Feds May Soon Be Allowed To Use Cookies

fast66 writes "The White House may lift its policy barring federal Web sites from tracking users' online behavior. In place since 2000, the cookie policy issued by the Office of Management and Budget was intended to protect citizen privacy but has sparked criticism — even from White House officials — for hampering citizen outreach. On Friday, Bev Godwin, the director of online resources and interagency development at the White House's new media office, blogged on the White House Web site, 'We want to use cookies for good, not evil' — and invited the public to comment on cookies through various online channels, including the Office of Science and Technology Policy blog."

Well...

[Rewind]

The Cookie monster will most certainly be displeased...

Re:For the computer savvy, this isn't even an issu

[bheer]

> such that all the Flash cookies (yes Flash cookies) are also deleted.

Good point. Too few people even know about Flash cookies. There's also a Firefox extension called BetterPrivacy that'll do this, for those that can't be bothered with scripts.

I know that some shadier ad networks also use Java local storage to store tracking info, if your browser has a Java plugin. Solution: disable storing temporary files on your computer using the Java control panel icon.

Honestly, I do all of this, but I wonder how many others would even bother. It's almost like Scott "You have no privacy. Get over it." McNealy was right.

We're donediddily done for

[hugi]

yup, now our privacy is completely gone. I heard ECHELON is mostly based on cookies.

Re:No problem

[Actually,+I+do+RTFA]

If you don't like cookies, block them... What's the problem with that?

I block cookies, javascript and all plugins (with the exception of my whitelist). The problem is that more and more sites annoyingly (and uselessly) require these to work. I'm fine not having a draggable map, but ever since GoogleMaps, every map site has become reliant on Javascript. Half the random sites bitch if I have cookies off. Etc.

Much like the "works best in [Browser X]" these annoying additions are being used in the place of, not as a suppliment to, standard webfare.

Whew, that was a close one

[Hojima]

Thanks for telling me this. You see, I am an inept and computer illiterate terrorist. We all are, since none of us are smart enough to get an education. Hell, I barely managed to read this web page, and all my dumb terrorist buddies simply couldn't. We go to www.I-AM-A-TERRORIST.com all the time, and if I didn't get the heads-up, we would all be in jail now. You guys were smart to allocate resources to this sure-fire way to catch us. Oh well, time to get back to using the internet for evil, not good.

Re:No problem

I posted a response to a comment on the parent griping about flash and javascript--they are a security risk. I'll ignore cookies--that gets a bit...difficult to explain.

But because you don't seem to get it--let's make the javascript answer so simple even a programmer can understand it...

1) go to www.slashdot.org
2) hit view source
3) search for "ad.doubleclick.net"
4) you should see a call to document.write at a dynamic URL slashdot doesn't control
5) understand that a LOT of these go out through resellers--who go through other resellers--and so on...and all you have to do is buy a single script that gets into an ad rotation at a site like CNN or /. to be loading content off of another site--that can edit my DOM and run the driveby exploit du-jour.

Even if the script was safe when they checked it--it might not be safe five hours later when my browser pulls it down from a different IP address or netblock. The javascript isn't the risk--the third party javascript writing to my DOM to open an iframe with a driveby exploit is.

(and FWIW, there are actual javascript vulnerabilities--but I figured I'd stick to the obvious in this post)

As long as people continue to use things this way--they're a security risk.

Re:No problem

[Excelcior]

Cookies should be replaced by a standard for web page preferences, where the web page specifies which options there are and what the possible values are. Then the users can set the preferences they care about in their browser and leave others (like tracking IDs) unset. Logins should never be implemented with cookies.

Not to sound trollish, but seriously, are you a web coder? Strict online security in connection with login-protected content is simply not possible without a cookie*. Cookies are so standard that ASP even places cookies without telling the coder it's doing so (the 'application' variables).
Cookies are a necessary part of the Internet. The only problems with them is that they 1) aren't encoded by default, 2) can be set to expire whenever the coder wants, which can fill directories quickly if you do much browsing, and 3) can be made accessible to websites other than those who issued them.

If web browsers would just encode all cookies by default, then decode them whenever sending them back to a server, that would keep spyware from reading their contents from your computer. Then, if the browsers would store a 'touched date', and automatically delete all cookies over X age (configurable by the user?), many useless cookies would go away automatically. Finally, if cookies were only able to be read/written to by their issuing server, there would be no possibility for exploit (except to track your movements through pages which contain some content served by the issuing server, such as the much beloved doubleclick.net cookies -- which could easily be done-away-with by adding the rule that cookies cannot be accessed by any page displayed within an iframe/object/etc.)
Everyone always seems to believe that cookies are small programs or some such nonsense. Cookies are nothing but tiny databases stored on the user's computer. How much damage can that do?

* If you think you can have strict security by only tracking a user's IP address and/or passing a variable from one page to the next, you are sorely mistaken.

p.s. I know, I know.... ASP is m$ft. Get over it. :-P ;-)