Much Ado About (NSA) Cookies (Updated)

By Michael Santo
Contributing Writer, RealTechNews

Cookies, cookies, cookies. You get them all the time at many, if not most of the sites you visit. Most of these are used to track your shopping carts, preferences, etc. Yesterday it was revealed that the National Security Agency (NSA) website has been using cookies as well, and a great furor arose. But are these any different from what you usually are subjected to?

The answer is “probably” not, but after the New York Times revealed the Bush administration’s secret domestic spying program … well, this sort of thing doesn’t sit well with most people, and especially not with privacy advocates. In fact, session cookies are OK; it’s persistent cookies, those that survive ending the browser session, that are not.

In a 2003 memo, the White House’s Office of Management and Budget prohibits federal agencies from using persistent cookies — those that aren’t automatically deleted right away — unless there is a “compelling need.”

A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy.

Peter Swire, a Clinton administration official who had drafted an earlier version of the cookie guidelines, said clear notice is a must, and `vague assertions of national security, such as exist in the NSA policy, are not sufficient.”

Daniel Brandt, a privacy activist who discovered the NSA cookies, said mistakes happen, “but in any case, it’s illegal. The (guideline) doesn’t say anything about doing it accidentally.”

Don Weber, an NSA spokesman, said in a statement Wednesday that the cookie use resulted from a recent software upgrade. “After being tipped to the issue, we immediately disabled the cookies,” he said. Source: AP via Yahoo! News

Update: The White House Friday announced its website would continue to use cookies and Web bugs, deciding that they aren’t prohibited after all under 2003 federal privacy guidelines.

We Say: It’s not like the Administration is installing spyware but, as I said, in light of recent developments this is bound to set off a storm … and perhaps, based on the domestic spying story, it’s not unjustified. Personally, I don’t like persistent cookies anyway, and you can set your browser to block cookies at specific sites (in the Privacy settings). This story isn’t going to go away, though. Today it was revealed that the White House website also uses persistent cookies. We’ll probably see a lot more coverage in the next several days.