NSA site installed ‘illegal’ cookies:
The National Security Agency’s Internet site has been placing files on visitors’ computers that can track their Web surfing activity despite strict federal rules banning most files of that type.
The files, known as cookies, disappeared after a privacy activist complained and The Associated Press made inquiries this week. Agency officials acknowledged yesterday that they had made a mistake.
Nonetheless, the issue raised questions about privacy at the agency, which is on the defensive over reports of an eavesdropping program.
“Considering the surveillance power the N.S.A. has, cookies are not exactly a major concern,” said Ari Schwartz, associate director at the Center for Democracy and Technology, a privacy advocacy group in Washington. “But it does show a general lack of understanding about privacy rules when they are not even following the government’s very basic rules for Web privacy.”
Until Tuesday, the N.S.A. site created two cookie files that do not expire until 2035.
The question I want answered is “Why are they even installing cookies at all?” Again, I am not going to move to Montana and go off the grid because of this (add to it I have never been to the NSA site), but I do want to know why this was even done in the first place.
*** Update ***
Not sure why some of you think I thought this was a big deal, because I don’t. That is why I had quotes o’ sarcasm around ‘illegal.’ All I wanted to know was why NSA would even bother to install cookies, and this explanation from the comments seems to be the best description of what probably happened:
Their files are all .cfm, which strongly implies that their website was developed using Cold Fusion. Cold Fusion handles session state data by storing a session key in a user cookie. In all likelihood, they didn’t know or didn’t remember to turn off the creation of these session cookies.
Cookies are passed from the browser to the appropriate site when an HTTP request is made. There’s no way that a NSA cookie could give the NSA information it doesn’t already have, unless the NSA was embedding content in other websites. And that would be obvious, because hiding it would make it not work.
If anything, this story serves to discredit those who are bleating about it.
Bob In Pacifica
Absolute control.
TBone
Are you serious? Are you saying that a publicly accessible, government web-site can’t have cookies? Every other site on the internet has cookies, but if NSA has cookies people see conspiracy. At least NSA doesn’t have an annoying pop-up script that you can’t get rid of, directing you to kiddy porn sites. And you don’t have to worry about the webmaster selling your information to a million spam-meisters who are going to send you ads about Viagra.
This is a ridiculous subject. Why even waste the time? My suggestion to the paranoid is to highlight the cookie and press the delete button if you are worried about something.
Ancient Purple
A better question is why the NSA site needs to be placing cookies on people’s computers for any reason.
I am open to suggestions.
Blue Neponset
Read the article, TBone. It isn’t about the dangers of cookies; it is about the fact that the NSA was breaking the rules.
Sojourner
Don’t you Repubs ever get tired of the bullshit that continues to roll out of this administration? Spy, spy, greed, greed, lie, lie.
Enough already.
Tim Worstall
Well, at least the NSA cookies don’t live as long as those of Google.
Gary Sugar
Sure, it’s amusing to read about this while seeing my name displayed in the Amazon ad on this page. :D
Still, that has nothing to do with the point at hand, namely, that under Bush, the executive branch is so often promising one thing and doing the opposite.
Steve S
I guess I don’t understand how a cookie can allow the NSA to track everything you are doing.
I’m technically literate… I just have never understood any of the complaints regarding cookies.
Gold Star for Robot Boy
Me neither. In fact, I think they’re handy. After all, they tell me what city I’m in, then provide a link where I can find hot women here!
But I’ve shared too much…
KCinDC
Is this a joke, John? You minimize some true outrages by the government but get exercised about this ridiculous cookie paranoia? I figured this nonstory was planted to make the NSA opponents look silly.
There’s all sorts of web software that uses cookies by default, and I have no trouble believing the NSA when they say it was an accident — especially since I can’t imagine any nefarious purpose for the cookies anyway.
Zach
Y’all gotta check out Schneier today.
John Cole
What part of this post suggests I am outraged?
Because I am not.
Sojourner
They can keep a record of all the web sites you visit. They can also store your passwords.
TBone
John,
This matter is so petty, it hardly seems worth your effort to print. The real problem is the people on the Left who throw this rubbish out there for their dogs to bite on. Another BS story, filled with half-truths. Another example of fear mongering by the Left, and the attempt to smite the “Chimpy BusHitler” administration.
Sojourner
Another insightful post from the technically illiterate.
Ancient Purple
Well, TB, since you are so certain it is “BS” and “filled with half-truths,” please be so kind as to provide links, citations and the like showing the NYT story is wrong.
srv
Think the only websites the NSA “owns” have .gov at the end of them? If telecom companies were opening their switching networks to them, who’s to say webhosting companies aren’t just as patriotic?
If you wanted to datamine, the first place you’d start is google.
KCinDC
Sojourner, speaking of technical literacy, could you explain how a cookie obtained from visiting the NSA website would allow them to “keep a record of all the web sites you visit” or “store your passwords” (other than perhaps a password that you give to the NSA website in the first place)? Do you know what cookies are and do? How many people visit the NSA website anyway? If there were NSA web bugs on other websites, then that would be something to worry about.
John, the fact that you bothered to post about it at all, and used italics, indicates an inappropriately high level of outrage, as far as I’m concerned.
crg
Their files are all .cfm, which strongly implies that their website was developed using Cold Fusion. Cold Fusion handles session state data by storing a session key in a user cookie. In all likelihood, they didn’t know or didn’t remember to turn off the creation of these session cookies.
Cookies are passed from the browser to the appropriate site when an HTTP request is made. There’s no way that a NSA cookie could give the NSA information it doesn’t already have, unless the NSA was embedding content in other websites. And that would be obvious, because hiding it would make it not work.
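An added illustration, not part of the original post or any commenter's words: a check a site operator could run over captured `Set-Cookie` response headers to catch cookies that outlive the browser session, which is the condition this thread is arguing about. CFID and CFTOKEN are the names ColdFusion gives its client-identifier cookies; the other names, all values, the dates and the reference time are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, {lower-cased attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def lifetime(attrs, now):
    """Return None for a session cookie, else the time until the cookie expires."""
    if "max-age" in attrs:                      # Max-Age takes precedence (RFC 6265)
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass                                # malformed Max-Age is ignored
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None                         # unparsable Expires is ignored
        if when.tzinfo is None:                 # treat a zone-less date as UTC
            when = when.replace(tzinfo=timezone.utc)
        return when - now
    return None

def persistent_cookies(headers, now):
    """List (name, lifetime) for every cookie that outlives the browser session."""
    found = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        life = lifetime(attrs, now)
        if life is not None and life > timedelta(0):
            found.append((name, life))
    return found

# Constructed sample headers and reference time, not captured from any real site.
NOW = datetime(2005, 12, 28, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "CFID=1234; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/",
    "CFTOKEN=5678; Expires=Mon, 01 Jan 2035 00:00:00 GMT; Path=/",
    "JSESSIONID=abcd; Path=/; HttpOnly",
    "prefs=compact; Max-Age=3600; Path=/",
]

if __name__ == "__main__":
    for name, life in persistent_cookies(SAMPLE_HEADERS, NOW):
        print(f"{name}: persists for {life.days} days")
```

Run against real headers (for example the output of a header capture in a deployment check), an empty result means every cookie the site sets disappears when the browser closes.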
Lis Riba
I guess the White House changed its mind, because according to Bruce Sterling:
Sojourner
Check out the link I posted earlier. It answers your questions.
Sojourner
Crap. My link didn’t post the last time.
http://www.worldprivacyforum.org/cookieoptout.html
Here it is.
Sojourner
Doesn’t it bother you that it’s against the law for them to do this?
demimondian
I’m going to stand up for a competitor here. There’s lots of things to complain about at Google, but that does not seem to include a willingness to be overly compliant with the demands of the US Government. Now, the demands of the PRC, that’s a different matter, but Google appears to have been unwilling to bend to illegal requests from the US.
(Don’t think that MSN or Yahoo behave differently about such things. I have no faith in anybody’s ability to resist “being evil” in this business.)
demimondian
Hmm. Cold Fusion adds session cookies, by default, but it was my understanding that it did not add persistent cookies.
FWIW, if you’re running XP SP2 or Firefox, the browsers won’t accept persistent cookies. The privacy implications are too serious. Also, in both cases, you can block session cookies on sites you don’t trust. (Which, ironically, include Balloon Juice — John, did you know that you have involuntary pop-ups on your site?)
OCSteve
The NYT web site installs a permanent cookie that expires in 2021. Where is the outrage?!
Crg’s technical explanation is spot on. And yes it was most likely an accident related to a software update. If having problems after a software update is illegal then I deserve 10-20.
This really is nothing.
tbrosz
I’m not sure that the OMB sending a memo is the equivalent of prohibitive Congressional legislation. In any case, it looks from the article like this was a simple oversight. There’s blood in the water, and the media are snapping at everything that moves.
Try putting some cookie tracking into your system, and just see what’s going on as you surf the web. Or go to the file where your system stores cookies and see what’s in there, and from where.
OCSteve
I take that back. There is something here. The fact that the AP and the NYT thought this was newsworthy. The entire purpose of the article is this:
It was an opportunity to get that out there one more time.
And someone explain to me how violation of a memorandum from the Office of Management and Budget rises to the category of illegal.
Richard Bottoms
Does the NYT have a fleet of planes that can fly me to Azerbaijan for “interrogation”? I know the people who control the NSA do.
capelza
It is a pain in the keister, but I have my Mac set to tell me whenever a cookie wants on…and usually I decline.
It is kinda dumb that the NSA and the CIA (if I read that right) both didn’t bother to set the correct kind of cookies, the kind that expire after the session. I don’t think, anyway, that it was deliberate, but come on, if these guys are supposed to be the best and the brightest, wouldn’t that have occurred to them before they launched the page?
KCinDC
Sojourner, the article you link to is talking about cookies from “web bugs” in other sites — for example, from advertising.com cookies coming through images on other sites. It’s not relevant to this story unless the NSA is getting other websites to add web bugs to their pages pointing at the NSA servers, which would be obvious and stupid, and which no one has claimed is happening.
Sojourner
It’s not against the law and they’re not the government.
Perry Como
The NY Times needs an editor with a clue. That headline is a joke, cookies are not illegal. In other cookie news, Whitehouse.gov now has cookies too. TIA, bitches.
OCSteve
As I said – explain to me how violation of a memorandum from the Office of Management and Budget rises to the category of illegal.
If your boss sends you a memo saying surfing the web during work is prohibited, then you are nabbed hanging out here at John’s place – have you done something illegal? Of course not. They violated a policy, not a law.
Hardly. They are using a lame design tool (Fireworks MX Dreamweaver). Government sites in general are among the worst I’ve seen. I’ve always wondered why government puts so little money/effort into their sites.
Pooh
I’m gonna have to defer to my usual position of never assuming malice when mere incompetence would suffice on this one. (hereinafter “NAMMIS”)
John Cole
Demimondian - I have popups here - from what?
fwiffo
John – you don’t have popups, Demimondian has spyware/adware on his computer.
In any event, no one’s privacy seems to have been violated by this cookie thing, even if they were there intentionally. You’d have to visit the NSA’s site to get a cookie set, and they’d only be able to track you within their web site.
The only time cookies represent a privacy risk is when they are sent by advertisers (who can track you on any site where their advertisements appear), or if some lazy programmer stores sensitive information in a cookie, like passwords (because cookies are normally not stored in any sort of secure format, and are transmitted to and from the server in the clear unless the connection is https).
Pooh
Ah well, much ado about nothing. At least I got my Zero Wing fix for the day…
(All your base…base…base…)
neil
I honestly can’t believe people are making a big deal out of this. It almost makes me think it’s a red herring put out to dilute the NSA presence in the news cycle. The NSA violating an executive order in the technical manner in which they… track people’s visits to the NSA web site? And on the other hand, we have the NSA violating a congressional law about the privacy of citizens…
If nothing else, it provides a valuable news peg upon which to hang the idea that our intelligence-gathering systems are burdened by frivolous regulatory constraints.
demimondian
Sorry, no. I checked; it is the first and most likely cause. (FWIW, I am one of the few hundred people in the world who can debug a Windows box back into the source…and have (legal) access to the source. So I think I’m pretty sure what’s on my machine.)
demimondian
John — I’ll follow up and send you mail. It means turning script back on for your site, so it may take a couple of days to get a repro.
TBone
Ancient Purple,
Please check out this link (http://powerlineblog.com/archives/012631.php), read it, and then present to me a reasonable and substantiated rebuttal if you doubt that the hubbub surrounding NSA’s activities is not complete BS.
The problem with a lot of the citizenry is our tendency to buy into the soundbites without taking the time to do the research to see if they are correct or not. Please allow your reason and intelligence to drive your mouth, not your emotion. Your ideological masters are counting on your lack of initiative and laziness…is their plan working?
The whole NSA “domestic “spying” story is another attempt by the Lefty spin-machine to discredit the President…nothing more. The law is clearly not being violated (read the link) and the purpose is pure – stop another terrorist incident before it happens. We are fighting a war against a cyber-savvy enemy who uses communications to plan attacks (remember the WTC!!); it only stands to reason that we must try to identify the terrorists, and stop them well prior to another devastating attack.
Are cookies on a website something to be worried about? I say “no”, unless you happen to be trying to hack into their networks. Did you know the Chinese make thousands of such attempts every single day? How would you handle that if you were the security administrator on the NSA network? If you freely stop at NSA’s site, then you freely acknowledge the fact that you are seen by the network security administrator as a potential adversary. If you think you are secure on the internet, no matter where you surf, then you are naive. Having said that, I think the NSA has a lot more to worry about than whether you stop at a porno site after hitting their page. And tell me, who looks at the NSA site anyway? I know I don’t.