CNet’s News.com is running a story by staff writers Declan McCullagh and Anne Broache with the sensational title Government Web sites are keeping an eye on you.
The key points of the article are:

  • A 2003 directive makes it illegal for federal agency web sites to track user activity or monitor user behavior.
  • Some government agencies are using cookies on their sites (although there is no report of what those cookies are and what it is that is stored in them).
  • “Many of the cookies appearing on the errant Web sites were generated by ColdFusion, the popular Web authoring tool … which sets them to expire about 30 years in the future”.
  • WebTrends and ColdFusion are the only products mentioned as the ones creating cookies.
  • The article does not actually state that ColdFusion is doing bad things (with the exception of “one Smithsonian Institution Web staffer, who initially denied the existence of persistent cookies detected by CNET News.com on the National Air and Space Museum’s site, said that ColdFusion settings were probably to blame”), but there is a sense of guilt-by-association here.

This is yet another alarmist article, decrying the presence of cookies without any explanation of what they are used for and what is stored in them. Blanket statements about cookies are irresponsible. But that is not my real concern here. The bigger issue is ColdFusion, cookies, and “30 year” persistence.
So, what are these “30 year” cookies? Where does that number come from, and what does it actually mean?
First let me make this very clear: ColdFusion does not store any data in cookies. Ever.
But ColdFusion does create cookies for you. How? If you use CLIENT or SESSION variables then identifier cookies are created. These contain an id and a token (the combination of which makes up a unique client identifier) but no actual data is ever stored in cookies. These cookies are persistent cookies (they do not expire), although the SESSION or CLIENT that they identify does indeed expire.
Granted, the presence of CFID and CFTOKEN (or jsessionid) cookies may alarm some users, but the fact of the matter is that these cookies present neither a privacy nor a security concern.
This is all explained quite clearly in the ColdFusion documentation, as is how to a) maintain session-state without using cookies at all, and b) make these identifier cookies persist only until the end of the browser session.
So, to clarify, ColdFusion does create cookies if you use session-state management, but these store simple identifiers (a number or a UUID, and no actual data), and cookie use can be disabled altogether (although this is not the default behavior).
So, is there an actual risk here? Can cookies contain more sensitive information and persist for “30 year”?
Well, no, not if they are ColdFusion generated cookies. But developers can indeed opt to do so.
The ColdFusion tag is used to create (and update and delete) cookies. ColdFusion developers can use this tag to store data in cookies, and they can (although they should not) store sensitive data in these cookies. The tag’s EXPIRES attribute specifies how long the cookie should persist. By default, cookies expire when the browser closes. But it is also possible to specify an actual date and time for them to expire, as well as “never”, which (as the documentation explains) makes the cookie expire “in 30 years from the time it was created (effectively never in web years)”.
In other words, ColdFusion developers can create cookies that do indeed have a “30 year” lifetime, but that is not the default behavior, that is something a developer must consciously decide to make happen. As such, this scenario cannot be what the story refers to (ColdFusion tracking occurring without anyone knowing that it was going on).
So, we are back to CFID and CFTOKEN, the identifier cookies, which we know store no user data and do no monitoring.
Now, it could be argued that ColdFusion should not use cookie identifiers by default. There are two primary ways to identify sessions, cookies and URL tokens, and the default could indeed be to use the latter. This would be a valid suggestion, but as any developer who has opted to go down this road knows, it makes development far more complex. As such, I believe that the default behavior is what it should be (because the identifier cookies do not store anything sensitive; they store no data at all).
It could also be argued that the default lifetime of these cookies should be lower. That is something we need to consider, although I suspect that as dramatic as “30 year” sounds, the same article would have been written even for a shorter duration.
The only way around this (without defaulting to URL tokens) would be for the identifier cookies to be browser cookies (expiring when the browser closes), and that is an option worth considering. This would not actually make any real difference (because, once again, these are identifier cookies only), but it could help placate ignorant alarmists.
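As an added illustration (not code from this post or from the ColdFusion documentation), here is an Application.cfm that keeps session management but replaces the default persistent CFID/CFTOKEN cookies with browser-session ones, with the EXPIRES choices discussed above shown for contrast. It assumes ColdFusion MX-era tag syntax, ColdFusion’s own (non-J2EE) session identifiers exposed as Session.CFID and Session.CFToken, and an application name of AgencySite.

```cfml
<!--- Application.cfm (added example): session state whose identifier cookies
      expire when the browser closes, instead of ColdFusion's persistent default. --->

<!--- Turn session management on but tell ColdFusion NOT to write its own
      CFID/CFTOKEN cookies. With the default setclientcookies="Yes" it writes them
      as persistent cookies (the "30 year" ones the story complains about).
      The 20-minute timeout matches the ColdFusion default mentioned above. --->
<cfapplication name="AgencySite"
               sessionmanagement="Yes"
               setclientcookies="No"
               sessiontimeout="#CreateTimeSpan(0, 0, 20, 0)#">

<!--- Re-issue the same identifiers ourselves. A cfcookie tag with no EXPIRES
      attribute is a browser-session cookie: it is discarded when the browser
      closes, so nothing survives on the visitor's machine between visits.
      The values are still only an id and a token; no user data is stored.
      ColdFusion still reads CFID/CFTOKEN from incoming requests, so the
      session is found again on the next page. --->
<cfcookie name="CFID" value="#Session.CFID#">
<cfcookie name="CFTOKEN" value="#Session.CFToken#">

<!--- Contrast: a developer must write this explicitly to get a "30 year"
      cookie. EXPIRES="never" is a conscious choice, never a default. --->
<!--- <cfcookie name="prefs" value="#someValue#" expires="never">  30 years --->
<!--- <cfcookie name="prefs" value="#someValue#" expires="7">      7 days --->
<!--- <cfcookie name="prefs" value="#someValue#" expires="now">    deletes it --->

<!--- Alternative with no cookies at all: carry the identifiers in the URL.
      URLSessionFormat() appends CFID/CFTOKEN to the link only when the
      request did not arrive with the identifier cookies. --->
<!--- <a href="#URLSessionFormat("report.cfm")#">Report</a> --->
```

An agency that adopts the browser-session variant keeps the same session behavior and timeouts; only the cookie lifetime on the visitor’s machine changes.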
But ColdFusion is still creating cookies. Do these violate the OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002?
The text reads: “agencies are prohibited from using persistent cookies or any other means (e.g., web beacons) to track visitors’ activity on the Internet”. It does not prohibit all persistent cookies, only those used to “track visitors’ activity on the Internet”. The text does not explain what “track” actually means, but the context is clear: cookies are prohibited when used for the tracking of user activity. Indeed, the text goes on to say that persistent cookies may be used (subject to approval and authorization) so long as the agency posts “clear notice in the agency’s privacy policy of the nature of the information collected, the purpose and use for the information, whether and to whom the information will be disclosed; and the privacy safeguards applied to the information collected.” This clarifies things quite a bit, and explains what the concern is: the collection of information (and possible subsequent disclosure).
ColdFusion’s identifier cookies track nothing; they identify a session that quickly times out (the default timeout is 20 minutes, and the default server-imposed maximum is 2 days). No data is collected, there is no risk of future disclosure, there is no tracking. And as such, these identifier cookies do not violate the privacy provisions!
With all of this in context, consider the following quotes from the story:

  • “Many of the cookies appearing on the errant Web sites were generated by ColdFusion, the popular Web authoring tool. When the software creates certain types of cookies, it automatically assigns them a default persistent setting.” The only cookies that persist by default are the identifier cookies, which store no data and do no tracking.
  • “Many agencies appeared to have no inkling that their Web sites were configured to record the activities of users.” Configured to record the activities of users?
  • “Representatives at several agencies said they were astonished to see cookies on their Web sites, and they blamed their Web designer’s lack of understanding of ColdFusion’s default settings.” Again, if developers did not put the cookies there, then the only cookies are the identifier cookies.

My big problem with this story is that it leaves the impression that ColdFusion performs tracking and stores data, and that this occurs whether or not developers are aware of it. And this is just blatantly false!
Unless a developer opts to do so, there is no recording of user activity, there is no sensitive data stored in cookies, and there is no risk or violation of federal directives. It is as simple as that.
By weaving together partial facts, incomplete explanations, and tales of panicked reactions, Declan McCullagh and Anne Broache have traded journalistic integrity and technical understanding for ignorant alarmist sensationalism. They should be ashamed of themselves!

26 thoughts

  1. The cookie FUD never went away. Go search for ‘cookie’ on Slashdot and I’m sure you’ll find tons of articles.
    I am not afraid of cookies, and I use them all the time in my apps (including my blog, but it’s for admin purposes). However, someone has to correct my knowledge here (if I’m wrong).
    One time I downloaded the trial of CF to put on my Wife’s laptop. I just followed the defaults with the install. I created a simple app that solved a simple problem. My app didn’t have any client/session management built in. I didn’t even create an Application.cfm or anything like that. My wife has Firefox set to warn her about all cookies, because she /is/ paranoid about cookies. She got the CFID/CFTOKEN cookies from my app.
    Is it not true that ColdFusion creates these cookies by default? I realize there is no data storage in these, but they do identify an individual (at least their PC), and that is what the paranoid types don’t like. Personally, I could care less about cookies, and I prefer to use them in sites like Ben’s blog (so it remembers my information and I don’t have to type in my name/email addy). 🙂

  2. Brian, thanks for that information. It would appear that DoD policy is far more restrictive than the OMB guidance. I have to assume that the policy was probably a reaction (or overreaction) to the media hype and paranoia. But, be that as it may, it would appear that DoD sites had better instruct ColdFusion to expire cookies when the browser closes, or use URL tokens instead.
    — Ben

  3. Didn’t I read on CNet that Bill Gates and Microsoft would send you $100 for each chain-email you forwarded?
    The CNet article (as well as other media outlets, but CNet should know better) about cookies and Coldfusion tells me that despite the best efforts of a few the majority are still in the dark about how the web works.

  4. Ugh, I thought the cookie FUD was over years ago, but here it is again back in all of its glory. Funny to see it coming from a supposed Tech Experts journalism center like CNET. I guess the whole premise of the government tracking you on their website is just too irresistible not to post.
    Too bad that ColdFusion and Cookies have to take a bad rap when it’s the developers’ fault.

  5. Declan’s usually pretty cool, but I’m baffled by the media campaign on this — my only guess is partisan peer-pressure from the people he lunches with, something like that, ’cause the facts sure don’t support such umbrage.
    For what it’s worth, that CNET article sets a ton of cookies, some of which don’t expire until 2009, others not until 2020, 2025.
    That page also contains cross-site ads which function as web bugs.
    More observations of the double-standard here:
    http://www.captainsquartersblog.com/mt/archives/006038.php
    Thanks for nailing the ColdFusion assertions there, Ben. 🙁
    jd/adobe

  6. Thanks for this Ben!
    I do a lot of gov websites in CF…who has time to do all of this "tracking"…the only ones we should worry about is the NSA 🙂 Most of the agency folks I work with (Interior) are already doing 2+ people’s jobs plus the gov. workforce is retiring quicker than rehiring (if that happens). The only agencies that have a decent budget right now are DoD and Homeland Security and Fire (at least out here in the West). The NSA and Homeland Security *might* have the personnel to "track" web users, maybe DoD too. The rest of the agencies would never have the time or the personnel.
    CFID/CFTOKEN are harmless!
    I’ve said enough!
    Tim

  7. I’m still willing to bet it is more of a Web Trends issue than a CF issue.
    And with the NSA, I’m not worried. Just like the phone-taps issue, they would use technology to filter out the billions of page views and emails before humans get involved.

  8. Ben,
    The problem with the DoD policy is that as each subordinate organization interprets it, the policy becomes more restrictive. To wit:
    The Air Force’s Instruction 33-129, Web Policy, states the following:
    9.1. Persistent Cookie. Persistent cookies are authorized only when the Secretary of Defense has personally approved use of the cookie, clear and conspicuous notice is given, there is a compelling need to gather the data on the site, and appropriate technical procedures have been established to safeguard the data. Send requests for approval to use persistent cookies at least 60 days prior to operational need date through the MAJCOM DAA to HQ USAF/ILC. The request will describe the need and safeguards to be used to protect the data, provide an explanation of why other technical approaches are inadequate, and include a copy of the privacy notice(s) proposed for use. HQ USAF/ILC will coordinate all waiver requests with AF-CIO/P before forwarding to the Assistant Secretary of Defense (Network and Information Integration) (ASD[NII]) for Secretary of Defense approval.
    9.2. DOD Web Site Administration Policies & Procedures policy, however, does permit the use of “session cookies” or other Web technology to collect or store information, but only if users are advised of what information is collected or stored. Lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency or intelligence agency of the Air Force are exempt from this policy.
    An Air Force Webmaster isn’t about to walk into the Secretary of Defense’s office to ask for a waiver, and in fact when the policy was announced it was passed verbally: don’t use any persistents, and don’t ask because it won’t be approved.
    <shrug> So we’re in a bind if we want to do any client-based sessions unless we pre-expire the cookies…and heaven help those that don’t change the defaults.

  9. This Cnet ignorance is so massive that one should worry about the overall quality of their articles.
    Maybe someone should direct Cnet’s attention to the european community that is planning to log / track all Internet traffic (hoping to find some terrorist needles in the haystack).
    That should keep ‘m busy for a while.

  10. All of the cnet bashers,
    I have been a cnet fan for years, since probably about 1997 or so. They have a lot of really good content beyond news (shopper.com, downloads.com, and yes news.com). As far as their news, I do see a bias sometimes when it comes to privacy issues, and sometimes an anti-Microsoft bias (what’s wrong with that? ;)). But news.com has some very professional reporters, and I for one really respect and admire them for not being afraid of offending their advertisers (like Microsoft).
    I do disagree with this cookie/privacy nonsense everybody keeps spouting about (it should be mentioned that Declan McCullagh is a commentary columnist? He is supposed to write about his opinions, similar to Jon Stewart or Larry King). But most of their stories tell both sides of an argument, and give good evidence to support both opinions. So try not to throw the baby out with the bath water. Just because one news.com writer implied some negative things about CF (by quoting an industry expert that stated loose facts) doesn’t mean the entire organization is bad!

  11. Yacoubean – that’s all it takes sometimes, one writer to discredit an entire organization, because it shows that no fact checking is taking place and they instead chose to run a story for sensationalist reasons. Dan Rather sound familiar?
    And yes, I’m sure News.com has some very professional writers, but this makes the entire newsroom look bad. It makes one wonder how many other stories have "loose facts".
    This is a prime example as to why I only go to CNET for product reviews.
    This is liberal bias at its best. Anti-government, anti-Bush. Take a look at their follow up comments 🙂

  12. I think the point of the article is not that government agencies monitor use, but it highlights the fact that the web development/security practices at these agencies are bad enough that there is a potential, even without malicious intent, to use the practice to spy on people.
    For example, the CFID/CFTOKEN cookies, if stored indefinitely, allow you to cross-reference the website user, based on their cookie, with their other visits to the site. Because CFID/CFTOKEN matching information is stored on the ColdFusion server, such matching (call it "spying" if you want) is possible. True, you will have to write scripts or mine the data in another way, but the point is that 25 years after visiting a site, my site visit can be tracked and matched to the old one.

  13. I agree that one columnist can make an entire news room look bad. But again, try not to throw the baby out with the bath water. What are the alternatives for solid technical reporting? slashdot? theregister? zdnet (a cnet property, btw)? Let’s be honest, every news organization displays some bias, some more than others (cnn, foxnews, ny times).
    One time I saw an error in one of news.com’s articles. It was a minor technical error, but I went ahead and clicked on the reporter’s name at the top of the article. I expected to be sent to a generic ‘contact us’ form, but instead I was actually sending an email to this reporter using his real email address! I never expected my email to be read, let alone responded to. However, within a few hours I not only got a response from the reporter, but he immediately went and corrected his story! That is a lot better than most news organizations today, who are content to print a correction buried in the back of one of their minor sections, and that is /if/ they decide to print a correction!

  14. I believe that the issue here is simply CNET’s readership.
    CNET’s revenue is based entirely on advertising and not subscribers. If they were able to get a sensationalist article like this posted on The Drudge Report then their page views go through the roof for that day. Based on their advertising rates, a headline on Drudge for 24 hours should increase their revenue by roughly $40,000. This article is nothing more than a stunt to draw a few more bucks.

  15. Hope you don’t mind but I forwarded your two articles on this to BoingBoing, which today linked to the offending article. We’ll see how they take it.

  16. I can actually make a compelling argument as to why cookies are necessary for government websites:
    If they use URL tokens, then these websites will be infinitely less findable in search engines. Putting session information in URLs means that each URL is unique to that visit; this makes it much more difficult for search engines to crawl and index the content of these websites.
    So, sure, they could make these cookies expire when the browser closes. But god help those of us trying to find government information if they stop using cookies altogether.

  17. Adria,
    Good point, but you could modify the URLs for the search engine bots. I’ve heard of people doing that in their apps; look for the various bots in the http_user_agent and don’t worry about session stuff or porting around URL variables. I am not saying that you should stop using cookies, I myself love them. I’m just mentioning a way I’ve heard of to handle the SEs.

  18. Is this debate some sort of joke? Nearly every website and blog has these webhit meters on them (sitemeter, doubleclick.net, googleads, etc) in the form of a tiny 10×10 image or embedded reference. So this means these webhit metering companies get a Referer hit on every single website an enduser goes to – complete with his IP and full URL of the referring website.
    All this cookie controversy is about how a specific server monitors its visitors and what other websites they go to, and that is totally irrelevant. The motherlode of data is at these webhit counter sites, which (without cookies) get a near comprehensive set of breadcrumbs of websites the enduser has visited. People, wake up!

  20. Yacoubean,
    User agent filtering doesn’t actually work as well as you might think. Spammers have tried to hide keyword-stuffed content by only presenting it to search engines (it’s called "cloaking"), based on the user agent, leading search engines to send out spiders that don’t identify themselves. So now the spam arms race uses IP addresses to identify spiders. Trying to send one set of content to search engines and another to users, even if it doesn’t violate search engine policies, can be massively complicated.
    So using cookies that expire appropriately is still the best solution.

  21. Adria,
    I’ve seen what you’re talking about with spammer sites. I hate those! However, I don’t really think sending SE bots a different URL than your regular visitors is sending them different content. Some will probably disagree with me, but there is a pretty big community around SE friendly URLs out there, and I’d assume these people aren’t shooting themselves in the foot on purpose (nor ignorantly).

  22. Long term cookies, such as those indicated in the article, are then stored in the log files. So while ColdFusion may not use them for tracking purposes, the data is available for tracking purposes. Every log analysis program I’ve ever used is capable of using long term cookies for tracking purposes.
    Having been through the process of trying to get clearance to use long term cookies in a NIH website for use for anonymous statistics, I can tell you that the OMB does not allow it.

  23. so nice of you all to trash Declan’s story — too bad none of you has the faintest CLUE what you’re talking about.
    This isn’t a story that has anything to do with cookies being bad or good.
    The reason it’s a story is because the official GOVERNMENT POLICY says that cookies are illegal. Got that? So when these government groups are breaking their policy, that’s an issue. It’s not an issue that CNET uses cookies, if they do, because that’s not illegal or even unusual. It’s ILLEGAL for the government to do it.
    "In a 2003 memo, the White House’s Office of Management and Budget prohibits federal agencies from using persistent cookies – those that aren’t automatically deleted right away – unless there is a ‘compelling need.’
    A senior official must sign off on any such use, and an agency that uses them must disclose and detail their use in its privacy policy.
    Peter Swire, a Clinton administration official who had drafted an earlier version of the cookie guidelines, said clear notice is a must, and ‘vague assertions of national security, such as exist in the NSA policy, are not sufficient.’
    Daniel Brandt, a privacy activist who discovered the NSA cookies, said mistakes happen, ‘but in any case, it’s illegal. The (guideline) doesn’t say anything about doing it accidentally.’"
