IGs: Agencies' sites remain cookie jars

BY TONY LEE ORR | GCN STAFF

Designers revamping federal Web sites often turn agencies' servers into cookie monsters, a posse of inspectors general found in a review for lawmakers.

Although most sites that had been planting persistent cookies no longer are gathering data, cookie factories continue to pop up because site designers improperly configure Web software, according to IG audits written in February and recently released by the Senate Appropriations Subcommittee on Treasury and General Government.

Strict diet

The Office of Management and Budget last year directed agencies to make sure their Web sites did not use persistent cookies, which reside on a visitor's system for a long period of time collecting data [GCN, July 3, 2000, Page 3]. Agencies could use persistent cookies only for justifiable projects approved by agency chiefs and if the sites clearly informed visitors, OMB said.

Session cookies, which expire after visitors close their browsers, were deemed acceptable and are used by many agencies.

Of the agencies reviewed, only the Interior Department had no sites in violation of the OMB directive.

At the Transportation Department, where 23 sites were planting session cookies, a designer reconfigured a Web server, which then began planting persistent cookies on visitors' systems, according to an IG report.

The Federal Aviation Administration had its hand deepest in the cookie jar, maintaining 20 of the 23 Transportation cookie-planting sites. The sites have been fixed, and officials periodically check them to make sure they comply with the OMB rule, FAA spokeswoman Rebecca Trexler said.

An IG audit of General Services Administration Web pages found 15 sites planting cookies. GSA has reconfigured 12 of its sites to prevent the collection of visitor information, GSA spokesman Bill Bearden said.

Sites maintained by GSA's Federal Supply Service, Federal Technology Service and Public Buildings Service still plant cookies and gather information, Bearden said.

Former GSA administrator David Barram approved the use of cookies on those sites, he said.

Managers of 11 Energy Department Web sites that were found collecting data said they were unaware in some cases that servers were planting persistent cookies. Some Energy officials also told the department's IG that they didn't know OMB prohibited the practice.

'Several others expressed awareness of the requirements but chose to use the data collection method because they believed that there was a valid requirement for the information,' noted the department's IG Office in its report, Internet Privacy.

All Energy Web sites have now been fixed, department officials said.

Six sites run by Treasury Department bureaus were collecting data using persistent cookies, according to a Treasury IG report, Information Technology: Treasury Web Sites Substantially Comply with OMB Privacy Policies and Data Collection Standards.

On the up-and-up

Treasury chief information officer James Flyzik said he believed department bureaus were using cookies for valid business reasons and would work with them to get approval for the practice.

The Education Department's inspector general found four servers planting cookies, but department officials were unaware that three of the servers were planting anything.

Department officials told the IG that they thought the fourth server had been planting session cookies, not persistent cookies set to expire in 36 years.

At NASA, auditors said the space agency was not in full compliance because it lacked a policy regarding the use of persistent cookies.

The agency typically collects IP addresses of visitors for security purposes, auditors reported.
