
Simon Willison’s Weblog

Thirty five year old cookies

I’m finding myself slightly confused about the Google backlash washing around the blogosphere, which is summarised quite well by Gavin Sheridan. Most of the arguments against using Google unsurprisingly centre around privacy issues, in particular the “35 year cookie”. I was under the impression that cookies could only be set for a maximum of a year, but having checked Netscape’s Cookie Specification and RFC 2965 it appears I was mistaken.

So let’s take a look at the cookies in question, via the Mozilla project’s handy Web Sniffer utility (the front page for this tool is here):

HTTP/1.0 200 OK
Content-Length: 3403
Connection: Keep-Alive
Server: GWS/2.0
Date: Sun, 09 Mar 2003 14:34:32 GMT
Content-Type: text/html
Cache-control: private
Set-Cookie: PREF=ID=05ba0c124de8df6e:TM=1047220472:LM=1047220472:S=Ke2RQCqjCEowS1x-; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com

There it is—a 35 year cookie. Now let’s take a look at some of Google’s competitors.

AllTheWeb:

HTTP/1.1 200 OK
Date: Sun, 09 Mar 2003 14:36:42 GMT
Server: Apache/1.3.27 (Unix) PHP/4.2.3-atw
Set-Cookie: atw-uid=CgVSBj5rUXoAAQnFAwSFAg==; path=/; domain=.alltheweb.com; expires=Sat, 09-Mar-13 02:36:42 GMT
X-Powered-By: PHP/4.2.3-atw
Last-Modified: Sun, 09 Mar 2003 14:35:00 GMT
Expires: Thu, 19 Apr 2001 04:25:21 GMT
Cache-Control: max-age=0, private
Set-Cookie: PREF=frschk=1:_lm=1047220602; expires=Fri, 07-Mar-08 14:36:42 GMT; path=/
Connection: close
Content-Type: text/html; charset=iso-8859-1

That’s two cookies—one for 5 years and one for 10 years. Interesting to see that they’re using their own modified version of PHP 4.2.3 :)

Teoma:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 09 Mar 2003 14:38:50 GMT
Connection: Keep-Alive
Content-Length: 6629
Content-Type: text/html
Set-Cookie: CTST=yes; expires=Sun, 09-Mar-2003 15:03:50 GMT; path=/
Cache-control: private

That cookie lasts for about half an hour and doesn’t contain a unique identifier. Plus they’re running IIS!

Altavista:

HTTP/1.0 200 OK
Set-Cookie: AV_POS=pos=1047220999574; path=/; domain=.altavista.com;
Set-Cookie: AV_USERKEY=AVS03b87123ae55d80a1c21250000022; expires=Tuesday, 31-Dec-2013 12:00:00 GMT; path=/; domain=altavista.com;
Server: AV/1.0.1
MIME-Version: 1.0
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Expires: Sun, 09 Mar 2003 14:43:19 GMT
Set-Cookie: AV_MKT=1; Domain=altavista.com; Path=/; Expires=Thu, 01-Dec-1994 16:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 10020
Date: Sun, 09 Mar 2003 14:43:19 GMT

What a mess! There’s a session cookie (which only lasts until the browser is closed) recording what looks like the time I first visited the front page, a 10 year cookie with a unique ID and another cookie set to expire in 1994, possibly in an attempt to wipe out cookies set by an older version of the site.
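The lifetime check done by eye above can be scripted. This is an added example, not part of the original post: it parses the `Set-Cookie` headers of a raw response, copes with the mixed date styles seen in these captures (two-digit years, full weekday names, `Expires` in either case), and measures each lifetime against the response's own `Date` header. The function names and the `session`/`persistent`/`expired` labels are this example's own.

```python
import re
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
DATE_RE = re.compile(r"(\d{1,2})[- ]([A-Za-z]{3})[- ](\d{2,4}) (\d\d):(\d\d):(\d\d)")

# Cookie and Date headers copied from the Altavista capture (other headers omitted).
ALTAVISTA = """HTTP/1.0 200 OK
Set-Cookie: AV_POS=pos=1047220999574; path=/; domain=.altavista.com;
Set-Cookie: AV_USERKEY=AVS03b87123ae55d80a1c21250000022; expires=Tuesday, 31-Dec-2013 12:00:00 GMT; path=/; domain=altavista.com;
Set-Cookie: AV_MKT=1; Domain=altavista.com; Path=/; Expires=Thu, 01-Dec-1994 16:00:00 GMT
Date: Sun, 09 Mar 2003 14:43:19 GMT
"""

def parse_http_date(text):
    """Parse the date styles seen in the captures: dashes or spaces,
    2- or 4-digit years; the weekday name is ignored."""
    day, mon, year, hh, mm, ss = DATE_RE.search(text).groups()
    year = int(year)
    if year < 100:  # two-digit year rule from RFC 6265 section 5.1.1
        year += 1900 if year >= 70 else 2000
    return datetime(year, MONTHS[mon.lower()], int(day),
                    int(hh), int(mm), int(ss), tzinfo=timezone.utc)

def audit_cookies(raw_response):
    """Return (name, kind, lifetime_in_years) for every Set-Cookie header."""
    headers = [line.split(":", 1) for line in raw_response.strip().splitlines()
               if ":" in line]  # the status line has no colon and is skipped
    served = next(parse_http_date(v) for k, v in headers if k.strip().lower() == "date")
    report = []
    for key, value in headers:
        if key.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        attrs = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        expires = next((v for k, v in attrs.items() if k.lower() == "expires"), None)
        if expires is None:  # no expiry: dropped when the browser closes
            report.append((name, "session", 0.0))
            continue
        years = (parse_http_date(expires) - served).total_seconds() / (365.25 * 86400)
        kind = "expired" if years <= 0 else "persistent"  # past date = delete request
        report.append((name, kind, round(years, 1)))
    return report

if __name__ == "__main__":
    for row in audit_cookies(ALTAVISTA):
        print(row)
```
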

So what have we learnt? Both AllTheWeb and Altavista set 10 year unique identifier cookies, while Teoma appears not to set any. At the end of the day though, what is the difference between a 10 year and a 35 year cookie? How many people are going to go a whole ten years without losing their browser’s cookies, through a browser upgrade, PC upgrade, change of job or just wiping the cookie directory? The answer to that question is self-evident, so in practice a 10 year unique identifier cookie is just as big an invasion of privacy as a 35 year cookie.

On the privacy front, AllTheWeb and Altavista are just as guilty as Google.

This is Thirty five year old cookies by Simon Willison, posted on 9th March 2003.


6 comments

  1. Slightly off-topic, but the date of expiry that Google sets (Sun, 17-Jan-2038 19:14:07) isn't just randomly plucked out of the air. With the current specification, it is impossible to set an expiry date on a cookie to be any greater than that (when the number of seconds since the UNIX Epoch is greater than 2^31 - ie. it's a 32-bit signed integer).

    If you try to set a cookie expiration date higher than that in PHP, it will just make it a session cookie. If you try it in ASP, it will give you an error message.

    Tom - 9th March 2003 21:28 - #

  2. Aaah! That makes a lot of sense.

    Simon Willison - 9th March 2003 21:30 - #

  3. Here's a big difference, Google doesn't track where you go after you make your search. Most other search engines do. Now that's even more worrying. Plus the fact is that if I have a cookie that only lasts a month I can still sequentially track the same user by refreshing it on every visit. This really is such a non-argument about Google and they should just drop the exp down to a year as it would make NO difference to their ability to track anyone. As for other search engines knowing exactly what sites I click on, that I DON'T like.

    Tim Parkin - 10th March 2003 12:23 - #

  4. Agreed with Tim, this is a non-issue. Cookies? We're worried about *cookies*? In 2003? All browsers I've used in the past two years have per-site cookie control (some easier to configure than others). And for the rest of you, there's an entire category for ad/cookie/whatever filters in the Open Directory (ironically, I'll post to the Google Directory version here). http://directory.google.com/Top/Computers/Software/Internet/Servers/Proxy/Filtering/Ad_Filters/

    Mark - 10th March 2003 15:31 - #

  5. Ok, it's now a year or more past the date of the original post. What we now see is that Google is fairly careless about security, except their own of course. Ancient cookies are just so sad. Obviously driven by some pointy-headed management type.

    plumsauce - 6th November 2004 07:31 - #

  6. I don't get it. What use are these cookies if they can be dumped at any time by deleting cookies and cache? Are they preying on the people who don't know to do that regularly, or are they using some kind of cookie that can't be dumped? Thanks for the nice conversation.

    Cheryl - 25th April 2006 13:33 - #


Previously hosted at http://simon.incutio.com/archive/2003/03/09/thirtyFiveYearOldCookies
