White House and NSA website illegally track
visitors
Yahoo News/AP
U.S. to Probe Contractor's Web Tracking
By ANICK JESDANUN, AP Internet Writer
December 29, 2005
NEW YORK - Unbeknown to the Bush administration, an outside contractor has
been using Internet tracking technologies that may be prohibited to analyze
usage and traffic patterns at the White House's Web site, an official said
Thursday.
David Almacy, the White House's Internet director, promised an investigation
into whether the practice is consistent with a 2003 policy from the White
House's Office of Management and Budget banning the use of most such
technologies at government sites.
"No one even knew it was happening," Almacy said. "We're going to work with
the contractor to ensure that it's consistent with the OMB policy."
The acknowledgment came a day after the National Security Agency admitted it
had erred in using banned "cookies" at its Web site. Both acknowledgments
followed inquiries by The Associated Press.
The White House's Web site uses what's known as a Web bug to anonymously
keep track of who's visiting and when. A Web bug is essentially a tiny graphic
image — a dot, really — that's virtually invisible. In this case,
the bug is pulled from a server maintained by the contractor, WebTrends Inc.,
and lets the traffic analytic company know that another person has visited a
specific page on the site.
Web bugs themselves are not prohibited.
But when these bugs are linked to a data file known as a "cookie" so that a
site can tell if the same person has visited again, a federal agency using them
must demonstrate a "compelling need," get a senior official's signoff and
disclose such usage, said Peter Swire, a Clinton administration official who
helped draft the original rules.
The White House's privacy policy does not specially mention cookies or Web
bugs, and Almacy said the signoff was never sought because one was not thought
to be required. He said his team was first informed of the cookie use by the
AP.
In any case, Almacy said, no personal information was collected, and the
cookie was used only to determine whether a visitor was a new or returning
user.
It's not entirely clear how the cookies are created.
Cookies from the White House site do not appear to be generated simply by
visiting it, according to analyses by the AP and by Richard M. Smith, a
security consultant in Cambridge, Mass., who first noticed the Web bug this
week.
Rather, WebTrends cookies are sometimes created when visiting other
WebTrends clients. Smith said his analysis of network traffic shows such
preexisting cookies have then been used to recognize visitors to the White
House site.
But WebTrends officials say they do not aggregate information about visitors
across multiple sites, and when presented with Smith's data, referred inquiries
to the White House. Almacy said it's possible the cookie resulted from the
White House visit, adding he was awaiting further details from WebTrends.
In a statement, the company added that the analysis performed at the White
House site is typical among organizations for improving user experience.
But Swire said a similar use of cookies had prompted the federal
guidelines.
The Clinton administration first issued the strict rules on cookies in 2000
after its Office of National Drug Control Policy, through a contractor, had
used the technology to track computer users viewing its online anti-drug
advertising. The rules were updated in 2003 by the Bush administration.
Although no personal information was collected at the time, Swire said,
concerns were raised that one site's data could be linked later with those from
the contractor's other clients.
"It all could be linked up after the fact, and that was enough to lead to
the federal policy," Swire said.
Nonetheless, agencies occasionally violate the rules inadvertently. The CIA
did in 2002, and the NSA more recently. The NSA disabled the cookies this week
and blamed a recent upgrade to software that shipped with cookie settings
already on.
|