<body>

Saturday, December 31, 2005

NSA Web Site Places 'Cookies' on Computers

During my morning rounds, I discovered this "shock and awe" story by the Associated Press. It opens with "The National Security Agency's Internet site has been placing files on visitors' computers that can track their Web surfing activity despite strict federal rules banning most of them." While accurate, it touches a nerve that is raw because of recent catchphrase reporting by the NYT.

More specifically, the term that will most likely be "heard" and repeated by the masses is "The NSA has been placing files on visitors' computers." Well, doesn't that sound much more ominous?

NSA Web Site Places 'Cookies' on Computers
Dec 29, 7:24 AM (ET)
By ANICK JESDANUN

NEW YORK (AP) - The National Security Agency's Internet site has been placing files on visitors' computers that can track their Web surfing activity despite strict federal rules banning most of them.

These files, known as "cookies," disappeared after a privacy activist complained and The Associated Press made inquiries this week, and agency officials acknowledged Wednesday they had made a mistake. Nonetheless, the issue raises questions about privacy at a spy agency already on the defensive amid reports of a secretive eavesdropping program in the United States.

"Considering the surveillance power the NSA has, cookies are not exactly a major concern," said Ari Schwartz, associate director at the Center for Democracy and Technology, a privacy advocacy group in Washington, D.C. "But it does show a general lack of understanding about privacy rules when they are not even following the government's very basic rules for Web privacy."

http://apnews.myway.com/.../D8EPTAU80.html

For me, this story raises a few issues:

1) Almost every single website places files on visitors' computers. The NSA is not special.

2) The media is typically irresponsible in their presentation of fact or even their purpose for selecting a story/headline.

3) People who are responsible for publishing information online, especially Federal Government Agencies, need to put procedures in place that ensure 1) compliance with federal mandates and 2) effective and accurate communications.

But first: What the heck is a Cookie? It's a small text file that is sent from the website to your temporary internet file folder (cache) that helps the website remember information about you. That sounds terrible, but a cookie cannot hold any information that you don't offer it other than basic information like IP address, pages visited, type of browser and so forth. A cookie can hold things like passwords you enter AT THAT SITE ONLY, as well as any selected preferences. You can turn off cookies in your software; however, this will likely affect your ability to browse many websites. In short, the small text files are typically harmless.

If you are concerned about these little files called cookies, I recommend that you read your help files in your browser of choice on the topic of security, privacy and cookies.

1) Almost every single website places files on visitors' computers. The NSA is not special. Even this website sets cookies to help you in your browsing experience. They are quite typical, and mostly harmless to the general user. The wording of the article, especially the opening line, is "scary" and I think on purpose. Which leads to point #2.

2) The media is typically irresponsible in their presentation of fact or even their purpose for selecting a story/headline. It's my opinion that topics, headlines and even the wording chosen in reports are slanted in one way or another to accomplish an editorial opinion. It's truly sad because a fair and balanced reporting of the news is not very exciting, but would serve the American public the best. The fact the NSA broke "strict" guidelines is news; the way it is presented in this article borders on the fringe of irresponsibility because it feeds the fears and perpetuates the agenda to bash Bush.

3) People who are responsible for publishing information online, especially Federal Government Agencies, need to put procedures in place that ensure 1) compliance with federal mandates and 2) effective and accurate communications. Now we're getting somewhere. I've seen so many sites that do not comply with government guidance and in my opinion, a new method of accountability is required. Having published government websites, I know how overcomplicated it can be and even with those checks and balances, there are still issues from identification of key personnel, to exposing critical (though not classified) information that should not be published.

Government websites are required by US law to be accessible to people with disabilities; it's Section 508 of the Rehabilitation Act (http://www.section508.gov/index.cfm?FuseAction=Content&ID=3). Military websites have more stringent requirements to prevent the publishing of sensitive/classified information. Unfortunately, the skills and talents to publish in compliance with section 508 are commonly not shared by those with the skills and talents to ensure information security (infosec) requirements are met. Typically, the public affairs officer (PAO) has info to publish and it's sent to the webmaster (page master), who in turn edits/formats the information to comply with section 508 as well as other web standards and then publishes it online. If the PAO or the webmaster are not familiar with the infosec requirements (recent changes) then the information is published and received by the general public including enemies of the United States.

I was trained in HTML and the internet by the Air Force in 1995, when I was serving as Superintendent of Public Affairs. Since that time, there have been a number of changes (including section 508). I think the Department of Defense as well as other government agencies mean well in their intent; there just seems to be a problem getting that guidance distributed and implemented. I hate to suggest that more checks and balances need to be in place because it does complicate and slow the timely release of good information, but to prevent "bad press", someone should look at the process and make a decision.

If it were me making the decision, it would be simple. All that is needed is an internal registry of .gov sites and a Public Affairs/Information Security component would monitor the sites for new information. If the sites are built in compliance with 508, valid HTML, a program can crawl the entire registry constantly to look for new or changed information and that would flag a page to be reviewed by the component. If a possible conflict of interest is discovered, the webmaster/publisher would be contacted and suggested changes made. It really is that simple. Requiring publishing points to jump through more hoops, or trying to educate the tens of thousands of publishing points in new requirements is not the answer. A customer service oriented internal monitoring of gov sites is all that is needed. Well... in my opinion.
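A sketch of the registry monitor proposed above, as an added example rather than code from this post or from any agency. It fingerprints each page's visible text so that only new or changed content is queued for review, and it also flags cookies that persist beyond the browser session. The URLs and responses are constructed, and treating any cookie with `Expires` or `Max-Age` as worth flagging is an assumption about what the federal rules restrict.

```python
import hashlib
import re
from http.cookies import SimpleCookie

def content_fingerprint(html):
    """Hash only the visible text, so markup or whitespace edits alone do not trigger review."""
    text = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", text)
    return hashlib.sha256(" ".join(text.split()).lower().encode("utf-8")).hexdigest()

def persistent_cookies(set_cookie_headers):
    """Names of cookies that outlive the browser session (Expires or Max-Age present)."""
    names = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        names += [n for n, m in jar.items() if m["expires"] or m["max-age"]]
    return names

def review_queue(baseline, crawl):
    """Compare one crawl with stored fingerprints; return (url, reason) pairs for a reviewer."""
    flagged = []
    for url, page in sorted(crawl.items()):
        digest = content_fingerprint(page["html"])
        if url not in baseline:
            flagged.append((url, "new page"))
        elif baseline[url] != digest:
            flagged.append((url, "content changed"))
        for name in persistent_cookies(page.get("set_cookie", [])):
            flagged.append((url, "persistent cookie: " + name))
        baseline[url] = digest  # the next crawl compares against this version
    return flagged

# Constructed sample data: hypothetical registry URLs and responses, not real sites.
BASELINE = {"https://agency.example/news": content_fingerprint("<p>Open house on Friday.</p>")}
CRAWL = {
    "https://agency.example/news": {
        "html": "<div>Open house on Friday. Gate 3 badge office hours attached.</div>",
        "set_cookie": ["session=xyz; Path=/; HttpOnly"],
    },
    "https://agency.example/jobs": {
        "html": "<h1>Jobs</h1>",
        "set_cookie": ["visitor=abc123; Expires=Sat, 31-Dec-2035 23:59:59 GMT; Path=/"],
    },
}

if __name__ == "__main__":
    for url, reason in review_queue(dict(BASELINE), CRAWL):
        print(reason.ljust(28), url)
```

A real deployment would feed `crawl` from an HTTP fetcher and persist `baseline` between runs; the flagged pairs are what the Public Affairs/Information Security reviewers would work from.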

For corporate websites the issue is similar. Usually there are many departments putting information on the web and one wrong move can bring a high cost of bad press. The web publishing effort should be overseen by a staff level public affairs / marketing person who would monitor and ensure the company is being represented online as well as in other media (or better). Since I will assume that corporations have already established the common identity, their marketing plan and their communications policy are in place, ensuring that publishing points are in compliance with this guidance can be delegated to a good content editor in the PA/Marketing office. Again, in my opinion.

Politicians, public officers, local governments and those who serve them should all look closely at the information that is being published online on their behalf. The person in charge should look at their online presence closely and ask a few simple questions:

1) Does this resource represent me well? (Is it something I'm proud of?)

2) Is the resource compliant with local and federal requirements? (Find out.)

3) What methods are in place to ensure that all information published is done so...

      a) in my best interest

      b) in the best interest of those I represent

      c) in a manner that is beneficial to me and those I represent (editorially and accuracy)

      d) in a manner that is easily navigated and compliant with web standards

      e) page load speed, image quality, user interfaces and server security issues should be explored as well.

 

When I read the article the first time, I was disgusted with the presentation of the facts, but the fact remains that there is an issue that needs to be addressed as well as a lesson for the corporate, public service and small business person. The lesson is, take care in your online presence.
