Feds Seek Input On Cookie Policy For Government Web Sites
suraj.sun sends along this quote from Information Week:
"The government wants to use cookies to offer more personalized web sites to citizens and better analytics to Webmasters. ... The federal government has drafted changes to its outdated restrictions on HTTP cookies, and wants the public's input. Under the plan, detailed in a blog post by federal CIO Vivek Kundra and... Michael Fitzpatrick, federal agencies would be able to use cookies as long as their use is lawful, citizens can opt out of being tracked, notice of the use of cookies is posted on the Web site, and Web sites don't limit access to information for those who opt out. ... The Office of Management and Budget is considering three separate tiers of cookie usage that will likely have different restrictions for each, based on privacy risks. The first tier of sites would use single-session technologies, the second multi-session technologies for use in analytics only, and the third for multi-session cookies that are used to remember data or settings 'beyond what is needed for web analytics.'"
For variety of reasons. :-)
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Just don't use cookies. Or at the very least, allow people to opt *in* rather than out.
What a concept, right?
This is a sig. Deal with it.
I know I'll be modded down for this, but if government was stocked more with intelligent engineers and scientists instead of lawyers we would never have these issues.
Content-transfer-encoding: chocolate-chunked
The World Wide Web is dying. Soon, we shall have only the Internet.
If government wants my opinion on cookies, I know someone who will deal with them in a kind / compassionate way.
http://en.wikipedia.org/wiki/Cookie_Monster
Take Nobody's Word For It.
And require all access to every financial detail of your life, and people worry about web cookie opt-ins?
Seems fucking silly, but I guess the sheep would accept a cookie opt-in from one dept while 6 other depts are fully engaged up your ass.
The NSA performs illegal wiretaps and then the government consults the public over web cookies? What next, rapists asking their victims if they'd object to being given a hickey?
Go, go "team freedom"!
I think we can trust the government not to misuse the data, right? It's not like it doesn't know everything about you anyway. I'm sure its "privacy policies" are every bit as honorable as Google's, or Microsoft's.
For justice, we must go to Don Corleone
Cookies are evil in the first place. Tho they do taste good.
---- Booth was a patriot ----
Why even use cookies? I can't really think of any good idea for a standard, public government website to use cookies. I mean, there's not any preferences, logging in, etc. by members of the general public. If they are employees of the government, well they already sold their soul...
Taxation is legalized theft, no more, no less.
...about cookies and the dark side, but it escapes me.
[ irc.p2p-network.net -> #zomgwtfbbq ][ http://zomgwtfbbq.info ]
1. Tracking MUST be in aggregate. Any categories of users SHOULD come only from self descriptions from the user. (i.e. clicking "i run a small business")
2. Preferences MUST be stored client-side in cookies, not server-side. Sites MAY use hashing to prevent tampering where appropriate. Preferences SHOULD be stored as plain text so that they can be read and perhaps changed directly by the user.
3. Users SHOULD NOT have unique IDs tagged to them, and MUST NOT have unique IDs tagged to them over more than one session without an opt-in.
4. Analytics of users/preferences and locations/IP addresses MUST be done in a way as to minimize the ability to specifically track people who do not opt-in and are unaware of tracking.
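Added example (not part of the comment above and not any agency's code): one way to keep preferences as readable text in a cookie with a tamper check, as item 2 proposes. It uses a keyed HMAC rather than a bare hash, because a bare hash can be recomputed by whoever edits the value; the key, the `payload|tag` layout and the function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key (assumption); a real site loads its key from secret storage.
SERVER_KEY = b"constructed-demo-key"


def _tag(payload: str) -> bytes:
    """Hex HMAC-SHA256 of the plaintext payload."""
    mac = hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest().encode("ascii")


def encode_prefs(prefs: dict) -> str:
    """Readable key=value text, then '|' and the tag. No user ID is stored."""
    payload = urlencode(sorted(prefs.items()))
    return payload + "|" + _tag(payload).decode("ascii")


def decode_prefs(cookie_value: str):
    """Return the preferences, or None when the value fails verification."""
    payload, sep, tag = cookie_value.rpartition("|")
    if not sep:
        return None  # no tag present
    # Constant-time comparison, done on bytes so a non-ASCII tag is simply unequal.
    if not hmac.compare_digest(tag.encode("utf-8"), _tag(payload)):
        return None
    return dict(parse_qsl(payload, keep_blank_values=True))


if __name__ == "__main__":
    cookie = encode_prefs({"lang": "en", "font": "large"})  # constructed sample
    print(cookie)
    print(decode_prefs(cookie))
    print(decode_prefs(cookie.replace("large", "huge")))
```

A value the user edits by hand fails verification and falls back to defaults, so the tag belongs only on preferences where tampering matters.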
Honestly, think about it for a second.
Besides the fact that you ultimately have full control over accepting cookies anyway, this is the government we're talking about. They have the power to get into every aspect of your life far deeper than any other organization ever could. Are you honestly worried about what are 99.99% likely to be completely harmless cookies?
This is my general policy:
If you are incapable of developing to these standards, say, because you don't understand how session cookies should work, then please find another line of work.
Cookies are bad for the health of your website, news site, or blog. Cookies are good for the health of your web application.
I find it funny that this story's been tagged "gluten free"... My wife has celiac so I tend to think of gluten as something I have to deal with and other people aren't too aware of. :)
Bow-ties are cool.
They say public input, but what is to stop any lobby group with deep enough pockets and a large enough network from organising its own flash mob, to sway the government one way or the other.
This seems to be a common feature of modern life. We are told that policy is driven by the will of the people, but how can we be sure of that? How do you tell the difference between thousands of genuinely aggrieved people, and thousands being paid to be aggrieved? How do you tell the difference between consent, and manufactured consent?
It's our own fault really. We support a system where the people we elect to make decisions dare not sign a single paper, for fear it may cause outrage or scandal. Or at least, manufactured outrage or scandal. How convenient for producers.
May the Maths Be with you!
federal agencies would be able to use cookies as long as their use is lawful,
The feds promising to only do lawful things? What a novel concept! I wonder how they will adapt?
I work for the Department of Redundancy Department.
Cookies are as much of a privacy concern as walking down the street.
If the government wants to track you they are going to go directly to the source and track you via a data center. Trying to track someone with cookies is about the least effective way to go about it. If you're worried about cookies you might as well sit in your mom's basement with a tinfoil hat.
Cookies are however used to improve government websites, by allowing users to login and save settings. It also allows the content owners to understand effective UI, how users navigate the website, what keeps users coming back for more and other key information. By not letting government websites utilize these simple tools, you're pretty much ensuring you'll have a worse experience when you visit a government website.
It's idiotic.
Here's a review of the issue from last year that isn't just about silly fear mongering:
http://blog.webanalyticsdemystified.com/weblog/2008/11/an-open-letter-to-president-elect-obama.html
Simply create one cookie for all the government websites by rot13ing the SSN for use as a serial number. Bonus points for assigning the SSN cookie with getting the SSN from the user. Create Central Database to hold all variables associated with SSN on all government websites. This is so simple even a two year old could implement but don't worry somebody will make the profit after the ??????
Is there anything more to say than Don't share them between sites?
If you login then of course you need a cookie. And using them for stats within one site is not much different to using IP addresses. But it's when you start including invisible images from a 3rd party site that shares the stats between multiple domains, that most people think crosses the line into creepy surveillance.
Login cookies = fine. Telling one site that you visited another site = not ok.
(or to phrase that another way: don't exploit loopholes in the security system)
The feds are not really interested in realistic input from the public. If they were, they would not require that commenters 'log in'. The cookies are being sought in order to deny the public the option of logging in...or not, simply by placing persistent 'tracking cookies' and other types of malware. I checked their website cited above in the submission and you will find that indeed it does require 'logging in'. As such, only the converted choir will comment, and all these comments will be 'filtered for content' before being displayed. Such 'filtering' will be such that only sycophantic comments will be given prominent display. Comments opposing the cookies will only be displayed if they are ignorantly worded, ungrammatically constructed, and otherwise show the writers in a bad light. In this way the site can be manipulated as such that other propagandists can claim 'popular support' for internal spying. That the whole website has a flavor of Joseph Goebbels's old 'debates' when Hitler was an agitator in Great Depression Germany is lost on a younger generation that not only has no memory of National Socialism, but also has no education of it either. Modern history courses in high schools leave that out and only teach history after world war two, concentrating on multiculturalism while ignoring the culture that built the nation and the schools in it that now teach only fluff, a whole other subject worthy of its own debates.
These cookies are easily removed now, so it seems silly that the guv would take great pains to foist them on you unless they know something that we do not. Is there something new and horrible in Windows 7? Something that will give us even LESS control of our machines that we paid for with our money and get less and less use, choice, and especially control of?
Most people don't know the difference between a browser and the Internet. If you ask them if they want cookies, they will say yes. Then the website admin will have to deal with fun support calls: "You promised me cookies on your website, but I did not get any! Where are my damn cookies?"
When I examine my cookies, the first thing I do is look for anything that has an expiration date more than 5 years in the future.
Those cookies are immediately deleted and blocked permanently.
There is no reason but sloth to set a cookie with such a huge number for the time to live.
I hope the government policy sets reasonable times for their cookie policy.
IE, a session cookie should not outlive the session.
How about NO!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Yeah, right. Granny knows about cookies, privacy, and how to disable one to protect the other, while she's out there reading e-mail from the kids, checking up on the latest on Martha Stewart's site, and going to the political discussion that her smart, college-educated son directed her to on the .gov site. Sure she can just pop in and selectively disable cookies as required.
NOT!
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
"it is currently perfectly legal to use cookies"
That's the exact issue. It's currently NOT legal for the government to collect information on someone without a valid reason. Two good examples are the Watergate fiasco and recent illegal wiretapping. This is about trying to define cookies as a valid operational requirement, and set the appropriate boundaries for the collection of any information.
That is clearly The Most Important Cookie Commandment of all!
I'd give you Insightful+1 if I had mod points today.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
A cookie is acceptable if one of the following is true:
1. The user has directly requested it, such as by clicking a "remember these display settings" button.
2. The user has been warned in advance, and EXPLICITLY OPTED IN to it. Explicit means the warning was in plain, easy to read text, in a single paragraph if possible - not buried on page 7 of a EULA or shoved in a privacy policy that's linked in tiny text and no one ever reads.
3. The cookie is a session cookie, and once the user has closed his browser, it will not be possible to link any data gathered with that cookie to that user. (Aggregate data is of course, fine.)
If you're setting a cookie that doesn't meet one of those 3 conditions, then you're violating your users' privacy. Period.
You know, it's fucking ridiculous that people harp about cookies, which are entirely under the user's control, but ignore the CSS browser-history hack that allows any site to probe whether you've visited another completely unrelated site.
Wake up people! If you want security, worry about the issues that are actually dangerous, not the ones that just sound the scariest.
"I'm the root of all that's evil, yeah, but you can call me cookie"
#!/bin/bash
#fuckallya-iceweasel-purger
# Stop Firefox before touching its profile
if pidof firefox-bin > /dev/null ; then
    pkill -9 'firefox'
    sleep 3
fi
cd
# Remove the browser profile and the Adobe Flash data directories
rm -vdr .mozilla
if [ -d /home/bubo/.adobe ]; then
    rm -vdr /home/bubo/.adobe
fi
if [ -d /home/bubo/.macromedia ]; then
    rm -vdr .macromedia
fi
# Restore the saved profile copy and compact its SQLite databases
mkdir -v /home/bubo/.mozilla
cp -at /home/bubo/.mozilla /home/bubo/uaria/saveme/MOZ/mozilla/*
find /home/bubo/.mozilla -name '*.sqlite' -exec sqlite3 '{}' 'VACUUM;' \;
echo done
In most GOV computers you can't delete cookies, delete history or install any software to eat the cookies. The computers are locked down. You're stuck with Windows XP and Internet Explorer. You can't even install Firefox.
So the cookie thing "is" interesting for internal reasons. They may want to track employees more, not the public.
Have a clearly accessible page that displays the cookies you're sending, and explains what each cookie they've set is for, what data it ties to you, and most importantly have a button right there on the page to delete it.
Yeah I know most browsers have built in stuff for this already; some don't and most average users would never think to look there anyway.