CIO Council serving 'cookies' guide

Featured eBooks
CDM
Read Now

Future-Ready Workforce

Read Now

Health Tech

Read Now
Insights & Reports
Redefining Mission Security
Presented By Babel Street
Download Now
Defending government cloud against advancing threats
Presented By CrowdStrike
Download Now
By Diane Frank,
FCW

By Diane Frank,
FCW

|

The CIO Council is putting together a guide that will allow agencies to use 'cookies' while following administration policy and privacy advocates' recommendations on the touchy issue.

GAO report: "Internet Privacy: Federal Agency Use of Cookies"

Related Links

OMB June 1999 privacy policy

OMB June 2000 privacy policy

OMB September correspondence on cookies

"Cookies prove persistent"

"Congress: Stay out of the cookie jar"

The CIO Council is putting together a guide that will allow agencies to

use "cookies" while following administration policy and privacy advocates'

recommendations on the touchy issue.

The council's action results from a decision in June by the Office of

Management and Budget to issue a revised privacy policy by the Clinton administration.

The policy forbids agencies from using persistent cookies — software a Web

server places on a user's hard drive for a certain amount of time to identify

the user on return visits.

Agencies may only use persistent cookies if they notify visitors, demonstrate

a clear need to use the technology and get the approval of the agency head.

Agencies are allowed to use session cookies, which are erased when the user's

Web browser is closed, without special conditions.

"We think we've taken major measures, and we're working with the CIO

Council to find ways to make sure privacy policies are followed all the

way through [agencies'] sites and not just at the top level," said Peter

Swire, chief counselor for privacy at OMB.

OMB gave agencies until December to remove persistent cookies from their

Web sites and to detail how they are using the technology. But unhappy members

of Congress are holding hearings and a recent General Accounting Office

study found that agencies still use cookies, so OMB has stepped up its attention.

Agencies are trying to use technologies to enhance their Web-based services

to citizens, and it's understandable that citizens are wary, said Roger

Baker, co- chairman of the CIO Council's privacy committee. "A service the

CIO Council could provide is to say, "Here are valid reasons and rationales

for using cookies.' "

By putting all the different agency methods together and allowing everyone

to see and use them, agencies will not have to be afraid of pressure from

Congress or a reprimand from OMB, Baker said.

There are legitimate uses for persistent cookies. The most cited example

is the online shopping cart on the U.S. Mint's site to buy coins, but agencies

using such cookies must indicate their use in privacy policies, according

to Baker. So Congress and agencies should not act too quickly and throw

the baby out with the bathwater, he said.

"I understand why we ought to be really careful in the federal government

with any tracking that we do...but privacy is the issue, not cookies," he

said.

The underlying issue is ensuring that agencies follow both the administration's

policy and their own, agreed Baker and Ari Schwartz, senior policy analyst

for the Center for Democracy and Technology. So, on behalf of the CIO Council,

Baker is collecting information from all agencies on whether they are electing

to retain their persistent cookies, for what reason and how they justified

that use to their administrator and OMB.

"If we all say it the same way and make sure that we've all got ourselves

in a row, then it will be much easier for people to understand," Baker said.

NEXT STORY: Healthy choice