Transportation Web sites violate 'no cookies' policy
Numerous Transportation Department Web sites are still in violation of the Office of Management and Budget's "no cookies" policy, according to a report by the department's inspector general.
Cookies are small text files that track users' movements on the Web. There are two types of cookies: "persistent" and "session." Persistent cookies remain on a user's computer for a long period of time. Session cookies expire once a user closes the Web browser.
OMB Memorandum M-00-13, released on June 22, forbids the use of persistent cookies unless approved by a department's secretary. The use of "session" cookies is allowed as long as the use is declared in a Web site's privacy policy.
The IG found two Transportation Department (DOT) agencies that did not realize persistent cookies were in use on their Web sites. "They concluded that these persistent cookies were inadvertently created as a result of improper software configuration on their Web sites," the report said.
DOT has more than 230 Web sites containing almost 202,000 Web pages and data files. The IG discovered cookie violations at Web sites operated by multiple DOT agencies, including the Federal Aviation Administration, the Federal Highway Administration and the Federal Railroad Administration.
"Because DOT is not aware of any automated tools that can be used to systematically identify all use of cookies, each Web page has to be manually accessed and examined," the report said. "This is a labor-intensive process. Until all Web pages have been checked, DOT cannot be assured that its use of cookies is in compliance with DOT and OMB policies."
Transportation's chief information officer, George Molaski, agrees with the IG's report. "The IG's right on," Molaski said. "A lot of software comes out with cookies already set up."
The report recommended that Molaski take steps to ensure that persistent cookies are disabled and that DOT's agencies check every Web page for the potential use of cookies. The report also recommends that Molaski accelerate the development and release of a Web configuration checklist concerning the use and approval of cookies.
Molaski said that now every CIO within DOT is responsible for certifying that new and existing Web sites meet OMB and DOT cookie policies. "There was no single point of accountability within our agencies," Molaski said. "We've now established points of accountability."