January 5, 2006 4:00 AM PST

Government Web sites are keeping an eye on you

This is the first story in a two-part investigation. Read the second part here.

Dozens of federal agencies are tracking visits to U.S. government Web sites in violation of long-standing rules designed to protect online privacy, a CNET News.com investigation shows.

From the Air Force to the Treasury Department, government agencies are using either "Web bugs" or permanent cookies to monitor their visitors' behavior, even though federal law restricts the practice.

Chart: Federal Web tracking

Some departments changed their practices this week after being contacted by CNET News.com. The Pentagon said it wasn't aware that its popular Defenselink.mil portal tracked visitors--in violation of a privacy notice--and said it would fix the problem. So did the Defense Threat Reduction Agency and the U.S. Chemical Safety and Hazard Investigation Board.

"We were not aware of the cookies set to expire in 2016," a Pentagon representative said Wednesday. "All of the cookies we had set with WebTrends were to be strictly (temporary) cookies, and we are taking immediate action." WebTrends is a commercial Web-monitoring service.

The practice of tracking Web visitors came under fire last week when the National Security Agency was found to use permanent cookies to monitor visitors, a practice it halted after inquiries from the Associated Press. The White House also was criticized last week for employing WebTrends' tracking mechanism that used a tiny GIF image.

A 2003 government directive says that, in general, "agencies are prohibited from using" Web bugs or cookies to track Web visitors. Both techniques are ways to identify repeat visitors and, depending on the configuration, can be used to track browsing behavior across nongovernment Web sites too.

"It's evidence that privacy is not being taken seriously," said Peter Swire, a law professor at Ohio State University, referring to the dozens of agencies tracking visitors. "The guidance is very clear." While working in the Clinton administration in 2000, Swire helped to craft an earlier Web tracking policy.

To detect which agencies engage in electronic tracking, CNET News.com wrote a computer program that connected to every agency listed in the official U.S. Government Manual, and then evaluated what monitoring techniques were used. The expiration dates of the cookies detected ranged from 2006 to 2038, with most of them marked as valid for at least a decade or two.

Many agencies appeared to have no inkling that their Web sites were configured to record the activities of users. "When the agency set up ColdFusion on our Web server, we set the software to its default value," said William Alberque, a spokesman for the Defense Threat Reduction Agency. "The default value, as you saw, creates individual session cookies that can last on your computer for either 30 years or until you delete them." (ColdFusion is Adobe Systems' Web development software.)

While the practice of setting permanent cookies is generally prohibited, it's usually not clear how they're being used. In the worst case, they could be used to invade privacy by correlating one person's visits to thousands of Web sites. They also can be as innocuous as permitting someone to set a Web site's default language.

Not all monitoring of Web visitors is prohibited. The 2003 directive provides an exception for federal agencies that have a "compelling

CONTINUED: Failure to follow the rules…
Page 1 | 2 | 3

See more CNET content tagged:
WebTrends Corp., agency, visitor, practice, privacy


Join the conversation!
Add your comment
Government Tracking Cookies
The American public still has not taken this lesson to heart. Whenever Uncle Sam opens the door, invading our privacy, he always abuses the privilage. Remember"Temporary Income Tax?" How about the collection of 30 year old child support, plus 30 years of 12% interest. You can not fight because you can not receive records from the government agencies past 7 years. Yet you are expected to have your records from 30 years ago. The people of this country have to take control and hold these politicians in check, before they suck democracy out of this country.
Posted by perfrog (10 comments )
Reply Link Flag
child support?
Umm child support is not money paid to the government, it's to the kid you sired. Should have kept the receipts, that's what I think. In fact, wouldn't you be worried if the 'evil' government kept every payment you made? Isn't keeping a record of your agreement for as much as seven years invading your privacy? Next time settle.
Posted by sanenazok (3449 comments )
Link Flag
Government web developers incompetent?
It seems to me that the people who are setting up these sites for the US Federal Government should be reading up on the software that they are installing. Just because some server software created persistent cookies by default does not mean that the agencies are not to blame. They should be checking the settings on these things before putting them in place!
Posted by ddesy (4336 comments )
Reply Link Flag
That's Why The Sites Are Hacked
The large number of reported break-ins of government sites (as reported by CNET and others) is reflective of a lack of competancy of the individuals running these sites. Why should we be surprised they don't have cookies configured properly?
Posted by Stating (869 comments )
Link Flag
Media tracks users across the web
Cnet leaves about a dozen cookies in my browser by reading the
above story. Three of those appear to belong to advertising
tracking networks. The NY Times leaves over two dozen tracking
cookies on my computer. The Washington Post? About a dozen.
CNN? You guess it ... another pile of cookies.

The only reason I can think the media is so scared of some
government web sites using cookies is because the media knows
well of bad things the media may be doing with cookies and
assumes the worst for the government.

All for now - I need to delete my cookies.
Posted by signalops (9 comments )
Reply Link Flag
Government tracking
The point of the story was to evaluate whether government Web sites are following federal regulations limiting what they can do to track users.

In many cases, as we found, they're not. You can argue about whether the regulation is wise or silly, but it seems reasonable to say that the government should follow the rules. After all, it expects that we do.
Posted by declan00 (848 comments )
Link Flag
Very good point
You called it like it is... everybody and his brother... (including CNET and other major news agencies) do this.

So if you're going to blow the whistle on the government... then the whole wall of secrecy about everybody who does it needs to be blown.

It's not like you can't block cookies or request confirmation of cookies prior to allowing them OR like you cannot delete cookies.

This who article stinks of one-sidedness.

Posted by wbenton (522 comments )
Link Flag
Not all cookies are used for tracking, since you don't know what cookies are, I doubt you can tell the difference.
Posted by Bill Dautrive (1179 comments )
Link Flag
I'm shocked, I tell you, shocked, that their webservers are using cookies. Whats next? PHP? AJAX? Is there no end to this insanity?
Posted by (402 comments )
Reply Link Flag
Is there no end to this insanity?
Is there no end to this insanity?

Have you looked at what cookes you've been collecting from where and for how long they're valid? Cookies aren't evil! Regardless of what else you want to believe.

And if you don't want to be tracked on the internet... they you shouldn't connect. Because everytime you connect... you give out your IP address which you want to claim is private information... but it's not... it's your ISP's globally available IP address which you personally give to everybody on the internet whom you visit!

Posted by wbenton (522 comments )
Link Flag
Auto erasing them & a better cookie system.
What I'd like to see is a special class of short cookies. Those would not be suitable for tracking, but could be used for preferences (language, start page, options, etc ...). Browsers would then have a setting to erase long (tracking) cookies and keep short ones. To be effective, those short cookies would need other rules, such as a unique name to prevent a bunch of short cookies being used and a 'same domain as the page/top frame' restriction.

In the meantime, I did setup Firefox & Mozilla to accept all cookies, but for the current session only, so I don't need to worry about them.
Posted by My-Self (242 comments )
Reply Link Flag
Cookie Cleaners
There are oodles of cookie cleaning software which purge cookies older than xx hours or days.

Many of them are freeware while some of them are share ware.

You can also easily go in and manually delete your own cookies as you like without the need for any other software.

Cookies aren't a problem. Why CNET thinks they are is beyond me!!!

Posted by wbenton (522 comments )
Link Flag
The excuse is so lame
Those federal agencies following visitor's movements at government web sites knew what they were doing from the jump. It's because they were caught that they come up with excuses. Most criminals do!
Posted by casper2004 (267 comments )
Reply Link Flag
So is the problem
What web site doesn't use cookies??? Even RSS feeds use web bugs to track syndication. It isn't as if the END USER can't turn them off themselves for crying out loud. Lets just beat up the government for doing something that EVERYBODY else does legally anyway. Yeah... that'll be fun. We can probably get the ACLU to side with us on this one. Sheesh...
Posted by David Arbogast (1709 comments )
Link Flag
Did Bush sign another "Wiretap" document?
Obviously, tracking people on the internet is legal because of 9/11...if you use Bush's wiretapping arguement. Not right, just legal.

It makes me wonder if we aren't emulating, the worst of the Communist ideoligy....
Posted by jluchford (23 comments )
Reply Link Flag
Study your history
<<It makes me wonder if we aren't emulating, the worst of the Communist ideoligy....>>

I venture to say that if you knew anything at all about communism, you would stop spreading this ridiculous scare tactic. Name one significant company that doesn't track its users. Just one. You know that CNet is tracking you right now, don't you?? Those crazy commies!!
Posted by David Arbogast (1709 comments )
Link Flag
Cookies have been valid since they were first developed. They're not something that just popped up since 9/11 and there is nothing illegal about them. Microsoft sets them, EVERY news site you visit sets them and most non-news sites even set them.

As for whether they're valid for 1 minute, 1 hour, 1 day, 1 year, 1 millinium matters not!

If you don't want to be tracked... don't connect to the internet... because if you do... you're going to be tracked by 99.9999998% of the sites you visit!

So where is the problem?
Posted by wbenton (522 comments )
Link Flag
You think there only using cookies?
Check out the BCA site here where they actually tell you to
download a Secure Certificate to gain public information.

<a class="jive-link-external" href="https://cch.state.mn.us/Common/BCAHome.aspx" target="_newWindow">https://cch.state.mn.us/Common/BCAHome.aspx</a>

Of course the policy clearly state that the usage of the certificate
is for your own good. FYI, I'm looking for Criminals not trying to
be one let alone create one.

Thousands and thousands of websites allow authority to
databases without the need for Certificates while still
maintaining a secure presence.

Thousands of websites can't be wrong so why is the BCA using
this type of technology. Well think of it. Certificates allow more
control over a users computers than cookies would ever allow.

HMMMM. Just something to think about!

Posted by OneWithTech (196 comments )
Reply Link Flag
Here is a way to make sure your cookies and temp..
...files are deleted every time you close Internet Explorer

<a class="jive-link-external" href="http://www.techviewstoday.us/?p=70" target="_newWindow">http://www.techviewstoday.us/?p=70</a>

Posted by OneWithTech (196 comments )
Reply Link Flag
Common Sense Award
Goes to this gentleman for pointing out the obvious. You are
100 percent right in every fashion. It is the responsibility of the
people maintaining the governments networks to understand
there software and use it in it's intended fashion.

This was just the Governments way of blowing Virtual Smoke up
everybody's *****. Kind of like what Microsoft does everyday.

One more point to add to this, since Microsoft finds it necessary
to wait till January 10 to deploy it's fix to a major problem it has
not only left consumer's at risk, they have left our Government
at risk too.

Thanks Billy, from all of US.
Posted by OneWithTech (196 comments )
Reply Link Flag
Monitoring Easy to Detect
It has been a well known fact that government websites monitor the activities and e-mails of those who visit their sites. People from the Middle East are well aware of this because the monitoring operation has been severely bungled. Obviously, al Queda operatives who were involved in 911 or the Oklahoma City bombing will be using other methods. For example some months ago, I attempted to establish an account with a BLM employment site that I had previously established in Portland, ORegon. When I restablished contact with this site, the government e-mailed me my current address book and the address book I had in Portland, ORegon in 2001 when 9-11 occured. I lived across from the mosque and know people from that part of the world. Minutes later no one could establish contact with the BLM website-technical difficulties. Well of course I immediately knew I was being monitored because I had sent e-mails to the Chinese embassy and their e-mail was in the address book that the government had sent me. I fear that our intelligence agencies may have a keystone cop mentality in dealing with the domestic threats if there are any. They are wasting their time and spending alot of money doing it.
Posted by gordone_smith (6 comments )
Reply Link Flag
VERY slipshod and misleading reporting
Um, I'm a web person at a govt. agency in DC that was contacted by the reporters yesterday. We use ColdFusion, like many agencies (hell, it's a great product). Yes, CF by default places a CFTOKEN/CFID cookie on any machine that hits a CF (.cfm) webpage. This contains NO information of any value; it's like being given a number at a deli. It's just a number for the application to "potentially" use should someone wish to programatically take advantage of it. Few do.

There is NO data gathering at our agency, despite this absurd cookie being "baked." So, technically, our agency -- almost assuredly like most of the others -- isn't doing anything wrong. There is no gathering of data or tracking of visitors. None. To do so, we would have to actively write scripts to do just that, which we do not. We (yes, contractors) would get fired in a second if we dared to do that without direct authorization from the agency CIO. Believe me, it ain't worth it. What would we do with the data? It's absurd.

Point is, these little cookies can be turned off. But also, most browsers can be adjusted to block them...and it won't have any effect on your visit to these sites, since the cookies do nothing at all.

These reporters have skewed their article to suggest that agencies like ours are flouting the law by collecting and/or using visitor info. This is entirely false. In fact, like other agencies, we investigated and directly informed the reporters of this. Seems they can't understand the reality of what cookies are and how they are used or not used when the more exciting prospect of stirring undue fear and paranoia are possible.

Shame on these reporters. The refusal to listen and learn about the truth from IT professionals only demonstrates their real intent: hype and readers, not facts to serve the public.

Too bad.

Oh, and thanks, CNET, for requiring me to fill out a registration form and accept cookies that do keep track of me in order to post this simple comment. Interesting. Very interesting.
Posted by chriskobar (1 comment )
Reply Link Flag
.gov cookies
Sorry you didn't like our article. You apparently don't like the White House OMB regulation that restricts .gov agencies from using permanent cookies.

If you don't like the regulation or think it's silly or ridiculous or a pain to comply with, well, why don't you take it up with the White House instead of choosing not to comply with it?

It's not like the rest of us get a choice of whether or not to follow laws that we think are silly or ridiculous or a pain to comply with.
Posted by declan00 (848 comments )
Link Flag
I think the point of the article is not that government agencies monitor use, but it highlights the fact that the web development/security practices at these agencies are bad enough that there is a potential, even without malicious intent, to use the practice to spy on people.

For example, the CFID/CFTOKEN cookies, if stored indefinitely, allows you to cross-reference the website user, based on their cookie with their other visits to the site. Because CFID/CFTOKEN matching information is stored on the ColdFusion server, such matching (call it "spying" if you want) is possible. True, you will have to write scripts or mine the data in another way, but the point is that 25 years after visiting a site, my site visit can be tracked and matched to the old one.
Posted by (3 comments )
Link Flag
Point is.....
with the current vogue of secrecy in the US Government as evidenced by Bush's (possibly illegal, if not immoral) use of the NSA, the problems with DHS/TSA, placing people on suspect lists without verifying they are the ones that should be on the list, and so on, any use of cookies, however technically minor, is prohibited by the OMB policy, but has sneaked into use by the incomptence of the so-called IT people who designed the websites. This is prima facie evidence that the Government cannot be trusted with any information and certainly can't be trusted with denials of the use of information potentially gathered. Just because you don't know of it personally doesn't mean it doesn't happen. At least when you signed up for this forum you were told what to expect in the way of cookies, those visiting US Government websites aren't accorded the same respect.
Posted by kenny-J (53 comments )
Link Flag
Grossly inaccurate reporting
This story is so full of inaccuracies, speculation, and sensationalism that the authors should be ashamed of themselves.

I have posted a detailed response at <a class="jive-link-external" href="http://www.forta.com/blog/index.cfm/2006/1/5/CNet-Newscom-Writers-Demonstrate-Desire-For-Sensationalism-And-Poor-Technical-Understanding" target="_newWindow">http://www.forta.com/blog/index.cfm/2006/1/5/CNet-Newscom-Writers-Demonstrate-Desire-For-Sensationalism-And-Poor-Technical-Understanding</a>.
Posted by BenForta (2 comments )
Reply Link Flag
a 30 year cookie, you must be joking?!
my goodness, most people don't even hold on to a computer for three years, let alone formatting it once a year. where's them cookies then? I just thought the whole cookie debate was over, and someone had to dig up some nonsense again. uuuaaah.
Posted by coldfury.us (2 comments )
Reply Link Flag
you just got tagged by cbsi.com
yup and if you check you'll notice that cbsi.com just tagged you for the next 32 years
Posted by genericbrandx (3 comments )
Link Flag
Missing the point
As a dual citizen of both the USA and UK this is where I really appreciate the idea of the UK/EU legally enshrined protection of privacy. The problem is not cookies, it is a lack of a legal concept of privacy beyond the requirement of a warrant. If it was not cookies it might be a Flash storedObject or some other technology which might be harder to find and remove. If this stuff bothers you write your representatives in Congress and push for the legal right to privacy.
Posted by (1 comment )
Reply Link Flag
What about CNET?
Meanwhile viewing this article set 21 cookies on my machine, many expiring in 2009 or 2037.

This article's full of inexpert quotes and the writers putting an evil twist on it, such as the quote from William Alberque. Alberque says ColdFusion was set up with the default settings, which the writers imply to mean that ColdFusion by default is creating cookies to track user activity. Let's just ignore the fact that the Defense Threat Reduction Agency is installing software without paying attention to how it's set up to operate. ColdFusion will only create cookies if the web site developer programs it that way. And if the developer explicitly stores some information in a cookie "with the default settings", it will expire at the end of the browser session. The blame here is put on the technologies being employed, but those technologies are just acting as they were set up and programmed.
Posted by jsamland (3 comments )
Reply Link Flag
c|net's declan publishes using 30-year cookies
In today's news, Declan McCullagh's articles have been found to place J2EE cookies, the same type used by Adobe's popular ColdFusion development platform. It was also discovered that Declan's articles set cookies that have expiration dates of up to 30 years in the future. Declan's comments on the subject seem to prove his ignorance of any relevant topics and came off as ludicrous and purile.

Declan even went so far as to invoke ColdFusion team members in an attempt to give his position a bit of credibility, but even that failed... leaving him high and dry as the truth came out. In the end, it was discovered that his very own articles left cookies (some of which actually DID store data) on the computer that were found to have the following expiration dates:

Nov 10, 2006
Feb 8, 2006
Jan 8, 2006
Dec 10, 2037
April 10, 2006
Dec 31, 2009
Dec 31, 2009
Dec 10, 2037

Look! 31 years in the future... but when the servers in question will cease to recognize them as valid is an entirely different question.
Posted by c|net_loses (3 comments )
Link Flag
What insipid drivel.
For years, I have used Jason's Cookie Jar to sort and eliminate obnoxious or unwanted cookies. I also use the good folks at www.bugmenot.com to access sites that require registration and passwords. It works for me.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
calming down now.
defenselink DOES have an error in it's privacy statement. They should not have stated that they don't use persistent cookies. All they really have to do to comply with govt regs is to modify their privacy statement to say that persistent cookes ARE used to assist with site useablility.

<a class="jive-link-external" href="http://www.whitehouse.gov/omb/memoranda/text/m03-22.html" target="_newWindow">http://www.whitehouse.gov/omb/memoranda/text/m03-22.html</a>

states that:
"Tracking and customization activities. Agencies are directed to adhere to the following modifications to OMB Memorandum 00-13 and the OMB follow-up guidance letter dated September 5, 2000:
Tracking technology prohibitions:
agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors activity on the Internet except as provided in subsection (b) below;
agency heads may approve, or may authorize the heads of sub-agencies or senior official(s) reporting directly to the agency head to approve, the use of persistent tracking technology for a compelling need. When used, agencys must post clear notice in the agencys privacy policy of:
the nature of the information collected;
the purpose and use for the information;
whether and to whom the information will be disclosed; and
the privacy safeguards applied to the information collected.
agencies must report the use of persistent tracking technologies as authorized for use by subsection b. above (see section VII)20."

Now naturally our fine govt agencies will most probably overreact, fire a bunch of developers, and spend lots of money removing all traces of cookies from their sites.

It seems to me they can simply tweak their privacy statement to be in compliance.

At <a class="jive-link-external" href="http://www.defenselink.mil/warning/warn-dl.html" target="_newWindow">http://www.defenselink.mil/warning/warn-dl.html</a>
Article 9 states that:
Cookie Disclaimer - DefenseLINK does not use persistent cookies (persistent tokens that pass information back and forth from the client machine to the server). DefenseLINK may use session cookies (tokens that remain active only until you close your browser) in order to make the site easier to use. The Department of Defense DOES NOT keep a database of information obtained from these cookies.

Just change article 9 to read that you DO use persistent cookies, but not for any purpose of tracking and you're all done.

I guess I can see how this may be worth pointing out to them, but I don't think we should be slamming politicians for this. There are plenty of other legit things we can slam them for.
Posted by mmichaels (85 comments )
Reply Link Flag


AHHHH AHHHH AHHHH!!!!!!!!!!! I"M ON FIRE!!!!! THE KOOKIEZ!!!!!!!!!!!!!!

Posted by gerhard_schroeder (311 comments )
Reply Link Flag
What a Farce
What a farce... what a farce... what a farce...

Browsers can be set up to either allow or disallow automatic cookies and they can also be set to prompt you prior to setting cookies.

Likewise... privacy and the internet are oxymorons... anybody who claims otherwise is quacked up!!!

Everybody and his brother uses tracking cookies... thus is there any surprise why official government sites WOULD NOT?!?!

If you're going to go after the good guys... just make sure you don't leave out all the bad guys too. (* ROFLOL *)

CNET just went down a notch in my rating system on this one!

Way overboard on matters which shouldn't really matter as there is no real method to prevent such from occuring!!!

Is CNET that hard up for news?

A Disgruntled Reader,

Posted by wbenton (522 comments )
Reply Link Flag
Remember the movie Demolition Man?
Let's face it, big brother is spying on us and it will probably get worse. Like to the point where anyone with impeccable status can have you tuned into satellite so that when you do something other than what's expected of you, they can call you on it right then and there.
Posted by casper2004 (267 comments )
Reply Link Flag
And the Rest?
Why zero in on the government? Yes, the government should be held accountable. But what about ALL the businesses out there using ADWARE?! Not only do we as citizens need to take control of our politicians, we need to stop businesses from taking advantage of us.
Posted by eln01 (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.