Google cookie expiration plans called 'worthless'

Google Inc.'s plans to shorten the life span of cookies installed on a user's computer, ostensibly to improve user privacy, is being dismissed by some as complete hype.

Apart from making it appear that the company is taking steps to address growing privacy concerns related to its data storing habits, in reality, the move changes very little, observers said.

"No users will experience any gains in privacy at all due to Google's change in policy," said Randy Abrams, director of technical education at ESET, a vendor of antivirus products in San Diego. "It's not a bad idea. It's just a worthless one. [Google's announcement either] demonstrates a complete lack of understanding about the role cookies can play in privacy, or else utter contempt for the intellect of Google users."

In a blog post on Monday, Google's global privacy counsel, Peter Fleischer, said that in the coming months, the company will start issuing user cookies that will be set to autoexpire after two years. Currently, the cookies set by Google on a user's computer are designed to expire in 2038 -- unless users set their browsers to delete them sooner, he said

"After listening to feedback from our users and from privacy advocates, we've concluded that it would be a good thing for privacy to significantly shorten the lifetime of our cookies," Fleischer said.

But the fact that Google's cookies will autorenew every time a user visits a Google Web site completely negates any effect the move might have had, Abrams said. Only users who do not return to Google for two years will have their cookies autoexpire after that period. In all other cases, cookies will autorenew and reset their life spans with each visit to a Google site.

Consequently, the move has no effect on Google's existing privacy posture, said Pete Lindstrom, an analyst at the Burton Group in Midvale, Utah. "As far as I can tell, there's going to be no change to the effective level of their intrusiveness, which I don't think is too significant in the first place. Maybe they want to get a little bit of privacy press."

Google did not immediately respond to a request for comment.

Google's plans to shorten the life span of its cookies come amid growing concerns, especially in the European Union (EU), about its data retention policies. In June, Privacy International, a global privacy advocacy group, placed Google at the bottom of a list of 23 Internet companies for "comprehensive consumer surveillance and entrenched hostility to privacy."

In June, Google announced that it would anonymize its search server logs, including IP addresses and cookie ID numbers after 18 months. That move was in response to a letter sent in May by the EU's Article 29 Data Protection Working Party, which expressed concerns about the length of time Google stores information in its search server logs (download PDF).

The letter, addressed to Fleischer, noted that server logs contain information that could be linked to an identified or identifiable person and therefore come under the purview of European data protection laws. In the same letter, the EU group also expressed concern about the 30-year life span of the cookies that Google installs on user systems. The letter noted that the Google's cookie life span was "disproportionate" to its stated purpose of storing user preference information.