The Idaho National Engineering and Environmental Lab (INEEL), a Department of Energy facility near Idaho Falls, serves as a storage area and incinerator for some of the nation’s most radioactive toxic waste. It was a job that for 20 years was done quietly, away from major cities and towns and the scrutiny of the public. Then, citizens of growing communities downwind of the facility like Jackson, Wyo., began to raise a fuss. The result for the time being is that the incinerator at INEEL has shut down amid allegations that nuclear and other radioactive or toxic heavy-metal wastes are being mishandled or poorly monitored in storage.
While the Department of Energy (DOE) is investigating the charges, some of which have proven true, INEEL was recently found to have been using software that tracks visitors to its website, a violation of DOE policy and a presidential order given through the federal Office of Budget and Management.
Such web software features are called “cookies,” and their use on the internet has become commonplace. Internet subscribers whose servers feature a personalized homepage already have a “persistent cookie” on their computer, a file written to a private user’s computer from a website host (in this case, the server) to track the number and type of pages a visitor hits while on the site, as well as sites referred to or from. This information can then be used to create a profile, or educated demographic guess, of the visitor. “Session cookies” are the same type of feature, but are dropped from a visitor’s computer when the visitor leaves the site.
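As an added illustration (not part of the original article and not INEEL's or WebTrends' code), the sketch below shows how a site audit can tell the two kinds apart from the `Set-Cookie` response header: a cookie carrying a future `Expires` date or a positive `Max-Age` is persistent, and one with neither is a session cookie. The page paths, cookie names and audit date are constructed sample data.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def classify_set_cookie(header_value, now=None):
    """Return (cookie_name, 'session' | 'persistent' | 'expired')."""
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # Max-Age takes precedence over Expires when both are present (RFC 6265).
    if "max-age" in attrs:
        try:
            seconds = int(attrs["max-age"])
            return name, "persistent" if seconds > 0 else "expired"
        except ValueError:
            pass  # malformed Max-Age is ignored; fall through to Expires
    if "expires" in attrs:
        try:
            when = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return name, "session"  # unparseable date: attribute is ignored
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return name, "persistent" if when > now else "expired"
    # No lifetime attribute: the browser discards it when the session ends.
    return name, "session"

def persistent_cookie_pages(responses, now=None):
    """Map each page path to the persistent cookies its response sets."""
    findings = {}
    for path, headers in responses.items():
        kinds = [classify_set_cookie(h, now) for h in headers]
        names = [n for n, kind in kinds if kind == "persistent"]
        if names:
            findings[path] = names
    return findings

# Constructed sample: Set-Cookie values captured per page during a crawl.
SAMPLE_NOW = datetime(2000, 12, 12, tzinfo=timezone.utc)
SAMPLE_RESPONSES = {
    "/index.html": ["SESSIONID=abc123; Path=/"],
    "/reports/waste.html": ["visitor_id=7f3a; Expires=Fri, 31 Dec 2010 23:59:59 GMT; Path=/"],
    "/contact.html": ["trk=1; Max-Age=31536000", "old=0; Max-Age=0"],
    "/news.html": ["stale=x; Expires=Sat, 01 Jan 2000 00:00:00 GMT"],
}

if __name__ == "__main__":
    for page, names in persistent_cookie_pages(SAMPLE_RESPONSES, SAMPLE_NOW).items():
        print(page, names)
```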
Who can use this type of information? According to WebTrends.com, the website for the software company that provided INEEL with its cookies, the software was developed for web entrepreneurs looking for the upper hand in pinpointing customer demographics. Yet WebTrends describes the software in a manner that implies that more than just general demographic information could be gleaned from its products: “Powerful ... easy to use ... and gives detailed graphical analysis of user behavior ... Review visitor behavior, visitor paths, demographics, and much more ... gives HR [human resources] professionals the information they need to understand how company employees are using the corporate intranet.”
While it’s not clear how much of such rhetoric is advertising hyperbole, the potential appeal to INEEL officials, whose record of running afoul of lawful standards of hazardous waste disposal has been confirmed lately by DOE investigators, seems undeniable. (The ability to monitor internal “intranet” use seems especially pertinent in light of recent allegations by one former INEEL employee of repeated exposure to radioactive waste that were verified by DOE reports.)
INEEL spokesman John Walsh said in a Dec. 12 phone interview: “We probably knew they were there. We were under the impression that they were all just session cookies. And then after we were told we had persistent cookies, we searched and found 14 pages of them out of some 150,000 on our website. We turned them off, and to our knowledge there are no more persistent cookies anywhere on our site.”
Walsh insisted any claims that INEEL was “spying” on visitors were simply not true, a claim questioned by Keep Yellowstone Nuclear Free (KYNF) spokesman Erik Ringelberg.
“INEEL has come full circle on this one, first denying they had any persistent cookies, and then saying they didn’t know they had them, and now acknowledging they had them but denying they were using the feature,” says Ringelberg. “The WebTrends software they had is specifically designed for tracking the kind of information they say they weren’t interested in tracking. And the cookies are in direct defiance of federal agencies’ internet policy.”
KYNF identified the persistent cookies to INEEL officials, who initially flatly denied they were there, then modified their position to cooperate with KYNF to have the persistent cookies turned off.
The nature and extent of information that can be gleaned from cookies are disputed, even in web programming circles. University of Montana web developer Mike Manzanec differentiates between the tasks cookies perform and hacking, which is blatantly illegal.
“Cookies are probably misunderstood, and in some cases get a bad reputation for no real reason,” he says. “You can’t read other people’s email or find out their name, address and phone number, at least not directly. What you can do is amass a lot of information quickly about how much time an individual computer is spending on your website, which pages they visit, and therefore what kind of information they’re interested in. It’s not possible for a provider like Microsoft Network, which uses permanent cookies, to identify individual users, since the number would be in the millions, and subscribers visit millions of different sites. But for smaller organizations, if an individual visits enough times and spends enough time, you might wind up being able to guess accurately about whose computer was logging on to your site.”
According to Ringelberg, this is precisely the scenario between INEEL and KYNF. “There’s a limited number of people who are going to be looking for the kind of information that’s on their website,” says Ringelberg. “We are certainly one of those groups, but our concern was over access for the general public, which deserves to know about these things without being looked at in return.”
Ringelberg thinks the worst part of the INEEL cookie caper is the unknowable. “Who would want with this kind of information?” he asks. A good question, given the asterisk put on the cookie-free claim made by INEEL spokesman Walsh: “We are still using cookies internally, no one has had the time yet to go through all of our own pages and turn everything off there.”