The CNIL has suggested that it would be more readable and useful to remove the ID found in the 3rd party opt-out cookie. Having an ID in that cookie is not a problem but it's a bit confusing as it almost looks like it's a visitor ID (though its only a static ID that will be the same for all opt-out cookies).
More info: the reason an id appears there is that our cookies are signed. @robocoder do you think there is still a security advantage to signing our cookie? Maybe we could now safely remove the signing part of the Cookie class.
We sign the cookie to ensure the cookie was created by Piwik by a user who explicitly opted out. If you remove the ID, then third-party developers can easily spoof the cookie (e.g., via a browser extension).
You're welcome to remove the ID, but I think some users would prefer it be configureable and/or default to prevent spoofing.
An alternative is to rename the cookie to something more innocuous, e.g.,
Either way, CNIL's suggestion has no weight. First, it's not an ID -- it isn't personal identifiable information that needs to be kept confidential. Second, removing it would allow spoofing, which would be counter to the principle of data security.
Thanks for your input. I've moved out of backlog as this is low priority.