July 17, 2007
@ 09:44 PM
Comments [12]
Google Cookie Expiration Policy Changes: Too Little, Too Late

One of the side effects of working for a large, successful, multinational corporation is that you tend to lose your sense of perspective. For example, take this post from the Official Google blog entitled Cookies: expiring sooner to improve privacy which states

We are committed to an ongoing process to improve our privacy practices, and have recently taken a closer look at the question of cookie privacy. How long should a web site "remember" cookie information in its logs after a user's visit? And when should a cookie expire on your computer? Cookie privacy is both a server and a client issue.

On the server side, we recently announced that we will anonymize our search server logs — including IP addresses and cookie ID numbers — after 18 months.
...
In the coming months, Google will start issuing our users cookies that will be set to auto-expire after 2 years, while auto-renewing the cookies of active users during this time period. In other words, users who do not return to Google will have their cookies auto-expire after 2 years. Regular Google users will have their cookies auto-renew, so that their preferences are not lost. And, as always, all users will still be able to control their cookies at any time via their browsers.

What’s is interesting in this post is that Google has sidestepped the actual privacy issue that has many people concerned about the amount of knowledge the company has about Internet users. Numerous bloggers such as Nelson MinarShelley Powers and John Dowdell have already pointed how this change doesn't actually change the status quo. In today’s world, Google knows more about most Internet users than their spouse. Thanks to the magic of HTTP cookies Google knows remembers...

You pretty much can't use the Web without running into a Google cookie. So it seems somewhat facetious for Google to claim that if you can avoid using the Internet for two years then they'll forget everything they are storing about you. Oops, actually they don't even claim that. They simply claim that they’ll stop associating your old data with your current usage, if you manage to avoid hitting a Google cookie for two years. 

If Google really wanted to address people's privacy concerns they’d blog about how they plan to use and protect all the data they are collecting about Internet users from all of their services instead of making ineffective token gestures that are specific to one service.      

Now playing: Lil Boosie & Webbie - Wipe Me Down (feat. Foxx)


 

Categories: Competitors/Web Companies

« Note to Software Vendors, the World is C... | Home | Django or Rails, Ruby or Python? »
Wednesday, 18 July 2007 01:54:16 (GMT Daylight Time, UTC+01:00)
AdSense (and Analytics too, I think) is served from a different domain and does not use the Google cookie from google.com. I don't think there is a cookie on the Adsense domain at all.
ManchuFoo
Wednesday, 18 July 2007 10:37:51 (GMT Daylight Time, UTC+01:00)
Out of interest, what is Microsofts policy on cookie retention?
MamboNumber5
Wednesday, 18 July 2007 17:16:27 (GMT Daylight Time, UTC+01:00)
My Safari/Mac currently shows separate cookies for adsenseReferralSourceID, AdSenseLocale, and more. These are on the main Google domain.

("ManchuFoo", you can check your own cookies before posting guesses, oui...?)

I'd feel more comfortable with the whole cross-site tracking issue if we people who were actually generating this data could inspect, delete, and assign permissions over each type of bit we create. Example: "Okay, Google can keep my search terms if they're immediately anonymized and aggregated but I don't want them to tie those terms to my surfing history... it's fine if Gmail knows about my interest in golfing sites but I don't want them selling my address directly to advertisers", stuff like that. Right now none of us know what Google knows about us, much less what they're doing with that info.

We generate that data. Yet Google assumes sole ownership. Such an imbalance will always be under pressure.

jd/adobe
John Dowdell
Wednesday, 18 July 2007 19:15:15 (GMT Daylight Time, UTC+01:00)
will you stop whining about google? you're starting to sound like a little bitch.
mallory
Thursday, 19 July 2007 02:40:46 (GMT Daylight Time, UTC+01:00)
John,

It's not really a guess. You can look at the HTML and Javascript used to render AdSense ads on any website. The ads are served from the googlesyndication.com domain (last I checked). Due to cross-domain security restrictions, scripts from a domain cannot read or write cookies on another domain.

I have several cookies from google.com but none of them refer to AdSense. They're all PREF, SSID and other stuff related to GMail and other services where I'm logged in.

I have no cookies on googlesyndication.com even though I visit many websites daily that use AdSense ads.

Perhaps the cookies you're seeing are due to your visiting some Google.com page that promotes AdSense? Are you yourself an AdSense publisher? In that case, cookies might be set on google.com if you log in to your AdSense account. They may also have come from some other Google service that might have an AdSense tie-in ...
ManchuFoo
Thursday, 19 July 2007 02:55:58 (GMT Daylight Time, UTC+01:00)
After some more investigation:
- http://www.google.com/adsense (the page that explains adsense to
prospective publishers) is the one setting the AdSense cookies on
the google.com domain. The cookies control the language of the
AdSense product pages themselves.

- Nowadays, AdSense ads seem to be served from www.googleadservices.com.
And I do see one cookie there: it's labelled Conversion and showed
up after a click on a Google ad on www.google.com (but not
all ads). Looks like this is used for Google's new experimental
system where an advertiser pays per Acquisition/Action or Conversion
rather than per Click. You'd need a cookie there to track a user
from the ad impression to the click to the final action of purchasing
something on the advertiser's web site ...
ManchuFoo
Thursday, 19 July 2007 03:40:38 (GMT Daylight Time, UTC+01:00)
uhm, I've got AdSense cookies. I don't know what documentation out there exists on them, but like my first paragraph said up above:

"My Safari/Mac currently shows separate cookies for adsenseReferralSourceID, AdSenseLocale, and more. These are on the main Google domain."

The implications of cross-site beacons are significant. Check into DoubleClick's privacy worries towards 1997, the concern over "web bugs" or other tracking beacons. If the US CIA could be told each URL your IP address visits then there would likely be a stronger reaction. Risk's the same in either case, though. Such surfing histories become a very valuable target for all types of agendas. We need to be able to opt out.
John Dowdell
Thursday, 19 July 2007 05:54:47 (GMT Daylight Time, UTC+01:00)
John,

What I'm saying is that those AdSense cookies on google.com on your machine do not come from the AdSense ads served by Google. They come from Google's AdSense product pages themselves.

You can verify this for yourself by clearing all your cookies and then visiting a page with AdSense ads (no cookies should show up no matter how many such different pages you visit) and then visit http://www.google.com/adsense and now you should see those cookies show up.

Bottomline is Google is not setting cookies that track you across AdSense websites. The cookies you are seeing do not come from the AdSense ads.

However, you might want to be worried about Google Analytics since that is explicitly designed to track visitors to websites and I believe that they use cookies on a single Analytics (or Urchin) domain.

BTW, the same thing is true for Amazon Affiliates and the ads used there are served by Amazon from amazon.com and can use your amazon.com account information. I have been really shocked on a few occasions when I see my name in a greeting inside the ad unit on some random website. And then I realize that it's an Amazon ad pulling that information from my Amazon account. That is really creepy, especially if they start personalizing it to books or movies that I've been looking at recently.
ManchuFoo
Thursday, 19 July 2007 12:52:59 (GMT Daylight Time, UTC+01:00)
I happen to agree that Google's announcement isn't much of anything, but what is Microsoft's policy? I have a hard time believing it is different at all, so this complaint just seems to be for the sake of bagging them.
nexusprime
Thursday, 19 July 2007 12:54:48 (GMT Daylight Time, UTC+01:00)
Argh. Please remove my email address if you can. I have been working very hard to keep it off the indexers :/

Thanks
nexusprime
Thursday, 19 July 2007 20:41:44 (GMT Daylight Time, UTC+01:00)
Privacy has always seemed like Google's "Achilles Heel" to me. Competitors should try to exploit this as much as possible.
Arthur Davidson Ficke
Friday, 20 July 2007 06:39:50 (GMT Daylight Time, UTC+01:00)
Whatever the cause, it might be more useful if all those Google domain cookies were documented, transparent, and publicly controllable, than if they were erased if not triggered for two years.


John Dowdell
Comments are closed.