NSA inadvertently uses banned data-tracking ``cookies'' at Web site

http://www.miami.com/mld/mercurynews/business/technology/13502038.htm?source=rss&channel=mercurynews_technology

NEW YORK (AP) - The National Security Agency's Internet site has been placing files on visitors' computers that can track their Web surfing activity despite strict federal rules banning most of them.

These files, known as ``cookies,'' disappeared after a privacy activist complained and The Associated Press made inquiries this week, and agency officials acknowledged Wednesday they had made a mistake.

Nonetheless, the issue raises questions about privacy at a spy agency already on the defensive amid reports of a secretive eavesdropping program in the United States.

``Considering the surveillance power the NSA has, cookies are not exactly a major concern,'' said Ari Schwartz, associate director at the Center for Democracy and Technology, a privacy advocacy group in Washington, D.C. ``But it does show a general lack of understanding about privacy rules when they are not even following the government's very basic rules for Web privacy.''

Until Tuesday, the NSA site created two cookie files that do not expire until 2035 -- likely beyond the life of any computer in use today.

After dropping some serious acid.

It's their job, nothing technical at NSA happens by chance or mistake.

Then there's the executive order saying that a FOIA request means you can be tracked without limit.

I see the witch walking up to Snow White with a chocolate chip macadamia nut bar in her hand saying, "Want a cookie?"

You know what I laughed at "privacy activist". Who would think you would need to be an championing the cause for privacy in the USA.

doesn't seem like a "mistake" to me.

ColdFusion sets this cookie automatically to 2035. You have to change settings if you want it to expire earlier.

The default is that the cookie expires when the user closes the browser. 'Never' (aka 30 years from now) needs to be specifically programmed.

Delete your cookies and clear out your browser cache on a regular basis.

Is a simple delete all of your internet cookies or temp files be a solution? Or do these cookies embed themselves and continue to track your activity unknown to the user?

I use Norton System Works 2005, which now includes both "Norton Clean Sweep" and "Norton Cleanup" which takes care of most of them.

Another good program is AdSubtract, which will block most of them and let's you select any you want to allow or keep. <http://www.intermute.com/products/adsubtract.html>

no browser supports hidden unremovable cookies. If Internet Explorer (for example) did support some sort of unremovable cookie I think we would very likely have heard about it by now. Website developers couldn't use it if they didn't know about it, so it couldn't be kept very secret.

Certainly the cookies mentioned in this article aren't secret in any way, otherwise the "privacy activist" wouldn't have noticed them. From the description they sound like standard browser cookies, which can be deleted.

I believe that IE, Firefox, and Opera all have the capability to delete cookies, cache, and history from within the browser.

:eyes:

Been learning much about the Appalachian Trail lately? I'll try to mix it up a little bit more, I'm sure that it gets awfully boring reading about my preplanning of my future endevours to thru-hike that A.T.

With that said, enjoy the signature line...

"mistakes" is now the newspeak for crimes

THAT DON'T EXPIRE' til 2015!!!

And TWO kerry.senate.gov cookies that expire til 2035!

This is the dumbest article ever. Cookies are good.

"In a 2003 memo, the White House's Office of Management and Budget prohibits federal agencies from using persistent cookies -- those that aren't automatically deleted right away -- unless there is a ``compelling need.''"

Tracking visitors use of a website is a "compelling need".

I see the rule as ridiculous ... one can do the same tracking using the server log files.

Were it not for the Internet, you'd have to request the same info via snail-mail.

Cookies are good.

No, some cookies are good.

I have no problem with any website owner tracking my use of their site any way they wish.

Asking to do it completely anonymously is like asking for a magazine subscription without telling them your address.

Do they really truly believe what they say? Good grief!

Sorry about the fact that we got CAUGHT, maybe we shall investi...naw....haha...

So I can track and destroy them since they are illegal. Of course I want a screen shot of their existence on my hard drive for future use so I can add our site to the lawsuit or whatever..

Gee, I somehow created a line of 1's and 0's that somehow controls YOUR computer. My bad.

NASA? Seems chimpy can't get it right, maybe the rest of the government has gotten it wrong too! :)

there's nothing that you can store in a cookie on the user's computer that you can't store on an nsa computer instead, ....

With Chimpy at the helm, we'll soon be run like Planet of the Apes.

Interestig little use of a word there, eh? Oops, I was spying! Didn't mean to! Yeah, right.

I concur with Ari Schartz... "Cookies are not exactly a major concern."

I think they are just digging for more and more NSA stories and that's a good thing. At DU we can understand that it's harmless but most people won't and maybe it's enough to tip them. Just a thought. If I were working in the media I would be hunting down ANYTHING to do with the wiretap-NSA-Spy-Bush story. The more articles like this, the merrier I say.

:rofl:

Unless we're talking about blowjobs. Then that only applies to Democrats.

:sarcasm:

As others have stated it requires a specific entry to set an expiration date for a cookie.


FORMAT:
Set-Cookie: name=value; expires=date; path=pathname; domain=domain name; secure

Each cookie has six definable attributes: a name, a value, an expiration date, the domain for which the cookie can be read, the path in which the cookie can be read, and a Boolean security setting.

Name: The name of the cookie.

Value: The value associated with the cookie.

**EXPIRES: The date that, when reached, invalidates the cookie. The date must be given in the following format: Wdy, DD-Mon-YYYY HH:MM:SS GMT. If an expiration date is NOT specifically defined, the cookies will EXPIRE AT THE END OF THE SESSION (when the browser is closed) by DEFAULT. If the cookie's expiration date is set to the current date/time or any date/time already passed, the cookie will be immediately expired and deleted.

Path: The path attribute defines a subset of directories in a domain for which the cookie is valid. The path will default to the root directory ("/") unless otherwise defined.

Domain: The domain for which the cookie is valid. A domain string of ".aol.com" would define "http://aol.com," "webmaster.info.aol.com," and in fact all sub-domains of aol.com as valid domains for the cookie. Be aware that a domain setting must have at least two periods. A cookie can only be read and modified by an object in the valid domain and path defined in the cookie when it was created. The domain path can not be set to send cookies to a domain outside of the domain where the server creating the cookie resides. The domain attribute is set to the domain of the document sending the cookie by default.

Secure: The secure attribute is Boolean. If the attribute is defined, there must be a secure https connection present in order for the cookie to be sent. If the attribute is not defined, the cookie will not require a secure connection to be sent.


Interesting tidbit: When I visited the NSA's official website, my browser warned me that I was "about to enter a site that is not secure." Ain't that the truth.
:)

"inadvertantly" instead of cookies? I mean really. What a crock that they didn't mean to track people.

Even if the unlikely scenario that this was inadvertent turns out to be true, "Ignorance of the law is no excuse."