The Transportation Security Agency's website is not only hosting a site that looks like a phishing attack designed to steal personal information from citizens, it's also using cookies on its website -- a practice that the government frowns on. The main TSA site sets two cookies -- both of which expire in 2017.
One of the cookies is set to tsa.gov, while the other is served from a web analytics company called WebTrends.
Now, the TSA does state on its privacy policy page that it uses cookies. But that may not be enough to satisfy the government policy on the use of tracking cookies. In 2003, the White House's Office of Management and Budget issued binding rules on the use of cookies by federal agencies and their contractors -- stating:
If cookies are going to be used, the rules require that the site include "clear and conspicuous notice" of the cookies, that there exists "a compelling need to gather the data on the site," that there are "appropriate and publicly disclosed privacy safeguards" for cookie information, and that the head of the agency personally approves the cookies.
Given that there are no preferences or passwords to be saved on the site, I don't see what the "compelling need to gather data" is. Likewise, what is stored on the cookie and how it is used is simply not spelled out on the privacy policy page, which simply defines cookies generally:
Finally, I don't know if TSA chief Kip Hawley has signed off on the use of cookies. I've put in a call, but given the weather in Washington, D.C., it may take some time for the agency to reply. But I assume they will do so before my TSA cookie expires in 10 years.
Many thanks to reader Logical Extremes, who pointed out the cookies in the comments in the phishing post.
