THE VIEW FROM INSIDE
As it's written, OMB policy on cookies is half-baked
Walter R. Houser
The Office of Management and Budget has loosened its ban on cookies. But it has done so in a manner that has left many webmasters confused, or at least bemused.
In its Memorandum 00-13, OMB said the small files of data known as cookies and stored on a visitor's Web browser are OK if they expire at the end of a session. But it said persistent cookies, those that last longer than a session, are bad.
Here's where the confusion starts: A Web session typically is defined by a cookie's expiration date and time, so all cookies are session cookies. If the expiration is two years, then the session lasts two years. Thus, the concept of persistent cookies has no meaning.
Does OMB approve of all cookies? Not really, but the distinction between good and bad cookies is unclear.
The memo, "Privacy Policies and Data Collection on Federal Web Sites," said cookies "should not be used at federal Web sites or by contractors when operating Web sites on behalf of agencies" unless agencies first met four criteria.
That last item practically ensured there would be no cookies. But cookie use has persisted, according to the General Accounting Office, drawing a second condemnation from the Clinton administration.
The Chief Information Officers Council questions the wisdom of the crackdown and has voiced concern that the policy might cripple agencies' efforts to deliver services via the Internet.
A fine line
Commerce Department CIO Roger Baker wrote to OMB acknowledging the privacy concerns raised by cookies but drawing a distinction between the ways in which they're used.
What are called persistent cookies are used "to retain and correlate information about users between sessions," and are primarily the source of privacy concerns, he wrote. "Unfortunately, the term cookie is also commonly used to describe place-keepers used to retain context during an individual user session." These session cookies are important because the Web is based on a stateless system in which the host system does not retain session context.
"Without this technology, true electronic-commerce applications, including electronic signatures, would be cumbersome or impossible, as a user would need to provide complete selection or authentication information on every screen submitted," Baker noted.
The Commerce CIO is rightly concerned that the cookie ban could hamstring e-government. But the distinction between persistent and session cookies is not a technical one. Rather it is a matter of the content and duration of the cookie.
Although personal data might not become part of a cookie, the data could be kept on the Web server.
The cookie on the visitor's computer identifies the client from one Web page download to the next. The important distinction is the information content the cookie represents.
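The duration-and-content distinction drawn above, as an added Python example that is not code from the column, OMB or any agency: it classifies a Set-Cookie header by how long the browser will keep it, and shows a session cookie that carries only an opaque identifier while the personal data stays on the server. The cookie names, values and the server-side store are constructed.

```python
"""Audit Set-Cookie headers by the distinction the column draws.

Added example, not code from the column, OMB or any agency; headers and
names are constructed. Duration comes from Expires/Max-Age; content is
kept off the cookie by storing the record server-side under a random token.
"""
import secrets
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

BROWSER_SESSION = "browser-session"  # no expiry attribute; dropped at browser exit
PERSISTENT = "persistent"            # Expires or Max-Age set; survives restarts
EXPIRED = "expired"                  # lifetime of zero or less: a deletion


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def classify_cookie(header, now=None):
    """Return (kind, lifetime); lifetime is a timedelta or None."""
    now = now or datetime.now(timezone.utc)
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:  # browsers apply Max-Age ahead of Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - now
    else:
        return BROWSER_SESSION, None
    if lifetime <= timedelta(0):
        return EXPIRED, timedelta(0)
    return PERSISTENT, lifetime


def issue_session_cookie(store, user_record):
    """Keep user_record server-side; the cookie carries only a random token."""
    token = secrets.token_hex(16)
    store[token] = user_record
    # No Expires or Max-Age: the browser discards it when the session ends.
    return f"SESSIONID={token}; Path=/; Secure; HttpOnly"
```

Running `classify_cookie` over the Set-Cookie headers an agency site emits gives a quick inventory of which cookies outlive the browser session and by how much.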
OMB deputy director John T. Spotila, in a Sept. 5 response to Baker's letter, outlined OMB's concerns about the unintended consequences of using cookies to collect data.
"Such cookies can often be linked to a person after the fact, even where that was not the original intent of the Web site operator," Spotila said.
But information gathered for a single session, he said, "can assist Web users in their electronic interactions with government, without threatening their privacy."
OMB needs to make clear that cookies can be used within the bounds of the Privacy Act.