A Web site operated by the Central Intelligence Agency is marking visitors with a unique identification tag or "cookie" that violates federal privacy guidelines and the agency's own privacy policy, according to Public Information Research, a non-profit group.
The CIA's Electronic Reading Room site, which provides online access to previously released CIA documents, places a "persistent" cookie on visitors' computers when they visit the site.
Designed to remain on the visitor's computer until December 2010, the cookie contains the user's Internet protocol address as well as a unique identification number, Newsbytes has confirmed.
A spokesperson for the CIA said the agency was still analyzing the report and had no immediate comment.
In a June 2000 memorandum to all government agencies, the director of the White House Office of Management and Budget advised operators of government sites and their contractors that "the presumption should be that 'cookies' will not be used at Federal web sites."
"The keywords you put in for searching on FOIA documents can reveal a lot about you. The CIA can use these cookies to reconstruct who is interested in what. Even if you browse from several different ISPs, they can use your cookie's unique ID to tie all your searches together," said Daniel Brandt, founder of Public Information Research (PIR), who first discovered the use of persistent cookies at the site.
According to the privacy policy at the CIA's Electronic Reading Room, the site does not use persistent cookies and instead only uses temporary "session cookies" that expire when the user closes his browser.
A review of some federal sites today by Newsbytes revealed that several are placing session cookies on visitors' computers. Such sites include the FirstGov.gov portal, the FBI's jobs site, as well as the main sites operated by the Small Business Administration, the Department of Education and the Selective Service.
The privacy policy at the main CIA Web site, located at https://www.cia.gov, states that the CIA Web site "does not use the 'cookies' that some Web sites use to gather and store information about your visits to their sites."
Brandt said it is likely that the CIA Electronic Reading Room site was created by a contractor using a standard Web hosting package that included a Web traffic analysis program, and that the CIA may not even be aware of it.