From the “Oh, please” files: Evil NSA strikes again

Published 12/29/05

Mercy me! The National Security Agency (NSA), which has — rightfully, IMO — come under fire lately for doing a variety of things that violate US citizens’ privacy, is now under the gun again.

Now I’m no fan of what the NSA has been doing. But this latest story is much ado about nothing. The NSA, you see, like 20-bazillion other sites (including this one), puts cookies on visitors’ computers.

Read the lede of the AP story:

The National Security Agency’s internet site has been placing files on visitors’ computers that can track their web-surfing activity despite strict federal rules banning most of them.

This is pretty much false. Certainly the implication — that these cookies allow the NSA to track where you go on the Web — is wrong.

Cookies cannot let a site track where you go on other sites. If the NSA (or Kantor.com) puts a cookie on your machine, all it can do is identify you to that site. I wrote about this in my column some time ago. Here are the relevant excerpts:

A cookie is a small piece of information a Web site puts on your computer. It’s just a string of characters that identifies you to the site, something like an account number. There’s no personal information in it; it’s just an identifier.

Next time you go to the site, it can read the cookie it left there last time — and no site can read a cookie left by another site. (Although there’s an important exception to this.)

That’s all cookies do. Sites leave bits of information about you on your own computer, then retrieve the information they left when you return.

Cookies don’t track you and they don’t send information about you anywhere.

For example, Amazon.com left a cookie on my machine with the whopping content “102-0467935-2649722.” All that does is keep track of me as I browse the store — it lets me add books to my shopping cart. Without it, I couldn’t have a cart because the site would “lose” me as I went from page to page.

Note: The cookie the NSA left on my machine today was “8030ad0e9041$3F$C9$0.”

Sites use cookies to remember who you are so you don’t have to keep logging in. They use them to make sure you don’t see the same ads over and over. They use them to remember what you like to see. They use them to keep track of the number of unique visitors.

[...]

I said before that no site can read a cookie from another site. But many sites use separate companies to deliver ads — companies such as DoubleClick. So even though you’re at xyz.com, the ad you see is coming from doubleclick.net.

If you then go to another site that serves DoubleClick ads, the DoubleClick folks know that because, in a sense, you’ve gone to two DoubleClick sites.

In the NSA’s case, it’s possible that it shares its cookies with other government agencies, so if you surfed from the NSA’s site to, say, the FBI’s, it would recognize that you had been to the other place. But if you leave the NSA and go to, say, Amazon or CNN or Kantor.com, the NSA doesn’t know that. Even if you go back to the NSA site it doesn’t know where you’ve been.
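The scoping rule and the ad-network exception described above, as an added example that is not part of the original column: a small simulation of a browser cookie jar keyed by host. The host names are constructed placeholders, and the model assumes each embedded request carries the embedding page's host as its referer.

```javascript
// Constructed simulation of browser cookie scoping; all hosts are illustrative.
class Browser {
  constructor() {
    this.jar = new Map(); // host -> cookie value, one entry per host
  }
  // Request `server`; the browser attaches only the cookie that host set earlier.
  request(server, referer) {
    const sent = this.jar.get(server.host) ?? null;
    const setCookie = server.handle({ cookie: sent, referer });
    if (setCookie) this.jar.set(server.host, setCookie);
    return sent;
  }
  // Visit a page, then load each third-party resource embedded in it.
  visit(site) {
    const sent = this.request(site, null);
    for (const embedded of site.embeds) this.request(embedded, site.host);
    return sent;
  }
}

class Server {
  constructor(host, embeds = []) {
    this.host = host;
    this.embeds = embeds;
    this.log = [];   // everything this server observed: {id, referer}
    this.nextId = 1;
  }
  handle({ cookie, referer }) {
    const id = cookie ?? `${this.host}-visitor-${this.nextId++}`;
    this.log.push({ id, referer });
    return cookie ? null : id; // set a cookie only on first contact
  }
}

function simulate() {
  const ads = new Server("ads.example");        // stands in for an ad network
  const agency = new Server("agency.example");  // embeds no third parties
  const news = new Server("news.example", [ads]);
  const shop = new Server("shop.example", [ads]);
  const browser = new Browser();
  for (const site of [agency, news, shop, agency]) browser.visit(site);
  return { agencyLog: agency.log, adsLog: ads.log, jar: browser.jar };
}

const { agencyLog, adsLog } = simulate();
console.log("agency saw:", agencyLog);   // same visitor twice, nothing about other sites
console.log("ad network saw:", adsLog);  // same visitor on news.example and shop.example
```

The agency's log shows only that the same visitor came back, while the embedded ad host sees one identifier arrive from two different pages.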

I’m a huge advocate of privacy, and I’m disgusted that our government has allowed its agencies to spy on American citizens. I hope there’s a serious reckoning. But this NSA cookie business is absolutely meaningless.


The Fray


braine says:

I agree that it’s not intrusive, but it is still illegal. And you’d think they could be a little more careful, unless their lawyers are all busy. To quote from some of the rest of the AP article:

In a 2003 memo, the White House’s Office of Management and Budget prohibits federal agencies from using persistent cookies — those that aren’t automatically deleted right away — unless there is a “compelling need.”

A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy.

Peter Swire, a Clinton administration official who had drafted an earlier version of the cookie guidelines, said clear notice is a must, and “vague assertions of national security, such as exist in the NSA policy, are not sufficient.”

Daniel Brandt, a privacy activist who discovered the NSA cookies, said mistakes happen, “but in any case, it’s illegal. The (guideline) doesn’t say anything about doing it accidentally.”

December 29th, 2005 at 10:15 AM

Andrew says:

Absolutely right, and I should have mentioned that — even if the reasoning behind the law is questionable, the fact is it’s the law and the NSA broke it.

But lines like “But privacy advocates complain that cookies can also track web surfing, even if no personal information is actually collected” only spread misinformation. Cookies can’t track Web surfing!

December 29th, 2005 at 10:35 AM

Eh... not so much says:

Great and very sane explanation. Thanks!

December 29th, 2005 at 10:51 AM
