The CIA's Cookie Jar

Via NY Transfer News * All the News That Doesn't Fit

[A letter from pir.org's Daniel Brandt to the CIA about their Internet cookies. See the complete page, including some very interesting info about the CIA's internet presence, at http://www.pir.org/ciascan.html]

March 15, 2002

Mr. David E. Wheelock
davidw@ucia.gov

Dear Mr. Wheelock:

I presume that you know who is responsible for the CIA's website at http://www.foia.ucia.gov. I tried to contact the Olympus Group, the purported designers of this page, but they don't seem to exist these days. The server for this page is apparently outsourced to Digex, Inc.

I am writing about the cookie issued by this site. I realize that someone may have added the cookie plug-in at the server, and that you have nothing to do with this cookie. If that's the case, I'd appreciate the name and contact information of someone else who is responsible.

As you no doubt are aware, in June 2000, the Office of Management and Budget (OMB) issued guidance that addresses the use of cookies on federal Web sites. This guidance established a presumption that persistent cookies would not be used on federal Web sites. Further, it provided that persistent cookies could be used only when agencies (1) provide clear and conspicuous notice of their use, (2) have a compelling need to gather the data on-site, (3) have appropriate and publicly disclosed privacy safeguards for handling information derived from cookies, and (4) have personal approval by the head of the agency.

When visiting this site today, I received the following cookie:

    www.foia.ucia.gov FALSE / FALSE 1293753656 EGSOFT_ID 12.34.567.89-1019205920.29477230

The "1293753656" is an expiration date of December 31, 2010. The 12.34.567.89, which I have edited for my own privacy (I am posting a copy of this email on my website), was my Internet IP number. The "1012597920.29477980" is apparently a unique ID number, since it changes with each new cookie issued.
I have also made some changes in this number, otherwise someone would be able to look up my IP number.

The EGSOFT_ID presumably identifies this cookie as part of a web log analysis program. However, there is no guarantee that this is in fact the purpose of the cookie, as this ID could be easily forged by anyone with access to the server.

Even assuming that the EGSOFT_ID is authentic, the use of a persistent cookie for log analysis and statistical reporting does not qualify as a "compelling need" as outlined in the OMB policy (point 2 above). Moreover, the privacy notice on the site makes no mention of this persistent cookie (points 1 and 3). And, I presume, you are unable to show that the Director of Central Intelligence has authorized your use of persistent cookies on this site (point 4).

Regards,
Daniel Brandt
PIR President
http://www.pir.org/

=================================================================
NY Transfer News Collective * A Service of Blythe Systems
Since 1985 - Information for the Rest of Us
339 Lafayette St., New York, NY 10012
http://www.blythe.org e-mail: nyt@blythe.org
=================================================================
nytmed-03.16.02-13:54:51-14172
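
Added example, not part of Mr. Brandt's letter or the NY Transfer posting: a Python audit of the cookie line quoted in the letter, read as a Netscape cookies.txt record, that decodes the expiry, decides whether the cookie is persistent, and looks for an address-like token in its value. The field names, the `audit` helper and the midnight-UTC visit time are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Cookie line as quoted in the letter (Netscape cookies.txt field order);
# whitespace-separated here because the tabs did not survive on the page.
COOKIE_LINE = ("www.foia.ucia.gov FALSE / FALSE 1293753656 EGSOFT_ID "
               "12.34.567.89-1019205920.29477230")
# Date of the visit, taken from the letter's dateline (time of day assumed).
SEEN = datetime(2002, 3, 15, tzinfo=timezone.utc)

FIELDS = ("domain", "subdomains", "path", "secure", "expires", "name", "value")
# Lenient dotted quad: the letter's redacted address has an out-of-range octet.
DOTTED_QUAD = re.compile(r"(?<!\d)\d{1,3}(?:\.\d{1,3}){3}(?!\d)")


def parse_cookie_line(line):
    """Split one cookies.txt record into its seven named fields."""
    parts = line.split("\t") if "\t" in line else line.split(None, 6)
    if len(parts) != 7:
        raise ValueError("expected 7 fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, (p.strip() for p in parts)))
    rec["subdomains"] = rec["subdomains"] == "TRUE"
    rec["secure"] = rec["secure"] == "TRUE"
    rec["expires"] = int(rec["expires"])
    return rec


def audit(rec, seen):
    """Report persistence, lifetime and address-like tokens in the value."""
    # An expiry of 0 in this format marks a session cookie.
    expires = (datetime.fromtimestamp(rec["expires"], tz=timezone.utc)
               if rec["expires"] else None)
    persistent = expires is not None and expires > seen
    return {
        "name": rec["name"],
        "persistent": persistent,
        "expires_utc": expires.date().isoformat() if expires else None,
        "lifetime_days": (expires - seen).days if persistent else 0,
        "address_like": DOTTED_QUAD.findall(rec["value"]),
    }


if __name__ == "__main__":
    for key, val in audit(parse_cookie_line(COOKIE_LINE), SEEN).items():
        print("%-14s %s" % (key, val))
```
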