Internet Privacy: Federal Agency Use of Cookies (Correspondence,
10/20/2000, GAO/GAO-01-147R).

A cookie is a short string of text, not a program, that is sent from a
web server to a web browser when the browser accesses a web page. GAO
reviewed 65 federal web sites to determine: (1) which of the selected
federal sites were using cookies; (2) the type of cookies used; and (3)
whether the privacy policy disclosed that the site may or does use
cookies.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  GAO-01-147R
     TITLE:  Internet Privacy: Federal Agency Use of Cookies
      DATE:  10/20/2000
   SUBJECT:  Computer security
	     Computer networks
	     Right of privacy

GAO-01-147R

Federal Agency Use of Cookies

United States General Accounting Office
Washington, DC 20548

October 20, 2000

The Honorable Fred Thompson
Chairman, Committee on Governmental Affairs
United States Senate

Subject: Internet Privacy: Federal Agency Use of Cookies

Dear Mr. Chairman:

As requested by your office, we have been reviewing selected federal
agencies' use of cookies on their web sites. A cookie is a short string of
text, not a program, that is sent from a web server to a web browser when
the browser accesses a web page. The use of cookies allows the server to
recognize returning users, track on-line purchases, or maintain and serve
customized web pages. Domain cookies are cookies placed by the visited web
site. However, some web sites also allow the placement of third-party
cookies, which are cookies placed on a visitor's computer by a domain other
than the site being visited. The domain and third-party cookies may be
further grouped into session cookies and persistent cookies. Session cookies
are short-lived, are used only during the browsing session, and expire when
the user quits the browser. Persistent cookies specify expiration dates,
remain stored on the client's computer until the expiration date, and can be
used to track users' browsing behavior by identifying their Internet
addresses whenever they return to a site.
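
The two groupings described above (domain versus third-party, session versus persistent) can be read from the Set-Cookie headers a browser receives during a visit. The following is an added example, not part of the GAO letter or its method; the host names, cookie values, the audit helper and the same-site rule (one host equals or is a subdomain of the other) are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

def _site(host):
    """Lower-case a host name and drop a leading 'www.' label."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def is_third_party(visited_host, setting_host):
    """True when the cookie was set by a domain other than the visited site.
    Assumption: two hosts belong to one site when one equals, or is a
    subdomain of, the other; a production audit would use the Public Suffix List."""
    a, b = _site(visited_host), _site(setting_host)
    return not (a == b or a.endswith("." + b) or b.endswith("." + a))

def classify(visited_host, setting_host, set_cookie_value):
    """Classify every cookie carried in one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    rows = []
    for name, morsel in jar.items():
        # No expiration attribute means the cookie ends with the browser session.
        persistent = bool(morsel["expires"] or morsel["max-age"])
        rows.append({
            "cookie": name,
            "origin": "third-party" if is_third_party(visited_host, setting_host) else "domain",
            "lifetime": "persistent" if persistent else "session",
            "expires": morsel["expires"] or None,
        })
    return rows

def audit(visited_host, policy_discloses_cookies, observations):
    """observations: (setting_host, Set-Cookie value) pairs seen during a visit."""
    findings = []
    for setting_host, value in observations:
        for row in classify(visited_host, setting_host, value):
            row["disclosed"] = policy_discloses_cookies
            findings.append(row)
    return findings

# Constructed sample: one visit to a hypothetical site whose policy is silent on cookies.
SAMPLE = [
    ("www.agency.example", "SESSIONID=abc123; path=/"),
    ("jobs.agency.example", "prefs=large; expires=Wed, 20-Oct-2010 12:00:00 GMT; path=/"),
    ("ads.tracker.example", "uid=42; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/"),
]

if __name__ == "__main__":
    for finding in audit("www.agency.example", False, SAMPLE):
        print(finding)
```
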

The purpose of this letter is to respond to your request for interim
information on federal agency use of cookies as of September and October
2000. Specifically, you asked us to identify agency web sites that used
cookies but did not disclose this use in their privacy policies and to
identify the type of cookie used. In addition, you asked us to identify
agency web sites that use persistent cookies. Enclosure I provides this
information.

We reviewed 65 web sites. This total consisted of (1) the web sites operated
by the 32 high-impact agencies, which handle the majority of the government's
contact with the public; (2) 32 web sites randomly selected from the General
Services Administration's government domain registry data base; and (3) the
Federal Trade Commission's web site. See enclosure II for a list of the
sites we reviewed. We reviewed certain web sites twice. During our August
through September 2000 review, we visited all 65 web sites to determine (1)
which of the selected federal sites were using cookies, (2) the type of
cookies used, and (3) whether the privacy policy disclosed that the site may
or does use cookies. We again reviewed sites that used cookies on October
17, 2000. We conducted our review from August through October 2000 in
accordance with generally accepted government auditing standards.

On October 18, 2000, we requested comments on a draft of this letter from
the Office of Management and Budget. In a letter dated October 19, 2000,
OMB's Deputy
Director for Management said that OMB appreciates the helpful information
provided and plans to contact these agencies to reinforce administration
policy. She also noted that OMB has required agencies to report directly to
OMB in this year's budget requests about the steps they have taken to comply
with administration policy concerning privacy, cookies, and federal web
sites. OMB's letter is reprinted in enclosure III.

As agreed with your office, unless you publicly announce the contents of
this letter earlier, we will not distribute it until 30 days from its date.
At that time, we will send copies of this letter to the Honorable Joseph I.
Lieberman, Ranking Minority Member, Senate Committee on Governmental
Affairs; and the Honorable Dan Burton, Chairman, and the Honorable Henry A.
Waxman, Ranking Minority Member, House Committee on Government Reform. We
are also providing a copy of this letter to the Honorable Jacob J. Lew,
Director, Office of Management and Budget. We will also provide copies to
interested parties upon request.

Please contact me at (202) 512-6240 if you or your staff have any
questions. I can also be reached by e-mail at koontzl@gao.gov. Key
contributors to this report were Scott A. Binder, Mirko J. Dolak, and M.
Yvonne Sanchez.

Sincerely yours,

Linda D. Koontz
Director, Information Management Issues

Enclosures

ENCLOSURE I

COOKIES ON SELECTED FEDERAL WEB SITES

Table 1: Federal Web Sites Giving Domain Cookies Without Disclosure

Columns: Web Site; Web Address; Session Cookie; Persistent Cookie;
Found in Sept. 2000; Found in Oct. 2000

Office of Personnel Management            http://www.opm.gov/demos/index.htm            ï¿½ w w
Office of Personnel Management            http://www.opm.gov                            ï¿½ w
U.S. Trade and Development Agency         http://www.tda.gov/forms/guestbook.cfm        ï¿½ w w
Bureau of Land Management                 http://www.blm.gov                            ï¿½ w
Federal Aviation Administration           http://jobs.faa.gov/forms.asp                 ï¿½ w w
Ames Laboratory                           http://www.ameslab.gov/overview/glance.html   ï¿½ w w
Bureau of Labor Statistics                http://www.bls.gov/search/search.asp          ï¿½ w
Bureau of Labor Statistics                http://www.bls.gov                            ï¿½ w
Health Care Financing Administration      http://www.hcfa.gov/search/                   ï¿½ w w
National Park Service                     http://reservations.nps.gov/                  ï¿½ w w
Central Federal Lands Highway Division    http://www.cflhd.gov                          ï¿½ w w

Table 2: Federal Web Sites Giving Third-party Cookies Without Disclosure

Columns: Web Site; Web Address; Session Cookie; Persistent Cookie;
Found in Sept. 2000; Found in Oct. 2000

U.S. Customs Service                      http://www.customs.gov                        ï¿½ w
Federal Emergency Management Agency       http://www.fema.gov/media/index.htm           ï¿½ w w
U.S. Forest Service                       http://www.fs.fed.us/global/                  ï¿½ w w
U.S. Forest Service                       http://www.fs.fed.us/reinvention/enterprise   ï¿½ w w

Table 3: Federal Web Sites Giving Persistent Domain Cookies With Disclosure

Columns: Web Site; Web Address; Session Cookie; Persistent Cookie;
Found in Sept. 2000; Found in Oct. 2000

U.S. Postal Service                       http://new.usps.com/cgibin/uspsbv/scripts/front.jsp   ï¿½ w w
General Services Administration           http://pub.fss.gsa.gov/fm/current                     ï¿½ w w
Small Business Administration             http://app1.sba.gov/buscard/                          ï¿½ w w
Institute of Museum and Library Services  http://www.imls.gov/utility/contact.htm               ï¿½ w w
                                          when clicking on “About IMLS”

ENCLOSURE II

LIST OF FEDERAL WEB SITES REVIEWED

Agency/Department                                       Web Site Address                        Group

Department of Agriculture

Animal and Plant Health Inspection Service              www.aphis.usda.gov                      High-Impact Agency
Food Safety and Inspection Service                      www.fsis.usda.gov                       High-Impact Agency
Food, Nutrition, and Consumer Service                   www.fns.usda.gov                        High-Impact Agency
National Agricultural Library                           www.nalusda.gov                         Random Sample
National Genetic Resources Program                      www.ars-grin.gov                        Random Sample
USDA Forest Service                                     www.fs.fed.us                           High-Impact Agency

Department of Commerce

FedWorld                                                www.fedworld.gov                        Random Sample
National Weather Service                                www.nws.noaa.gov                        High-Impact Agency
The Official U.S. Time                                  www.time.gov                            Random Sample
U.S. Census Bureau                                      www.census.gov                          High-Impact Agency
U.S. Commercial Service                                 www.usatrade.gov                        High-Impact Agency
U.S. Patent and Trademark Office                        www.uspto.gov                           High-Impact Agency

Department of Defense

ACQWeb                                                  www.acq.osd.mil                         High-Impact Agency

Department of Education

Office of Student Financial Assistance Programs         www.ed.gov/offices/OSFAP                High-Impact Agency

Department of Energy

Albuquerque Operations Office                           www.doeal.gov                           Random Sample
Ames Laboratory                                         www.ameslab.gov                         Random Sample
Fernald Environmental Management Project                www.fernald.gov                         Random Sample
Southeastern Power Administration                       www.sepa.fed.us                         Random Sample

Department of Health and Human Services

Administration for Children and Families                www.acf.dhhs.gov                        High-Impact Agency
Health Care Financing Administration                    www.hcfa.gov                            High-Impact Agency
IGnet                                                   www.ignet.gov                           Random Sample
National Institute of Allergy and Infectious Diseases   www.hsroad.gov                          Random Sample
National Institute on Drug Abuse                        www.drugabuse.gov                       Random Sample
U.S. Food and Drug Administration                       www.fda.gov                             High-Impact Agency

Department of Housing and Urban Development

Code Talk [1]                                           www.codetalk.gov                        Random Sample

Department of the Interior

Bureau of Land Management                               www.blm.gov                             High-Impact Agency
National Park Service                                   www.nps.gov                             High-Impact Agency

Department of Justice

Federal Bureau of Investigation                         www.fbi.gov                             Random Sample
Immigration & Naturalization Service                    www.ins.usdoj.gov                       High-Impact Agency

Department of Labor

Bureau of Labor Statistics                              www.bls.gov                             Random Sample
Occupational Safety & Health Administration             www.osha.gov                            High-Impact Agency

[1] Code Talk is an interagency site that is hosted but not owned by HUD.

Department of State

Bureau of Consular Affairs                              www.travel.state.gov                    High-Impact Agency
International Information Programs                      www.usia.gov                            Random Sample

Department of Transportation

Central Federal Lands Highway Division                  www.cflhd.gov                           Random Sample
Federal Aviation Administration                         www.faa.gov                             High-Impact Agency

Department of the Treasury

Customs Service                                         www.customs.gov                         High-Impact Agency
Financial Management Service                            www.fms.treas.gov                       High-Impact Agency
Internal Revenue Service                                www.irs.ustreas.gov                     High-Impact Agency

Department of Veterans Affairs

Veterans Benefits Administration                        www.vba.va.gov                          High-Impact Agency
Veterans Health Administration                          www.va.gov/About_VA/Orgs/VHA/index.htm  High-Impact Agency

Independent Agencies

African Development Foundation                          www.adf.gov                             Random Sample
Environmental Protection Agency                         www.epa.gov                             High-Impact Agency
Farm Credit Administration                              www.fca.gov                             Random Sample
Farm Credit System Insurance Corporation                www.fcsic.gov                           Random Sample
Federal Communications Commission                       www.fcc.gov                             Random Sample
Federal Emergency Management Agency                     www.fema.gov                            High-Impact Agency
Federal Retirement Thrift Investment Board              www.frtib.gov                           Random Sample
Federal Trade Commission                                www.ftc.gov                             Special Selection
FinanceNet                                              www.financenet.gov                      Random Sample
General Services Administration                         www.gsa.gov                             High-Impact Agency
Institute of Museum and Library Services                www.imls.fed.us                         Random Sample
National Aeronautics and Space Administration           www.nasa.gov                            High-Impact Agency
National Credit Union Administration                    www.ncua.gov                            Random Sample
National Science Foundation CISE                        www.cise.nsf.gov                        Random Sample
Occupational Safety and Health Review Commission        www.oshrc.gov                           Random Sample
Office of the Federal Environmental Executive           www.ofee.gov                            Random Sample
Office of Personnel Management                          www.opm.gov                             High-Impact Agency
Small Business Administration                           www.sba.gov                             High-Impact Agency
Social Security Administration                          www.ssa.gov                             High-Impact Agency
The Access Board                                        www.access-board.gov                    Random Sample
The White House Fellows Program                         www.whitehousefellows.gov               Random Sample
Thrift Savings Plan                                     www.tsp.gov                             Random Sample
U.S. Nuclear Regulatory Commission                      www.nrc.gov                             Random Sample
U.S. Postal Service                                     new.usps.com                            High-Impact Agency
U.S. Trade and Development Agency                       www.tda.gov                             Random Sample

ENCLOSURE III

COMMENTS FROM THE OFFICE OF MANAGEMENT AND BUDGET


(310304)