH BUSH KOOKIES

CNET IS A BUSH AGENT

THEY HAVE THE KOOKIEZ TOO!!!!

AHHHH AHHHH AHHHH!!!!!!!!!!! I"M ON FIRE!!!!! THE KOOKIEZ!!!!!!!!!!!!!!

!!!!!!!!!!!!!!

[wbenton]

What a Farce

What a farce... what a farce... what a farce...

Browsers can be set up to either allow or disallow automatic cookies and they can also be set to prompt you prior to setting cookies.

Likewise... privacy and the internet are oxymorons... anybody who claims otherwise is quacked up!!!

Everybody and his brother uses tracking cookies... thus is there any surprise why official government sites WOULD NOT?!?!

If you're going to go after the good guys... just make sure you don't leave out all the bad guys too. (* ROFLOL *)

CNET just went down a notch in my rating system on this one!

Way overboard on matters which shouldn't really matter as there is no real method to prevent such from occuring!!!

Is CNET that hard up for news?

A Disgruntled Reader,

Walt