White House Website Tracking Under Fire
Websites for the National Security Agency (NSA) and White House have been found to track visitors with cookies. Online privacy watchdogs say the practice could violate govt.-wide computing guidelines, demonstrating the difficulty of carrying out the Office of Management & Budget’s (OMB) cookie policy in practice. Although the Administration and WebTrends, the analytics firm hired to monitor Whitehouse.gov, told Washington Internet Daily the site complies with govt. rules, Cambridge, Mass. security consultant Richard Smith disagrees.
The NSA’s cookies vanished this week after complaints from privacy activists and inquiries from news outlets. The agency admitted to the Associated Press Wed. it erred by creating 2 cookie files set to expire in 2035. An NSA spokesman said the agency’s persistent cookie usage resulted from an improper software upgrade.
Whitehouse.gov doesn’t use cookies itself but Smith’s Web analysis tools discovered a permanent 3rd party cookie from WebTrends. The national Centers for Disease Control (CDC) had a similar problem with Omniture several years ago, he said. The agency quietly fixed the issue after Smith inquired about the tracking technology.
The security expert said the White House’s predicament is worse than NSA’s because the 3rd party cookie can track users on other websites that use WebTrends, and many more Web surfers visit whitehouse.gov than NSA.gov. According to Alexa.com traffic rankings, whitehouse.gov is the 1,541st most popular site on the Internet. NSA.gov ranks 36,918th. The other difference is that the White House’s site reportedly uses Web bugs, Smith said. These invisible elements of code have many uses, including identifying suspects in criminal investigations, he said.
A pre-9/11 govt. policy said cookies weren’t appropriate for federal govt. sites. The Clinton Administration laid down that principle “because of the unique laws and traditions about government access to citizens’ personal information,” according to a June 2000 memo from OMB Dir. Jacob Lew. But 2002’s E-Gov Act required the Administration to update the policy, an OMB spokesman told us. Provisions specifically on privacy implications were released in Sept. 2003, and revised language went out in Dec. 2004. That paperwork incorporated and updated older privacy policies, including the old persistent tracking policy, OMB said.
In its guidance, OMB said agencies can’t use persistent cookies or any other means, like Web bugs (also known as Web beacons), to track visitors’ activity. Some exceptions exist. Agency chiefs can approve the use of persistent tracking technology for a “compelling need,” OMB said. When it’s used, an agency must make known in its privacy policy: The nature of the information collected, the purpose and use for the information, to whom the information will be disclosed and the privacy safeguards applied to the information collected.
WebTrends CEO Greg Drew said the White House, which has been a customer “for years,” doesn’t use cookies and complies with federal regulations on tracking Web activity. “Organizations utilize this type of aggregate, non-personally identifiable analysis to improve the user experience on their websites,” he said, saying his company doesn’t aggregate information about visitors across multiple websites or collect or store personal information. Federal offices have a choice of using no cookies or session cookies, which link an anonymous visitor’s actions throughout an occasion, in compliance with OMB’s policies, Drew said.
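The distinction at issue here, session versus persistent and first-party versus 3rd party, can be checked directly from the `Set-Cookie` headers a page load produces. The sketch below is an added example, not code from the article or from any party it names; the hosts, cookie names and values are constructed, and the same-party test is a naive parent/child domain match (an assumption; it does not consult the Public Suffix List).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, lower-cased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return first.split("=", 1)[0], attrs

def lifetime_seconds(attrs, now):
    """Return seconds until expiry, or None for a session cookie."""
    try:
        if "max-age" in attrs:          # Max-Age overrides Expires (RFC 6265)
            return int(attrs["max-age"])
        if "expires" in attrs:
            return (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
    except (ValueError, TypeError):     # unparsable value: treated as session
        pass
    return None

def related(a, b):
    """Naive same-party test (assumption): equal hosts or parent/child domains."""
    a, b = a.lower().strip("."), b.lower().strip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def classify(page_host, response_host, header, now):
    name, attrs = parse_set_cookie(header)
    life = lifetime_seconds(attrs, now)
    scope = attrs.get("domain") or response_host
    return {"name": name,
            "persistent": life is not None and life > 0,
            "days": None if life is None else round(life / 86400),
            "third_party": not related(page_host, scope)}

# Constructed sample: responses seen while loading one page on www.agency.example
NOW = datetime(2005, 12, 30, tzinfo=timezone.utc)
SAMPLE = [
    ("www.agency.example", "SESSIONID=abc123; Path=/"),
    ("stats.analytics.example",
     "VISITOR=f00d; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/"),
]

def audit(page_host, responses, now):
    """Return only the cookies that outlive the browser session."""
    results = [classify(page_host, host, hdr, now) for host, hdr in responses]
    return [r for r in results if r["persistent"]]
```

Running `audit("www.agency.example", SAMPLE, NOW)` reports only the constructed `VISITOR` cookie, flagged as both persistent and 3rd party.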
Smith’s analysis, along with inquiries from Washington Internet Daily, prompted an internal investigation Thurs. into whether WebTrends’ services violate OMB policy, White House Internet Dir. David Almacy said. At some point, the Administration told its contractor to start tracking the number of visitors rather than just visits, he said. That resulted in WebTrends’ placing a persistent cookie on visitors’ machines. Almacy, who has been running whitehouse.gov only since last spring, said no information collected other than basic statistics -- like most popular pages, hits and page views -- was used. “No other personal information was gleaned from this at all,” he said.
If the investigation finds that WebTrends violated OMB guidance and White House information from the firm is changed, Almacy’s ability to tell whether the site is reaching new audiences could be reduced. Nevertheless, he pledged to find a solution to the problem swiftly.
Meanwhile, Internet Explorer flagged the WebTrends technology associated with whitehouse.gov as one that collects “unique identifiers issued by a website or service for the purpose of identifying an individual over time.” “Over time” is the red flag, Smith told us. The White House’s homepage, news section, issue-specific pages and even Bush’s bio page use WebTrends’ analytics, an examination of source code found. According to whitehouse.gov’s privacy policy, the site tracks a user’s Web domain, IP address, browser type, operating system, date and time accessed, pages visited and whether the user was linked to whitehouse.gov from another website. The policy doesn’t mention cookies, Web bugs or beacons by name.
The White House and NSA cases speak to a larger problem with the amount of attention the Administration gives to privacy issues, Center for Democracy & Technology (CDT) Assoc. Dir. Ari Schwartz told us. One employee is handling privacy matters at OMB, whereas the Clinton Administration employed 3 privacy experts, he said. “The fact that there are more issues being raised now than in last Administration that tells you something,” Schwartz said: “They don’t really have the manpower to deal with it.”
Enforcing cookie policies is “chief privacy officer 101,” Schwartz said. Still, CDT has heard about dozens of cases over the years where “agencies just set up a server and the server by default uses cookies,” he said. That’s fine in a commercial setting, and in some govt. settings, but the tracking methods must be disclosed to the public, Schwartz said. “This is the easiest of the privacy rules to follow.”
* * * * *
In his digging, Smith found another curious spot on the White House’s site. He uncovered a lengthy list of URLs in a “robots.txt” file, which prevents search engines from scouring certain whitehouse.gov directories. “It’s like this big ‘keep out’ sign,” he said. The safeguard also prevents Web annals like the Wayback Machine from preserving portions of the site for archival purposes. Most govt. sites don’t have such stringent precautions, Smith said. The CIA site, for example, has only a few directories that bar search engine crawls. Whitehouse.gov’s robots.txt file includes more than 2,000 listings.
Questions about robots.txt have been brought to the White House Web team’s attention before. “It’s one of those stories that just won’t go away,” Almacy said. Most of the pages in question are text files, javascript or site utilities, he said: “If the implication is that we're hiding something, that’s not the case.” Shielding some content from Google, Yahoo and others prevents Web searchers from finding outdated or duplicative information, he said. Still, Almacy asked his staff to determine whether all the files listed under robots.txt are masked from search engines for good reason. That analysis will begin in the new year, he said.