Forgot your password?
typodupeerror
Government The Internet United States Your Rights Online News

Feds Seek Input On Cookie Policy For Government Web Sites 74

Posted by Soulskill
from the om-nom-nom dept.
suraj.sun sends along this quote from Information Week: "The government wants to use cookies to offer more personalized web sites to citizens and better analytics to Webmasters. ... The federal government has drafted changes to its outdated restrictions on HTTP cookies, and wants the public's input. Under the plan, detailed in a blog post by federal CIO Vivek Kundra and... Michael Fitzpatrick, federal agencies would be able to use cookies as long as their use is lawful, citizens can opt out of being tracked, notice of the use of cookies is posted on the Web site, and Web sites don't limit access to information for those who opt out. ... The Office of Management and Budget is considering three separate tiers of cookie usage that will likely have different restrictions for each, based on privacy risks. The first tier of sites would use single-session technologies, the second multi-session technologies for use in analytics only, and the third for multi-session cookies that are used to remember data or settings 'beyond what is needed for web analytics.'"
This discussion has been archived. No new comments can be posted.

Feds Seek Input On Cookie Policy For Government Web Sites

Comments Filter:
  • Oreos (Score:4, Funny)

    by oldhack (1037484) on Saturday July 25, 2009 @01:25PM (#28819869)
    For variety of reasons. :-)
    • by FooAtWFU (699187) on Saturday July 25, 2009 @01:27PM (#28819889) Homepage
      Content-transfer-encoding: chocolate-chunked
    • by jmckinney (68044)

      I don't have kids, and I haven't watched the show for 30 years, so why do I hear it in Cookie Monster's voice every time I read the phrase 'cookie policy'? (Coo-kie Po-li-cy!)

    • Re: (Score:3, Funny)

      by basementman (1475159)

      Oreos are a symbol of black power and the racist ideals Obama is trying to indoctrinate our wonderful nation with. The pure Aryan nation is represented by clean white filling of the Oreo, with the other less pure races as the hard cookie, squeezing on both sides ever last bit of culture the white man has left. We must rise against and elect Vanilla Wafers as or government cookie. White power! /s

  • How about no? (Score:5, Insightful)

    by DoktorSeven (628331) on Saturday July 25, 2009 @01:25PM (#28819875) Homepage Journal

    Just don't use cookies. Or at the very least, allow people to opt *in* rather than out.

    What a concept, right?

    • Re: (Score:3, Informative)

      by jonbryce (703250)

      I don't see any problem with a "remember these settings" check box on a web page which sends a cookie if ticked.

    • Re: (Score:3, Interesting)

      by sakdoctor (1087155)

      Cookies expire at end of session according to my preference.
      That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time.
      Then I leave and never return.

      • Cookies expire at end of session according to my preference. That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time. Then I leave and never return.

        How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

        • Re: (Score:3, Insightful)

          by kdemetter (965669)

          Cookies expire at end of session according to my preference. That's fine for session management, but when sites start storing preferences, I get reset to the bone-headed defaults every time. Then I leave and never return.

          How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

          on a database , like it should ? And then retrieve the preferences after logging in. I don't see the problem.

          • by blueg3 (192743)

            If you'd read the person you responded to, you'd see that he specifically said that a cookie is a lesser evil than requiring you to make an account in order to preserve settings.

            Of course, regardless of whether it's by login or by cookie, the settings have to be stored in a database of some sort, unless there are so few preferences that the preferences themselves are stored in a cookie.

            • If you'd read the person you responded to, you'd see that he specifically said that a cookie is a lesser evil than requiring you to make an account in order to preserve settings.

              It need not be a full-blown account - "e-mail address and all" - just a username and password that your browser can automatically memorize and fill in each time you start a new "session."

              After all, if you don't need "e-mail address and all" for a cookie, then you don't need it for any other identification mechanism either.

              Furthermore, any site that requires cookies for full usability is doing its users' a disservice because it is one more site that encourages them to use cookies. Until web-browsers come wi

              • So you want your browser to send the site a key and value every time so the site can track your preferences. Congratulations, you just invented cookies.

                So basically, you're blaming the web sites for the fact that the browsers do not implement the exact functionality you want. Did I get all that?

                • So basically, you're blaming the web sites for the fact that the browsers do not implement the exact functionality you want. Did I get all that?

                  Nope. I am blaming websites for encouraging users to avoid good security practices.

                  • by POWRSURG (755318)

                    What about Web sites that send cookies using the HTTPonly flag so that cookies aren't readable via JavaScript?

                    Have the Feds, or any other major service, looked at using DOM Storage as an alternative to cookies? DOM Storage allows for more data to be stored, and it removes extra data being transferred via every HTTP request. Yes, it is only available in modern browsers, but that need not stop its use, or at least making policy towards its use.

        • by dkf (304284)

          How else do you expect a site to store your preferences, then? I'd rather have a cookie on my computer than have the site force me to make an account (e-mail address and all) with them and store it on their server. (Of course, "bone-headed defaults" are another story...)

          I think it would be good if sites that store cookies on your computer (especially keys into a server-side databases) were required to describe what information was associated with that cookie, both client-side and server-side. I don't mind them storing preferences for what skin to use for the website UI (OK, I mind that none of them are tasteful, but that's a whole 'nother story) but if there's a large profile of me behind it all, I'd like to know!

          I'd also like to know that information for session cookies.

    • I was certain pretty much all gov sites that allow logins use cookies. Now I'm wondering how they track sessions... Hmm...

    • by Z00L00K (682162)

      Everyone already worried about the cookie-tracking habits are already using web browsers and add-ins that deletes the cookies after the end of the session.

      So what's left is standalone sessions with a certain habit, but no easy way to detect a re-visit.

    • by Phroggy (441)

      Just don't use cookies. Or at the very least, allow people to opt *in* rather than out.

      What a concept, right?

      You're an idiot.

      HTTP is a stateless protocol. That's fine if all you're doing is looking at documents, but the Web can do much more than that. There are services that I want the government to be able to provide over the Internet that involve more than just looking at documents. These require tracking state, which is what cookies were designed for. You can fake it if you have to, by putting session variables in query strings, but that makes all of your links ugly and makes it rather awkward to send links

  • Yeah OK (Score:2, Insightful)

    by sonicmerlin (1505111)
    I know I'll be modded down for this, but if government was stocked more with intelligent engineers and scientists instead of lawyers we would never have these issues.
    • Re:Yeah OK (Score:5, Insightful)

      by FrostDust (1009075) on Saturday July 25, 2009 @02:23PM (#28820265)

      This is a legal issue, not a technical one. Replacing lawyers with engineers wouldn't do anything here.

      The government isn't trying to engineer a new "cookie" paradigm or anything, they're investigating the legalities of a federally-owned website tracking users.
      Cookies have been used by websites forever, but there may be a difference between your browsing history and preferences being recorded by bestbuy.com versus whitehouse.gov, at least in the eyes of the law. That is what the article is talking about.

    • True but we'd have other issues [xkcd.com].
  • If government want my opinion on cookies, I know someone who will deal with them in a kind / compassionate way.

    http://en.wikipedia.org/wiki/Cookie_Monster [wikipedia.org]

  • by Anonymous Coward

    The NSA perfoms illegal wiretaps and then the government consults the public over web cookies? What next, rapists asking their victims if they'd object to being given a hicky?

    Go, go "team freedom"!

    • Re: (Score:3, Insightful)

      by oldhack (1037484)
      What the AC wrote. This absurd universe we live in.
      • The NSA perfoms illegal wiretaps and then the government consults the public over web cookies? What next, rapists asking their victims if they'd object to being given a hicky?

        Go, go "team freedom"!

        What the AC wrote. This absurd universe we live in.

        It gives the public (electorate) the impression that there is transparency and freedom to choose. I am grateful for every piece of illusion that makes reality more bearable. It sure beats the frontal lobotomies [npr.org] that were popular in the 1940s and 50s to treat moodiness and hyperactivity in children.

    • Re: (Score:2, Interesting)

      by hedwards (940851)
      There's a significant distinction to be made there. First off, these agencies aren't the NSA and secondly it is currently perfectly legal to use cookies. The two aren't really connect at all.

      There is a significant amount of justified mistrust in the government right now, but the thing is that if they were up to something nefarious, I'd assume they'd use a method that was much less easily dodged by people
      • "it is currently perfectly legal to use cookies"

        That's the exact issue. It's currently NOT legal for the government to collect information on someone without a valid reason. Two good examples are the Watergate fiasco and recent illegal wiretapping. This is about trying to define cookies as a valid operational requirement, and set the appropriate boundaries for the collection of any information.

  • I think we can trust the government not to misuse the data, right? It's not like it doesn't know everything about you anyway. I'm sure its "privacy policies" are every bit as honorable as Google's, or Microsoft's.

  • Privacy (Score:3, Funny)

    by nurb432 (527695) on Saturday July 25, 2009 @01:48PM (#28820039) Homepage Journal

    Cookies are evil in the first place. Tho they do taste good.

    • by oldhack (1037484)
      Don't hate. All things have a tasty side and a dark side. Sometimes they are the same side.
  • Why even use cookies? I can't really think of any good idea for a standard, public government website to use cookies. I mean, theres not any preferences, logging in, etc. by members of the general public. If they are employees of the government, well they already sold their soul...
    • by dlsmith (993896)

      I mean, theres not any preferences, logging in, etc. by members of the general public

      Three federal government programs that do/should provide a Web interface to authenticated users:

      • Student loans
      • Income taxes
      • Social security

      These are off the top of my head. I'm not trying very hard.

  • ...about cookies and the dark side, but it escapes me.
  • Suggestions (Score:2, Interesting)

    by asdfndsagse (1528701)

    1. Tracking MUST be in aggregate. Any categories of users SHOULD come only from self descriptions fcrom the user. (ie clicking "i run a small business")
    a
    2. Preferences MUST be stored client-side in cookies, not server-side. Sites MAY use hashing to prevent tampering where appropriate. Preferences SHOULD be stored as plain text so that they can be read and perhaps changed directly by the user.

    3. Users SHOULD NOT have unique ids tagged to them, and MUST not have unique id's tagged to them over more than one s

  • Honestly, think about it for a second.

    Besides the fact that you ultimately have full control over accepting cookies anyway, this is the government we're talking about. They have the power to get into every aspect of your life far deeper than any other organization ever could. Are you honestly worried about what are 99.99% ilkely to be completely harmless cookies?

    • Besides the fact that you ultimately have full control over accepting cookies anyway

      Yeah, right. Granny knows about cookies, privacy, and how to disable one to protect the other, while she's out there reading e-mail from the kids, checking up on the latest on Martha Stewart's site, and going to the political discussion that her smart, college-educated son directed her to on the .gov site. Sure she can just pop in and selectively disable cookies as required.

      NOT!

  • by OverZealous.com (721745) on Saturday July 25, 2009 @02:15PM (#28820213) Homepage

    This is my general policy:

    1. Don't ever store a cookie by default on websites that don't have a login.
    2. Don't ever, ever, ever store cookies on a different domain than the one in the address bar.
    3. If you want to store something in a cookie, make it opt-in (as mentioned above).
    4. If you want to store something in a cookie, but I block it, make sure the website still works correctly.
    5. If you "need" to store a cookie, but I block it, make it obvious what has happened, and on what domain. Make sure I can see that domain in the address bar, and decide whether to unlock it.
    6. Be aware that forcing a cookie on me has about a 75% guarantee that I'll leave and never return.

    If you are incapable of developing to these standards, say, because you don't understand how session cookies should work, then please find another line of work.

    Cookies are bad for the health of your website, news site, or blog. Cookies are good for the health of your web application.

    • If you want to store something in a cookie, but I block it, make sure the website still works correctly.

      That is clearly The Most Important Cookie Commandment of all!

      I'd give you Insightful+1 if I had mod points today.

    • by Phroggy (441)

      Cookies are bad for the health of your website, news site, or blog.

      Are you retarded? Slashdot would suck ass without cookies.

    • by dkf (304284)

      Don't ever store a cookie by default on websites that don't have a login.

      But they're an excellent way to tell apart humans from bots, which is important for performance reasons since they've got completely different browsing profiles. You'd think that using the browser version string from the HTTP request header would work, but it doesn't. Some bots are stealthed. However, a session cookie is fine for these purposes; if you're distinguishing between session cookies and expiring cookies, then you need to make that clearer; both are still cookies.

      Don't ever, ever, ever store cookies on a different domain than the one in the address bar.

      Does that even work at all? Should

  • I find it funny that this story's been tagged "gluten free"... My wife has celiac so I tend to think of gluten as something I have to deal with and other people aren't too aware of. :)

  • They say public input, but what is to stop any lobby group with deep enough pockets and a large enough network from organising its own flash mob, to sway the government one way or the other.

    This seems to be a common feature of modern life. We are told that policy is driven by the will of the people, but how can we be sure of that? How do you tell the difference between thousands of genuinely aggrieved people, and thousands being paid to be aggrieved? How do you tell the difference between consent, and manuf

  • federal agencies would be able to use cookies as long as their use is lawful,

    The feds promising to only do lawful things? What a novel concept! I wonder how they will adapt?

  • Don't share them (Score:3, Insightful)

    by legirons (809082) on Saturday July 25, 2009 @02:56PM (#28820537)

    Is there anything more to say than Don't share them between sites?

    If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses. But it's when you start including invisible images from a 3rd party site that shares the stats between multiple domains, that most people think crosses the line into creepy surveillance.

    Login cookies = fine. Telling one site that you visited another site = not ok.

    (or to phrase that another way: don't exploit loopholes in the security system)

    • If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses.

      While I agree that there a significant benefit in using login cookies, they are not remotely âoenecessaryâ. Java-based servers have had a fantastic technique using a little-known part of the URI shceme [wikipedia.org] where every segment can have parameters. It looks like this:

      http://www.example.com/app;sessionid=ABC123DEF456/<whatever>

      This allows cookie-like storage in a way that isn't able to be tracked across multiple domains.

      • by legirons (809082)

        If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses.

        While I agree that there a significant benefit in using login cookies, they are not remotely âoenecessaryâ. Java-based servers have had a fantastic technique using a little-known part of the URI shceme [wikipedia.org] where every segment can have parameters. It looks like this:

        This allows cookie-like storage in a way that isn't able to be tracked across multiple domains.

        great, so every time someone follows a link from your site (or you include an external image) their session key is transmitted via the referer header...

  • by Anonymous Coward

    The feds are not really interested in realistic input from the public. If they were, they would not require that commenters 'log in'. The cookies are being sought in order to deny the public the option of logging in...or not, simply by placing persistent 'tracking cookies' and other types of malwaaare. I checked their website cited above in the submission and you will find that indeed it does require 'logging in'. As such, only the converted choir will comment, and all these comments will be 'filtered for c

  • Most people don't know the difference between a browser and the Internet. If you ask them if they want cookies, they will say yes. Then the website admin will have to deal with fun support calls: "You promised me cookies on your website, but I did not get any! Where are my damn cookies?"
  • by Anonymous Coward

    When I examine my cookies, the first thing I do is look for anything that has an expiration date more than 5 years in the future.
    Those cookies are immediately deleted and blocked permanently.

    There is no reason but sloth to set a cookie with such a huge number for the time to live.

    I hope the government policy sets reasonable times for their cookie policy.

    IE, a session cookie should not outlive the session.

  • How about NO!
  • A cookie is acceptable if one of the following is true:
    1. The user has directly requested it, such as by clicking a "remember these display settings" button.
    2. The user has been warned in advance, and EXPLICITLY OPTED IN to it. Explicit means the warning was in plain, easy to read text, in a single paragraph if possible - not buried on page 7 of a EULA or shoved in a privacy policy that's linked in tiny text and no one ever reads.
    3. The cookie is a session cookie, and once the user has closed his browser, i

  • Cookie Paranoia (Score:5, Insightful)

    by QuoteMstr (55051) <dan.colascione@gmail.com> on Saturday July 25, 2009 @03:57PM (#28821033)

    You know, it's fucking ridiculous that people harp about cookies, which are entirely under the user's control, but ignore the CSS browser-history hack [ckers.org] that allows any site to probe whether you've visited another completely unrelated site.

    Wake up people! If you want security, worry about the issues that are actually dangerous, not the ones that just sound the scariest.

  • "Iâ(TM)m the root of all thatâ(TM)s evil, yeah, but you can call me cookie"
  • Have a clearly accessible page that displays the cookies you're sending, and explains what each cookie they've set is for, what data it ties to you, and most importantly have a button right there on the page to delete it.

    Yeah I know most browsers have built in stuff for this already; some don't and most average users would never think to look there anyway.

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Working...