Analysis: Federal websites using cookies
Got cookies? The U.S. Mint does. So do (or did) NASA, the General Services Administration and the Treasury, Energy, Interior, Education and Transportation departments, according to a preliminary audit released by the Office of the Inspector General last week. Trouble is, in most cases, those cookies on government Web sites were unauthorized -- they violated specific, unambiguous federal rules.
And nobody's exactly sure how it happened or how widespread the problem is. We can make some pretty good guesses, though.
After all, we're technical people. We know how techies think. Cookies are technology. Technology is a good thing, and it's much more important than rules. And if rules get in the way of what we're trying to accomplish with technology, well, which is more important: rules or getting the job done?
In some cases, outside contractors may not even have known about the no-cookies rules. And at one site that was run by a private contractor, the contractor's agreement even gave the private company rights to all the data collected from cookies.
The rules just disappeared from their radar. They were inconvenient, and in the rush to the Web, they just got brushed aside.
No, don't snicker at those irresponsible government techies. You've probably got cookies you don't know about, too. More to the point, you've probably got rules being brushed aside in ways that could threaten your company much more than any unauthorized government cookie could.
And those rules matter.
Corporate IT shops are now neck-deep implementing and maintaining systems that involve contracts and legal requirements and bureaucratic regulations -- systems like customer relationship management, supply chains and online stores.
We build this stuff fast, then hack and tweak it to make it work. And we keep hacking and tweaking to get it working better. Unfortunately, we have no way of knowing how many of those hacks and tweaks violate contracts, laws, regulations or our companies' public statements.
Cookies? They're the least of the problem, the readily visible tip of the iceberg. Users who are really concerned about cookies can easily set their Web browsers to flag cookies when a Web site uses them. Those users probably knew about the cookie-laden government Web sites long before the inspector general did.
And if some self-appointed inspector general wannabe catches our Web sites trying to set cookies when our published privacy policies say we don't use cookies, we'll look bad. But we'll probably be able to correct the problem pretty quickly.
The real risk comes with the other rules we ignore. Privacy rules. Security rules. Data handling rules. Regulatory requirements. Contract provisions.
Break those rules and your company could end up in court. Break them badly enough -- or with bad enough results -- and things could get really ugly.
And don't think code reviews during development are enough to make sure rules are followed. Remember, we're rebuilding and reconfiguring these systems on the fly every day. Unless everyone understands all the rules, you could be on the receiving end of fines, penalties, lost customers or lost court cases.
Maybe it's time to do an audit of your own. Find out how many of your people know the rules, especially the nontechnical rules, that they have to follow. And find out how deep their commitment is to following those rules. And how much re-educating you need to do.
Because you've got rules, and you'd better make sure they're followed.
» posted by ITworld staff
Computerworld
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
