Tuesday, January 16, 2007
Tainted cookies from Downing Street
Like many people, part of their routine is running anti-spyware and adware programs to bolster their firewall and anti-virus defences.
So last night trawling through the usual suspects picked up by Ad-Aware, I found a couple of quarantined files from The Guardian and one from CNet plus a few clearly ad-related. Nothing out of the ordinary there. But lodged amongst them was a first appearance from "uk.stat.com/primeministersoffice/downingstreet."
Hunting down the cookie details shows it allegedly expiring at the end of the session as opposed to many that optimistically expire 35 years from now, such as Google's. (Show me a PC in regular use that will function and be active 35 years from now and I'll be impressed). As Simon Willison points out 'How many people are going to go a whole ten years without losing their browser’s cookies, through a browser upgrade, PC upgrade, change of job or just wiping the cookie directory?'
The question remains why would a cookie from Downing Street appear as spyware? and more generally 'when do cookies become spyware?' Stefanie Olsen at CNet looked at this way back in 2005. She defines 'Spyware as denying people reasonable control over the application -- the ability to easily uninstall it, for example. And, as its name implies, it typically spies on people while they're surfing the Web. It can collect passwords, bank statements and other personal data, down to the keystroke.'
Olsen reports that Richard Smith, a privacy and security consultant said "some anti-spyware audits are padding the potential threat to create the impression that they're doing more work than they really are to protect consumers."
Yet why the Prime Minister's Office's cookies and code appear as spyware is not clear.