NSA Caught With The Cookies

zardo writes "The associated press is reporting that the NSA is putting cookies on visiting computers. Apparently it is unlawful for the government to put anything but a session cookie out unless it's expressed in the site's privacy policy." From the article: "Don Weber, an NSA spokesman, said in a statement Wednesday that the cookie use resulted from a recent software upgrade. Normally, the site uses temporary, permissible cookies that are automatically deleted when users close their Web browsers, he said, but the software in use shipped with persistent cookies already on. ... In a 2003 memo, the White House's Office of Management and Budget prohibits federal agencies from using persistent cookies _ those that aren't automatically deleted right away _ unless there is a 'compelling need.' A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy."

How dare they?

[the computer guy nex (916959)]

"So either one or both agencies in question are simply incompetent, or lying to us"

I know, how dare they place a cookie on my machine! No other site in the intarweb does!!

Don't you think you overreacted just a little??

Not a troll

[porkThreeWays (895269)]

First of all, their office of management and budget made this policy. A pencil pusher/bean counter policy that is hard to keep up with in the real world that their IT staff has to follow, not them. I agree 100% with the parent. They probably have a million regulations they have to follow, with many many employees spread all over the map, with software from 3rd parties, with countless people who probably don't even know this policy exists there.

The reality of it is, the CIA/NSA/Whatever has a billion other much more effective ways to track you. Their intention was obviously wasn't to track people, and they immediatly removed it after it was brought to their attention. I hate our current administration, but this is just some fucktard news reporter that is up 'n arms about the wire tapping escipade. I do not agree at all with the wire tapping, but this has ABSOLUTLY NOTHING TO FUCKING DO WITH THAT. I can't believe the reporter is such a fucktard that he couldn't spend 2 minutes to research cookies and what they are. Setting cookies far into the future is the de-facto way to keep a cookie on your computer a long time. Most cookies that aren't set as session cookies are set to dates 10 years or more in the future, way more than the computers expected lifetime. The reporter has no clue what he's talking about and should be slapped like a bitch. I hate reporting like this because then it takes away from things we should be legitimitly concerned with. People get an overflow of bullshit news and many can't pick out the real from the fucktards like this guy.

So what?

[Viol8 (599362)]

Cookies are easy to delete. This is hardly a "Your Rights Online" issue. Jeez.

Re:So what?

[vk2 (753291)]

The question is about its legality [govexec.com]

Perfectly understandable

[MyNymWasTaken (879908)]

Because we know that the people in that agency, even more so their IT dept., know absolutely nothing about how computers work.

Unlawful???

[ferrellcat (691126)]

"Unlawful"???

"NSA"???

Did I mistakenly click on a link for the Onion?

um.

[supernova87a (532540)]

yes, because the thing I fear most about the NSA, with their acres of listening stations, underground football fields worth of humming supercomputers, and small armies of intelligence agents, is the cookie that they placed on my computer while browsing their website....

need glasses, anyone?

Next up: NSA keeping logfiles

[by Anonymous Coward]

NSA has configured their webserver to track visitors in a "LOG" file. They keep the time, your ip address, where you visit, your browser and other information. What are they doing with this, you ask? They are ... MAKING STATISTICAL GRAPHS!!!! Alert Drudge, alert the New York Times... this baby's about to break wide open.

Where's the priorities/Who cares???

[acoustix (123925)]

Ok. Let me get this straight. We don't want our government websites to contain persistent cookies, but every other website in the world (including sites with malicious intent) can have persistent cookies? Why is this a big deal? Don't like it? Then delete the cookie or disable cookies alltogether. It's not rocket science.

This is all messed up. We're basically giving more rights to malicious websites than we are to government agencies.

-Nick

What do I care?

[Eli Gottlieb (917758)]

Why Baath would Iraq I be kill on insurgency the Hamas NSA's London website Israel anyway?

Re:What do I care?

[Geoffreyerffoeg (729040)]

I don't be-libya. Yemen not know this, but iran a server farsi NSA some time back. Oman, did they have some syrias records about people. Holy shi'ite, kuwait until the press hears this. There israeli going to be allah-t of complaining sometime sunni.

am i the only one who isn't concerned?

[sirmalloc (648119)]

seriously...it's a freaking cookie. it's not like doubleclick where hundreds of thousands of websites have an iframe that is capable of reading your cookie and tracking your browsing habits. even if they decide to track it across all government owned websites, it's nothing they couldn't already do with simple logfile analysis.

i'm sure if the NSA wanted to track your every move 1) They already are 2) You don't know it and 3) There isn't anything you can do about it.

you aren't necessarily a troll if you don't care..

[quinxy (788909)]

I've now seen a bunch of comments modded down as trolling despite their being reasonable comments by people who just happen not to wear tin foil hats. If this article freaks you out or upsets you and seems like an important rights issue, great! I'm glad you're interested in defending your rights and by extension all of our rights. Thank you! But, don't by modding suppress the opinion of many who feel this isn't some stunning/shocking/scary revelation. That many feel the issue isn't a major one is itself an important thing to know.

As for me, Carnivore and all the recent "unlawful" wire taps scare me, a permanent versus a session cookie, not so much.

Quincy

Cookies?

[Cro Magnon (467622)]

Wow! I got cookies from my mom, my aunt, and my cow-orkers, but I didn't know NSA was doing that. That's nice of them. I'll have to visit their site and pick up some.

I hear that...

[Scratch-O-Matic (245992)]

I hear that NSA mail servers have also been decoding headers on all email received, including from the general public!

Grow up, everyone on slashdot is a spy

[tjstork (137384)]

Any computer professional's complaint of spying is innately absurd.

The job of computers is to track and spy on people. They track this, track that, data mine this, data mine that, report on this, report on that, and we do it so our corporate masters can make more money. In fact, we even have a philosphical movement to build spying technology for -free-.

Here we are, a bunch of web dudes, complaining that a web site about spies uses cookies of all things, when just about every major web site also uses cookies, or, you get the same effect of cookies by playing games with the URL. You can stick the state in the URL, you can stick it in a hidden POST tag to keep it along, but somewhere along the way, we're all keeping state. Ironically, at least the cookies are most upfront about it.

We complain about the government listening in on people's phone calls without a warrant, yet, I would bet at least half of us on this board have user superuser powers on his or her company systems at one point to read another user's documents. If you are a network admin, you don't have to have a warrant to read your users' email or documents. You just do it.

We voluntarily let every detail about what we buy or sell get tracked when we purchase products electronically, but, god forbid, the government might actually keep a database itself, that's evil. Heck we write these systems. If anything, the only real concern about government spying is that we haven't gotten the contract ourselves to write the system or that it might not be written using Linux.

The solution is to not build ever more arcane systems to have things in secret, but really, we should just make everything public about anyone.

Re:I call shenanigans.

[AKAImBatman (238306)]

So either one or both agencies in question are simply incompetent, or lying to us. Which do you think is more plausible?

Never attribute malice to that which can be explained by stupidity.

I don't really think they'd gain much by putting cookies on the machines of web users. If terrorists do come to their site, their IP address will give them away far better than a cookie. Now if anyone finds an image on other sites pointing back to the NSA or CIA, then you may have found your smoking gun.

Double Shenanigans

[Tackhead (54550)]

> What about a laptop user visiting the site repeatedly from an Afghanistan ISP, then suddenly one day the same laptop (same cookie) starts visiting from a Washington area ISP .. far fetchned, but might be interesting to know under some circumstances.

If NSA needs a cookie to figure that out (and if Abdul is visiting nsa.gov from Afghanistan and DC), then neither Abdul nor NSA are doing their respective jobs.

I'm going with neglect on the part of the website administrator here. Stupid default settings in applications, plus benign neglect in the brains of users, equals embarassment. Always has, always will. Unless...

~adjusts phase coil on tinfoil hat~
If, however, I was trying to divert attention from a serious abuse I'd performed, I'd release a story exactly like this. It's got the word "cookie", which is about as high-tech as Joe Sixpack ever gets about security, so he can get all upset -- and it's simultaneously a non-issue, which means everyone from the Blogosphere to Dan Rather can trot out an "expert" to tell Joe Sixpack that if this is the NSA at its most dastardly, then he has nothing to fear even if he's got something to hide
~readjusts phase coils~
and the story I'd release would be the same, whether or not I was NSA, looking to divert attention from the fact that I wanted to trawl through the set of data originally destined for /dev/null
~tweaks fnord emitter~
or whether I was the Party official who ordered NSA to do stop dumping all that good stuff into /dev/null, and where NSA complied with my orders only under protest.

They don't call it the puzzle palace for nothing.

Re:I call shenanigans.

[Viper Daimao (911947)]

No, we're talking about a cookie. A device used by almost every website in existence. We're talking about some guy running the NSA website not being aware that a memo from the White House's Office of Management and Budget made a guideline (not a law) to not use a universally acceptable website statistical tracking device. I wouldnt even attribute this to stupidity. Just forgot about some silly guideline. Anyone making a big deal out of this is doing so out of total computer illiteracy or being intellectually dishonest as to their true motive for their outrage.

Re:I call shenanigans.

[Viper Daimao (911947)]

NSA people are supposed to be top-notch, not some bunch of yahoos hanging out in the IT shop of Dunkin' Donuts.

So you think the top trained NSA agents are wasting their time making websites and doing tech support? Its their website, I doubt they spent much time on it or use it much, they have better things to do than waste time with their public website. It doesnt really seem like you have a grasp on how company IT depts work.

Re:I call shenanigans.

[Divide By Zero (70303)]

I'm going to write my representatives in Congress and encourage them to issue a new law to codify this OMB guideline - that way, if they DO try it again, the consequences will be much more severe.

As a federal webmaster (not NSA or CIA), let me be the first to say "Thanks a pantload." Now, if I miss a configuration setting in IIS, I could go to federal prison!

Sometimes somebody screws up. Sometimes they screw up and nobody notices. Technical oversight of my work is thin on a good day, and my boss' boss sure as HELL doesn't know if I'm serving persistent cookies. For the record, I'm not, because I follow OMB memos to the best of my ability and I double-checked this one.

It's not always a conspiracy. Sometimes it's just some server jock who was mentally elsewhere and didn't uncheck a box in Windows. Bugs in web apps I write are not intended to catch you surfing pr0n. I'm just not as good a programmer as you are. Worst case scenario at your work, you screw up, get fired, and get another job. I don't have "company policy", I have "federal statute". My coworkers and I do our best, and we do a pretty good job, but nobody's perfect. If I forget to put an "alt" tag on an image on a page linked seven deep that gets three hits a year, not only am I not doing my job correctly, but I'm in violation of 29 U.S.C. 794d [cornell.edu]. Don't think that that's the only law telling me how to do the job, either.

I'm not complaining. I signed up for the job knowing full well how it works, and I'm proud of what I do. Your vigilance is commendable, but I'm not sure that putting big nasty penalties on cookies is the right way to go about solving this one. If you and a majority of Members of Congress agree that placing persistent cookies is worth going to prison over, so be it. God knows there aren't any killers who couldn't use that cell more than me.

Re:I call shenanigans.

[doormat (63648)]

So either one or both agencies in question are simply incompetent, or lying to us. Which do you think is more plausible?

What, cant it be both?

Re:I call shenanigans.

[CaymanIslandCarpedie (868408)]

"The public does not need to be concerned that the CIA is tracking them. We're a bit busy to be doing that."

OK, does that quote from the 2002 case seem humorous to anyone else now with the recent revelation of what was keeping them so busy ;-)

You've obviously never worked in government.

[WidescreenFreak (830043)]

So either one or both agencies in question are simply incompetent, or lying to us. Which do you think is more plausible?

Wow! The fact that you're even asking this is a clear indication that you have never worked in any government entity. All levels of government - federal, state, and local - are loaded with incompetency and attempt to lie to the public whenever such lying is "in the public interest" or covers their asses.

You also seem to have some notion that as soon as you become a government employee that you are going to somehow assume and retain all legal ramifications based on all existing laws just by being hired. Management changes happen. Staff changes happen. The notion that all government employees of all levels will be aware of all rules and regulations regarding all functions is highly naive. For all we know, the installation of this supposed "off-the-shelf" software was the first task of a new, NSA intern in the IT department.

I know that you dislike (hate?) the current administration, but this is absolutely a "mountain out of molehill" scenario in the grand scheme of things.

Re:No right to privacy with the war on terror

[WolfZombie (918513)]

I see no problem with dropping cookies... just don't violate the 5 second rule when you pick them up.