The Central Intelligence Agency (CIA) has been caught with its hand in the digital cookie jar in an apparent violation of national policy on the use of persistent cookies on federal Web sites. The agency has admitted it was using a cookie, marking visitors with a unique identification tag, on its Electronic Reading Room (ERR) site, which offers access to previously released CIA documents.
When questioned about the practice by the Texas-based non-profit group Public Information Research (PIR) on Friday, the CIA removed the cookie and said it was “unaware” and “embarrassed” by the situation. The agency laid the blame on a former contractor. The cookie was used to track an individual visitor’s search requests.
In June 2000, the Office of Management and Budget (OMB) issued guidance that addresses the use of cookies on federal Web sites. The guidance established a presumption that persistent cookies would not be used on federal Web sites. Further, it provided that persistent cookies could be used only when agencies (1) provide clear and conspicuous notice of their use; (2) have a compelling need to gather the data on-site; (3) have appropriate and publicly disclosed privacy safeguards for handling information derived from cookies; and (4) have personal approval by the head of the agency.
The memo further states that cookies on federal sites are appropriate only when there is a “compelling need to gather the data on the site.” It also requires “appropriate and publicly disclosed privacy safeguards for handling of information derived from cookies.”
All of which prompted David Brandt, president of PIR, to write the CIA on Friday.
“I am writing about the cookie issued by this site. I realize that someone may have added the cookie plug-in at the server, and that you have nothing to do with this cookie,” Brandt stated in his letter. “Moreover, the privacy notice on the site makes no mention of this persistent cookie. And, I presume, you are unable to show that the Director of Central Intelligence has authorized your use of persistent cookies on this site.”
Mike S. [last name deleted], the CIA’s webmaster, promptly responded: “I’m the site manager for the DCI/CIA public website and was asked to investigate your observations and reply to you. You are absolutely right: that part of the DCI/CIA website at www.foia.ucia.gov, which is hosted separately from the main site, has been setting persistent cookies — unbeknownst to us. And because we were unaware this was occurring, neither our overall site notices nor the Electronic Reading Room’s specific notices contained information about these cookies. I am very familiar with Federal policy on cookie use, and prior to your note, I believed that our website was in full compliance.”
Mike S. further explained, “Here’s what happened: The Central Intelligence Agency’s former Electronic Document Release Center site was completely redesigned by a contractor with whom we no longer do business and reposted as the Electronic Reading Room on January 29, 2002. As you surmised, the contractor incorporated into the site a popular commercial software program for analyzing Electronic Reading Room log files containing information about visitor traffic. Neither the contractor nor the ERR site manager nor I were aware that this particular program, apparently by default, sets a persistent cookie to determine if a visitor is a repeat visitor, information the software then uses in producing statistical reports regarding site traffic. I’ve been assured that this cookie contained no personal information. It was not a third-party cookie. And the ERR’s host server does not set cookies.”
When Brandt checked the site on Monday, he found the persistent cookie had been removed and the privacy statement updated. However, he discovered the site was still setting session cookies, which expire after the reader leaves the site.
In another communication with Mike S., Brandt thanked him and said the use of session cookies was not a concern to him. Apparently it was to the CIA’s webmaster.
“I’m personally very embarrassed to find out that we are still setting session cookies after I said we are not — a fact I became painfully aware of after sending you my response. With the perfect clarity of hindsight, I should have personally checked what I had been told before I pressed ‘send,’” he wrote to Brandt. “The Electronic Reading Room website contractor is unsure what is generating the session cookie. He is going to call the company hosting the site to ask, again, if their server software is setting a session cookie. In the end, depending on what’s generating it, he said the session cookies may turn out to be a function of some of the software used (he was not specific) and that we may not be able to turn session cookies off. If that turns out to be the case, we will determine the session cookie’s use and modify our legal notices to accurately reflect that they are in use on the Electronic Reading Room site and their purpose.”
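The whole episode turns on a distinction that is visible in a site's own HTTP responses: a cookie is persistent only if its Set-Cookie header carries a Max-Age or Expires attribute; without either it is a session cookie that the browser discards when it closes. The check the webmaster says he should have done before replying can be automated. The following is an added example written for this page, not code from the article, from PIR or from the CIA site; it parses Set-Cookie header values, classifies each cookie, and lists any persistent cookie that a site's privacy notice does not mention. The header values, the reference time and the set of disclosed cookie names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class CookieReport:
    name: str
    kind: str                       # "session", "persistent" or "removal"
    lifetime_seconds: Optional[int]  # None for session cookies
    attributes: Dict[str, str]


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def classify_cookie(header: str, now: datetime) -> CookieReport:
    """Decide whether a Set-Cookie header creates a session or persistent cookie.
    Per RFC 6265, Max-Age takes precedence over Expires; if neither is present
    (or neither parses) the cookie lives only for the browser session."""
    name, _value, attrs = parse_set_cookie(header)
    lifetime: Optional[int] = None

    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        lifetime = int(max_age)
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:          # treat a naive date as UTC
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = int((expires - now).total_seconds())
        except (TypeError, ValueError):
            lifetime = None                     # unparsable Expires is ignored

    if lifetime is None:
        kind = "session"
    elif lifetime <= 0:
        kind = "removal"    # an expiry in the past tells the browser to delete it
    else:
        kind = "persistent"
    return CookieReport(name, kind, lifetime, attrs)


def audit_set_cookie_headers(headers: List[str], now: datetime) -> List[CookieReport]:
    """Classify every Set-Cookie header observed in a site's responses."""
    return [classify_cookie(h, now) for h in headers]


def undisclosed_persistent(reports: List[CookieReport], disclosed: Set[str]) -> List[str]:
    """Names of persistent cookies that the privacy notice does not list.
    These are the ones the OMB guidance's notice requirement is about."""
    return [r.name for r in reports if r.kind == "persistent" and r.name not in disclosed]


# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "visitor_id=7f3a9c; Expires=Wed, 29 Jan 2003 00:00:00 GMT; Path=/",  # analytics tag
    "search_state=q%3Dbudget; Path=/; HttpOnly",                         # session only
    "old_pref=; Max-Age=0; Path=/",                                      # deletion
]
# Constructed reference time at which the responses were observed.
NOW = datetime(2002, 2, 4, tzinfo=timezone.utc)
# Constructed: cookie names the (hypothetical) privacy notice mentions.
DISCLOSED = {"search_state"}


if __name__ == "__main__":
    for report in audit_set_cookie_headers(SAMPLE_HEADERS, NOW):
        print(f"{report.name:14} {report.kind:10} lifetime={report.lifetime_seconds}")
    print("persistent but undisclosed:",
          undisclosed_persistent(audit_set_cookie_headers(SAMPLE_HEADERS, NOW), DISCLOSED))
```

Run against the real Set-Cookie headers of a site you administer (for example, collected with the browser's developer tools or from server logs), the report separates the cookies a privacy notice must describe from the session cookies that expire on their own, and the "removal" class catches headers that only clear an old cookie rather than set one.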