There has already been some good discussion on the mailing list:
I consider this a serious issue because we are infringing on anonymous users' anonymity.
- Anonymous users are given a 1-year cookie which uniquely identifies them. After logging out and clearing all cookies from my browser, I visited en.wikipedia.org and received this cookie. Why would an anonymous user be given an identifying token?
mediaWiki.user.id=oDNtHcMSeGMSZyRehhuC7ypQRuPEGk3a; expires=Wed, 18 Dec 2013 18:25:38 GMT; path=/; domain=en.wikipedia.org
- Anonymous users are enrolled in clicktracking. I was surprised because the extension page at http://www.mediawiki.org/wiki/Extension:ClickTracking specifies that it affects "users", and I think it should very explicitly state that it affects "logged-in users and anonymous visitors" if that is really the intention.
clicktracking-session=0orJJTU79otWR6x1m8ykUAyasVpZJBn2x; path=/; domain=en.wikipedia.org
- Registered user's cookies are not cleared at logout. This seems like a pretty basic fix.
enwikiUserName=Adamw; expires=Sun, 16 Jun 2013 18:43:51 GMT; path=/; domain=en.wikipedia.org; Secure; HttpOnly