Review of Department of Justice Internet Sites

Report No. 01-05
March 13, 2001
Office of the Inspector General


Introduction

Internet sites can be powerful tools to inform the public about federal government activities and programs. These sites raise privacy concerns when they use "cookies", a primary method of compiling information and data about Internet users, to track the activities of users over time and across different sites. [1]

As a result of recently passed legislation, we are required to determine whether Department of Justice (DOJ) Internet sites or third parties working for the DOJ collect personally identifiable information from users who access DOJ Internet sites. Our review consisted of reviewing information provided by DOJ officials and limited testing of cookies for the DOJ Internet sites. We did not perform detailed tests to verify the information contained in the documentation. Thus, this report and the associated work were not performed in accordance with Government Auditing Standards (GAS), but were performed as an "other activity of an audit organization" pursuant to GAS 2.10.

Criteria

Office of Management and Budget (OMB) Memorandum M-00-13 (June 22, 2000), Privacy Policies and Data Collection on Federal Web Sites, stated that "cookies" should not be used at federal Internet sites, or by contractors operating the sites on behalf of agencies, unless there was clear and conspicuous notice; a compelling need to gather the data; and appropriate, publicly disclosed safeguards for handling "cookie"-derived information. In addition, the memorandum stated that the agency head must personally approve the use of "cookies."

The recently enacted Treasury and General Government Appropriations Act, 2001 (H.R. 5658, Section 646) (The Act) requires the Inspector General of each department or agency to report to Congress:
any activity of the appropriate department or agency relating to--

  1. the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information, about individuals who access any Internet site of the department or agency; and

  2. entering into agreements with third parties, including other government agencies, to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for governmental and non-governmental Internet sites.

Methodology

In response to the OMB memorandum and The Act, we assessed DOJ written guidance related to web development and privacy policies, and prohibitions pertaining to collecting, reviewing, or obtaining data regarding individuals using DOJ Internet sites. In addition, on January 4, 2001, we tested the 56 DOJ Internet sites listed on the DOJ's Alphabetical List of Components with Internet Sites (see attachment) to determine whether the DOJ or third parties were collecting personally identifiable information related to any individual's access or viewing habits on the sites. To conduct our testing, we:

  1. Set the Internet browser to warn us if "cookies" were being sent, and we cleared the "cookie" log to ensure that the only entries were those from our test.

  2. Entered two sites known to set "cookies," msn.com and cnet.com, to ensure that the browser warning worked properly and the log recorded the "cookies." In both cases the browser warned us that cookies were being sent to our computer and asked whether we wanted to accept them. We accepted them.

  3. Examined the "cookies" log and, in both cases, the "cookies" were logged.

  4. Entered the 56 DOJ Internet sites to determine whether they would send "cookies" to our computer.
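The same four-step procedure can be scripted against recorded HTTP response headers. The sketch below is an added example, not part of the original report or any DOJ tooling: the capture data, cookie values, and the site-a/site-b.example.gov host names are constructed placeholders, and first-party matching is simplified to a host-suffix comparison.

```python
# Constructed sample capture: site visited -> [(responding host, header name, value)].
CAPTURE = {
    "msn.com": [("msn.com", "Set-Cookie", "MC1=V=3; Path=/")],
    "cnet.com": [("cnet.com", "Content-Type", "text/html"),
                 ("ads.example.net", "Set-Cookie", "uid=abc123; Path=/")],
    "site-a.example.gov": [("site-a.example.gov", "Content-Type", "text/html")],
    "site-b.example.gov": [("site-b.example.gov", "Content-Type", "text/html"),
                           ("stats.example.net", "set-cookie", "v=1; Path=/")],
}
CONTROLS = ["msn.com", "cnet.com"]            # steps 2-3: sites known to set cookies
SITES = ["site-a.example.gov", "site-b.example.gov"]   # step 4: sites under test


def cookies_for(site, capture):
    """Return (cookie name, setting host, party) for each Set-Cookie seen on a visit."""
    found = []
    for host, header, value in capture.get(site, []):
        if header.lower() != "set-cookie":    # header names are case-insensitive
            continue
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        host = host.lower()
        # Simplification: first-party means the visited host or one of its subdomains.
        first = host == site or host.endswith("." + site)
        found.append((name, host, "first-party" if first else "third-party"))
    return found


def audit(sites, controls, capture):
    """Check the positive controls first, then report cookies per tested site."""
    for control in controls:
        # If a known cookie-setting site shows nothing, detection is broken and
        # a clean result for the tested sites would prove nothing.
        if not cookies_for(control, capture):
            raise RuntimeError("control %s set no cookie; detection unreliable" % control)
    return {site: cookies_for(site, capture) for site in sites}


if __name__ == "__main__":
    for site, cookies in audit(SITES, CONTROLS, CAPTURE).items():
        print(site, cookies if cookies else "no cookies set")
```
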

Results

DOJ Internet sites tested were not collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits at the time we tested the sites for "cookies." For all 56 DOJ Internet sites tested, we were neither warned nor asked to accept DOJ or third party "cookies," and, upon examining the browser's "cookies" log, found that no DOJ or third party "cookies" had been recorded.

Currently, DOJ organizations with Internet sites certify quarterly in writing to the Assistant Attorney General for Administration that they comply with OMB Memorandum M-00-13. This policy, as stated earlier, restricts but does not prohibit the use of "cookies."

However, we found no DOJ written guidance related to The Act's prohibition on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites. While The Act did not specifically cite "cookies" as the prohibited method, many commercial Internet sites use "cookies" to do just that when a user accesses their site. Currently, DOJ organizations with Internet sites are not certifying to The Act's prohibitions on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites. Rather, they are merely certifying to OMB Memorandum M-00-13's restricted use of "cookies." In our judgment, the current DOJ certification process should be expanded to include The Act's prohibition on collecting, reviewing, or obtaining personally identifiable information relating to any individual's access or viewing habits on DOJ Internet sites.

Appendix
Alphabetical List of DOJ Components with Internet Sites Reviewed for "Cookies"

 
1	American Indian and Alaska Native Affairs Desk (OJP) 
2	Antitrust Division 
3	Attorney General 
4	Bureau of Justice Assistance (OJP) 
5	Bureau of Justice Statistics (OJP) 
6	Civil Division 
7	Civil Rights Division 
8	Community Oriented Policing Services - COPS 
9	Community Relations Service 
10	Corrections Program Office (OJP) 
11	Criminal Division 
12	Diversion Control Program (DEA) 
13	Drug Courts Program Office (OJP) 
14	Drug Enforcement Administration 
15	Environment and Natural Resources Division 
16	Executive Office for Immigration Review 
17	Executive Office for U.S. Attorneys 
18	Executive Office for U.S. Trustees 
19	Executive Office for Weed and Seed (OJP) 
20	Federal Bureau of Investigation 
21	Federal Bureau of Prisons 
22	Foreign Claims Settlement Commission of the United States 
23	Immigration and Naturalization Service 
24	INTERPOL -- U.S. National Central Bureau 
25	Justice Management Division 
26	National Criminal Justice Reference Service (OJP) 
27	National Drug Intelligence Center 
28	National Institute of Corrections (FBOP) 
29	National Institute of Justice (OJP) 
30	Office of the Associate Attorney General 
31	Office of the Attorney General 
32	Office of Attorney Personnel Management 
33	Office of Community Dispute Resolution 
34	Office of the Deputy Attorney General 
35	Office of Dispute Resolution 
36	Office of Information and Privacy 
37	Office of the Inspector General 
38	Office of Intelligence Policy and Review 
39	Office of Justice Programs 
40	Office of Juvenile Justice and Delinquency Prevention (OJP) 
41	Office of Legal Counsel 
42	Office of Legislative Affairs 
43	Office of the Pardon Attorney 
44	Office of Policy Development 
45	Office of Professional Responsibility 
46	Office of Public Affairs 
47	Office of the Solicitor General 
48	Office for State and Local Domestic Preparedness Support (OJP) 
49	Office of Tribal Justice 
50	Office for Victims of Crime (OJP) 
51	Tax Division 
52	U.S. Attorneys 
53	U.S. Marshals Service 
54	U.S. Parole Commission 
55	U.S. Trustee Program 
56	Violence Against Women Office (OJP) 


Footnotes

  1. "Cookies" are small software files placed on computers without a person's knowledge that can track their movement on an Internet site. Essentially, cookies make use of user-specific information transmitted by the Internet server onto the user's computer so that the information might be available for later access by itself or other servers. Internet servers automatically gain access to relevant cookies whenever the user establishes a connection to them, usually in the form of Internet requests.