Thursday, December 29, 2005

The Cookie Monsters

If you haven't seen it yet, here's the Associated Press story in the New York Times about the cookies in the NSA web site.
The National Security Agency's Internet site has been placing files on visitors' computers that can track their Web surfing activity despite strict federal rules banning most files of that type.

The files, known as cookies, disappeared after a privacy activist complained and The Associated Press made inquiries this week. Agency officials acknowledged yesterday that they had made a mistake.

Nonetheless, the issue raised questions about privacy at the agency, which is on the defensive over reports of an eavesdropping program.

"Considering the surveillance power the N.S.A. has, cookies are not exactly a major concern," said Ari Schwartz, associate director at the Center for Democracy and Technology, a privacy advocacy group in Washington. "But it does show a general lack of understanding about privacy rules when they are not even following the government's very basic rules for Web privacy."

Until Tuesday, the N.S.A. site created two cookie files that do not expire until 2035.

Don Weber, an agency spokesman, said in a statement yesterday that the use of the so-called persistent cookies resulted from a recent software upgrade.

This begs a pair of questions. If NSA is being careless about features in their software, how careless are they being in all the other aspects of their operations? Moreover, what does it say about government oversight when it takes a privacy advocacy group to catch a secret government agency breaking the law?

But there may be an even more important question. Who's making up the rules?
In a 2003 memorandum, the Office of Management and Budget at the White House prohibited federal agencies from using persistent cookies - those that are not automatically deleted right away - unless there is a "compelling need."

A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy.

Are rules for use of persistent cookies by federal agencies really being made by the executive branch's Office of Management and Budget? And what senior official has to sign off for their use? Whatever GS-12 happens to be around?


  1. I'm amazed you think this incident was "accidental". The only accident in the entire permanent cookie event was that it has been disclosed.

    Consider: The NSA uploads what is reportedly vendor software without taking it apart line by line to examine it?

    Surely you're not that naive.

  2. As lurch says, and this from an insider, there are no accidents at the NSA especially with respect to software and how the technology they are using works and is implemented.
    Note also that in my years with the NSA I never saw anyone concerned very much with "rules" such as the no persistent cookie prohibition. The attitude in these rarefied groups is that they are above rules or rather that rules are for the peons. The working hypothesis was that everything we are doing is Top Secret and therefore nobody will know if we follow the rules or not.

  3. Guys,

    Thanks for pitching in on this issue. I too strongly believe that the only accident was getting caught, and have seen too much of the "rules are for peons" in other branches of government.

    As always, power is not to be trusted.

  4. Anonymous 10:24 AM

    Can anyone explain to me what exactly is wrong here (except for a minor breach of OMB recommendations)?

    Cookies are harmless. You can't "track ... Web surfing activity" except for explicit visits to the NSA website.

    I'm all for reining in the NSA, but let's focus on the real threats (eg Carnivore or Magic Lantern), not cookies.

  5. What's wrong?

    1) These things are being regulated by the White House budget office.

    2) Agencies like NSA don't even follow the rules of their own branch of government.

  6. I think the cookies themselves are a relatively minor issue, but they seem to me to be symptomatic of larger problems with attitudes and practices at the NSA.

  7. I think we agree on this. A low fever is a minor symptom, but it can be a symptom of a life threatening disease.

  8. It is embarrassing that the NSA can't even get their own privacy policy right -- but I don't really care.

    For one, this probably really is just a technical goof, because any geek could have detected in a second that this had happened.

    For another, there isn't *that* much you can do with a cookie.

    But when Americans are having their phones illegally tapped, when hundreds of millions of dollars are being profiteered from the taxpayers' pockets, when men are being tortured anonymously in secret prison cells all over the world, we should of course publicize small errors like this but quickly get back to the matter at hand: the impeachment and consequent criminal trials of Bush and Cheney.

  9. Tom,

    Yeah. But it makes me wonder what's happening at the big spy in the sky headquarters when I browse the Al Jazeera site to see what's being said there.

    Do I get marked as a terrorist sympathizer?

  10. Tom:

    I wouldn't hold my breath for either of those things (impeachment and criminal trials), especially if the GOP retains the House in '06.

  11. And just to show you can't count on the American voters to remove the Republicans - Gallup poll came out: in spite of everything (NSA spying scandal etc.), Bush's approval rating is back up to 53%, AND he was polled as the most admired man in the country (with Hillary Clinton being the most admired woman).

  12. Someone better. People wonder why I vote third party. I have absolutely no faith in the Democrats or Republicans, and little to no faith in the people who keep electing them to public office.

    Oh well.

  13. Jeff:

    As a complete aside, we talk about media bias from time to time. I'm one of those who thinks Fox is biased, and who also thinks CNN is biased in the other direction (i.e. they are more or less counterparts of one another).

    So I came across this CNN article today:

    Now ask yourself why, on the same day you've got a Gallup poll released showing Bush being the most "admired" man (or some such nonsense) and showing his approval rating climbing and most recently at 53%, you've got CNN running a story about a poll anywhere from 11 to 13 days old showing bad numbers for him?

    That's about as clear a case as I can remember of a news outlet ignoring a story that doesn't have the political spin they want and instead reporting a negative one. Wouldn't you agree?

  14. Jeff:

    I made a mistake in my previous posts - approval is at 46%, disapproval at 53%, not vice versa. Hats off to Capitola for correcting me.

  15. In any case, what's actually happened to change the polling numbers?

    And yeah, Cap will keep you honest on that kind of stuff.

  16. Gallup is supposed to be related to the Bush family in some fashion. I have never put too much stock in their veracity. What they are reluctant to say too loudly is that the approval rating was on Bush as a "guy" not as a Commander In Chief. Personal approval rating, not performance. This then means that these are some of his lowest numbers yet to date. Not the Happy Chocolate news it was initially touted as on some news sites.

  17. I don't put much stock in conspiracy theories (i.e. Gallup is in bed with the bushes, etc.).


    I don't know. The numbers are climbing. Why? The Iraqi elections are one factor, I think, but I would expect that to be short lived. Oddly enough, out here in red-state land there are people who are more favorably disposed toward Bush AFTER the facts came out about NSA spying. I think it makes them feel like he's doing something to protect them. Bizarre, that.

  18. Does the NSA provide free milk with its complimentary cookies?

  19. Scott,

    I'd be surprised if the numbers weren't climbing. After that all out media campaign, I'm surprised they're not better. As to conspiracy theories, there's nothing I'd discount with this crowd.


    Uh, Kool Aid, maybe.

  20. Jeff:

    Gallup posts their actual questions. They're fairly transparent as far as polling institutions go.

    I suppose you're right about the media campaign, but what you're basically saying is that a good portion of the populace can be hoodwinked with clever (or not so clever) media events. That doesn't surprise me at all, but I do find it disheartening.

  21. Anonymous 3:03 PM

    Who would be the most admired man? As bad as Bush is, there are still about 35% of the people in America who love him no matter what he does. Who would be more admired that the other 65% of the people in the country can all agree on one person to admire? Some might choose Bono, others might choose Warren Buffett, still others Bill Gates. Him being the most admired person only shows that the 35% who support him are completely and utterly monolithic in their views.

  22. PghMike 6:42 AM

    I have to agree that this is a trivial issue. I doubt the NSA puts much effort into the administration of an unclassified web site.

    You're welcome to piss into the wind if you want, but it makes you look like a fool who's unable to distinguish between a trivial invasion of privacy that occurs when you visit nearly any web site, and a constitutional crisis provoked when the President of the United States puts himself above the law and assumes unlimited and unreviewed security powers.

  23. Anonymous,

    I think monolithic is a good term for it: massive, slow to change.


    Pissing in the wind is what we used to refer to as a German Shower (I'm German, fill in your own ethnicity).

    The cookie caper is indeed just a minor sidebar in a much larger issue, which I think you aptly identify as a constitutional crisis. If you look around this site for long, you'll find that's been the major subject covered here in the past month or so.

  24. Uh, guys.

    Gallup says that Bush's disapproval number is 53%. His approval number is 43%, which is about where it's been since Katrina. Life is hard enough without you granting Bush an extra 10 points.

  25. Imagine where Bush would be without his obedient followers distorting facts for him.