Contractor Investigated for White House Site Tracking

By Walaika K. Haskins
December 30, 2005 10:29AM

"The fact that the White House site used Web bugs that do not capture personally identifiable information is irrelevant," said privacy expert Larry Ponemon. "The key issue is government officials were caught completely off-guard when reporters learned that Internet tracking technologies were planted on the White House's site."

The White House has started an investigation to determine if a government contractor used banned Internet tracking technologies to analyze usage and traffic at www.whitehouse.gov.

The contractor, WebTrends, Inc., allegedly used Web bugs -- small, almost invisible images inserted in Web pages that pass information anonymously to third-party sites -- to record who visited the White House Web site and when they did so.

While Web bugs are not prohibited, David Almacy, White House Internet director, said there will be an investigation to determine whether WebTrends violated a 2003 policy set by the Office of Management and Budget (OMB) banning the use of Internet tracking devices on government sites.

"No one even knew it was happening" Almacy said in an interview with the Associated Press. "We're going to work with the contractor to ensure that it's consistent with the OMB policy."

The disclosure came just one day after the National Security Agency confirmed that it had mistakenly used a prohibited type of cookie to track the comings and goings of individuals to its Web site.

Why You Buggin?

Web bugs, on their own, are a relatively innocuous tracking device used by online advertisers. The problem with the bugs used by WebTrends is that they were linked with cookies from the sites of other WebTrends clients. That allowed the company to know if and when an individual made a return or repeat visit to the White House site.

According to WebTrends' Jason Palmer, vice president of product management, the cookies were not used in that manner. In a statement to the AP, the Portland, Oregon-based company said that the analysis it performed for the White House site is typical.

The OMB ban specifies that a federal agency must prove a "compelling need" to include a tracking device, receive approval from a senior official, and disclose the usage of such technology. No such clearance was sought, Almacy said, because it was not thought necessary. Almacy said that his office was unaware of the problem until it received the query about cookies from the news media. No personal data were collected, he added.

An Unwelcome Surprise

The reason for the 2003 OMB requirement is to make it absolutely clear that Americans' privacy rights are not at risk when browsing government sites, said Larry Ponemon, founder of the Ponemon Institute and adjunct professor of Ethics & Privacy at Carnegie-Mellon University's CIO Institute.

"The fact that the White House site used Web bugs that do not capture personally identifiable information is irrelevant," he said. "The key issue is government officials were caught completely off-guard when reporters learned that Internet tracking technologies were planted on the White House's site."

Even more disturbing, Ponemon said, is that the problem was the result of a contractor -- not a government agency -- planting Web bugs on the site. Ponemon said this is worrisome as it indicates that "external parties may have too much latitude or control over key technologies deployed within our government." Such a loss of control over government Web sites is a serious flaw in the government's critical infrastructure that opens doors to cyber-criminals and terrorists, he added.

"If this situation involved a major corporation's violation of its Internet privacy commitments, the FTC, attorneys generals and the legal community would be yelling bloody murder," Ponemon said. "There appears to be a double standard at work here since this case concerns a governmental Web site."