“Me want cookies!”   This is what I hear many of my Government clients say – more specifically they want to understand cookies in relation to their web analytics.  I have come to call this the “Cookie Monster” issue since there is so much confusion.  So for my post here (and with many thanks to DJ) I thought Let’s start with dessert first!

Below I have listed from most accurate to less accurate the ways visitors are identified on-line:

1. Authenticated:  The technique by which access to Internet or intranet resources requires the user to enter a username and password as identification.  This is the only way to count visitors “across machines”, as no matter where they log in they are identified correctly.  Cookies are really just tracking unique computers!
2. Persistent Cookies :  A text file containing a random identification string that “lives” on the visitors computer.  Using the value stored in this cookie, WebTrends can identify if you’ve been to the site before and identify you as a “new” or “returning” visitor (but can’t tell anything else about you… it’s a random number after all!).  This is also used to provide “unique visitor” counts in WebTrends.
3. Session Cookies : A text file containing a random identification string that only remains in the computer’s memory for the length of the visit, or “session”.  It does not live on the machine after you navigate away from the site that set it, so there is no way to identify visitors that have been to the site before.
4. IP Address : Internet Protocol Address is used to identify a computer connect to the internet.  Since there are only so many IP addresses to go around, more often than not individual machines end up sharing the same IP address due to the use of proxy servers (used by large organizations like companies and universities), internet service providers or even home wireless routers.

The real question is “how does visitor identification affect my analytic reports”?   Very few Government sites use authentication, so that means that most visitor tracking is either with IP address (tends to be very inaccurate) or with Cookies (Session or Persistent).  The current OMB guideline restricts the use of Persistent Cookies for Government Agencies to only agencies that have received direct permission. This means most government web analytic programs are limited to Session Cookies.  Since only Authenticated or Persistent cookies can track a visitor returning to the site the use of Session cookies eliminates ‘returning’ and ‘unique’ visitor information.

Understanding this in relation to the data you are collecting for your reports makes all the difference in analyzing the information correctly. While you can see how many visitors or visits came in a day – you will not be able to know how many visit/visitors are new vs returning. Does this mean that analytics then has no value? Absolutely Not!! Even gathering information with Session Based ID still provides valuable insight on path navigation, content groups, registrations, surveys etc. which in turn can help with the number one point of the eGov Initiatives – to improve constituents on line experience.

One final thought about cookies: It is also important to know the source of the party setting the cookie on your machine (we recommend and use 1st party cookies).   If you navigate to www.agency.gov for example, the cookie was be considered 1st party if it is set by the domain you are visiting (www.agency.gov in this case), but if a cookie was set by www.vendor.com, it would be a 3rd party cookie because you weren’t specifically requesting information from www.vendor.com.  3rd party cookies have historically been tolerated, but the proliferation of spyware, malicious websites and with increased privacy concerns a harsh light has been shed on this technology in the past few years.  Newer browser technologies are even actively rejecting 3rd party cookies, and rejection rates can be as high as 27% according to some analysts.  If you are only using a 3rd party cookie to identify your traffic the only source to fall back on if it’s rejected is the IP Address.

Tim Evans as part of the WAA Public Sector Committee is currently gathering information from agencies that have successfully petitioned for the use of persistent cookies to share with agencies interested in pursuing the use of persistent cookies – please feel free to contact either Tim or myself if you’d like to participate.

For additional insights and options on accurately assessing traffic on government sites, please download our Government Best Practices whitepaper or comment below on what else you’d like to see addressed here for government agencies online.

Tags: cookies, government, OMB guidelines, privacy

This entry was posted on Friday, October 31st, 2008 at 6:00 am and is filed under Best Practices, Industry Perspectives, Online Privacy. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.