Friday, December 30, 2005

mmm... NSA Cookies...

For once! A news article about the NSA placing cookies on your browser that is free of communist propaganda!!!

Roanoke Times writer Andrew Kantor wrote this article for today’s edition of his paper. It is available here.

Cookies don't threaten privacy, experts explain

The National Security Agency can't track your Internet use with them, several experts said.

By Andrew Kantor 981-3384The Roanoke Times

The National Security Agency is using “cookies” on its Web site. It's a story that's circulating through the news and on blogs after a news item from The Associated Press ran in The Roanoke Times and other newspapers.

Despite initial concerns -- and recent revelations about other NSA activity within the United States -- cookies do not present a privacy issue.

Cookies are small text files, usually only a dozen or two characters, that a Web site can place in a special folder on your computer.

They identify you to the site, something like a visitor's badge. There's no personal information in them; an NSA cookie looks like “8030ad0e9041$3F$C9$0.”

And most importantly, one site cannot read a cookie left by another site -- cookies can't be used to track your travels on the Web. They can only tell a site that you've been there before, not where else you've been.

Still, said the AP story yesterday, “Privacy advocates complain that cookies can also track Web surfing, even if no personal information is actually collected.” It could have given readers the impression that the NSA could track anyone who visited its site, following their every movement across the Web.

But can cookies be used that way? Can the NSA -- or any organization -- use them to track your Internet travels?

The short answer is: No. As one computer expert put it, “It's much ado about little.”

“Except for some advertising companies, sites can't use cookies to track where you go outside their sites,” said Marty Martin, owner of CroakingToad, a Roanoke Web-hosting company. “So the NSA knows where you go on its site, but once you leave, you disappear.”

An important exception that Martin noted: Advertising networks such as DoubleClick have ads on many sites. Those ads can leave cookies that can be read by other sites in the DoubleClick network. The NSA site does not have advertising.

Some cookies only last as long as you're visiting the site. Called “session cookies,” they're useful for online stores that have shopping carts -- they make sure your cart follows you as you view different pages. They can also be used to remember information you filled out in a form so you don't have to re-enter it.

Other sites use “persistent cookies” that remain on your computer even after you leave a site.

The Roanoke Times' Web site,, uses persistent cookies so registered users don't have to enter their user names and passwords every time they return to the site.

In the case of the NSA, the site was setting persistent cookies instead of session cookies, which is against federal government policy.

Those cookies were used simply to remember whether a visitor wanted to view the NSA's home page as a standard Web page (HTML), or with animation (Flash), according to NSA spokesman Don Weber.

It's a practice used by thousands of Web sites. As Weber put it, “The use of cookies for session management, specifically ease of navigation, is an industry standard.”
The NSA uses software from San Jose, Calif.-based Adobe called ColdFusion to deliver its public Web pages.

When it upgraded to a new version, the agency's staff did not set the cookies' behavior properly, Weber said, but has since fixed the error.

The cookies still serve the same function -- remembering visitors' preferences -- but now they are erased when users shut their Web browsers.

Angela Gunn, editor of ComputerWorld's security Web site, and who made the “much ado about little” comment, said that even if the NSA used persistent cookies there's no privacy concern.

“Online privacy is important. But it's also important to know that even the most persistent cookies can't deliver that much information -- they're not a wiretap, they're not able to maintain a log of what you type in,” she said.

Still, the organization was deciding whether or not to remove the cookies entirely because of the ruckus.

Although Gunn said that “there's no excuse for the NSA's sloppy Web construction,” she didn't see the need for the agency to stop using cookies.

“People are panicking over something that's low-tech and low-yield in terms of what it can actually find out,” she said. “The public thinks cookies are a problem and, because it's the NSA, inflates the problem into a crisis. It's not.”

Or, as Martin put it, “There are much better ways for the NSA to spy on you. They're not going to use cookies.”

No comments: