Featured eBooks
Open Season 2025 Guide
Health Tech
Space Trends
Insights & Reports
Access Management: Core to CISA’s Zero Trust Maturity Model 2.0
Presented By Carahsoft
Download Now
Identity Modernization for Government Service Excellence
Presented By Okta
Download Now
Managing Technology

Agencies Caught in the Cookie Jar

Bill Murray

|
he controversy over "cookies," the small data files that track the habits of Web site users, shows how hard it is for government managers to make more data available to the public and improve customer service while still protecting privacy. Federal managers have to walk a tightrope, balancing their legal and regulatory duties against public demand for electronic government. The Social Security Administration ran into difficulty two years ago when it tried to post retirement benefits that citizens could access using their Social Security numbers. After an uproar from privacy advocates, the SSA quickly ditched its plans and reverted to a paper-based process. So much for the Paperwork Reduction Act.
T

Any browser can place cookies in Web site visitors' hard drives to identify and track their usage patterns on the Web. Cookies come in two flavors: "session cookies" terminate shortly after a user has left a particular Web site, and "persistent cookies" stay imbedded in users' hard drives to identify them when they return.

Persistent cookies are particularly irksome to privacy advocates, but many citizens dislike the use of any cookies. These views subject the digital world to a higher privacy standard than the paper-based world. So how are federal managers to improve their Web sites-which are becoming key to delivering information to citizens-if they can't track who is visiting their sites and for what?

A recent General Accounting Office audit of 65 federal Web sites shows that 13 agencies violated a policy that the Office of Management and Budget issued in June restricting their use of cookies. Auditors found that the Office of National Drug Control Policy had allowed a company to install persistent cookies on its Web site (www.whitehousedrugpolicy.gov) without informing users. The Forest Service (www.fs.fed.us), meanwhile, allowed a company to have "co-ownership" of cookie data, also without any notice on its Web site.

It's unclear whether the officials who permitted the use of persistent cookies at the 13 agencies had the approval of their agencies' senior executives and political appointees. Failure to get permission is certainly possible, given that the Web is considered the "Wild West" of the digital frontier. Still, we don't know whether those officials acted rashly or with bad intent.

Technology can create problems for managers when a few people seize on a new idea and rush to implement it without going through the proper channels. As GAO's report showed, however, the egg is on the face of upper level managers at least as much as on anyone else.

Sally Katzen, OMB's deputy director for management, has said that the Clinton administration didn't object to session cookies, but Web site managers shouldn't use persistent cookies unless they get the agency head's personal approval. This would ensure that they don't violate the 1974 Privacy Act.

But following the law isn't so easy for federal Web officials. In a recent audit, the Transportation Department's inspector general found that many DOT agencies incorrectly reported their use of cookies. Thousands of Transportation's 200,000 Web pages had not been checked for proper cookie use, according to the IG report. And two agencies were using persistent cookies as a result of improper Web site software configurations. Web experts like Marc Andreeson, former chief technologist at Netscape Communications Corp., encourage the release of software before it's mature and bug-free. Otherwise business innovation would be stifled, he says. At the same time, federal managers are getting pressure from Congress and watchdog groups who are forcing agencies to get their Web privacy practices in line. If they don't get their acts together, they risk being laughed off Capitol Hill next time they request funding for information security projects.

Data privacy has become a sensitive political issue. Sen. Fred Thompson, R-Tenn., the Senate Governmental Affairs Committee chairman, and House Majority Leader Rep. Dick Armey, R.-Texas, joined the fray last year by requesting a GAO investigation of government agencies' Web site security practices.

Persistent cookie data can be matched up with other data to create profiles of citizens through their Internet protocol addresses, which in turn could provide access to their names, Social Security numbers and mailing addresses, wrote John Spotila, administrator of OMB's office of information and regulatory affairs, in a widely circulated letter to Roger Baker, the chief information officer of the Commerce Department. This phenomenon is potentially troubling given the volume of financial, medical and personal data contained in government records, according to Spotila. Agencies must post clear privacy policies on their principal Web sites, as well as "any other known, major entry points to sites," OMB Director Jacob Lew wrote in the June directive to agencies. Agencies must ensure that data collected by cookies are not shared with third parties, if that's their stated policy, according to the memo.

Citizens should be able to presume that agencies don't use cookies on their Web sites unless an agency clearly says it does, Lew said. The directive also applies to contractors that operate Web sites on behalf of federal agencies.

According OMB's policy, agencies need to demonstrate the following, in order to use cookies:

  • A compelling need to gather site user data.
  • Appropriate and publicly disclosed privacy safeguards for handing site data, as well as information collected through cookies.
  • Personal approval by the agency head.

OMB ordered agencies to provide with their annual budget submissions in December a description of their privacy practices and the processes they've implemented to comply with the cookies policy.

Such regulatory and legal constraints make it challenging for federal managers to introduce commercial business practices and operate more efficiently. But some agencies seem to be accomplishing those goals, according to OMB.

In fact, Spotila has praised the U.S. Mint's Web site (www.usmint.gov) on its use of session cookies to help coin collectors make purchases. The Education Department's Direct Consolidation Loan site (http://loanconsolidation.ed.gov) also follows the law in using cookies to help student loan recipients fill out loan applications online, according to Spotila.

Mint officials, who refer to coin collectors as their Web site's biggest customers, broke the $5 million sales mark for daily revenue in October, says spokeswoman Kathy Millar. During the 12-month period ending in October, the Mint's site racked up $156 million in sales, making it one of the Top 20 "e-tailers" in the world, she says.

Cookies provide the Mint with the opportunity to connect Web site users with particular servers at two "cybercenters" that process orders, says Glenn Hall, the office of electronic business director at the Mint. No other known technology allows them to make such connections, so using cookies is key to the site's success, he says. User interaction with the site is anonymous until a visitor places an order. Such an "opt in" policy, which allows site users to reveal what they want about themselves, is becoming popular among federal Web sites.

The cookies embedded in a user's hard drive at the Mint site normally expire within 20 minutes after the user has left the site, Hall says. "There can be remnants left in a hard drive's temporary file, but the browser enables you to erase that data," he says. Although the Web site has served about 500,000 users a year for the last two years, the agency has received just three written complaints about the cookies, he says.

The Mint's Web site uses persistent and session cookies. An online notice says that when users return to the Web site, identifying cookies will be sent back to the site along with the user's new request.

Commercial vendors often customize their Web sites using persistent cookies, so that users can view data that most interests them during subsequent visits. But the Mint does not engage in that practice, Hall says. The Mint's chief information office has taken what Hall calls a "strong position" in deciding they "don't have the right to go out and erase" cookie files that have been embedded in users' hard drives.

The General Services Administration, which uses the Web to conduct much of its business, uses a fee-for-service model like the Mint's. GSA doesn't track or look at usage behavior with its cookies, except when site security is endangered, according to the privacy and security policy posted at www.gsa.gov. "When we examine this data, it is always presented in an aggregate form," to determine the number of users and how to improve customer service, the notice states.

GSA officials have adopted an "opt in" strategy whereby they don't use any identification data unless site visitors fill out a data request. GSA shares data with third parties only in the case of an authorized law enforcement investigation, according to the notice.

Agencies may have more restrictions than private companies do when it comes to implementing innovative electronic business strategies, but federal managers have proved they can abide by OMB's regulations while gathering and disseminating information through their Web sites.

Federal managers, however, should move more cautiously than fearless dot-com employees who don't face the scrutiny of Congress and GAO. They should set up points of accountability in their organizations, so that it's clear who's in charge of Web site security and the sites are being checked regularly for compliance with OMB policy.

Using cookies well can benefit agencies in their electronic government initiatives, but managers have to ensure that they abide by OMB policy.

NEXT STORY: Teaching An Old Dog New Tricks