More agencies use cookies to track Web activity

As demand for personal online services increases, privacy groups and Web advocates call for rethinking a ban on persistent files that track how individuals use federal sites.

Some federal departments have obtained waivers to sidestep a long-standing policy that bars government Web sites from tracking visitor activity on the Internet.

In 2000, the Office of Management and Budget issued a federal policy banning the use of persistent cookies, files that a Web site deposits on a user's computer to collect information about how the visitor navigates the site to provide more personal interaction.

The policy was established to protect personal privacy, but it hinders the government's ability to provide richer online experiences for the public, say critics of the ban.

They add that the ban is outdated and stymies efforts to solicit and respond to what the public wants, noting that commercial sites routinely employ cookies to enhance their public outreach. Even civil liberties advocates favor the use of agency cookies as long as they allow visitors to opt out and do not collect personally identifiable information. White House officials began considering a new cookie framework last summer, but they have not instituted changes yet.

Some Obama administration officials and many open government activists have urged OMB to rewrite the policy so Web managers can tailor agency sites to visitors' preferences and conduct other traffic analysis that the public now typically expects from private sector sites.

In the meantime, some departments, including the General Services Administration and NASA, have used a little-noticed provision in the original cookie policy that allows agency heads to authorize the use of the tracking technologies if they have a "compelling need." OMB is not required to sign off on the waivers, nor are agencies required to tell OMB if managers have granted waivers. A 2003 revision to the cookie policy stated agencies must report the use of tracking technology to OMB, and identify the circumstances, safeguards and approving official.

But OMB officials said subsequent memos instructing agencies on how to update OMB on e-government activities dropped the notification rule, so currently agencies are not required to inform OMB about waivers.

GSA in January approved a waiver for a governmentwide Web tool to use cookies to speed the sign-in process for citizens who want to participate in online debates about open government. Departments now are using the application, called IdeaScale, to seek recommendations for plans due on April 7 that will incorporate the principles of public participation, agency transparency and private sector collaboration into government's daily operations. The plans are the centerpiece of a directive the White House issued in December.

NASA sought a sanctioned workaround to the cookie ban to make it easier for visitors to maneuver through its many images, videos and other online activities related to its high-profile missions, agency officials said on Monday.

Since 2005, NASA has used tracking technology to observe where people travel on the site, collect aggregate search results and follow user clicks to recommend sites to other visitors. For example, a user might see a message when visiting a Hubble space telescope page that states, "People who read this also read . . . ." The suggestions are based on previous users' click patterns. The cookies also store preferences for users who create "myNASA" personal accounts.

In addition, the technology is deployed to "remember when a user has been offered the customer-satisfaction survey so that frequent visitors are not constantly peppered with it," NASA spokesman David Steitz said on Monday. "Though individual click paths are observed, none is associated with an IP address (the series of numbers that identifies a user's computer) or anything else that might help to identify an individual."

The process of obtaining a waiver from the NASA administrator took only a few months, Steitz said. Ultimately, it was approved by the chief information officer, assistant administrator for public affairs and, as required by OMB, the administrator. More recent waivers were approved by the CIO in a matter of days, he added.

Like NASA's sites, many pages operated by the National Institutes of Health automatically issue surveys that rely on cookies, according to an NIH privacy notice. The cookies only record that the visitor was offered the chance to answer questions and they expire within 90 days of being deposited on a computer.

IdeaScale's cookies give users the option of letting the tool save their login information so users don't have to re-enter passwords every time they have a suggestion or want to comment on other users' recommendations. Cookies also allow users to sign in with an existing ID from outside Web service providers, including Google, Yahoo and AOL.

"No personal information is saved in either of these two cookies set by IdeaScale, nor can these cookies be used to track user activities across other Web sites," said Gwynne Kostin, who works at the Center for New Media and Public Engagement at GSA.

Ari Schwartz, vice president and chief operating officer at the privacy group Center for Democracy and Technology, said the center has met with OMB officials to retool the online tracking policy under the rubric of open government. The center is one of the civil liberties organizations that supports federal cookies within limits.

The center has concerns about the current waiver provision and looks forward to an overhaul of the whole policy, he said.

The waiver process "was meant to be a roadblock to prevent rapid spread of cookies," Schwartz said. "If we stick to this waiver policy, over time it's going to deteriorate. . . . It won't be based on whether privacy threats have been addressed but will be based on how quickly an agency can get approval from a senior official."
