Federal rules bar 'cookies'; spy agency says it was a mistake
The National Security Agency's Internet site has been placing files
on visitors' computers that can track their Web surfing activity despite strict
federal rules banning most of them.
These files, known as "cookies," disappeared after a privacy activist
complained and The Associated Press made inquiries this week, and agency officials
acknowledged Wednesday they had made a mistake.
Nonetheless, the issue raises questions about privacy at a spy agency already
on the defensive amid reports of a secretive eavesdropping program in the United
"Considering the surveillance power the NSA has, cookies are not exactly
a major concern," said Ari Schwartz, associate director at the Center for
Democracy and Technology, a privacy advocacy group in Washington, D.C. "But
it does show a general lack of understanding about privacy rules when they are
not even following the government's very basic rules for Web privacy."
Until Tuesday, the NSA site created two cookie files that do not expire until
2035 — likely beyond the life of any computer in use today.
Don Weber, an NSA spokesman, said in a statement Wednesday that the cookie
use resulted from a recent software upgrade. Normally, the site uses temporary,
permissible cookies that are automatically deleted when users close their Web
browsers, he said, but the software in use shipped with persistent cookies already
"After being tipped to the issue, we immediately disabled the cookies,"
Strict federal rules
Cookies are widely used at commercial Web sites and can make Internet browsing
more convenient by letting sites remember user preferences. For instance, visitors
would not have to repeatedly enter passwords at sites that require them.
But privacy advocates complain that cookies can also track Web surfing, even
if no personal information is actually collected.
In a 2003 memo, the White House's Office of Management and Budget prohibits
federal agencies from using persistent cookies — those that aren't automatically
deleted right away — unless there is a "compelling need."
A senior official must sign off on any such use, and an agency that uses them
Peter Swire, a Clinton administration official who had drafted an earlier version
of the cookie guidelines, said clear notice is a must, and "vague assertions
of national security, such as exist in the NSA policy, are not sufficient."
Daniel Brandt, a privacy activist who discovered the NSA cookies, said mistakes
happen, "but in any case, it's illegal. The (guideline) doesn't say anything
about doing it accidentally."