Playing by the rules

Got cookies? The U.S. Mint does. So do (or did) the U.S. National Aeronautics and Space Administration (NASA), the U.S. General Services Administration and the U.S. Treasury, Energy, Interior, Education and Transportation departments, according to a preliminary audit released by the U.S. Office of the Inspector General last week.

Trouble is, in most cases, those cookies on government Web sites were unauthorized – they violated specific, unambiguous federal rules.

And nobody’s exactly sure how it happened or how widespread the problem is. We can make some pretty good guesses, though.

After all, we’re technical people. We know how techies think. Cookies are technology. Technology is a good thing, and it’s much more important than rules. And if rules get in the way of what we’re trying to accomplish with technology, well, which is more important, rules or getting the job done?

In some cases, outside contractors may not even have known about the no-cookies rules. And at one site run by a private contractor, the contract even gave the contractor rights to all the data collected from cookies.

The rules simply disappeared from the radar. They were inconvenient, and in the rush to the Web they got brushed aside.

No, don’t snicker at those irresponsible government techies. You’ve probably got cookies you don’t know about, too. More to the point, you’ve probably got rules being brushed aside in ways that could threaten your company much more than any unauthorized government cookie could.

And those rules matter.

Corporate IT shops are now neck-deep in implementing and maintaining systems that involve contracts, legal requirements and bureaucratic regulations – systems such as customer relationship management, supply chains and on-line stores.

We build this stuff fast, then hack and tweak it to make it work. And we keep hacking and tweaking to get it working better. Unfortunately, we have no way of knowing how many of those hacks and tweaks violate contracts, laws, regulations or our companies’ public statements.

Cookies? They’re the least of the problem, the readily visible tip of the iceberg. Users who are really concerned about cookies can easily set their Web browsers to flag cookies when a Web site uses them. Those users probably knew about the cookie-laden government Web sites long before the inspector general did.

And if some self-appointed inspector general wannabe catches our Web sites trying to set cookies when our published privacy policies say we don’t use cookies, we’ll look bad. But we’ll probably be able to correct the problem pretty quickly.
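The kind of check that "inspector general wannabe" would run, as an added example that is not part of the original column: a Python script that reads the Set-Cookie headers of an HTTP response (a constructed sample here, not a capture from any real site) and reports every cookie the response sets, distinguishing session cookies from persistent ones and ignoring headers that merely delete a cookie. It goes slightly beyond the column's "we don't use cookies" case by also supporting a policy that permits session cookies only; the policy names, the sample header values and the fixed audit date are assumptions made for the example.

```python
"""Audit the Set-Cookie headers of an HTTP response against a cookie policy.

Added example. It does not fetch anything: the response headers below are
constructed for illustration, so the script runs offline.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response headers (not from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "visitor_id=9f8e7d; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/"),
    ("Set-Cookie", "tracker=x; Max-Age=31536000; Domain=.example.gov"),
    ("Set-Cookie", "old=; Max-Age=0"),  # clears a cookie, sets nothing new
]

# Fixed "now" so the audit is reproducible; a real run would use the clock.
AUDIT_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header_value, now):
    """Return (name, kind); kind is 'session', 'persistent' or 'deletion'.

    A cookie is persistent if it carries a Max-Age or Expires in the future.
    Max-Age wins over Expires when both are present (RFC 6265 section 5.3).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    max_age = attrs.get("max-age")
    if max_age is not None and max_age.lstrip("-").isdigit():
        return name, ("deletion" if int(max_age) <= 0 else "persistent")

    expires = attrs.get("expires")
    if expires:
        try:
            when = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            when = None  # unparseable date: treat the attribute as absent
        if when is not None:
            if when.tzinfo is None:
                when = when.replace(tzinfo=timezone.utc)
            return name, ("deletion" if when <= now else "persistent")

    return name, "session"


def audit_cookies(headers, policy, now):
    """Return [(cookie name, kind)] for every cookie the policy forbids.

    policy is 'none' (the site claims to set no cookies at all) or
    'session-only' (session cookies allowed, persistent cookies not).
    Deletions are never reported: clearing a cookie is not setting one.
    """
    violations = []
    for field, value in headers:
        if field.lower() != "set-cookie":
            continue
        name, kind = parse_set_cookie(value, now)
        if kind == "deletion":
            continue
        if policy == "none" or (policy == "session-only" and kind == "persistent"):
            violations.append((name, kind))
    return violations


def run_sample_audit(policy):
    """Audit the constructed sample response under the given policy."""
    return audit_cookies(SAMPLE_HEADERS, policy, AUDIT_NOW)


if __name__ == "__main__":
    for policy in ("none", "session-only"):
        found = run_sample_audit(policy)
        print(f"policy={policy}: {len(found)} violation(s)")
        for name, kind in found:
            print(f"  {name}: {kind} cookie")
```

Run against live responses by replacing SAMPLE_HEADERS with the header list from an HTTP client and AUDIT_NOW with the current UTC time; the same function then tells you, for each page, exactly which cookies your published policy does not cover.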

The real risk comes with the other rules we ignore. Privacy rules. Security rules. Data handling rules. Regulatory requirements. Contract provisions.

Break those rules and your company could end up in court. Break them badly enough – or with bad enough results – and things could get really ugly.

And don’t think code reviews during development are enough to make sure rules are followed. Remember, we’re rebuilding and reconfiguring these systems on the fly every day. Unless everyone understands all the rules, you could be on the receiving end of fines, penalties, lost customers or lost court cases.

Maybe it’s time to do an audit of your own. Find out how many of your people know the rules, especially the non-technical rules, that they have to follow. And find out how deep their commitment is to following those rules. And how much re-educating you need to do.

You’ve got rules, and you’d better make sure they’re followed.

Hayes, a Computerworld (U.S.) senior news columnist, has covered IT for more than 20 years. Contact him at