The storm brewed up after a report published last week by web security specialist Richard Smith and the Associated Press, which suggested that the prominent US government web site was buggy and issued cookies to monitor and log visitor activity.

The White House had contracted WebTrends Inc to provide hosted web analytics (called WebTrends OnDemand) to better manage its web site performance. But according to the AP report the White House might have landed itself in hot water over possible illegal web tracking and analysis of Internet traffic at its site.

The fuss centers on the use of cookies, which are small data files placed on computer hard drives by web programs hosted on web sites to track and log the activities of internet users.

Under a 2003 directive issued by the White House’s Office of Management and Budget, the use of advanced internet tracking technologies like cookies is banned at US government web sites.

Cookies can help companies log and store all kinds of personal information and are now extensively used to enhance e-commerce sites. The widespread practice of surreptitious placement of adware cookies has now raised concerns over abuse of online privacy.

David Almacy, the White House’s internet director, denied the report’s claims, saying in a statement that the White House’s web site does not issue cookies to visitors. However he did acknowledge that the web site, with the help of WebTrends’ software, does glean certain types of user information like what pages are being viewed and for how long.

“We don’t track any personal information about the user. No information is gleaned from cookies on a user’s computer on our web site,” he said.

Predictably, WebTrends backed up Almacy’s claims saying that the White House employs aggregated and non-personally identifiable data analysis to drive greater web site performance.

“The analysis performed is typical among organizations seeking to improve the user experience on their web sites,” a statement by the company read.

WebTrends believes its software is in full functional compliance with the strict federal regulations that govern user tracking on government web sites, including those run by the White House which it says has been a customer for several years.

“Federal government organizations have the choice to use no cookies or session cookies [which link an anonymous visitor’s actions together within a single visit]… the Whitehouse.gov web site adheres to these guidelines and does not use either persistent or session cookies.”

It seems the confusion arises from software referred to as a web bug which the White House’s web site uses to anonymously keep track of online activity, like when a specific page is viewed. A web bug is a small graphic image that’s pulled from a server maintained by WebTrends that feeds into WebTrends analyses.

Technically, web bugs are not prohibited on government web sites. But their use is still controversial since they can feasibly be linked to cookies, and therefore be used to reveal if the same person has revisited a web site.

According to an earlier statement by Almacy: “What was happening was that users that visited other WebTrends sites picked up WebTrends cookies from these other sites.”

He said that a packet sniffer program used by Smith during his network analysis had wrongly assumed that the White House’s web site had placed cookies on his hard drive.

WebTrends officials said that cookies are not used in such a way.

They said that browsers are designed to pull preexisting cookies automatically, and that the company has no choice in the matter.

However officials insisted the company doesn’t use the information and that in any case no personal data is collected.

The company also reiterated that it doesn’t allow customers to view any visitor data from any other customer.

If a visitor has visited other sites that utilize WebTrends On Demand and use the WebTrends cookie for tracking repeat visits, prior to visiting the Whitehouse.gov site, the web browser is designed to automatically request any cookies that belong to the domain statse.webtrendslive.com, regardless of whether the site actually reads or writes to these cookies.

However since the White House does not use any cookies, no information is utilized from or written to the cookie.

Smith, however, called the White House’s rebuttal very predictable, pointing out that even third-party cookies still allow for tracking across multiple web sites including the White House’s.

He maintains that analysis of network traffic shows that preexisting WebTrends cookies created when visiting other WebTrends clients can be used to recognize visitors to the White House site.
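The distinction both sides are arguing over can be read directly from captured HTTP headers. The following is an added example, not code from Smith's analysis, the AP report or WebTrends: it separates a cookie issued by a response (`Set-Cookie`) from a preexisting one replayed by the browser (`Cookie`), then shows which embedding pages one identifier links together. The capture is constructed; only the host statse.webtrendslive.com comes from the article, and the paths, cookie name and value, and www.other-client.example are assumptions.

```python
from urllib.parse import urlsplit

# Constructed capture of (request, response) header blocks. The host
# statse.webtrendslive.com is from the article; the paths, the cookie name
# and value, and www.other-client.example are made up for illustration.
BUG = "statse.webtrendslive.com"
CAPTURE = [
    ("GET /bug.gif HTTP/1.1\r\nHost: " + BUG + "\r\n"
     "Referer: http://www.other-client.example/shop\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n"
     "Set-Cookie: EXAMPLE_ID=abc123; Path=/\r\n\r\n"),
    ("GET /bug.gif HTTP/1.1\r\nHost: " + BUG + "\r\n"
     "Referer: http://www.whitehouse.gov/index.html\r\n"
     "Cookie: EXAMPLE_ID=abc123\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"),
]

def parse_headers(block):
    """Return {lowercased name: value} for one header block, skipping line 1."""
    fields = {}
    for line in block.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def classify(request, response):
    """Describe one exchange: which page embedded it, cookie set or replayed."""
    req, resp = parse_headers(request), parse_headers(response)
    page = urlsplit(req.get("referer", "")).hostname
    return {
        "page": page,
        # Simplification: exact host comparison, not registrable domain.
        "third_party": page is not None and page != req["host"],
        "issued": resp.get("set-cookie", "").split(";")[0] or None,
        "replayed": req.get("cookie"),
    }

def linked_pages(capture):
    """Map each cookie pair to every embedding page on which it was seen."""
    seen = {}
    for request, response in capture:
        c = classify(request, response)
        for pair in (c["issued"], c["replayed"]):
            if pair:
                seen.setdefault(pair, []).append(c["page"])
    return seen
```

In the second exchange nothing is issued, which matches the statement that the site writes no cookie, yet the replayed identifier still reaches the analytics host alongside the referring page, which is the linkage Smith describes.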

It’s no coincidence that the furor comes on the heels of an announcement by the US National Security Agency (NSA) that it had wrongfully used banned cookies at its web site.

Smith and the AP had reported last week that the NSA’s web site was indeed serving up cookies to web visitors. The NSA said it wasn’t aware that cookies were being distributed, and pointed the finger of blame at a recent software upgrade. It says it has now disabled the cookies.

Although the White House’s policy does not specifically mention cookies or web bugs, any federal agency using these tracking technologies must get sign-off and disclosure from a senior official before they can be used.

The US government’s online privacy policies have come under scrutiny in the past. Under the Clinton administration the Office of National Drug Control was found to have employed cookie tracking technology to monitor and document users accessing its online anti-drug advertisement pages. The Central Intelligence Agency also violated the rules governing cookies in 2002, saying it did so inadvertently.

Nevertheless this resulted in strict federal rules on cookies in 2000, which were subsequently updated under the Bush administration in 2003.

WebTrends is one of the pioneers of web log analysis software. The company was bought by security infrastructure firm NetIQ in 2001 for the princely sum of $1bn. After languishing in its infrastructure management portfolio for several years, NetIQ finally agreed to sell the web analytics division to equity fund Francisco Partners last March.

Last May WebTrends announced unique support for first-party cookies which it says improves analytic accuracy.

Conventional web analytics wisdom relies on third-party cookies, which either originate on or are sent to a web site different from the one currently being viewed, to track visitor behavior on a web site, for example their response to an online marketing campaign.

But new industry research sponsored by WebTrends shows that third-party cookie deletion (which usually happens after the visitor has picked up a cookie from a web site) and cookie rejection (visitors blocking cookies on their machines) distort metrics and hamper efforts to get an accurate analysis.