
Feds Seek Input On Cookie Policy For Government Web Sites

suraj.sun sends along this quote from Information Week: "The government wants to use cookies to offer more personalized web sites to citizens and better analytics to Webmasters. ... The federal government has drafted changes to its outdated restrictions on HTTP cookies, and wants the public's input. Under the plan, detailed in a blog post by federal CIO Vivek Kundra and... Michael Fitzpatrick, federal agencies would be able to use cookies as long as their use is lawful, citizens can opt out of being tracked, notice of the use of cookies is posted on the Web site, and Web sites don't limit access to information for those who opt out. ... The Office of Management and Budget is considering three separate tiers of cookie usage that will likely have different restrictions for each, based on privacy risks. The first tier of sites would use single-session technologies, the second multi-session technologies for use in analytics only, and the third for multi-session cookies that are used to remember data or settings 'beyond what is needed for web analytics.'"
This discussion has been archived. No new comments can be posted.

  • How about no? (Score:5, Insightful)

    by DoktorSeven ( 628331 ) on Saturday July 25, 2009 @01:25PM (#28819875) Journal

    Just don't use cookies. Or at the very least, allow people to opt *in* rather than out.

    What a concept, right?

  • Yeah OK (Score:2, Insightful)

    by sonicmerlin ( 1505111 ) on Saturday July 25, 2009 @01:26PM (#28819881)
    I know I'll be modded down for this, but if government was stocked more with intelligent engineers and scientists instead of lawyers we would never have these issues.
  • by Anonymous Coward on Saturday July 25, 2009 @01:36PM (#28819959)

    The NSA performs illegal wiretaps and then the government consults the public over web cookies? What next, rapists asking their victims if they'd object to being given a hickey?

    Go, go "team freedom"!

  • by oldhack ( 1037484 ) on Saturday July 25, 2009 @01:49PM (#28820047)
    What the AC wrote. This absurd universe we live in.
  • by OverZealous.com ( 721745 ) on Saturday July 25, 2009 @02:15PM (#28820213) Homepage

    This is my general policy:

    1. Don't ever store a cookie by default on websites that don't have a login.
    2. Don't ever, ever, ever store cookies on a different domain than the one in the address bar.
    3. If you want to store something in a cookie, make it opt-in (as mentioned above).
    4. If you want to store something in a cookie, but I block it, make sure the website still works correctly.
    5. If you "need" to store a cookie, but I block it, make it obvious what has happened, and on what domain. Make sure I can see that domain in the address bar, and decide whether to unlock it.
    6. Be aware that forcing a cookie on me has about a 75% guarantee that I'll leave and never return.

    If you are incapable of developing to these standards, say, because you don't understand how session cookies should work, then please find another line of work.

    Cookies are bad for the health of your website, news site, or blog. Cookies are good for the health of your web application.

  • Re:Yeah OK (Score:5, Insightful)

    by FrostDust ( 1009075 ) on Saturday July 25, 2009 @02:23PM (#28820265)

    This is a legal issue, not a technical one. Replacing lawyers with engineers wouldn't do anything here.

    The government isn't trying to engineer a new "cookie" paradigm or anything, they're investigating the legalities of a federally-owned website tracking users.
    Cookies have been used by websites forever, but there may be a difference between your browsing history and preferences being recorded by bestbuy.com versus whitehouse.gov, at least in the eyes of the law. That is what the article is talking about.

  • Don't share them (Score:3, Insightful)

    by legirons ( 809082 ) on Saturday July 25, 2009 @02:56PM (#28820537)

    Is there anything more to say than Don't share them between sites?

    If you log in then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses. But it's when you start including invisible images from a 3rd party site that shares the stats between multiple domains, that most people think crosses the line into creepy surveillance.

    Login cookies = fine. Telling one site that you visited another site = not ok.

    (or to phrase that another way: don't exploit loopholes in the security system)

  • Re:How about no? (Score:3, Insightful)

    by kdemetter ( 965669 ) on Saturday July 25, 2009 @02:57PM (#28820549)

    Cookies expire at end of session according to my preference. That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time. Then I leave and never return.

    How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

    On a database, like it should? And then retrieve the preferences after logging in. I don't see the problem.

  • by Anonymous Coward on Saturday July 25, 2009 @03:16PM (#28820703)

    When I examine my cookies, the first thing I do is look for anything that has an expiration date more than 5 years in the future.
    Those cookies are immediately deleted and blocked permanently.

    There is no reason but sloth to set a cookie with such a huge number for the time to live.

    I hope the government policy sets reasonable times for their cookie policy.

    I.e., a session cookie should not outlive the session.
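
An added example, not part of any comment above and not code from Slashdot or the agencies discussed: a small audit of `Set-Cookie` headers for the checks raised in this thread (cookies set by a host other than the one in the address bar, and lifetimes of more than five years), which also separates single-session from multi-session cookies as in the OMB tiers. The host names, cookie values and the suffix-based same-site test are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FIVE_YEARS = timedelta(days=5 * 365)

def lifetime(set_cookie, now):
    """Return the cookie's lifetime as a timedelta, or None for a session cookie."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip()
    if "max-age" in attrs:                          # Max-Age takes precedence (RFC 6265)
        return timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"]) - now
    return None                                     # neither attribute: dies with the session

def same_site(page_host, sender_host):
    """Simplified test (assumption): equal hosts or one a subdomain of the other.
    A real check would consult the public suffix list."""
    a, b = page_host.lower().rstrip("."), sender_host.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def audit(page_host, sender_host, set_cookie, now):
    """Classify one Set-Cookie header seen while viewing page_host."""
    life = lifetime(set_cookie, now)
    flags = []
    if not same_site(page_host, sender_host):
        flags.append("third-party")                 # set by a host not in the address bar
    if life is not None and life > FIVE_YEARS:
        flags.append("lifetime-over-5-years")
    return {"name": set_cookie.split("=", 1)[0].strip(),
            "kind": "session" if life is None else "multi-session",
            "flags": flags}

# Constructed sample data: (host that sent the header, Set-Cookie value)
NOW = datetime(2009, 7, 25, tzinfo=timezone.utc)
PAGE = "www.agency.example"
SAMPLES = [
    ("www.agency.example", "SID=abc123; Path=/; HttpOnly"),
    ("www.agency.example", "prefs=lang-en; Max-Age=2592000"),
    ("stats.tracker.example", "uid=42; Expires=Fri, 01 Jan 2038 00:00:00 GMT"),
]

if __name__ == "__main__":
    for sender, header in SAMPLES:
        print(sender, audit(PAGE, sender, header, NOW))
```

The header alone cannot show whether a multi-session cookie is used only for analytics, so the second and third OMB tiers cannot be told apart this way.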

  • Cookie Paranoia (Score:5, Insightful)

    by QuoteMstr ( 55051 ) <dan.colascione@gmail.com> on Saturday July 25, 2009 @03:57PM (#28821033)

    You know, it's fucking ridiculous that people harp about cookies, which are entirely under the user's control, but ignore the CSS browser-history hack [ckers.org] that allows any site to probe whether you've visited another completely unrelated site.

    Wake up people! If you want security, worry about the issues that are actually dangerous, not the ones that just sound the scariest.
