
NSA Gets Caught With Hand in Cookie Jar

The National Security Agency has admitted keeping persistent cookies on visitors to its website. It will discontinue the illegal practice, and says it was a mistake.

Don Weber, an agency spokesman, said in a statement yesterday that the use of the so-called persistent cookies resulted from a recent software upgrade.

Normally, Mr. Weber said, the site uses temporary cookies that are automatically deleted when users close their Web browsers, which is legally permissible. But he said the software in use was shipped with the persistent cookies turned on. "After being tipped to the issue, we immediately disabled the cookies," Mr. Weber said.

As to why it's illegal:

In a 2003 memorandum, the Office of Management and Budget at the White House prohibited federal agencies from using persistent cookies - those that are not automatically deleted right away - unless there is a "compelling need."

A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy.

This isn't the first agency to engage in the practice:

The government first issued strict rules on cookies in 2000 after disclosures that the White House drug policy office had used them to track computer users viewing its online antidrug advertising. Even a year later, a Congressional study found 300 cookies still on the Web sites of 23 agencies.



  • Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#1)
    by Dadler on Thu Dec 29, 2005 at 08:14:46 AM EST
    This was a mistake like breathing is a mistake. They got caught. Period.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#2)
    by DonS on Thu Dec 29, 2005 at 08:16:54 AM EST
    "The National Security Agency . . . says it was a mistake." Bwaaaaaaahaaaa. And I'll bet "the Agency" said it with a straight face.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#3)
    by Punchy on Thu Dec 29, 2005 at 08:17:40 AM EST
    Uh huh. We're supposed to believe that the NSA--the most secretive, clandestine, and reliable group of spies our gov't uses--doesn't know what their software is doing? Like they just installed it without checking it out for bugs first? This never ends. Seemingly every day we find something illegal is being done. And it's always a "mistake". It stretches credibility to believe the NSA doesn't know exactly what its servers are doing. And to whom.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#4)
    by MikeDitto on Thu Dec 29, 2005 at 08:27:25 AM EST
    Eh, Bush probably fired the qualified computer lackey because he or she wasn't a line toeing Republican sycophant. He's done that at every agency--gone on a witch hunt for liberals and eliminated them from the Federal payroll. Who cares if the replacements are qualified as long as they agree with President Bush on every issue?

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#5)
    by swingvote on Thu Dec 29, 2005 at 08:30:54 AM EST
    MD, Do you have any evidence to back that claim up? He seems to have missed the State Department.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#6)
    by Talkleft Visitor on Thu Dec 29, 2005 at 09:13:52 AM EST
    Jeralyn - Off-topic (sort of) - but it would be wonderful to get your take on the Bush's Solicitor General's recent appeal to the SCOTUS and how it might be resolved. Today's emptywheel post and the comments are alarming to say the least. link to emptywheel's post

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#7)
    by Talkleft Visitor on Thu Dec 29, 2005 at 09:24:24 AM EST
    Obsessed, TChris wrote about Padilla last night here.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#8)
    by SeeEmDee on Thu Dec 29, 2005 at 09:32:34 AM EST
    From dKos's Website: Former NSA Intelligence Analyst & Action Officer - wants to talk about the use of Soviet-style purges via 'psych evaluations' to remove those who objected to the politicization of the Agency by the Bush Administration sycophants running it presently...the same bunch who knuckled under and broke the US laws against spying on Americans. First they purge the ones who knew that what was being done with the pre-Iraq War intel used to justify the invasion was wrong, then they cowed the rest with the 'examples'. Now the domestic spying revelations. Just like LeCarre's fictional spy George Smiley said in one of his books: "...I've listened to all the excellent argument for doing nothing, and reaped the consequent frightful harvest. I've watched people hop up and down and call it progress. I've seen good men go to the wall and the idiots get promoted with a dazzling regularity..." Sounds an awful lot like what happened in Langley and Ft. Meade under Mr. Bush's minions' stewardship.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#9)
    by kdog on Thu Dec 29, 2005 at 09:41:08 AM EST
    There was a mistake all right, letting the NSA run roughshod over the law for years and years and years.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#10)
    by Talkleft Visitor on Thu Dec 29, 2005 at 09:58:27 AM EST
    Oh please people. I really could not care less if they drop a cookie in my browser. They can't really expect to get any information from browsers visiting their PUBLIC site. I'm pretty sure the people who admin that site have absolutely nothing to do with any other operations. How many of you have even visited the site? I have for SELinux (and to the spooks: thanks, that is great stuff!). Google, Yahoo and MSN know way more about your browsing habits.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#11)
    by desertswine on Thu Dec 29, 2005 at 10:17:17 AM EST
    Oh please people. I really could not care less if they drop a cookie in my browser.
    It's illegal.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#12)
    by Sailor on Thu Dec 29, 2005 at 10:36:06 AM EST
    Oh please people. I really could not care less if they drop a cookie in my browser. They can't really expect to get any information from browsers visiting their PUBLIC site. 1) It's illegal. 2) The cookies report back to them where you surf after that. 3) If you have a fixed IP, they know who you are and can add that to their wiretapping and data mining. Rule of Life #21: Anytime an organization consistently makes a mistake in their favor ... it isn't a mistake.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#13)
    by MikeDitto on Thu Dec 29, 2005 at 10:44:23 AM EST
    justpaul, the fact that you haven't been following the news is your problem, not mine. I'm not going to write a paper for your edification, but as it happens, I did write one once on covert propaganda that addresses some of it with regards to the ideological purges at CIA and NASA among other government agencies.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#14)
    by Talkleft Visitor on Thu Dec 29, 2005 at 10:45:38 AM EST
    Cookies? Hell, you should see what they're doing with coffee!

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#15)
    by manish on Thu Dec 29, 2005 at 11:21:33 AM EST
    This is much ado about nothing. Persistent cookies can't track what other websites you've been to. They can only track repeat visits to the NSA site. Generally, this is used by website operators to better understand their repeat visitors rather than anything nefarious.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#16)
    by Talkleft Visitor on Thu Dec 29, 2005 at 12:18:31 PM EST
    Sorry Manish, but you are misinformed. First off, cookies aren't "dropped into your browser." They are placed on your hard drive. Second, cookies can be programmed to do just about anything the developer wants them to do, including tracking what sites you might visit, and then report that information back. Indeed, most cookies are benign, and aid you on return visits to a particular website...but they most certainly can also be nefarious.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#17)
    by jimakaPPJ on Thu Dec 29, 2005 at 12:21:14 PM EST
    Manish - Careful. You are destroying a myth. And that is not tolerated. Sailor - Meet Manish. et al - Static/dynamic IPs

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#18)
    by jimakaPPJ on Thu Dec 29, 2005 at 12:28:22 PM EST
    B John - Anything can be designed... Provide me with an example of a cookie that is in use and tells the site that dropped it on you what other sites you have visited. And does it do it only when you revisit the original (dropper) site? Or does the dropee site contact the dropper and rat the computer out?

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#19)
    by Edger on Thu Dec 29, 2005 at 12:34:46 PM EST
    Jim: Provide me with an example of a cookie that is in use and tells the site that dropped it on you what other sites you have visited. Claria Go to their site, products/software/GAIN page and install it on your computer. Let me know how you like it.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#20)
    by jimakaPPJ on Thu Dec 29, 2005 at 01:07:17 PM EST
    Dearest Charlie.. And here I thought we had decided to be rational.... As I noted to B. John, anything can be designed. As for trust... as Reagan said... but verify. edger - I took a look at it. Best I can tell it is a search engine you can install on your computer. It doesn't meet the criteria: 1. Capable of being installed (infected) on another computer without the knowledge of that computer. 2. Capable of reporting from the infected computer to the installer (host) of the websites and individual IP addresses visited whenever: a. Queried from the host. b. Automatically from the infected computer.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#21)
    by SeeEmDee on Thu Dec 29, 2005 at 01:14:50 PM EST
    Spyware is deposited on your system courtesy of the 'cookies' which Internet Explorer accepts automatically thanks to its security level being set to "Medium"...and which nearly all Websites require you to allow happen to see their content. If there's any doubt of this, go to "Tools" at the Toolbar above your browser window, click on "Internet Options" and then click on the "Privacy" tab then run the slide indicator all the way up. Then visit the sites you used to before you did so. You will find in just about every instance that you will be informed that you must allow their cookies to view their content. Cookies which serve little purpose now than acting as funnels for data mining...or worse. A good tutorial on spyware can be found here

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#22)
    by Edger on Thu Dec 29, 2005 at 01:16:45 PM EST
    Jim, That was mean of me. Do NOT install it please. It used to be known as Gator. It is malicious adware/scumware that will embed so deeply into your operating system and degrade your machine's performance so badly, while it tracks every URL you ever visit, runs in the background and squirts that info back to Claria so that they can popup ads on your desktop that are relevant to the subjects you are reading, that you will want to come hunting me down. Don't install it. I was using it as an example of how malicious software can be, and Claria "ain't got nuthin" on NSA capabilities.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#23)
    by Edger on Thu Dec 29, 2005 at 01:22:45 PM EST
    Claria most often gets installed on a user's computer through the user downloading and installing fake "antispyware/antiadware" products that carry with them, unknown to the user, a small program that gets installed at the same time, that runs in the background and bit by bit, slowly over time, connects to Claria, downloads their scumware and installs it. By then your machine performance is degraded and the Claria stuff so deeply embedded that it's quite difficult to get rid of. In many cases the only way is complete wipe of the hard drive and reinstall of your system. Truly evil stuff.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#24)
    by DonS on Thu Dec 29, 2005 at 01:45:44 PM EST
    Hey, what happened to the "its illegal" factor? Oh, I forgot, that's for others to concern themselves with, not Bush and cronies. And, IF it was negligence or incompetence, I guess that shouldn't concern me either. Sorry I wasn't keeping up with the misdirection of the apologists here.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#25)
    by swingvote on Thu Dec 29, 2005 at 02:52:44 PM EST
    MD, Interesting tactic. You make a bold claim about a general policy of purging liberals from all government agencies, then when asked for anything to back that up you get huffy and then quote yourself. Imagine the uproar if PPJ did something like that. I do read the news, MD, and I haven't seen anything about this from any source that could be considered objective. I'll take your general inability to provide any independent evidence of this, along with your hostility over being asked about it, as reason enough to file this in the "dubious claims" folder. And still, if it's going on, they've clearly missed the State Department and much of the CIA.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#26)
    by Edger on Thu Dec 29, 2005 at 03:23:06 PM EST
    Claria collects information from the user with the help of their ad-delivery software. The information is silently sent back to Claria’s servers. This information is collected:
    - visited URL’s
    - web forms
    - search queries
    - information about how long a web page was viewed
    - system configuration
    - country
    - zip code
    Claria uses a “trickler” to delay installation of the ad-delivery software. More info on Claria...

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#27)
    by Sailor on Thu Dec 29, 2005 at 03:48:00 PM EST
    jim, this is my field, so unless you are just panting for attention as usual you must realize that a STATIC IP is registered to a person. Easy to look up. Cookies can be programmed to continually send back to 3rd parties what sites you visit. But I agree with the original point; this isn't near as disturbing as Bush tapping Americans' phone and internet traffic.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#28)
    by Lis Riba on Thu Dec 29, 2005 at 05:51:26 PM EST
    It's not just the NSA. Apparently, Whitehouse.gov is dropping cookies, too

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#29)
    by jimakaPPJ on Thu Dec 29, 2005 at 06:20:10 PM EST
    sailor - I have never claimed to be an IP expert, I will, however, team with you if you want to bring in the telecom network... we could be the odd couple. My link gives what I think is a reasonable explanation of static versus dynamic. Got a better one? You make an interesting point re cookies sending information continuously to a third party. To me a cookie isn’t a program, and the function you describe requires a program. Not being obtuse, just a question. And, of course, this would be a spyware situation as opposed to the type of cookie described in the post. Yes? BTW - Your insult was not as good as usual... having a bad day? Et al - I recommend Webroot for both history cleaning and spyware. Anyone have a better one? Edger - My curiosity about your recommendation was tempered with caution. I wonder why? ;-) charlie wrote:
    Loosely translated, it means "get some new material."
    I think you missed a word or two. What he said was, "Damn. Reagan just won the Cold War."

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#30)
    by Edger on Thu Dec 29, 2005 at 06:29:59 PM EST
    Edger - My curiosity about your recommendation was tempered with caution. I wonder why? ;-) I thought, and actually hoped, that it would be. ;-) Alexa is another one to be wary of, though not quite as malicious as Claria. And there are others. As Sailor said, cookies also can be programmed to execute and send packets out, though they usually are just small benign text files. Another way spyware like Claria and others can get installed on your computer is just by visiting a web site. Java and Javascript, quite often embedded in the HTML code for a web page, can be programmed to install programs. Usually this is done by deceiving you into clicking on something, such as a "No" or "Close" button that in reality is the activator for malicious code. All this kind of stuff is child's play compared to what the NSA can do.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#31)
    by MikeDitto on Thu Dec 29, 2005 at 07:41:41 PM EST
    JP: Obviously you didn't read the paper. It's a peer-reviewed academic research paper in which every fact comes from somewhere other than myself, and it's all documented. And I scored 398/400 points on it, two points being lost due to a formatting detail in the bibliography. The next highest score was 295. And I spent 8 weeks researching it.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#32)
    by Talkleft Visitor on Thu Dec 29, 2005 at 08:44:13 PM EST
    I actually had a couple of nsa.gov cookies when I checked ;-) Ooo, I'm so scared now....
    www.nsa.gov FALSE / FALSE 2081707510 CFTOKEN 72560813
    www.nsa.gov FALSE / FALSE 2081707510 CFID 112480
    Now, some people upstream are claiming that one can "program" a cookie to "transmit" information about subsequent sites I visit. Fine, prove it. Give me an URL that gives me your magic cookie and tell me where I go from there. Just post your URL here and post a couple sites I visited afterwards.
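
The two cookie lines quoted in the comment above are in the Netscape cookies.txt layout, whose fifth field is the expiry as a Unix timestamp. The following is an added example, not part of the original thread: it parses such records and separates session cookies from the persistent ones the OMB memorandum restricts. The third sample record and the observation date are assumptions, constructed for illustration.

```python
from datetime import datetime, timezone

# The two lines quoted in the comment above, plus one constructed session
# cookie for contrast. Real cookies.txt files separate the fields with tabs.
SAMPLE = """\
www.nsa.gov FALSE / FALSE 2081707510 CFTOKEN 72560813
www.nsa.gov FALSE / FALSE 2081707510 CFID 112480
www.agency.example FALSE / FALSE 0 SESSIONID constructed-value
"""

# Assumption: the date of the comment is used as the observation time.
OBSERVED = datetime(2005, 12, 29, tzinfo=timezone.utc)


def parse_line(line):
    """Split one cookies.txt record into its seven fields, or return None."""
    line = line.strip()
    if line.startswith("#HttpOnly_"):       # prefix some exporters add
        line = line[len("#HttpOnly_"):]
    if not line or line.startswith("#"):    # blank line or comment
        return None
    parts = line.split(None, 6)
    if len(parts) == 6:                     # cookie with an empty value
        parts.append("")
    if len(parts) != 7 or not parts[4].isdigit():
        raise ValueError(f"not a cookies.txt record: {line!r}")
    domain, _subdomains, path, secure, expiry, name, value = parts
    return {"domain": domain, "path": path, "secure": secure == "TRUE",
            "expiry": int(expiry), "name": name, "value": value}


def audit(text, observed_at):
    """Classify each cookie as session or persistent and compute its lifetime."""
    findings = []
    for raw in text.splitlines():
        cookie = parse_line(raw)
        if cookie is None:
            continue
        # Expiry 0 marks a session cookie: discarded when the browser closes.
        persistent = cookie["expiry"] > 0
        expires = (datetime.fromtimestamp(cookie["expiry"], tz=timezone.utc)
                   if persistent else None)
        cookie.update(
            persistent=persistent,
            expires=expires,
            lifetime_days=(expires - observed_at).days if persistent else 0,
        )
        findings.append(cookie)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE, OBSERVED):
        kind = "PERSISTENT" if f["persistent"] else "session"
        when = f["expires"].date().isoformat() if f["persistent"] else "browser close"
        print(f'{f["domain"]:20} {f["name"]:10} {kind:10} expires {when}')
```

Both quoted cookies carry an expiry in December 2035, roughly thirty years after the comment was posted, so they survive a browser restart; the constructed record with expiry 0 does not.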

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#33)
    by Strick on Thu Dec 29, 2005 at 10:36:47 PM EST
    Illegal? The Office of Management and Budget has the ability to pass laws and make things illegal? My God, the White House has gone too far! You folks should drop by Captain's Quarters, where they've listed the news organizations that reported this story and how long the cookies on their sites last. The NSA is a piker by comparison. BTW, if you think the NSA cookies are so dangerous, perhaps someone could explain how again to me. Not how some hypothetical cookie might be dangerous, mind you, specifically how the NSA's cookies are different from the one the NY Times put on my computer and exactly what about the NSA cookie that's so dangerous. Sony putting spyware on your hard drive when you played their CDs, that was important. This? Good grief, some people aren't happy unless they've got something stupid to worry about.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#34)
    by MikeDitto on Thu Dec 29, 2005 at 10:51:39 PM EST
    There's a lot of misplaced paranoia here about cookies. And some paranoia which is not misplaced. Here is how a cookie can track you from site to site: Site A and Site B each include a resource from Site C. Site C sets a persistent cookie on your machine when you visit site A. It reads the cookie when you visit site B. So Site C now knows that you have visited both site A and Site B. It also knows how you got to either Site A or Site B, and even the search terms you may have used to get there, because it can track the "referrer" header. The more sites who include resources from Site C, the more penetration Site C has into the web, and the more they can glean from your surfing habits. The typical case for this is ad networks such as Doubleclick. By tracking the sites you visit, how you get there, and how often you visit, they can target ads to you more effectively. They can also use that data for more nefarious purposes. So there is a genuine privacy concern if every Federal site is setting persistent cookies, particularly if the government is sharing or aggregating server logs. And of course the real issue is that, whether or not NSA's intentions were nefarious or whether they are just hapless morons who don't know how to configure their web servers, it is illegal for them to be setting persistent cookies and they were rightly called on the carpet for it. NSA is not the only offender however.
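
The Site A / Site B / Site C mechanism described in the comment above, as a small model; this is an added example, not part of the original thread, and the hostnames, classes and function names are made up for illustration. It also models a browser that refuses third-party cookies, to show what that setting changes.

```python
import itertools


class Server:
    """A web server that sets one persistent ID cookie and logs every request."""

    def __init__(self, host):
        self.host = host
        self.log = []                       # (visitor_id, referer) per request
        self._ids = itertools.count(1)

    def handle(self, cookie, referer):
        """Log the request; return the cookie value the browser should keep."""
        visitor_id = cookie or f"{self.host}-visitor-{next(self._ids)}"
        self.log.append((visitor_id, referer))
        return visitor_id


class Browser:
    """Cookie jar keyed by host: a cookie is only ever sent back to its own host."""

    def __init__(self, servers, block_third_party=False):
        self.servers = servers
        self.jar = {}
        self.block_third_party = block_third_party

    def visit(self, page_host, embedded_hosts=()):
        self._request(page_host, referer=None, first_party=True)
        for host in embedded_hosts:
            # Embedded resources are fetched with the page URL as Referer.
            self._request(host, f"http://{page_host}/", first_party=False)

    def _request(self, host, referer, first_party):
        use_cookies = first_party or not self.block_third_party
        cookie = self.jar.get(host) if use_cookies else None
        new_value = self.servers[host].handle(cookie, referer)
        if use_cookies:
            self.jar[host] = new_value


def simulate(block_third_party):
    """Visit Site A, then Site B; both pages embed a resource from Site C."""
    hosts = ["site-a.example", "site-b.example", "tracker-c.example"]
    servers = {h: Server(h) for h in hosts}
    browser = Browser(servers, block_third_party)
    browser.visit("site-a.example", ["tracker-c.example"])
    browser.visit("site-b.example", ["tracker-c.example"])
    return servers


def pages_linked_by(server):
    """Group logged referers by visitor ID: what one cookie ties together."""
    linked = {}
    for visitor_id, referer in server.log:
        linked.setdefault(visitor_id, []).append(referer)
    return linked


if __name__ == "__main__":
    for blocked in (False, True):
        servers = simulate(blocked)
        print("third-party cookies blocked:", blocked)
        print("  Site A log:", servers["site-a.example"].log)
        print("  Site C links:", pages_linked_by(servers["tracker-c.example"]))
```

Site A's own cookie only ever appears in Site A's log, while Site C's single ID is attached to requests from both pages. With third-party cookies refused, Site C still receives both requests but sees two unrelated visitors.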

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#35)
    by jimakaPPJ on Fri Dec 30, 2005 at 08:56:57 AM EST
    Michael - Is this service very accurate?? Would subscribing to this site be worthwhile? Would it work? (I assume a real sharp dedicated hacker/designer could break it, but how easy?) Thanks

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#36)
    by MikeDitto on Fri Dec 30, 2005 at 10:01:00 AM EST
    Jim, it depends on your ISP. For most ISP's it will be roughly accurate (i.e. it will probably at least identify the correct metropolitan area). It's certainly not going to be accurate to three decimal places on latitude and longitude unless you're sitting at the address where your ISP's POP is located. On the other thing I guess that depends on what your level of paranoia is and how cheap you are. :-)

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#37)
    by Edger on Fri Dec 30, 2005 at 10:35:33 AM EST
    Jim, (1) If the NSA wants to they can monitor every single data packet (and the originating IP addresses) that comes into or out of TalkLeft, by tapping into the telecom (or) that carries traffic in and out of the ISP that TalkLeft uses. (2) They can also, by the same method, scoop and read every email that traverses the ISP's that serve the IP addresses they found with the above method. So they can, without touching your computer, look at posts here, and (for example) see that one of them is posted by "JimakaPPJ", compare that to the emails they can read using method 2, and if you've ever sent or received an email with "JimakaPPJ" in it, bingo - they know who your ISP is. At this point they have you narrowed down to a fairly small area, and if you are using a static IP they have your name, address, and probably more.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#38)
    by Edger on Fri Dec 30, 2005 at 10:36:43 AM EST
    Did I get that right, MD? As one scenario?

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#39)
    by MikeDitto on Fri Dec 30, 2005 at 10:44:37 AM EST
    Edger-- yes, that's technically feasible, and is the main idea behind Carnivore and other data mining projects which we thought had been tossed out, but apparently haven't been. But that doesn't involve cookies, which is really the topic of this conversation.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#40)
    by Edger on Fri Dec 30, 2005 at 10:51:14 AM EST
    Thanks, Mike. I know it had nothing to do with cookies, but it's all related capability. The point I wanted to make is that it is virtually impossible to hide from the NSA without going "off-net" completely, and disappearing into the woods.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#41)
    by Edger on Fri Dec 30, 2005 at 10:55:28 AM EST
    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#42)
    by jimakaPPJ on Fri Dec 30, 2005 at 01:27:54 PM EST
    Thanks Mike. I'm not cheap. Just money disadvantaged. ;-) Edger - Yes, I understand the capabilities, very well. The issue is how they can access the network, and the obvious place is at the ISP.

    Re: NSA Gets Caught With Hand in Cookie Jar (none / 0) (#43)
    by Sailor on Fri Dec 30, 2005 at 04:18:03 PM EST
    jim, the first link was very accurate for me, but I have a fixed IP. Regarding the second link, I generally don't trust any site that would claim to do that. For one thing, under the Pat Act, they can tap anything and the company wouldn't be able to tell you. BTW, your ISP is the final provider, kind of like the retail outlet for the internet. There are several levels that 'provide' to the ISP. The cookies aren't that big of a deal compared to everything else the NSA is doing, but IT IS ILLEGAL! And it wasn't a mistake. Let me rephrase that ... if the NSA made a dumb mistake like not checking whether their supplier was implementing illegal procedures, they were incompetent. (feel better;-) If they were doing it consciously, it was a premeditated crime, and one that just happens to exist on several gov't sites. Regards to some poster who asked me to prove that cookies can have these properties. I would, but that would be illegal. I have a higher standard than the NSA. To another poster who opined that cookies weren't programs; they can be. Imbed java or JS coding into them and they can be triggered when accessed by a website you visit. Caveat: Not if you pay strict attention to security settings on your browser, and DO NOT use IE!