All of us who are online (and who have a clue) take precautions to keep the uninvited from gaining access to our machines, from shutting down unneeded servers to closing down ports to installing ipchains and firewalls.

But I've long been of the opinion that things we willingly allow into our boxen are potentially just as damaging, especially to anyone who places any value on privacy.

A new government report proves my point. Not to overstate the case, but the U.S. government is using cookies to spy on you.

According to a report done by the General Accounting Office at the request of Sen. Fred Thompson, Republican of Tennessee and chairman of the Committee on Government Affairs, and made public though not publicized last week, government agency websites of all kinds are trying to write cookies to your hard drive. Not just the little memory-resident cookies that are employed in "shopping cart" types of sites, but saved, persistent ones that report back to the site later.

The GAO surveyed 65 government websites and found that 11 of them put cookies on your hard drive--seven without disclosure, and three of them sending their results to undisclosed third parties. The agency did not, for some reason, include the Central Intelligence Agency and the National Security Agency in its survey.

Is this a problem? You bet it is!

The cookies, said the GAO in the report's cover letter, "can be used to track users' browsing behavior . . ."

Who's Doing It?

According to the report, you can pick up government cookies in surprising places. The government sites that toss their cookies onto your machine, with the information returned to their own domains but without bothering to tell you about it include the Office of Personnel Management, the U.S. Trade and Development Agency, the Ames Laboratory, and the Bureau of Labor Statistics.

Those who give you undisclosed cookies who offer their reports to unspecified third parties include the U.S. Customs Service, the Federal Emergency Management Agency, and even the U.S. Forest Service.

And government web sites that do disclose somewhere that they are placing cookies and whose cookies report back only to the domains that placed them include the U.S. Postal Service, the General Services Administration, the Small Business Administration, and the Institute of Museum and Library Services.

Bear in mind that the report covered only 65 of the hundreds of government websites, chosen largely at random. It found that about one site in six writes a cookie to your drive, and one in about 20 sends you one that reports to an off-domain site. Who? We don't know, nor can we find out.

Left unexplored is the question whether the government has its own third-party cookies that you could acquire from non-government websites.

What information is being gathered, and what is it being used for? Well, we just don't know, and the report doesn't tell us. My personal tendency is to assume the worst when dealing with the government, but in that this notion may be overly harsh; perhaps it is being used for more benign purposes. What might those be? In the last few years we've seen unprecedented politicization of government, so perhaps it's thought just fine to use this information to target voters. Maybe it's even to make government more efficient and responsive, though that would be a first.

The report, entitled "Internet Privacy: Federal Agency Use of Cookies," speaks loudest in some respects where it tells us nothing, but leaves us to assume that the situation is ominous.

Confronted with this information, the administration (yes, the Clinton-Gore administration) said it was shocked, shocked to learn that cookies are being used.

"There are particular privacy concerns when web technology can track the activities of users over time and across different websites," wrote Sally Katzen of the White House Office of Management and Budget. "In light of the unique laws and traditions about government access to the personal information of citizens, the Director stated [on June 22, 2000] that the presumption should be that cookies will not be used at Federal websites or or by contractors when operating websites on behalf of agencies." Oh, those pesky agencies. We keep telling them not to use cookies, and they keep using cookies.

Wink wink, nudge nudge, say no more.

Next: What Can You Do About It? »