from the CIA's FOIA site on Monday afternoon, March 18, 2002.
Scroll to the bottom to see
PIR home page
CIA's Internet Presence
An Internet security firm in London spent a couple of days trying to figure out the CIA's server setup by using public sources and legal techniques. They produced a diagram of the CIA's internal server network. One comment about this diagram: from our logs, it's clear that casual Internet surfers at the CIA appear either as:
The diagram makes it appear as though the relay2 channel is only for incoming email, but this channel is definitely also used for outgoing web surfing traffic.
Also, there is a site at www.foia.ucia.org that provides access to FOIA documents. This site is not on the diagram. It appears to be outsourced to Digex, Inc. and has an IP number of 18.104.22.168
This Digex site, designed by Olympus Group, sets a weblog analysis cookie that expires in 2010 and includes your IP number. It's labeled EGSOFT_ID. That surprised us, as we recall that during the Clinton administration, an order went out telling government sites to avoid this sort of thing. (Oh well, I suppose if you're authorized to carry out assassinations, a mere spurious cookie probably won't get you into trouble with your boss.) By the way, every FOIA document we've seen that's offered through the CIA's FOIA site is utterly boring and insignificant.
(Sometimes their site even seems deliberately misleading. Try a search for "Condor" and assume that you're interested in the Operation Condor that half of Latin America is screaming about. None of the five documents is remotely relevant; the only thing you come away with is their tracking cookie. Now try our site.)
A warning: don't do port scans or excessive pings on the CIA's servers. They might think you're an Arab and ask the FBI to break down your door and take your computer. But feel free to block them from your website.
March 15, 2002
Mr. David E. Wheelock
Dear Mr. Wheelock:
I presume that you know who is responsible for the CIA's website at http://www.foia.ucia.gov. I tried to contact the Olympus Group, the purported designers of this page, but they don't seem to exist these days. The server for this page is apparently outsourced to Digex, Inc.
I am writing about the cookie issued by this site. I realize that someone may have added the cookie plug-in at the server, and that you have nothing to do with this cookie. If that's the case, I'd appreciate the name and contact information of someone else who is responsible.
When visiting this site today, I received the following cookie:
www.foia.ucia.gov FALSE / FALSE 1293753656 EGSOFT_ID 12.34.567.89-1019205920.29477230
The "1293753656" is an expiration date of December 31, 2010.
The 12.34.567.89, which I have edited for my own privacy (I am posting a copy of this email on my website), was my Internet IP number.
The "1012597920.29477980" is apparently a unique ID number, since it changes with each new cookie issued. I have also made some changes in this number, otherwise someone would be able to look up my IP number.
The EGSOFT_ID presumably identifies this cookie as part of a web log analysis program. However, there is no guarantee that this is in fact the purpose of the cookie, as this ID could be easily forged by anyone with access to the server.
Even assuming that the EGSOFT_ID is authentic, the use of a persistent cookie for log analysis and statistical reporting does not qualify as a "compelling need" as outlined in the OMB policy (point 2 above).
Moreover, the privacy notice on the site makes no mention of this persistent cookie (points 1 and 3).
And, I presume, you are unable to show that the Director of Central Intelligence has authorized your use of persistent cookies on this site (point 4).
Well then, it must be a mole that likes cookies!
From the CIA director's site:
"The Central Intelligence Agency Web site does NOT use the 'cookies' that some Web sites use to gather and store information about your visits to their sites." [ emphasis in original ]
Date: Mon, 18 Mar 2002 16:25:08 -0500
From: "Mike S." <[deleted]@ucia.gov>
Subject: Persistent Cookies--www.foia.ucia.gov
Dear Mr. Brandt,
I'm the site manager for the DCI/CIA public website and was asked to investigate your observations and reply to you. You are absolutely right: that part of the DCI/CIA website at www.foia.ucia.gov, which is hosted separately from the main site, has been setting persistent cookies -- unbeknownst to us. And because we were unaware this was occurring, neither our overall site notices nor the Electronic Reading Room's specific notices contained information about these cookies. I am very familiar with Federal policy on cookie use, and prior to your note, I believed that our website was in full compliance.
Most important for you to know is that the Electronic Reading Room site manager has turned off the setting of both persistent and session cookies for visitors to www.foia.cia.gov, which is hosted separately from the main DCI/CIA website.
Here's what happened: The Central Intelligence Agency's former Electronic Document Release Center site was completely redesigned by a contractor with whom we no longer do business and reposted as the Electronic Reading Room on January 29, 2002. As you surmised, the contractor incorporated into the site a popular commerial software program for analyzing Electronic Reading Room log files containing information about visitor traffic. Neither the contractor nor the ERR site manager nor I were aware that this particular program, apparently by default, sets a persistent cookie to determine if a visitor is a repeat visitor, information the software then uses in producing statistical reports regarding site traffic. I've been assured that this cookie contained no personal information. It was not a third-party cookie. And the ERR's host server does not set cookies.
As an extra measure, we are destroying the two sets of log files for www.foia.ucia.gov that we maintained to eliminate any possibility that we have improperly retained data about the ERR site's visitors. This will be completed today and will include all log files created since the redesigned site was posted January 29.
Our Privacy Notice identifies the information that we do routinely collect about visits to the site, information that is recorded in log files. Our log files do not record any information that personally identifies visitors. This is the same information collected by many, if not most, website managers for security purposes, to analyze site use patterns, and to manage sites based on such analysis.
Further, we have, until today, set session cookies when visitors log onto the Electronic Reading Room site. These cookies expired when the visitor closed his or her browser. We have also stopped using session cookies today on the ERR site after the site manager determined the functionality they provided was not required. I would note that the use of session cookies on Federal websites was specifically excluded from OMB policy memorandum M-00-13 in a September 5, 2000, letter from OMB to the U.S. Department of Commerce chief information officer.
I'm sincerely thankful that you took the time to notify us of your finding -- a situation about which we were unaware prior to your note. I believe the actions we have taken today satisfy your concerns since we are once again in full compliance with Federal guidelines regarding cookie use.
Central Intelligence Agency
And our reply to their reply:
Thank you, "Mike S.", for your reply.
I noticed a couple of hours ago that the persistent cookie was gone, and put an update box at the top of http://www.namebase.net:82/ciascan.html
I am glad to hear that you are destroying the cookie files.
I'm still getting the following session cookie from the site, but that doesn't bother me:
With your permission, I'd like to add your reply to the bottom of our page in another box.
And their reply to our reply to their reply:
Date: Mon, 18 Mar 2002 18:48:06 -0500
From: "Mike S." <[deleted]@ucia.gov>
Subject: Re: Thanks for your reply
Dear Mr. Brandt,
I'm personally very embarrassed to find out that we are still setting session cookies after I said we are not -- a fact I became painfully aware of after sending you my response. With the perfect clarity of hindsight, I should have personally checked what I had been told before I pressed "send."
The Electronic Reading Room website contractor is unsure what is generating the session cookie. He is going to call the company hosting the site to ask, again, if their server software is setting a session cookie. In the end, depending on what's generating it, he said the session cookies may turn out to be a function of some of the software used (he was not specific) and that we may not be able to turn session cookies off. If that turns out to be the case, we will determine the session cookie's use and modify our legal notices to accurately reflect that they are in use on the Electronic Reading Room site and their purpose.
I expected you to post my response to your website without asking, but I very much appreciate the fact that you've asked. The awkward position your request puts me in is that my reply states we stopped using session cookies today which you and I both know now is not the case. I do not ask nor encourage you to alter my note to you which I sent in good faith. If you decide to post my note, I do ask that you find a way to let your site's users know that I have acknowledged my misstatement and that we continue to work on the session cookie issue.
Please let me know what you decide to do. The choice to post or not is yours.