Simon Willison’s Weblog

Thirty five year old cookies

9th March 2003

I’m finding myself slightly confused about the Google backlash washing around the blogosphere, which is summarised quite well by Gavin Sheridan. Most of the arguments against using Google unsurprisingly centre around privacy issues, in particular the “35 year cookie”. I was under the impression that cookies could only be set for a maximum of a year, but having checked Netscape’s Cookie Specification and RFC 2965 it appears I was mistaken.

So let’s take a look at the cookies in question, via the Mozilla project’s handy Web Sniffer utility (the front page for this tool is here):

HTTP/1.0 200 OK
Content-Length: 3403
Connection: Keep-Alive
Server: GWS/2.0
Date: Sun, 09 Mar 2003 14:34:32 GMT
Content-Type: text/html
Cache-control: private
Set-Cookie: PREF=ID=05ba0c124de8df6e:TM=1047220472:LM=1047220472:S=Ke2RQCqjCEowS1x-; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com

There it is—a 35 year cookie. Now let’s take a look at some of Google’s competitors.

AllTheWeb:

HTTP/1.1 200 OK
Date: Sun, 09 Mar 2003 14:36:42 GMT
Server: Apache/1.3.27 (Unix) PHP/4.2.3-atw
Set-Cookie: atw-uid=CgVSBj5rUXoAAQnFAwSFAg==; path=/; domain=.alltheweb.com; expires=Sat, 09-Mar-13 02:36:42 GMT
X-Powered-By: PHP/4.2.3-atw
Last-Modified: Sun, 09 Mar 2003 14:35:00 GMT
Expires: Thu, 19 Apr 2001 04:25:21 GMT
Cache-Control: max-age=0, private
Set-Cookie: PREF=frschk=1:_lm=1047220602; expires=Fri, 07-Mar-08 14:36:42 GMT; path=/
Connection: close
Content-Type: text/html; charset=iso-8859-1

That’s two cookies—one for 5 years and one for 10 years. Interesting to see that they’re using their own modified version of PHP 4.2.3 :)

Teoma:

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 09 Mar 2003 14:38:50 GMT
Connection: Keep-Alive
Content-Length: 6629
Content-Type: text/html
Set-Cookie: CTST=yes; expires=Sun, 09-Mar-2003 15:03:50 GMT; path=/
Cache-control: private

That cookie lasts for about half an hour and doesn’t contain a unique identifier. Plus they’re running IIS!

Altavista:

HTTP/1.0 200 OK Set-Cookie: AV_POS=pos=1047220999574; path=/; domain=.altavista.com;
Set-Cookie: AV_USERKEY=AVS03b87123ae55d80a1c21250000022; expires=Tuesday, 31-Dec-2013 12:00:00 GMT; path=/; domain=altavista.com;
Server: AV/1.0.1
MIME-Version: 1.0
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Expires: Sun, 09 Mar 2003 14:43:19 GMT
Set-Cookie: AV_MKT=1; Domain=altavista.com; Path=/; Expires=Thu, 01-Dec-1994 16:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 10020
Date: Sun, 09 Mar 2003 14:43:19 GMT

What a mess! There’s a session cookie (which only lasts until the browser s closed) recording what looks like the time I first visited the front page, a 10 year cookie with a unique ID and another cookie set to expire in 1994, possibly in an attempt to wipe out cookies set by an older version of the site.

So what have we learnt? Both AllTheWeb and Altavista set 10 year unique identifier cookies, while Teoma appears not to set any. At the end of the day though, what is the difference between a 10 year and a 35 year cookie? How many people are going to go a whole ten years without losing their browser’s cookies, through a browser upgrade, PC upgrade, change of job or just wiping the cookie directory? Thee answer to that question is self evident, so in practise a 10 year unique identifier cookie is just as big an invasion of privacy as a 35 year cookie.

On the privacy front, AllTheWeb and Altavista are just as guilty as Google.