Thirty five year old cookies
I’m finding myself slightly confused about the Google backlash washing around the blogosphere, which is summarised quite well by Gavin Sheridan. Most of the arguments against using Google unsurprisingly centre around privacy issues, in particular the “35 year cookie”. I was under the impression that cookies could only be set for a maximum of a year, but having checked Netscape’s Cookie Specification and RFC 2965 it appears I was mistaken.
HTTP/1.0 200 OK
Date: Sun, 09 Mar 2003 14:34:32 GMT
Set-Cookie: PREF=ID=05ba0c124de8df6e:TM=1047220472:LM=1047220472:S=Ke2RQCqjCEowS1x-; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
There it is—a 35 year cookie. Now let’s take a look at some of Google’s competitors.
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2003 14:36:42 GMT
Server: Apache/1.3.27 (Unix) PHP/4.2.3-atw
Set-Cookie: atw-uid=CgVSBj5rUXoAAQnFAwSFAg==; path=/; domain=.alltheweb.com; expires=Sat, 09-Mar-13 02:36:42 GMT
Last-Modified: Sun, 09 Mar 2003 14:35:00 GMT
Expires: Thu, 19 Apr 2001 04:25:21 GMT
Cache-Control: max-age=0, private
Set-Cookie: PREF=frschk=1:_lm=1047220602; expires=Fri, 07-Mar-08 14:36:42 GMT; path=/
Content-Type: text/html; charset=iso-8859-1
That’s two cookies—one for 5 years and one for 10 years. Interesting to see that they’re using their own modified version of PHP 4.2.3 :)
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2003 14:38:50 GMT
Set-Cookie: CTST=yes; expires=Sun, 09-Mar-2003 15:03:50 GMT; path=/
That cookie lasts for about half an hour and doesn’t contain a unique identifier. Plus they’re running IIS!
HTTP/1.0 200 OK
Set-Cookie: AV_POS=pos=1047220999574; path=/; domain=.altavista.com;
Set-Cookie: AV_USERKEY=AVS03b87123ae55d80a1c21250000022; expires=Tuesday, 31-Dec-2013 12:00:00 GMT; path=/; domain=altavista.com;
Expires: Sun, 09 Mar 2003 14:43:19 GMT
Set-Cookie: AV_MKT=1; Domain=altavista.com; Path=/; Expires=Thu, 01-Dec-1994 16:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 09 Mar 2003 14:43:19 GMT
What a mess! There’s a session cookie (which only lasts until the browser is closed) recording what looks like the time I first visited the front page, a 10 year cookie with a unique ID and another cookie set to expire in 1994, possibly in an attempt to wipe out cookies set by an older version of the site.
So what have we learnt? Both AllTheWeb and Altavista set 10 year unique identifier cookies, while Teoma appears not to set any. At the end of the day though, what is the difference between a 10 year and a 35 year cookie? How many people are going to go a whole ten years without losing their browser’s cookies, through a browser upgrade, PC upgrade, change of job or just wiping the cookie directory? The answer to that question is self-evident, so in practice a 10 year unique identifier cookie is just as big an invasion of privacy as a 35 year cookie.
On the privacy front, AllTheWeb and Altavista are just as guilty as Google.
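The lifetime arithmetic behind these comparisons, as an added example that is not part of the original post: it takes the Date header as the moment of the visit, parses each Set-Cookie expiry (including the two-digit-year and long-weekday date styles in the captures) and labels the cookie session, short-lived, persistent or deletion. The function names and the one-year threshold for "persistent" are assumptions, and Max-Age is not handled because none of the captures use it.

```python
import re
from datetime import datetime, timezone

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
DATE_RE = re.compile(r"(\d{1,2})[ -]([A-Za-z]{3})[ -](\d{2,4}) (\d\d):(\d\d):(\d\d)")

# Two of the responses captured in this post (unrelated headers omitted).
GOOGLE = """HTTP/1.0 200 OK
Date: Sun, 09 Mar 2003 14:34:32 GMT
Set-Cookie: PREF=ID=05ba0c124de8df6e:TM=1047220472:LM=1047220472:S=Ke2RQCqjCEowS1x-; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com"""
ALTAVISTA = """HTTP/1.0 200 OK
Set-Cookie: AV_POS=pos=1047220999574; path=/; domain=.altavista.com;
Set-Cookie: AV_USERKEY=AVS03b87123ae55d80a1c21250000022; expires=Tuesday, 31-Dec-2013 12:00:00 GMT; path=/; domain=altavista.com;
Set-Cookie: AV_MKT=1; Domain=altavista.com; Path=/; Expires=Thu, 01-Dec-1994 16:00:00 GMT
Date: Sun, 09 Mar 2003 14:43:19 GMT"""

def parse_date(text):
    """Parse the RFC 1123 and Netscape (dashed, 2- or 4-digit year) dates seen above."""
    m = DATE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised date: {text!r}")
    day, mon, year, hh, mm, ss = m.groups()
    year = int(year)
    if year < 100:  # RFC 6265 rule: 70-99 -> 19xx, 00-69 -> 20xx
        year += 1900 if year >= 70 else 2000
    return datetime(year, MONTHS.index(mon.lower()) + 1, int(day),
                    int(hh), int(mm), int(ss), tzinfo=timezone.utc)

def audit(response):
    """Return {cookie name: (verdict, lifetime in years or None)} for one response."""
    headers = [line.split(":", 1) for line in response.splitlines() if ":" in line]
    # The server's Date header stands in for "now", wherever it appears in the response.
    now = next(parse_date(v) for k, v in headers if k.strip().lower() == "date")
    report = {}
    for key, value in headers:
        if key.strip().lower() != "set-cookie":
            continue
        pair, *attrs = [p.strip() for p in value.split(";") if p.strip()]
        attrs = {a.partition("=")[0].strip().lower(): a.partition("=")[2] for a in attrs}
        name = pair.split("=")[0]
        if "expires" not in attrs:  # no expiry: discarded when the browser closes
            report[name] = ("session", None)
            continue
        years = (parse_date(attrs["expires"]) - now).total_seconds() / (365.25 * 86400)
        verdict = "deletion" if years <= 0 else "persistent" if years >= 1 else "short-lived"
        report[name] = (verdict, round(years, 1))
    return report

if __name__ == "__main__":
    for site, capture in (("google", GOOGLE), ("altavista", ALTAVISTA)):
        print(site, audit(capture))
```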