More agencies use cookies to track Web activity

Some federal departments have obtained waivers to sidestep a long-standing policy that bars government Web sites from tracking visitor activity on the Internet.

In 2000, the Office of Management and Budget issued a federal policy banning the use of persistent cookies, files that a Web site deposits on a user's computer to collect information about how the visitor navigates the site to provide more personal interaction.

The policy was established to protect personal privacy, but it hinders the government's ability to provide richer online experiences for the public, say critics of the ban.

They add that the ban is outdated and stymies efforts to solicit and respond to what the public wants, noting commercial sites routinely employ cookies to enhance their public outreach. Even civil liberties advocates favor the use of agency cookies as long as they allow visitors to opt out and do not collect personally identifiable information. White House officials began considering a new cookie framework last summer, but they have not instituted changes yet.

Some Obama administration officials and many open government activists have urged OMB to rewrite the policy so Web managers can tailor agency sites to visitors' preferences and conduct other traffic analysis that the public now typically expects from private sector sites.

In the meantime, some departments, including the General Services Administration and NASA, have used a little-noticed provision in the original cookie policy that allows agency heads to authorize the use of the tracking technologies if they have a "compelling need." OMB is not required to sign off on the waivers, nor are agencies required to tell OMB if managers have granted waivers. A 2003 revision to the cookie policy stated agencies must report the use of tracking technology to OMB, and identify the circumstances, safeguards and approving official.

But OMB officials said subsequent memos instructing agencies on how to update OMB on e-government activities dropped the notification rule, so currently agencies are not required to inform OMB about waivers.

GSA in January approved a waiver for a governmentwide Web tool to use cookies to speed the sign-in process for citizens who want to participate in online debates about open government. Departments now are using the application, called IdeaScale, to seek recommendations for plans due on April 7 that will incorporate the principles of public participation, agency transparency and private sector collaboration into government's daily operations. The plans are the centerpiece of a directive the White House issued in December.

NASA sought a sanctioned workaround to the cookie ban to make it easier for visitors to maneuver through its many images, videos and other online activities related to its high-profile missions, agency officials said on Monday.

Since 2005, NASA has used tracking technology to observe where people travel on the site, collect aggregate search results and follow user clicks to recommend sites to other visitors. For example, a user might see a message when visiting a Hubble space telescope page that states, "People who read this also read . . . ." The suggestions are based on previous users' click patterns. The cookies also store preferences for users who create "myNASA" personal accounts.

In addition, the technology is deployed to "remember when a user has been offered the customer-satisfaction survey so that frequent visitors are not constantly peppered with it," NASA spokesman David Steitz said on Monday. "Though individual click paths are observed, none is associated with an IP address [the series of numbers that identifies a user's computer] or anything else that might help to identify an individual."

The process of obtaining a waiver from the NASA administrator took only a few months, Steitz said. Ultimately, it was approved by the chief information officer, assistant administrator for public affairs and, as required by OMB, the administrator. More recent waivers were approved by the CIO in a matter of days, he added.

Like NASA's sites, many pages operated by the National Institutes of Health automatically issue surveys that rely on cookies, according to an NIH privacy notice. The cookies only record that the visitor was offered the chance to answer questions and they expire within 90 days of being deposited on a computer.

IdeaScale's cookies give users the option of letting the tool save their login information so users don't have to re-enter passwords every time they have a suggestion or want to comment on other users' recommendations. Cookies also allow users to sign in with an existing ID from outside Web service providers, including Google, Yahoo and AOL.

"No personal information is saved in either of these two cookies set by IdeaScale, nor can these cookies be used to track user activities across other Web sites," said Gwynne Kostin, who works at the Center for New Media and Public Engagement at GSA.

Ari Schwartz, vice president and chief operating officer at the privacy group Center for Democracy and Technology, said the center has met with OMB officials to retool the online tracking policy under the rubric of open government. The center is one of the civil liberties organizations that supports federal cookies within limits.

The center has concerns about the current waiver provision and looks forward to an overhaul of the whole policy, he said.

The waiver process "was meant to be a roadblock to prevent rapid spread of cookies," Schwartz said. "If we stick to this waiver policy, over time it's going to deteriorate. . . . It won't be based on whether privacy threats have been addressed but will be based on how quickly an agency can get approval from a senior official."
