Google to Throw Out Stale Cookies

Bowing to privacy concerns, Google says its cookies will now automatically expire after two years on the systems of inactive users.

Bowing to privacy concerns, Google has changed its policy on cookie expiration.

The company's previous stance was that all cookies would expire in 2038. Now, cookies on the PCs of inactive users will be tossed after two years.

According to Peter Fleischer, global privacy counsel for Google, based in Mountain View, Calif., cookie privacy is an issue both on the client and on the server side. On the server side, the search giant recently announced it would anonymize data, including IP addresses and cookie ID numbers, after 18 months.

That decision followed a long spell of Google being a headline-grabbing privacy whipping boy. Within a few weeks in the spring of 2007, Google was singled out as the only company to flunk Privacy International's privacy ranking, was criticized for its Street View service, which may get a bit too close for comfort, and was investigated in Europe for failing to follow elements of the European Union data protection law.

On the server side of the privacy question sits the issue of cookies.

A provider of online services such as Google uses cookies for authentication, tracking and maintaining specific information on users, including site preferences. For example, a user's preference to search in English and to have no more than 10 results presented on a page would be stored in a cookie.

The date for cookie expiration was initially set far in the future, Fleischer said, because the primary purpose of a cookie is to preserve preferences. Besides, he said, users can always change cookie handling behavior in their browsers. Users can, for example, delete all or specific cookies or accept specific types of cookies only, such as those from first parties and not those from third parties.

Cookies are sent by a server to a user's Web browser and then sent back each time the user accesses the server again. The privacy concern is that these simple packets of text can be used to track browsing behavior.

Based on feedback from users and privacy advocates, Google has decided to toss its cookies far sooner than 2038.

"After listening to feedback from our users and from privacy advocates, we've concluded that it would be a good thing for privacy to significantly shorten the lifetime of our cookies—as long as we could find a way to do so without artificially forcing users to re-enter their basic preferences at arbitrary points in time. And this is why we're announcing a new cookie policy," Fleischer said in the company blog.

Google's new policy is to issue cookies set to auto-expire in two years. Active users' cookies will auto-renew, however. Cookies will expire on the systems of users who haven't returned to Google within that two-year period.

"Together, these steps—logs anonymization and cookie lifetime reduction—are part of our ongoing plan to continue innovating in the area of privacy to protect our users," Fleischer said.
