http://www.wired.com/threatlevel/200...e_tsas_tracki/

Are TSA’s Tracking Cookies Legal?

* By Ryan Singel Email Author
* February 14, 2007 |
* 9:50 am |
* Categories: Uncategorized
*

The Transportation Security Agency’s website is not only hosting a site that looks like a phishing attack designed to steal personal information from citizens, it’s also using cookies on its website — a practice that the government frowns on. The main TSA site sets two cookies — both of which expire in 2017.
One of the cookies is set to tsa.gov, while the other is served from a web analytics company called WebTrends.

Now the TSA does state on its privacy policy page that it uses cookies. But, that may not be enough to satisfy the government policy on the use of tracking cookies. In 2003, the White House’s Office of Management and Budget issued binding rules on the use of cookies by federal agencies and their contractors — stating:

Particular privacy concerns may be raised when uses of web technology can track the activities of users over time and across different web sites. [...] Because of the unique laws and traditions about government access to citizens’ personal information, the presumption should be that "cookies" will not be used at Federal web sites.

If cookies are going to be used, the rules require that the site include "clear and conspicuous notice" of the cookies, that there exists a "a compelling need to gather the data on the site," that there are "appropriate and publicly disclosed privacy safeguards" for cookie information, and that the head of the agency personally approves the cookies.



Read More http://www.wired.com/threatlevel/200...#ixzz0f6zv9zZy

A three year old article, posted in its entirety...any new information or other reason for posting it?

yeah it appeared on the front page of wired.com a few hours ago. i didn't know it was that old. it was front page news.

Perhaps someone could launch something that could be considered by some definitions, a cyber attack on the TSA website, to teach them a lesson.

Oh yea, attack a government website.

I hope you know this is a daily occurrence? There is nothing special about denial-of-service or other attacks. Pretty much the web and its managers route around them. It is rare that they make the news.

I know. I'm just sayin'....

Felt I should point out that the above is not true. The "data" (other than the cookie itself) *is* stored on the server. The last sentence should read: "Whenever you visit a 'cookie' site, the server looks for its cookie on your hard drive and, if found, then reads the information it stored on its own servers."

Actually, if you want to get even more correct, the server tells the computer (client) to look for its cookie on your hard drive...

Thank you for your discretion.

just another reason to reset your browser and/or clear your cache and cookies after visiting certain websites

Or just more reason to use Private Browsing, where nothing is saved and it's all deleted after each session.

Not really. At least not necessarily. The cookie does, in fact, only hold certain information on your local computer. It might reference a server-side data structure that should be loaded or it might just reference something local. But there is no guarantee that there is specific information stored on the server that is gleaned from the cookie itself.

This I agree with, but, again, that doesn't mean that there is necessarily data about the client stored on the server inside the cookie.

I'm sure the cookie could, for example, report back to the TSA which computers visited the TSA website and the Flyertalk website (or others such as the ACLU, etc.), and record and report their IP addresses which could then be run through a database to ascertain who its assigned to (i.e. John Smith's Comcast cable Internet account).

True, but the point I was trying to make is that it doesn't store additional information on the hard drive like it said. That was the incorrect part.

Or use sites like this.

Dave