NSA Caught Serving Cookies
Illegally on White House Website
Red Herring 29dec2005
Who shall guard the guards as cookie crumbs lead to the National Security Agency?
The National Security Agency got caught with its hand in the cookie jar, literally, on Wednesday.
The NSA, which functions as the United States’ information systems watchdog, admitted it has been posting cookies on the computers of visitors to its web site, despite federal rules banning such activity.
Cookies are small files placed on computers by web programs residing on sites visited by those computers. They were originally designed to hold identifying information to make web surfing easier and faster.
Today cookies are used to store all kinds of information, including the content of a web surfer’s electronic shopping cart. Many web surfers are concerned about the lack of privacy involved in the surreptitious placement of cookies on their computer hard drives.
They are helpful, for the most part, but they carry the potential for abuse because they can monitor and document the activities of web surfers.
The NSA ended its cookie distribution when a privacy activist and the Associated Press started asking questions about the cookie placements. An NSA spokesperson told the AP that a recent software upgrade at the agency created a new cookie-producing facility. The software added cookies to web surfers’ hard drives that carried 2035 expiration dates.
Prior to the installation of the updated software, said the spokesperson, the NSA site produced relatively harmless cookies that would be deleted when users closed their web browsers.
Breaking the Cookie Law
Posting long-term cookies on web surfers’ hard drives is a direct violation of a June 2000 policy recommendation issued by the Office of Management and Budget that bans such activities.
The issue of computer security and eavesdropping has taken center stage in Washington, D.C., as the U.S. Federal Communications Commission attempts to redraw the boundaries of the Communications Assistance for Law Enforcement Act (CALEA).
The 1994 law requires telephone companies and ISPs to allow certain government agencies access to listen in or monitor phone calls or web activity unbeknownst to the user.
Back in August the FCC limited the requirement to “facilities-based broadband Internet access service providers and VoIP providers that offer services permitting users to receive calls from, and place calls to, the public switched telephone network (PSTN)” (see Wiretap Rules Split VoIP).
That, on the surface, exempts peer-to-peer architectures, including eBay’s Skype service, and instant messaging products such as Google Talk. But law enforcement agencies such as the Federal Bureau of Investigation and the Drug Enforcement Agency are reportedly up in arms over any such technical exemptions.
source: http://www.redherring.com/Article.aspx?a=15085&hed=NSA+Caught+Serving+Cookies 30dec2005
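The article above distinguishes cookies that are deleted when the browser closes from cookies carrying a 2035 expiration date. The following added example (not part of the original article, and not code from any agency or vendor) shows how a site operator can tell the two apart by parsing the Set-Cookie headers a server sends; the header values, cookie names and audit date are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def classify_set_cookie(value, now):
    """Return (name, kind, lifetime_days) for one Set-Cookie value.

    kind: "session" (no Expires/Max-Age, dropped when the browser closes),
    "persistent" (outlives the session) or "expired" (deletes the cookie).
    """
    first, *attrs = [p.strip() for p in value.split(";")]
    name = first.split("=", 1)[0].strip()
    max_age = expires = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        try:
            if key == "max-age":
                max_age = int(val)
            elif key == "expires":
                expires = parsedate_to_datetime(val)
                if expires.tzinfo is None:  # no zone given: treat as UTC
                    expires = expires.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            continue  # unparseable attribute: ignored
    if max_age is not None:  # Max-Age takes precedence over Expires
        seconds = max_age
    elif expires is not None:
        seconds = (expires - now).total_seconds()
    else:
        return name, "session", 0.0
    kind = "persistent" if seconds > 0 else "expired"
    return name, kind, max(seconds, 0) / 86400

def persistent_cookies(values, now, max_days=0):
    """Names of cookies in `values` that persist longer than max_days."""
    results = (classify_set_cookie(v, now) for v in values)
    return [n for n, kind, days in results if kind == "persistent" and days > max_days]

# Constructed sample headers and audit date (not captured from any real site).
SAMPLE = [
    "SESSIONID=abc123; Path=/",
    "visitor=42; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/",
    "prefs=en; Max-Age=3600",
    "old=; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
]
NOW = datetime(2005, 12, 28, tzinfo=timezone.utc)

if __name__ == "__main__":
    for v in SAMPLE:
        print(classify_set_cookie(v, NOW))
```

Running `persistent_cookies` with `max_days=0` over the headers a site emits after a software upgrade flags any cookie that would survive a browser restart.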
National Security Agency Breaks Cookie Rules
Security Only Applies to Other People
NICK FARRELL / The Inquirer (UK) 30dec2005
THE US information systems watchdog, the National Security Agency, has been breaking its own policy on cookies by posting them onto the hard-drives of visitors to its site. The cookie distribution suddenly stopped when it was rumbled by a privacy activist and the Associated Press.
A sheepish NSA spokesman said that the agency had recently had a software upgrade and that created a new cookie-producing facility. The cookie that was placed on web surfers’ hard-drive carried a 2035 expiration date, so it was supposed to be there for a long time.
The NSA should have been instituting a policy banning long-term cookies on web surfers’ hard drives since June 2000.
The spokesNSA said that before the software upgrade, the outfit did install a cookie but that would self-destruct when users closed their browsers.
source: http://www.theinquirer.net/?article=28615 30dec2005
White House Investigates Contractor's Web Tracking by WebTrends
NEW YORK — Unbeknown to the Bush administration, an outside contractor has been using Internet tracking technologies that may be prohibited to analyze usage and traffic patterns at the White House's Web site, an official said Thursday.
David Almacy, the White House's Internet director, promised an investigation into whether the practice is consistent with a 2003 policy from the White House's Office of Management and Budget banning the use of most such technologies at government sites.
"No one even knew it was happening," Mr. Almacy said. "We're going to work with the contractor to ensure that it's consistent with the OMB policy."
An official with the contractor, WebTrends Inc., said later Thursday, however, that although a cookie may be used, no data from it is actually sent back to the company.
The development came a day after the National Security Agency admitted it had erred in using banned "cookies" at its Web site. Cookies are small data files that can be used to track Internet users. The acknowledgments followed inquiries by The Associated Press.
The White House's Web site uses what's known as a Web bug to anonymously keep track of who's visiting and when. A Web bug is essentially a tiny graphic image — a dot, really — that's virtually invisible. In this case, the bug is pulled from a server maintained by WebTrends and lets the traffic analytic company know that another person has visited a specific page on the site.
Web bugs themselves are not prohibited.
But when these bugs are linked to a cookie — so that a site can tell if the same person has visited again — a federal agency using them must demonstrate a "compelling need," get a senior official's signoff and disclose such usage, said Peter Swire, a Clinton administration official who helped draft the original rules.
But Jason Palmer, vice president of product management for Portland, Ore.-based WebTrends, insisted the cookies are not used in such manner.
Cookies from the White House site are not generated simply by visiting it, according to analyses by the AP and by Richard M. Smith, a security consultant in Cambridge, Mass., who first noticed the Web bug this week.
Rather, WebTrends cookies are sometimes created when visiting other WebTrends clients. Mr. Smith said his analysis of network traffic shows such preexisting cookies have then been used to recognize visitors to the White House site.
But WebTrends officials say they do not aggregate information about visitors across multiple sites. Mr. Almacy said it's possible the cookie resulted from the White House visit, adding he was awaiting further details from WebTrends.
Mr. Palmer said the browsers are designed to pull pre-existing cookies automatically, and that the company has no choice in the matter. But he insisted the company doesn't use the information.
In any case, Mr. Almacy said, no personal data are collected.
In a statement, WebTrends added that the analysis performed at the White House site is typical among organizations for improving user experience.
The Clinton administration first issued the strict rules on cookies in 2000 after its Office of National Drug Control Policy, through a contractor, had used the technology to track computer users viewing its online antidrug advertising. The rules were updated in 2003 by the Bush administration.
Although no personal information was collected at the time, Mr. Swire said, concerns were raised that one site's data could be linked later with those from the contractor's other clients.
"It all could be linked up after the fact, and that was enough to lead to the federal policy," Mr. Swire said.
Nonetheless, agencies occasionally violate the rules inadvertently. The CIA did in 2002, and the NSA more recently. The NSA disabled the cookies this week and blamed a recent upgrade to software that shipped with cookie settings already on.
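The article above describes a Web bug as a virtually invisible image pulled from a contractor's server. The following added example (not part of the original article, and not code from WebTrends or the White House) shows how a site owner could scan their own page markup for such images; the page HTML and host names are constructed placeholders, and "first party" is assumed to mean an exact host match against the page's host plus an optional allowlist.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

def _px(value):
    """Parse a width/height attribute such as "1" or "1px"; None if not a pixel count."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None

class WebBugFinder(HTMLParser):
    """Collect tiny or hidden <img> tags that load from a third-party host."""

    def __init__(self, page_url, first_party=()):
        super().__init__()
        self.page_url = page_url
        # Hosts treated as the site's own (assumption: exact host match,
        # no public-suffix logic); everything else counts as third party.
        self.own = {urlparse(page_url).hostname, *first_party}
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        if not host or host in self.own:
            return  # first-party image: not a third-party beacon
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.bugs.append((host, src))

def find_web_bugs(html, page_url, first_party=()):
    """Return [(host, url), ...] for suspected web bugs in `html`."""
    finder = WebBugFinder(page_url, first_party)
    finder.feed(html)
    finder.close()
    return finder.bugs

# Constructed page (hosts are placeholders, not real services).
SAMPLE_HTML = """
<img src="/images/seal.gif" width="120" height="120">
<img src="https://static.agency.example/logo.png" width="1" height="1">
<img src="https://stats.tracker.example/dcs.gif?page=/news" width="1" height="1">
<img src="//stats.tracker.example/b.gif" style="display: none">
<img src="https://cdn.photos.example/banner.jpg" width="600" height="80">
"""
```

Each URL reported is a request whose Cookie and Set-Cookie headers are worth inspecting, since the policy question in the article turns on whether the bug is linked to a cookie.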
White House to Investigate Contractor's Web Tracking
Technologies May Violate Policy
ANICK JESDANUN / AP 30dec2005
NEW YORK — Without the Bush administration knowing, an outside contractor has been using Internet tracking technologies that may be prohibited to analyze usage and traffic patterns at the White House's website, an official said yesterday.
David Almacy, the White House's Internet director, promised an investigation into whether the practice is consistent with a 2003 policy from the White House's Office of Management and Budget banning the use of most such technologies at government sites. "No one even knew it was happening," Almacy said. "We're going to work with the contractor to ensure that it's consistent with the OMB policy."
The acknowledgment came a day after the National Security Agency admitted it had erred in using banned "cookies" at its website. Both acknowledgments followed inquiries by the Associated Press.
The White House's website uses what is known as a Web bug to anonymously keep track of who is visiting and when. A Web bug is essentially a graphic image that is virtually invisible. In this case, the bug is pulled from a server maintained by the contractor, WebTrends Inc., and lets the traffic analytic company know that another person has visited a specific page on the site.
Web bugs themselves are not prohibited. But when these bugs are linked to a data file known as a "cookie" so that a site can tell whether the same person has visited again, a federal agency using them must demonstrate a "compelling need," get a senior official's approval, and disclose such usage, said Peter Swire, a Clinton administration official who helped draft the original rules.
In a statement, WebTrends said the analysis performed at the White House site is typical among organizations for improving user experience.
source: http://www.boston.com/news/nation/washington/articles/2005/12/30/white_house_to_investigate_contractors_web_tracking?mode=PF 30dec2005