THE VIEW FROM INSIDE

As it's written, OMB policy on cookies is half-baked

Walter R. Houser

The Office of Management and Budget has loosened its ban on cookies. But it has done so in a manner that has left many webmasters confused, or at least bemused.

In its Memorandum 00-13, OMB said the small files of data known as cookies and stored on a visitor's Web browser are OK if they expire at the end of a session. But it said persistent cookies, those that last longer than a session, are bad.

Here's where the confusion starts: A Web session typically is defined by a cookie's expiration date and time, so all cookies are session cookies. If the expiration is two years, then the session lasts two years. Thus, the concept of persistent cookies has no meaning.

Does OMB approve of all cookies? Not really, but the distinction between good and bad cookies is unclear.

On June 22, OMB Director Jacob J. Lew wrote agency heads and demanded that agencies rein in their use of cookies.

The memo, 'Privacy Policies and Data Collection on Federal Web Sites,' said cookies 'should not be used at federal Web sites or by contractors when operating Web sites on behalf of agencies' unless agencies first met four criteria.

To use cookies, agencies must post clear and conspicuous notice, have a compelling need to gather the data, disclose privacy safeguards for handling the information and obtain personal approval from the agency's head.

That last item practically ensured there would be no cookies. But cookie use has persisted, according to the General Accounting Office, drawing a second condemnation from the Clinton administration.

The Chief Information Officers Council questions the wisdom of the crackdown and has voiced concern that the policy might cripple agencies' efforts to deliver services via the Internet.

A fine line

Commerce Department CIO Roger Baker wrote to OMB acknowledging the privacy concerns raised by cookies but drawing a distinction between the ways in which they're used.

What are called persistent cookies are used 'to retain and correlate information about users between sessions,' and are primarily the source of privacy concerns, he wrote. 'Unfortunately, the term cookie is also commonly used to describe place-keepers used to retain context during an individual user session.' These session cookies are important because the Web is based on a stateless system in which the host system does not retain session context.

'Without this technology, true electronic-commerce applications, including electronic signatures, would be cumbersome or impossible, as a user would need to provide complete selection or authentication information on every screen submitted,' Baker noted.

The Commerce CIO is rightly concerned that the cookie ban could hamstring e-government. But the distinction between persistent and session cookies is not a technical one. Rather, it is a matter of the content and duration of the cookie.

Although personal data might not become part of a cookie, the data could be kept on the Web server.

The cookie on the visitor's computer identifies the client from one Web page download to the next. The important distinction is the information content the cookie represents.
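In the browser's own terms, the line between a session cookie and a persistent one is drawn by the Expires and Max-Age attributes of the Set-Cookie header: a cookie with neither is discarded when the browser closes, and one with either lasts until the stated time. As an added example (not the column's or OMB's), here is a small Python audit a webmaster could run over a site's Set-Cookie headers to see which cookies would outlive a visitor's session; the headers and the clock are constructed samples.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs); attrs keys are
    lower-cased and flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, has_val, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_val else True
    return name.strip(), value, attrs

def cookie_lifetime(header, now):
    """Return None for a session cookie (no Max-Age/Expires: gone when the browser
    closes), else a timedelta from `now` to expiry; <= 0 means immediate deletion."""
    _, _, attrs = parse_set_cookie(header)
    if "max-age" in attrs:  # RFC 6265: Max-Age takes precedence over Expires
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass  # non-numeric Max-Age is ignored; fall back to Expires
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) - now
        except (TypeError, ValueError):
            return None  # unparseable Expires: treated as a session cookie
    return None

def audit(headers, now):
    """Return [(name, 'session' | 'persistent' | 'deleted', remaining_days)]."""
    report = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        life = cookie_lifetime(header, now)
        if life is None:
            kind = "session"
        else:
            kind = "deleted" if life <= timedelta(0) else "persistent"
        report.append((name, kind, None if life is None else life.days))
    return report

# Constructed sample headers, as a Web server might send them.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure; HttpOnly",                # session
    "visitor=7f3c; Max-Age=63072000; Path=/",                    # two years
    "tracker=x9; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/", # dated
    "old=1; Max-Age=0; Path=/",                                  # deletion
]
NOW = datetime(2026, 10, 14, 7, 28, tzinfo=timezone.utc)  # constructed clock
```

Calling `audit(SAMPLE_HEADERS, NOW)` flags `visitor` as persisting for 730 days and `tracker` for 7, while `SESSIONID` carries no expiry at all; the two-year cookie is exactly the kind the memo objects to.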

OMB deputy director John T. Spotila, in a Sept. 5 response to Baker's letter, outlined OMB's concerns about the unintended consequences of using cookies to collect data.

'Such cookies can often be linked to a person after the fact, even where that was not the original intent of the Web site operator,' Spotila said.

But information gathered for a single session, he said, 'can assist Web users in their electronic interactions with government, without threatening their privacy.'

OMB needs to make clear that cookies can be used within the bounds of the Privacy Act.

If an agency collects personal information without the appropriate Privacy Act notices and controls, such use of cookies would be illegal. Persistence has nothing to do with the law.

Walter R. Houser, who has more than two decades of experience in federal information management, is webmaster for a Cabinet agency. His personal Web home page is at www.cpcug.org/user/houser.
