Skip to main content

Full text of "DTIC ADA383637: Internet Privacy: Federal Agency Use of Cookies"

See other formats


Accountability * Integrity » Reliability 


United States General Accounting Office 
Washington, DC 20548 


October 20, 2000 


The Honorable Fred Thompson 

Chairman, Committee on Governmental Affairs 

United States Senate 


Subject: Internet Privacy: Federal Agency Use of Cookies 


Dear Mr. Chairman: 


As requested by your office, we have been reviewing selected federal agencies’ use of 
cookies on their web sites. A cookie is a short string of text—not a program—that is sent 
from a web server to a web browser when the browser accesses a web page. The use of 
cookies allows the server to recognize returning users, track on-line purchases, or maintain 
and serve customized web pages. Domain cookies are cookies placed by the visited web site. 
However, some web sites also allow the placement of third-party cookies—cookies placed on 
a visitor’s computer by a domain other than the site being visited. The domain and third- 
party cookies may be further grouped into session cookies and persistent cookies. Session 
cookies are short-lived, are used only during the browsing session, and expire when the user 
quits the browser. Persistent cookies specify expiration dates, remain stored on the client’s 
computer until the expiration date, and can be used to track users’ browsing behavior by 
identifying their Internet addresses whenever they return to a site. 

The purpose of this letter is to respond to your request for interim information on federal 
agency use of cookies as of September and October 2000. Specifically, you asked us to 
identify agency web sites that used cookies but did not disclose this use in their privacy 
policies and to identify the type of cookie used. In addition, you asked us to identify agency 
web sites that use persistent cookies. Enclosure I provides this information. 

We reviewed 65 web sites. This total consisted of (1) the web sites operated by the 32 high- 
impact agencies, which handle the majority of the government’s contact with the public; 

(2) 32 web sites randomly selected from the General Services Administration’s government 
domain registry data base; and (3) the Federal Trade Commission’s web site. See enclosure 
II for a list of the sites we reviewed. We reviewed certain web sites twice. During our 
August through September 2000 review, we visited all 65 web sites to determine (1) which of 
the selected federal sites were using cookies, (2) the type of cookies used, and (3) whether 
the privacy policy disclosed that the site may or does use cookies. We again reviewed sites 
that used cookies on October 17, 2000. We conducted our review from August through 
October 2000 in accordance with generally accepted government auditing standards. 


STIC QUALIFY jEjlm 4 

20001101 017 


GAO-01-147R Federal Agency Use of Cookies 

DISTRIBUTION STATED* i a 
A pproved for Public Release 
Distribution Unlimited 




On October 18,2000, we requested comments on a draft of this letter from the Office of 
Management and Budget. In a letter dated October 19, 2000, OMB’s Deputy Director for 
Management said that OMB appreciates the helpful information provided and plans to 
contact these agencies to reinforce administration policy. She also noted that OMB has 
required agencies to report directly to OMB in this year’s budget requests about the steps 
they have taken to comply with administration policy concerning privacy, cookies, and 
federal web sites. OMB’s letter is reprinted in enclosure III. 

As agreed with your office, unless you publicly announce the contents of this letter earlier, 
we will not distribute it until 30 days from its date. At that time, we will send copies of this 
letter to the Honorable Joseph I. Lieberman, Ranking Minority Member, Senate Committee 
on Governmental Affairs; and the Honorable Dan Burton, Chairman, and the Honorable 
Henry A. Waxman, Ranking Minority Member, House Committee on Government Reform. 
We are also providing a copy of this letter to the Honorable Jacob J. Lew, Director, Office of 
Management and Budget. We will also provide copies to interested parties upon request. 

Please contact me at (202) 512-6240 if you or your staff have any questions. I can also be 
reached by e-mail at koontzl@gao.gov. Key contributors to this report were Scott A. Binder, 
Mirko J. Dolak, and M. Yvonne Sanchez. 

Sincerely yours, 

Linda D. Koontz 

Director, Information Management Issues 


Enclosures 


Page 2 


GAO-01-147R Federal Agency Use of Cookies 



ENCLOSURE I ENCLOSURE I 

COOKIES ON SELECTED FEDERAL WEB SITES 
Table 1: Federal Web Sites Giving Domain Cookies Without Disclosure 


Office of Personnel 
Management 


Web Address 

http :/A \ ’mv. ovm. gov/demos/index. h tm 


http://w r ww. opm.gov 


Persistent Found in Found in 

Cookie Sept. Oct. 

2000 2000 




U.S. Trade and Development I http://www.Ida.eov/forms/ guestbook,cfm 
Agency _ 


Bureau of Land Management 


Federal Aviation 
Administration 


Ames Laboratory 


Bureau of Labor Statistics 


Health Care Financing 

Administration _ 

National Park Service 


http://www. ameslab. gov/overview/glance 
.html 


http://www. bis, sov/search/search, as 
http://wm\\bls.gov 


http://www.hcfa. gov/search/ 
h ttp://reservations, nps. gov/ 



s 







U.S. Forest Service 


http://www. fs. fed, m/gtobau 
htto://www. fs. fed, us/rein vent ion / 


Page 3 




















ENCLOSURE I 


ENCLOSURE I 


Table 3: Federal Web Sites Giving Persistent Domain Cookies With Disclosure 


Web Site 

Web Address 

Session 

Cookie 

Persistent 

Cookie 

Found in 
Sept. 
2000 

Found 
in Oct. 
2000 

U.S. Postal Service 

httv://new. usds, com/cm- 
bin/usDsbv/scriDts/fronl.isD 


✓ 

♦ 

♦ 

General Service 

Administration 

h ttv ://vub. fss. zsa. zov/fmfcurrent 


✓ 

♦ 

♦ 

Small Business Administration 

h ttD’J/avv l.sba. zo v/buscard/ 


A 


♦ 

Institute of Museum and 

Library Services 

http: //www. imls. zovfutility/contact. htm 
when clicking on "About IMLS" 


/ 


♦ 


Page 4 


GAO-01-147R Federal Agency Use of Cookies 









ENCLOSURE II 


ENCLOSURE II 


LIST OF FEDERAL WEB SITES REVIEWED 


Agency/Department 

Web Site Address 

Group 

Department of Agriculture 

Animal and Plant Health Inspection Service 

www.aphis.usda.gov 

High-Impact Agency 

Food Safety and Inspection Service 

www.fsis.usda.gov 

High-Impact Agency 

Food, Nutrition, and Consumer Service 

www.fhs.usda.gov 

High-Impact Agency 

National Agricultural Library 

www.nalusda.gov 

Random Sample 

National Genetic Resources Program 

www.ars-grin.gov 

Random Sample 

USDA Forest Service 

www.fs.fed.us 

High-Impact Agency 

department of Commerce 

FedWorld 

www.fedworld.gov 

Random Sample 

National Weather Service 

wwAv.nws.noaa.gov 

High-Impact Agency 

The Official U.S. Time 

wwwLtime.gov 

Random Sample 

U.S. Census Bureau 

www.census.gov 

High-Impact Agency 

U.S. Commercial Service 

wwwLUsatrade.gov 

High-Impact Agency 

U.S. Patent and Trademark Office 
department of Defense 

ACQWeb 

Department of Education 

Office of Student Financial Assistance Programs 

www.uspto.gov 

wwwLacq.osd.mil 

wwwLed.gov/offices/OSFAP 

High-Impact Agency 

High-Impact Agency 

High-Impact Agency 

Department of Energy v; : | ? ••; f ^ 

Albuquerque Operations Office 

www.doeal.gov 

Random Sample 

Ames Laboratory 

WAVw.ameslab.gov 

Random Sample 

Femald Environmental Management Project 

wwwLfemald.gov 

Random Sample 

Southeastern Power Administration 

www.sepa.fed.us 

Random Sample 

Department of Health and Human Services 
Administration for Children and Families 

wAvw.acf.dhhs.gov 

High-Impact Agency 

Health Care Financing Administration 

wwAv.hcfa.gov 

High-Impact Agency 

IGnet 

www.ignet.gov 

Random Sample 

National Institute of Allergy and Infectious Diseases 

www.hsroad.gov 

Random Sample 

National Institute on Drug Abuse 

www.dmgabuse.gov 

Random Sample 

U.S. Food and Drug Administration 

www.fda.gov 

High-Impact Agency 

Department of Housing and Urban Development 

Code Talk 1 

Department of the InfeSyr 

Bureau of Land Management 

wAVAv.codetalk.gov 

www.blm.gov 

Random Sample 

'yJjlk'E: ^ i 

High-Impact Agency 

National Park Service 

www.nps.gov 

High-Impact Agency 

Department of Justice 

Federal Bureau of Investigation 

www.fbi.gov 

Random Sample 

Immigration & Naturalization Service 

Department of Labor 

Bureau of Labor Statistics 

www.ins.usdoj .gov 

www.bls.gov 

High-Impact Agency 

Random Sample 

Occupational Safety & Health Administration 

www.osha.gov 

High-Impact Agency 


'Code Talk is an interagency site that is hosted but not owned by HUD. 


Page 5 


GAO-01-147R Federal Agency Use of Cookies 







ENCLOSURE II 


ENCLOSURE II 


Department of State 

Bureau of Consular Affairs 

www.travel.state.gov 

High-Impact Agency 

International Information Programs 

www.usia.gov 

Random Sample 

[Department ofTransportation 

Central Federal Lands Highway Division 

www.cflhd.gov 

Random Sample 

Federal Aviation Administration 

Department of the Treasury 

Customs Service 

www.faa.gov 

www.customs.gov 

High-Impact Agency 

High-Impact Agency 

Financial Management Service 

www.fms.treas.gov 

High-Impact Agency 

Internal Revenue Service 

www.irs.ustreas.gov 

High-Impact Agency 

^Department of Veterans Affairs 

Veterans Benefits Administration 

www.vba.va.gov 

High-Impact Agency 

Veterans Health Administration 

www.va.gov/About_VA/ Orgs/ 
VHA/index.htm 

High-Impact Agency 

[Independent Agencies 

African Development Foundation 

www.adf.gov 

Random Sample 

Environmental Protection Agency 

www.epa.gov 

High-Impact Agency 

Farm Credit Administration 

www.fca.gov 

Random Sample 

Farm Credit System Insurance Corporation 

www.fcsic.gov 

Random Sample 

Federal Communications Commission 

www.fcc.gov 

Random Sample 

Federal Emergency Management Agency 

www.fema.gov 

High-Impact Agency 

Federal Retirement Thrift Investment Board 

www.frtib.gov 

Random Sample 

Federal Trade Commission 

www.ftc.gov 

Special Selection 

FinanceNet 

www.fmancenet.gov 

Random Sample 

General Services Administration 

www.gsa.gov 

High-Impact Agency 

Institute of Museum and Library Services 

www.imls.fed.us 

Random Sample 

National Aeronautics and Space Administration 

www.nasa.gov 

High-Impact Agency 

National Credit Union Administration 

www.ncua.gov 

Random Sample 

National Science Foundation CISE 

www.cise.nsf.gov 

Random Sample 

Occupational Safety and Health Review Commission 

www.oshrc.gov 

Random Sample 

Office of the Federal Environmental Executive 

www.ofee.gov 

Random Sample 

Office of Personnel Management 

www.opm.gov 

High-Impact Agency 

Small Business Administration 

www.sba.gov 

High-Impact Agency 

Social Security Administration 

www.ssa.gov 

High-Impact Agency 

The Access Board 

www.access-board.gov 

Random Sample 

The White House Fellows Program 

www.whitehousefellows.gov 

Random Sample 

Thrift Savings Plan 

www.tsp.gov 

Random Sample 

U.S. Nuclear Regulatory Commission 

www.nrc.gov 

Random Sample 

U.S. Postal Service 

newMisps.com 

High-Impact Agency 

U.S. Trade and Development Agency 

www.tda.gov 

Random Sample 


Page 6 


GAO-01-147R Federal Agency Use of Cookies 










ENCLOSURE III 


ENCLOSURE III 


COMMENTS FROM THE OFFICE OF MANAGEMENT AND BUDGET 


EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF MANAGEMENT AND BUDGET 
WASHINGTON, D.C. 20503 


DEPUTY DIRECTOR 
FOR MANAGEMENT 


October 19,2000 


Ms. Linda Koontz 

Associate Director, Government-Wide 
and Defense Information Systems 
General Accounting Office 
Washington, DC 20548 

Dear Ms. Koontz: 

Thank you for providing your draft report entitled Internet Privacy: Federal Use of 
Cookies (GAO-01-147R), which I received this morning. I am pleased to present comments 
from the Office of Management and Budget on this report. 

As you know, OMB issued guidance on June 22,2000 (Memorandum M-00-13) 
concerning privacy policies and data collection on Federal web sites. There are particular 
privacy concerns when web technology can track the activities of users over time and across 
different web sites. In light of the unique laws and traditions about government access to the 
personal information of citizens, the Director stated that the presumption should be that cookies 
will not be used at Federal web sites or by contractors when operating web sites on behalf of 
agencies. Under this policy, cookies should not be used unless there is: clear and conspicuous 
notice; a compelling need to gather the data on the site; appropriate and publicly disclosed 
privacy safeguards for handling of information derived from cookies; and personal approval by 
the head of the agency. 

This policy was explained in more detail in a letter on September 5,2000 from OMB’s 
Administrator of the Office of Information and Regulatory Affairs to the Chief Information 
Officer at the Department of Commerce. As you correctly differentiate in your draft report, there 
is an important distinction between so-called "persistent" cookies and "session" cookies. The 
latter, which retain information only during a single session, do not collect information in ways 
that raise privacy concerns. These session cookies also have important advantages for electronic 
government, and do not fall within the scope of Memorandum 00-13. 

Concerning your report, we appreciate the useful information that you have provided 
about federal web sites that have not yet come into compliance with OMB policy. We will 
contact those agencies promptly, to reinforce Administration policy. 



Page 7 


GAO-01-147R Federal Agency Use of Cookies 






ENCLOSURE III 


ENCLOSURE III 


As you know, the June 22,2000, memorandum from OMB also required agencies to 
report directly to OMB in this year’s budget requests, as part of the submission on information 
technology, about the steps they have taken to comply with Administration policy concerning 
privacy, cookies, and federal web sites. We will receive these reports from the agencies in 
December, and use the data from these reports to make certain that the policy is being 
implemented appropriately. 

Thank you once again for providing us with the draft report, which assists our continuing 
efforts to assure that web sites across the government are held to the highest standards of 
protecting citizens' privacy. 


Sincerely, 




Sally Katzen 


2 


(310304) 


Page 8 


GAO-01-147R Federal Agency Use of Cookies