Thirty five year old cookies
9th March 2003
I’m finding myself slightly confused about the Google backlash washing around the blogosphere, which is summarised quite well by Gavin Sheridan. Most of the arguments against using Google unsurprisingly centre around privacy issues, in particular the “35 year cookie”. I was under the impression that cookies could only be set for a maximum of a year, but having checked Netscape’s Cookie Specification and RFC 2965 it appears I was mistaken.
HTTP/1.0 200 OK
Date: Sun, 09 Mar 2003 14:34:32 GMT
Set-Cookie: PREF=ID=05ba0c124de8df6e:TM=1047220472:LM=1047220472:S=Ke2RQCqjCEowS1x-; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
There it is—a 35 year cookie. Now let’s take a look at some of Google’s competitors.
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2003 14:36:42 GMT
Server: Apache/1.3.27 (Unix) PHP/4.2.3-atw
Set-Cookie: atw-uid=CgVSBj5rUXoAAQnFAwSFAg==; path=/; domain=.alltheweb.com; expires=Sat, 09-Mar-13 02:36:42 GMT
Last-Modified: Sun, 09 Mar 2003 14:35:00 GMT
Expires: Thu, 19 Apr 2001 04:25:21 GMT
Cache-Control: max-age=0, private
Set-Cookie: PREF=frschk=1:_lm=1047220602; expires=Fri, 07-Mar-08 14:36:42 GMT; path=/
Content-Type: text/html; charset=iso-8859-1
That’s two cookies—one for 5 years and one for 10 years. Interesting to see that they’re using their own modified version of PHP 4.2.3 :)
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2003 14:38:50 GMT
Set-Cookie: CTST=yes; expires=Sun, 09-Mar-2003 15:03:50 GMT; path=/
That cookie lasts for about half an hour and doesn’t contain a unique identifier. Plus they’re running IIS!
HTTP/1.0 200 OK Set-Cookie: AV_POS=pos=1047220999574; path=/; domain=.altavista.com;
Set-Cookie: AV_USERKEY=AVS03b87123ae55d80a1c21250000022; expires=Tuesday, 31-Dec-2013 12:00:00 GMT; path=/; domain=altavista.com;
Expires: Sun, 09 Mar 2003 14:43:19 GMT
Set-Cookie: AV_MKT=1; Domain=altavista.com; Path=/; Expires=Thu, 01-Dec-1994 16:00:00 GMT
Content-Type: text/html; charset=ISO-8859-1
Date: Sun, 09 Mar 2003 14:43:19 GMT
What a mess! There’s a session cookie (which only lasts until the browser s closed) recording what looks like the time I first visited the front page, a 10 year cookie with a unique ID and another cookie set to expire in 1994, possibly in an attempt to wipe out cookies set by an older version of the site.
So what have we learnt? Both AllTheWeb and Altavista set 10 year unique identifier cookies, while Teoma appears not to set any. At the end of the day though, what is the difference between a 10 year and a 35 year cookie? How many people are going to go a whole ten years without losing their browser’s cookies, through a browser upgrade, PC upgrade, change of job or just wiping the cookie directory? Thee answer to that question is self evident, so in practise a 10 year unique identifier cookie is just as big an invasion of privacy as a 35 year cookie.
On the privacy front, AllTheWeb and Altavista are just as guilty as Google.
More recent articles
- Weeknotes: Embeddings, more embeddings and Datasette Cloud - 17th September 2023
- Build an image search engine with llm-clip, chat with models with llm chat - 12th September 2023
- LLM now provides tools for working with embeddings - 4th September 2023
- Datasette 1.0a4 and 1.0a5, plus weeknotes - 30th August 2023
- Making Large Language Models work for you - 27th August 2023
- Datasette Cloud, Datasette 1.0a3, llm-mlc and more - 16th August 2023
- How I make annotated presentations - 6th August 2023
- Weeknotes: Plugins for LLM, sqlite-utils and Datasette - 5th August 2023
- Catching up on the weird world of LLMs - 3rd August 2023
- Run Llama 2 on your own Mac using LLM and Homebrew - 1st August 2023