...policies on their sites and suggested model language.
Then came a public flap over the tracking technologies employed by the White House's antidrug site Freevibe.com. Shortly afterward, the White House published a directive restricting agencies from using any sort of cookies or other "automatic means of collecting information" at their sites except in narrow circumstances. The latest, 2003, directive continued the restriction on permanent (sometimes called persistent) cookies but permitted temporary ones that last only as long as the browser window is open.
Failure to follow the rules has plagued government agencies before. In 2001, the Defense Department's Inspector General reviewed the agency's 400 sites and found "persistent" cookies on 128 of them. The Central Intelligence Agency admitted in 2002 that it had also been using the proscribed cookies without proper clearance, and it stripped them from its sites.
The level of compliance with the rules appears to have changed little since a 2000 General Accounting Office survey, which revealed that at least a dozen agencies were still using cookies in apparent violation of the rules.
Persistent by default
Many of the cookies appearing on the errant Web sites were generated by ColdFusion, the popular Web authoring tool. When the software creates certain types of cookies, it automatically assigns them a default "persistent" setting, which sets them to expire about 30 years in the future, said senior project manager Tim Buntel.
ColdFusion's software architects encourage Web developers to use an application that allows them to manage and make changes to the cookie settings as they see fit, Buntel said, adding that "any ColdFusion application can be built completely without any cookie use."
Representatives at several agencies said they were astonished to see cookies on their Web sites, and they blamed their Web designer's lack of understanding of ColdFusion's default settings.
The Defense Threat Reduction Agency immediately altered the settings on discovering that its ColdFusion developers had neglected to tweak the defaults. "We never have kept a database of any such information," said spokesman William Alberque.
"Frankly, I don't think anybody here even realised they existed, but now they do, and we'll follow up on it," said Daniel Horowitz, a spokesman for the US Chemical Safety and Hazard Investigation Board.
One Smithsonian Institution Web staffer, who initially denied the existence of persistent cookies detected by CNET News.com on the National Air and Space Museum's site, said that ColdFusion settings were probably to blame. "Regardless, I can assure you that we are not currently using or distributing cookie information," the representative said in a statement sent to CNET News.com.
A few others, including the Federal Reserve Board and the US Institute of Peace, said they're independent agencies that are not bound by the 2003 directive from the Office of Management and Budget (OMB). "We are not a government agency," said Calvin Mitchell, senior vice-president at the Federal Reserve Bank of New York. "We try to fulfil the spirit of certain government regulations as we can, but we're not obliged to follow those."
A White House official suggested a different interpretation. "When it comes to federal government Web sites, the policy is clear, and so anything that ends in a .mil or a .gov would fall underneath the federal policy as outlined in the OMB guidance," said David Almacy, the White House's Internet director.
Only one federal agency contacted this week appeared to comply fully with the directive. The National Institute of Dental and Craniofacial research says it received the necessary permission in January 2005 to enable cookies on its Web site for a survey. The cookies, which expire in one month, are used to avoid asking the same people to complete the survey.
The White House says that because it only uses a 1 pixel-by-1 pixel image that loads from WebTrends' site, it complies with the 2003 directive from the Office of Management and Budget. "There are no cookies being placed either on the Web site, from the White House or from WebTrends," Almacy said. "No personal information was gleaned, no cookies were being used, but OMB guidance is pretty clear. The White House Web site is and always has been in compliance with OMB guidance."
