I've been digging around in our cookie jar, as part of my work with Fundraising, and I have a few questions about the cookies we set on anonymous users.
First, I am deeply impressed with the care we have taken to respond to the community's privacy concerns, and after first-hand experience negotiating with our lawyers to implement an additional cookie, I think that WMF deserves its place as a model to the rest of the internet. I would like to help clean up or at least explain the few oversights I identify below, so that we can be fully confident that we are doing everything we can to prevent abuse of our visitors' privacy.
1) Anonymous users are given a 1-year cookie which uniquely identifies them. After logging out and clearing all cookies from my browser, I visited en.wikipedia.org and received this cookie. Why would an anonymous user be given an identifying token?
mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org
2) Anonymous users are enrolled in clicktracking. I was surprised because the extension page at http://www.mediawiki.org/wiki/Extension:ClickTracking specifies that it affects "users", and I think it should very explicitly state that it affects "logged-in users and anonymous visitors" if that is really the intention.
clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org
3) Registered users' cookies are not cleared at logout. This seems like a pretty basic fix.
enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly
Ideally, an anonymous user, whether or not they have ever been logged in as a registered user, will not transmit any personally identifying information in their requests. All three of these cookies violate that principle. I have not found any public debate on the issue; hopefully others are interested in this topic.
Regards, Adam Wight
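
An added example, not part of the original message: a small audit over the three Set-Cookie values quoted above, reporting for each one its remaining lifetime, whether the value looks like a random per-visitor token, and whether Secure and HttpOnly are set. The observation time is an assumption inferred from the "1-year cookie" remark, and the function names and the 16-character / 3.5-bit thresholds are illustrative heuristics.

```python
import math
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Set-Cookie values exactly as quoted in the message.
QUOTED = [
    "mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org",
    "clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org",
    "enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly",
]
# Assumption: time of the visit, inferred from the "1-year cookie" remark.
OBSERVED = datetime(2012, 12, 18, 18, 25, 38, tzinfo=timezone.utc)


def entropy_bits(value):
    """Shannon entropy per character of the cookie value."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookie(line):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def audit(line, observed=OBSERVED):
    """Summarise the privacy-relevant properties of one cookie."""
    name, value, attrs = parse_cookie(line)
    days = None  # None means a session cookie (no expires attribute)
    if "expires" in attrs:
        days = (parsedate_to_datetime(attrs["expires"]) - observed).days
    return {
        "name": name,
        "lifetime_days": days,
        # Heuristic: long, high-entropy values are treated as unique tokens.
        "token_like": len(value) >= 16 and entropy_bits(value) >= 3.5,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


if __name__ == "__main__":
    for line in QUOTED:
        print(audit(line))
```

The username cookie is not token-like by this heuristic because its value is short and readable, so a reviewer still has to read persistent plain-text values by eye.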