The National Security Agency's Internet site has been placing files on visitors' computers that can track their Web surfing activity despite strict federal rules banning most files of that type.
The files, known as cookies, disappeared after a privacy activist complained and The Associated Press made inquiries this week. Agency officials acknowledged yesterday that they had made a mistake.
Nonetheless, the issue raised questions about privacy at the agency, which is on the defensive over reports of an eavesdropping program.
"Considering the surveillance power the N.S.A. has, cookies are not exactly a major concern," said Ari Schwartz, associate director at the Center for Democracy and Technology, a privacy advocacy group in Washington. "But it does show a general lack of understanding about privacy rules when they are not even following the government's very basic rules for Web privacy."
Until Tuesday, the N.S.A. site created two cookie files that do not expire until 2035.
Don Weber, an agency spokesman, said in a statement yesterday that the use of the so-called persistent cookies resulted from a recent software upgrade.
This begs a pair of questions. If NSA is being careless about features in their software, how careless are they being in all the other aspects of their operations? Moreover, what does it say about government oversight when it takes a privacy advocacy group to catch a secret government agency breaking the law?
But there may be an even more important question. Who's making up the rules?
In a 2003 memorandum, the Office of Management and Budget at the White House prohibited federal agencies from using persistent cookies - those that are not automatically deleted right away - unless there is a "compelling need."
Are rules for use of persistent cookies by federal agencies really being made by the executive branch's Office of Management and Budget? And what senior official has to sign off for their use? Whatever GS-12 happens to be around?