.comment: Big Brother's Cookies

By: Dennis E. Powell
Monday, November 6, 2000 01:03:53 PM EST
URL: http://www.linuxplanet.com/linuxplanet/opinions/2592/1/

We're From the Government and We're Here to Help You

All of us who are online (and who have a clue) take precautions to keep the uninvited from gaining access to our machines, from shutting down unneeded servers to closing down ports to installing ipchains and firewalls.

But I've long been of the opinion that things we willingly allow into our boxen are potentially just as damaging, especially to anyone who places any value on privacy.

A new government report proves my point. Not to overstate the case, but the U.S. government is using cookies to spy on you.

According to a report done by the General Accounting Office at the request of Sen. Fred Thompson, Republican of Tennessee and chairman of the Committee on Government Affairs, and made public though not publicized last week, government agency websites of all kinds are trying to write cookies to your hard drive. Not just the little memory-resident cookies that are employed in "shopping cart" types of sites, but saved, persistent ones that report back to the site later.

The GAO surveyed 65 government websites and found that 11 of them put cookies on your hard drive--seven without disclosure, and three of them sending their results to undisclosed third parties. The agency did not, for some reason, include the Central Intelligence Agency and the National Security Agency in its survey.

Is this a problem? You bet it is!

The cookies, said the GAO in the report's cover letter, "can be used to track users' browsing behavior . . ."

Who's Doing It?

According to the report, you can pick up government cookies in surprising places. The government sites that toss their cookies onto your machine, with the information returned to their own domains but without bothering to tell you about it, include the Office of Personnel Management, the U.S. Trade and Development Agency, the Ames Laboratory, and the Bureau of Labor Statistics.

Those that give you undisclosed cookies and offer their reports to unspecified third parties include the U.S. Customs Service, the Federal Emergency Management Agency, and even the U.S. Forest Service.

And government web sites that do disclose somewhere that they are placing cookies and whose cookies report back only to the domains that placed them include the U.S. Postal Service, the General Services Administration, the Small Business Administration, and the Institute of Museum and Library Services.

Bear in mind that the report covered only 65 of the hundreds of government websites, chosen largely at random. It found that about one site in six writes a cookie to your drive, and one in about 20 sends you one that reports to an off-domain site. Who? We don't know, nor can we find out.

Left unexplored is the question whether the government has its own third-party cookies that you could acquire from non-government websites.

What information is being gathered, and what is it being used for? Well, we just don't know, and the report doesn't tell us. My personal tendency is to assume the worst when dealing with the government, but in that this notion may be overly harsh, perhaps it is being used for more benign purposes. What might those be? In the last few years we've seen unprecedented politicization of government, so perhaps it's thought just fine to use this information to target voters. Maybe it's even to make government more efficient and responsive, though that would be a first.

The report, entitled "Internet Privacy: Federal Agency Use of Cookies," speaks loudest in some respects where it tells us nothing, but leaves us to assume that the situation is ominous.

Confronted with this information, the administration (yes, the Clinton-Gore administration) said it was shocked, shocked to learn that cookies are being used.

"There are particular privacy concerns when web technology can track the activities of users over time and across different websites," wrote Sally Katzen of the White House Office of Management and Budget. "In light of the unique laws and traditions about government access to the personal information of citizens, the Director stated [on June 22, 2000] that the presumption should be that cookies will not be used at Federal websites or by contractors when operating websites on behalf of agencies." Oh, those pesky agencies. We keep telling them not to use cookies, and they keep using cookies.

Wink wink, nudge nudge, say no more.

What Can You Do About It?

Any online security policy has to take cookies into account. Popular browsers for Linux give the user control, though not as much control as any reasonably concerned user would want. Netscape, for instance, gives you the choice of turning off cookies entirely--a good choice, but one that prevents you from visiting many sites (such as the extremely high-cookied New York Times) and from engaging in online shopping at a lot of sites. Or it lets you turn off third-party cookies. Or it lets you allow all cookies. In addition, it allows you to be notified every time a site wants to place a cookie on your machine, a useful exercise if only to give you the sense of just how bad the problem is.

With Netscape, though, there's a good solution available: just make your ~/.netscape/cookies a symbolic link to /dev/null, and tell Netscape to enable all cookies. Then cookies are neatly transported to the bit bucket. The ones you need for shopping and the like are typically memory resident, meaning that they'll stick around until you close the browser. And yes, close your browser every so often to dump the memory resident cookies you no longer need.

With other browsers you can do much the same thing, finding wherever it is that the cookies are stored and symlinking it to /dev/null.
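
The symlink step described above, as an added shell example that is not part of the original article: it takes the cookie file path as an argument so it covers other browsers too, lists which domains already have cookies stored, keeps a timestamped backup, and provides a check to re-run after a browser session, since a browser that saves by replacing the file rather than writing through it would remove the link. The function names are assumptions, and the browser should be closed before the link is made.

```shell
# Added example; function names are hypothetical. Close the browser first.
# Typical use with the path named in the article:
#   stored_cookie_domains "$HOME/.netscape/cookies"
#   null_cookie_store     "$HOME/.netscape/cookies"

# Print "COUNT DOMAIN" for every domain with a cookie saved in a
# Netscape-format cookie file (7 tab-separated fields; # lines are comments).
stored_cookie_domains() {
    awk -F '\t' '!/^#/ && NF == 7 { n[$1]++ }
                 END { for (d in n) print n[d], d }' "$1" | LC_ALL=C sort -k2
}

# Succeed only if the cookie file is a symlink pointing at /dev/null.
cookie_store_is_nulled() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "/dev/null" ]
}

# Replace the cookie file with a symlink to /dev/null.
# Safe to run repeatedly: an existing link is left alone, and any real
# file is moved aside to a timestamped backup rather than deleted.
null_cookie_store() {
    if cookie_store_is_nulled "$1"; then
        return 0
    fi
    if [ -e "$1" ] || [ -L "$1" ]; then
        mv -- "$1" "$1.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    ln -s /dev/null "$1"
}
```

Run `cookie_store_is_nulled` again after closing the browser; a non-zero exit status means the link was replaced by a regular file and persistent cookies are being saved again.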

There's a certain satisfaction, having set up a pathway to oblivion for cookies, in knowing that you've confounded people who want to put encrypted crap on your computer.

In that this piece is about government cookies, I suppose that the ghost of Mrs. Koehler, my ninth-grade civics teacher, insists that I mention that you can also raise hell with the government, write letters, send email complaints, and so on. Consider it mentioned, but consider, too, that the White House itself claims that it can't keep its agencies from spying on you.

And keep in mind this unhappy fact: the cookie situation, inside government and especially outside it, is not likely to get better. It is likely to get worse. Yes, crackers are bad. So are cookies.

Copyright Jupitermedia Corp. All Rights Reserved.