by Dave Gradijan

Canadian ISVs Digest Google’s Cookie Policy

Jul 24, 2007 | 4 mins
CSO and CISO, Data and Information Security

Google’s decision to issue cookies with an automatic two-year expiry for users who don’t return to the search site may not be an earth-shattering move, but it’s the company’s recognition of a privacy issue that really counts, an expert said.

The cookies act as tracking files for user search preferences, such as keywords, primary language, number of results per page, and options to filter out sexually explicit websites. The cookies, which are installed on users’ computers, are currently subject to a blanket expiry date of 2038.

Although it’s “about time” that Google made such a change, the two-year time frame for storing user preference data is probably still too long, said David Fewer, staff counsel at Ottawa, Ontario-based Canadian Internet Policy and Public Interest Clinic (CIPPIC).

However, the bigger issue, he added, is the acknowledgment by the company of a larger underlying matter. “Google’s move here is a recognition that they’ve got to do more.”

Google’s announcement isn’t terribly significant, according to Michael McDerment, CEO of Toronto-based Freshbooks, an online invoicing and time-tracking service.

“If no one’s using the cookies for two years, there’s no data being collected anyway, and chances are the computer that created those cookies is obsolete,” he said. “It says nothing, to be honest, as far as I can tell.”

McDerment thinks Google’s announcement is not all that meaningful, and is garnering interest due to the company’s renown. “These sound like very standard things, nothing to write home about.”

But given the advent of Web 2.0 and vendor-hosted services, there should be an industry standard that’s compliant with the law to guide data-retention time frames, said Fewer. “Surprisingly, in this day and age we’re still talking about that being something that industries aren’t doing a good job [at].”

But it’s not that simple, he said: “Does that mean two years, two months, two days if you’re talking about a particular term? It will depend on what’s fair in the circumstances.”

McDerment agreed that it’s difficult to establish a blanket standard for user data retention across industries, as it “really depends on what you use the cookie for. It varies from use case to use case.”

Freshbooks does not use cookies to store user data, he said. Instead, it uses them to manage Web session log-ins, a common use for such files. “If you don’t refresh your server in two hours, we log you out.”

On the enterprise front, companies concerned about privacy probably already address the issue of data-tracking cookies, said Craig Fitzpatrick, CEO of Devshop, an Ottawa-based provider of a Web-based software project management tool.

They do so by way of policies, with tools that automatically delete cookies, or they choose to turn off the cookies by default upon browser installation, he said.

Anyhow, Fitzpatrick doesn’t see data-tracking cookies as that big a deal. “People realize cookies aren’t really that bad to begin with, and if you think they are, you have the right to delete them anytime you want.”

Fewer thinks it really boils down to whether vendors are ensuring the technologies they develop operate fair information-gathering practices.

He recommends vendors be guided by two principles when designing tools that have an impact on consumer privacy: Identify the required data, and collect only that data. “What’s the point of collecting ubiquitous information, and what’s the point of keeping it?”

And be transparent with the data-collection process: “If you’re not breaking the law, then why not be transparent in what you’re doing?”

— Kathleen Lau, Computerworld Canada