Google's cookie cut may not be enough for EU

EU data watchdog welcomes Google's announcement of a two-year cookie lifespan but says its major concern is server log data use.

Tom Espiner Special to CNET News
3 min read
A member of an influential European Union privacy group has said it will meet to discuss whether Google has gone far enough in reducing the amount of time the Google cookie stays on computers.

Alexander Dix, Berlin's security and privacy representative, told CNET News.com sister site ZDNet UK that the Article 29 Data Protection Working Party, a group of European privacy experts, welcomed Google reducing its cookie time to two years, but said the group would discuss whether Google has gone far enough.

"It's certainly an improvement, but we will have to discuss whether this is enough," Dix said. "It's a good thing that Google has addressed the question of a cookie time limit."

Cookies are small files stored on a computer so that it can be recognized when it revisits Web sites, enabling the site to remember the user's preferences for things like e-commerce, and sites that require a log-in.

Dix said that Google renewing the cookie every time a person used either Google or a site using Google applications, such as Google Analytics, was not a major privacy concern, as users could control cookies by configuring their browser.

"People can influence cookies by configuring their browser--they can just accept one session. Users have more choice than with their log profiles," he said.

Even so, the privacy expert said that cookies were still a concern for the data watchdog, especially cookies that users have accepted or rejected without knowing they have done so. However, Dix said that a bigger concern was the anonymization of server log data, and that the only major search company to disclose its server log data-retention policy had been Google, which anonymizes server logs after 18 to 24 months. Major search players such as Microsoft and Yahoo have yet to disclose their server log data-retention policy, Dix said.

"Certainly Microsoft and Yahoo have not discussed server log profile retention so far. Google has, and we would welcome it if Yahoo and Microsoft did the same," Dix said.

Server log data shows how a computer has been used to search, and can be mined to provide information. Dix said that the major search players had not disclosed how they intended to use that information.

"Our main concern about all search engine providers is that they are transparent about what they intend to do with the information--a concern Microsoft hasn't addressed so far. Maybe they have a privacy-friendly policy--I don't know. They should certainly tell users if they have one," said Dix.

A senior representative for Yahoo Europe said the company will make an announcement on data retention policies "in a matter of weeks."

"Our policies reflect the fact that our users' trust is one of Yahoo's most valuable assets. Maintaining that trust and protecting our users' privacy is paramount to us. Our data retention practices vary according to the diverse nature of our services. We don't break out that information currently as we view it to be commercially sensitive," said the representative.

"We only keep data as long as is required by law and is useful for our business purposes. In some cases, that is as short (a period) as a few weeks. This data is used to benefit our users in many ways. That includes protection against fraud, personalized content, product innovations based on what we learn about how users interact with our site, and best-in-class free services paid for by targeted advertising," the representative added.

Microsoft declined to comment.

Tom Espiner of ZDNet UK reported from London.