Report: Govt. Web Sites Invade Privacy

W A S H I N G T O N, April 17, 2001 -- Dozens of federal Web sites use unauthorizedsoftware that tracks Internet users despite policy rules that bansuch information-gathering, according to a report to Congress.

The true scope of the problem has not been identified. Thereport said the National Aeronautics and Space Administration couldnot even determine how many Web sites it operates, so investigatorscould not say how many of them might be using the trackingsoftware.

The report was culled from 16 agency audits, a third of theaudits in the works. The other agencies are expected to releasetheir findings within a few months, said Sen. Fred Thompson,R-Tenn., chairman of the Senate Governmental Affairs Committee.

Government Sites Track Users

Thompson released the report Monday. It said investigators found64 federal Web sites that used unauthorized files that allowed themto track the browsing and buying habits of Internet users.

In many instances, the agencies said they did not know thetracking technology was being used. But some agencies say theybenefit from the data gathered by the electronic "cookies," asthe technology is called.

A cookie is a small software file that allows an Internet siteto identify a specific computer that logs on to the site. Cookiescan make browsing more convenient by letting sites distinguish userpreferences, but the device has been attacked as an intrusion onprivacy because they can track the kinds of Web sites frequented bya specific computer.

The U.S. Mint uses the software to operate an online shoppingcart that is similar to what can be found on many e-commerce sites.

The departments of Education, Treasury, Energy, Interior andTransportation used unauthorized cookies, as did NASA and theGeneral Services Administration, the report said.

It did not estimate how many people visited the sites during theaudit, which occurred late last year and early this year.

The company Jupiter Media Metrix, which tracks Internet usage,said government sites are popular. The company estimates that 3.5million Internet users went to NASA's Web site in March, and 2.2million people visited the Education Department's site.

Ari Schwartz, senior policy analyst for the Center for Democracyand Technology, which follows privacy issues, called the reporttroubling.

The Challenge of Privacy

"Generally when we think about privacy and the government, wewant to make sure that the government is transparent and doesprotect privacy over and above the rest of the Internet and therest of the private and nonprofit sector," Schwartz said.

His organization was among several that signed a letter Mondayurging the Bush administration to fill quickly a post created byPresident Clinton that heads an office to keep tabs on agenciesensuring they adhere to privacy policies.

Congress ordered all agency inspectors general to investigatethe use of cookies after the General Accounting Office reported inOctober that about a dozen agency Web sites were using the softwareeven though a Clinton administration memorandum in June restrictedthe practice.

The only acceptable use of cookies is in case of compelling needand with the approval of the agency head. In those instances, Websites must inform Internet users of the practice.

Contractors operating Web sites for government agencies alsomust abide by the policy.

The White House referred questions to the Office of Managementand Budget, where spokesman Chris Ullman said the Clinton-erapolicy remains in effect.

"Privacy issues are of great importance to the president,"Ullman said.

Because 11 Energy Department Web sites used the unauthorizedfiles, Inspector General Gregory Friedman said the department"cannot provide reasonable assurance" the privacy of Web sitevisitors would be protected.

General Services Administration Inspector General William Bartonreported a contractor managed business operations of an agency sitethat used the tracking files. He said the agreement gave thecontractor ownership of any information gathered about Internetusers who visited the site.

Of agencies surveyed, the Transportation Department was mostlikely to use the tracking files, according to the report. It hadthem on 23 Web pages, but the devices have since been removed,according to John Meche, the agency's deputy assistant inspectorgeneral.

He said cookies were inadvertently added to agency sites whenWeb pages were reconfigured. "Protecting Web privacy is an ongoingchallenge because Web sites are constantly revised orreconfigured," Meche said in his report.