Washington, DC – Even after they were told to knock it off, federal agencies have allowed their Web sites to contain tracking devices that have the ability to collect information about users' Web habits and personal information without notice.
Sen. Fred Thompson, R-Tenn., and Rep. Jay Inslee, D-Wash., say they are livid after the release of a report that indicates government sites may be intentionally violating citizens' privacy, despite an administration directive last year for these sites to stop monitoring users.
"I think what it demonstrates, on the part of a lot of folks in several agencies, is their trivial view of privacy," blasted Inslee, who with Thompson had called for an agency-wide government study of federal Web sites to determine whether they are in compliance with 1999 privacy rules.
He said the results of that study have been "stunning," with the worst offender so far being the Department of Defense. "The [Defense Department] by order of magnitude has the worst record of any agency so far," he said.
Current policy states that federal Web sites cannot employ the use of tracking devices, including so-called "cookies" and Web bugs, to build user profiles. They must also post privacy notices on sites in which substantial information is collected from visitors.
According to the Inspector General of the Defense Department, 128 out of the 400 sites reviewed had 128 persistent cookies present. Persistent cookies, as opposed to regular cookies, do not expire when the user leaves the site and stay "on," tracking user activity on a site for an indeterminate amount of time.
While they are banned from government sites, persistent cookies are permitted if they meet specific conditions, including permission from the Secretary of Defense. In the audit, however, officials said the secretary did not grant permission for their use on any Defense site to date.
In addition, 100 of those sites did not have privacy notices and 61 sites requested voluntary personal information without first displaying a privacy notice.
Not All Cookies Are Harmful
But some privacy experts say that while cookies and Web bugs could be used for the collection and exchange of user information, there is no proof at this time the government was intentionally doing that.
Some of the devices were likely planted there by third party sources, while others were possibly placed by contracted Web designers. And non-persistent cookies are often used to track possible hacker activity.
"It was most likely an accident," said Richard Smith, chief technology officer at the Privacy Foundation. Or "they were looking for hackers trying to break into their Web sites."
Smith pointed out that Web designers routinely put such devices into commercial sites, and they might not have known that certain measures were violating privacy statutes on government sites. "The people who were building the Web site … they never really thought it through," he said.
But while some cookies are harmless enough, he conceded, others collect information that is shared with online advertising companies, like DoubleClick Inc.
"People just don't know," says Lauren Gelman, director of public policy for the Electronic Frontier Foundation. "Maybe they will have some idea of what a cookie is, or they may have heard of a Web bug … but do they really know about their ability to collect information about you and where you've been and then coordinate that with other information about you and where you've been?"
Government "Should Be Held Accountable"
The report indicated that, once approached with evidence of the tracking devices, many of the Web operators were unaware of the problem and rectified it immediately.
"If you violate [privacy], you should be held accountable," said Wayne Crews, director of technology studies at the Cato Institute. He noted that the Defense sites, which include those run by the Army, Navy, Air Force and Marines, are often used by military men and women accessing services.
"If a Web site is a service site, if you're checking on a pension or something like that, your privacy needs to be protected," Crews said. "If a government site is using information, you'd want that stated publicly. You don't want it having unlimited powers."