NSA Caught With The Cookies

zardo writes "The associated press is reporting that the NSA is putting cookies on visiting computers. Apparently it is unlawful for the government to put anything but a session cookie out unless it's expressed in the site's privacy policy." From the article: "Don Weber, an NSA spokesman, said in a statement Wednesday that the cookie use resulted from a recent software upgrade. Normally, the site uses temporary, permissible cookies that are automatically deleted when users close their Web browsers, he said, but the software in use shipped with persistent cookies already on. ... In a 2003 memo, the White House's Office of Management and Budget prohibits federal agencies from using persistent cookies _ those that aren't automatically deleted right away _ unless there is a 'compelling need.' A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy."

Re:So what?

[vk2]

The question is about its legality

Re:I call shenanigans.

[Divide+By+Zero]

I'm going to write my representatives in Congress and encourage them to issue a new law to codify this OMB guideline - that way, if they DO try it again, the consequences will be much more severe.

As a federal webmaster (not NSA or CIA), let me be the first to say "Thanks a pantload." Now, if I miss a configuration setting in IIS, I could go to federal prison!

Sometimes somebody screws up. Sometimes they screw up and nobody notices. Technical oversight of my work is thin on a good day, and my boss' boss sure as HELL doesn't know if I'm serving persistent cookies. For the record, I'm not, because I follow OMB memos to the best of my ability and I double-checked this one.

It's not always a conspiracy. Sometimes it's just some server jock who was mentally elsewhere and didn't uncheck a box in Windows. Bugs in web apps I write are not intended to catch you surfing pr0n. I'm just not as good a programmer as you are. Worst case scenario at your work, you screw up, get fired, and get another job. I don't have "company policy", I have "federal statute". My coworkers and I do our best, and we do a pretty good job, but nobody's perfect. If I forget to put an "alt" tag on an image on a page linked seven deep that gets three hits a year, not only am I not doing my job correctly, but I'm in violation of 29 U.S.C. 794d. Don't think that that's the only law telling me how to do the job, either.

I'm not complaining. I signed up for the job knowing full well how it works, and I'm proud of what I do. Your vigilance is commendable, but I'm not sure that putting big nasty penalties on cookies is the right way to go about solving this one. If you and a majority of Members of Congress agree that placing persistent cookies is worth going to prison over, so be it. God knows there aren't any killers who couldn't use that cell more than me.