Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Confusion Surrounds UK Cookie Guidelines

Soulskill posted more than 3 years ago | from the cookie-is-for-me dept.

Privacy 143

pbahra writes "The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — it's current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."

Sorry! There are no comments related to the filter you selected.

There should be... (5, Insightful)

myurr (468709) | more than 3 years ago | (#36079758)

...a law stopping people from making laws about things they simply do not understand.

Re:There should be... (2)

Nursie (632944) | more than 3 years ago | (#36079854)

What makes you think they don't understand?

It's probably true, but in this case I don't think they're necessarily wrong.

Cookies are horrifically overused, and outside of ~20 sites that both need them to function properly and I care about functioning properly, I've been getting on fine without them for months now.

This tells me that an awful lot of them, especially third party cookies (of which I allow none) are totally unnecessary even without privacy concerns. Having users participate in their own tracking this way, without permission, does seem wrong to me, and I applaud the effort to do something about it.

If the laws are not clear then unfortunately that is par for the course these days. Hopefully that can be fixed.

Re:There should be... (2)

myurr (468709) | more than 3 years ago | (#36079912)

Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used. How else would slashdot know you were logged in, for example.

This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this.

Re:There should be... (3, Interesting)

Nursie (632944) | more than 3 years ago | (#36079932)

"Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used."

Not when you're using the Cookie Monster firefox plugin set up the way I have it set up, no. You can enable session cookies or all cookies on a per-site basis.

Slashdot is one of the few sites that I do care about having working though, so I allow them to set what they like.

"This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this."

Sure, and that's a valid use (IMHO). It could easily work this way though -
User goes to front page
Check for cookie
If no cookie allow user to browse site
When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

If the cookie's there from the beginning then do the usual auto-login stuff.

A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

I realise all this makes things more complicated for end users as well, which is less than ideal.

Re:There should be... (1)

Idimmu Xul (204345) | more than 3 years ago | (#36080080)

A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

That is not an answer to that technical problem.

The only answer I can think of right now to track that someone has opted out of cookies is to append something to the URL &optout=1 style, which in itself is a form of tracking and can be extended to pass tracking information to 3rd party sites anyway.

Re:There should be... (4, Interesting)

Nursie (632944) | more than 3 years ago | (#36080112)

What's not an answer to the technical problem?

Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

I don't get why there's more of a problem than this.

maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

Re:There should be... (1)

VortexCortex (1117377) | more than 3 years ago | (#36080690)

What's not an answer to the technical problem?

Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

I don't get why there's more of a problem than this.

maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

It's easier than that... Use No-Script or the current version of Firefox4 (or a future version of IE9), and enable the "DNT: 1" (Do Not Track: [enabled] ) HTTP Header. This header will be sent with every HTTP request informing the websites that you have pre-opted out, you do not wish to be tracked.

Obviously if you need to log-in you must agree to let them store some data about you (your login credentials & profile). The information they collect should be clearly stated on their privacy policy, and since most such TOS agreements state that they can change the policy at will, they should update the policy with the list of the companies that they are sharing your privacy data with... (Derp, It arn't that hard -- Spaghetti Monster forbid they should use their open ended license terms to help support transparency of their privacy policy)

Indeed, the technical problem has already been solved, and is being adopted by major browser distributors... Except Google (Chrome does not support DNT: 1 -- I hacked together a patch for Chromium...)

Re:There should be... (0)

Anonymous Coward | more than 3 years ago | (#36080778)

technical problem

This is not a technical problem. This is a social problem. Having to ask someone not to do something to you should not be the norm.

Re:There should be... (1)

delinear (991444) | more than 3 years ago | (#36081050)

The social problem exists to prevent the bigger social problem of how you track user state between different pages on the site or different sessions. Cookies are a convenience to avoid asking the user to reset all their preferences for every single page (or having an incredibly static web - which I know a lot of people will say they prefer, but millions of others enjoy the rich web experience), the real problem lies in the lack of distinction (or at the very least clarity of distinction) between a cookie that is purely for the user's convenience and one that is for tracking purposes. I'd be more than happy with a solution that allowed companies to set cookies that made my life easier so long as they had to get my permission to use them for any kind of tracking or analysis purposes.

Re:There should be... (1)

Nursie (632944) | more than 3 years ago | (#36080832)

Can you tell me - does anyone in the advertising business care about DNT headers? They'd be pretty damn easy to ignore if there's no legislative backing.

Hell I can stick "yes I'd like fries with that" in a header, but I don't expect anyone will pay any attention.

Re:There should be... (1)

Pieroxy (222434) | more than 3 years ago | (#36080876)

Except Google (Chrome does not support DNT: 1 -- I hacked together a patch for Chromium...)

Google has a built-in setting "Ignore exceptions and block third-party cookies from being set". This is enough for me so far. Sites can set any cookie they want. Third parties go to hell.

Re:There should be... (1)

vegiVamp (518171) | more than 3 years ago | (#36080770)

Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing. That removes the entire issue of keeping track of who opted out - you simply assume everyone who doesn't already have a cookie doesn't want one until they ask for it.

Re:There should be... (1)

Jaruzel (804522) | more than 3 years ago | (#36080184)

When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

Way to go - that's brilliant way to scare off potential customers...

Most web users don't even know what a cookie is. All they care about is that the site they are shopping on remembers who they are, and makes adding things to their baskets and checking out as simple and easy as possible. No matter HOW you word the opt-in dialog, people will still get confused and click back to Google to find a less scary site.

The anti-virus people have done such a good job (sarcasm btw) telling people not to trust any non requested popups, that many will just assume it's a dangerous website trying to eat their computer.

I see this new cookie law having a direct impact on little independent web shops. :(

-Jar

Re:There should be... (1)

Nursie (632944) | more than 3 years ago | (#36080222)

"Way to go - that's brilliant way to scare off potential customers..."

Eh, sorry, in my worldview privacy comes before commercial concerns.

On the rest - why does it have to be a popup? Popups are evil anyway, in pretty much any situation I can think of. Just take them to a page saying - "As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

I mean, it's not like people actually purchase anything through any internet shop without agreeing to a huge set of terms and conditions anyway, even if they don't read them.

If you need a basket type session before this point then can you not use session id's in the url?
This may be like a hack to work around the absence of session cookies, but session cookies are kept for the lifetime of the browser session (not the tab, not when you leave a page) so can still allow cross-site tracking, if they are third-party.

Re:There should be... (1)

Arlet (29997) | more than 3 years ago | (#36080312)

"As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

What about 3rd party cookies attached to ads ? There may be several different ones on a single page.

Re:There should be... (2)

Nursie (632944) | more than 3 years ago | (#36080324)

As far as I'm concerned they're a non issue - i.e. they ought to be scrapped, effective immediately.

I can't find it in me to even start to care about a solution for these poor, poor advertisers that will allow them to keep tracking people.

Re:There should be... (1)

Arlet (29997) | more than 3 years ago | (#36080380)

If they can't have the cookies, the advertisers will just track you based on browser headers and/or IP address.

Re:There should be... (1)

Nursie (632944) | more than 3 years ago | (#36080396)

Which is there prerogative, recording what happens at their end.

Personally I see a line between people unwittingly participating in feeding their information to advertisers and server-admins recording who accesses what to analyse later.

Re:There should be... (1)

Arlet (29997) | more than 3 years ago | (#36080414)

There's little difference in providing browser headers/IP, and providing a cookie, when you visit a web site. With the right tools, they can be used in exactly the same way.

The only difference is that I can delete a cookie, but I have no influence over what the server does with my browser headers, or IP address.

Re:There should be... (1)

Nursie (632944) | more than 3 years ago | (#36080436)

An IP address is a fundamental part of the communication going on. Browser headers not so much. I have mixed feelings about browser headers anyway, especially given how often they are abused for "this site is only compatible with" reasons.

Yeah, don't know. It's less in the way of actively participating in your own tracking without you knowledge. And both browser versions and IP addresses change from time to time. Perhaps the "Do Not Track" legislation proposed in California is a better option.

Re:There should be... (1)

vegiVamp (518171) | more than 3 years ago | (#36080780)

You're free to spoof your agent string or connect through a proxy.

Re:There should be... (1)

Arlet (29997) | more than 3 years ago | (#36080902)

A proxy ? And let them see all my traffic ? That's worse than what I've got now.

Re:There should be... (1)

vegiVamp (518171) | more than 3 years ago | (#36080938)

Because right now, nobody sees your traffic? And if that really bothers you, you're unable to set one up yourself? Here's a hint: SOCKS proxying is built-in to openssh.

Re:There should be... (1)

Arlet (29997) | more than 3 years ago | (#36081008)

Only my ISP sees all my traffic, not some random 3rd party site I know nothing of. Given the choice, I'd stick with my ISP.

And no, it doesn't really bother me. But then again, cookies don't bother me either. I was just pointing out that banning cookies doesn't really improve anything regarding your on-line privacy.

Also, I have no idea how setting up a proxy improves anything regarding my traceability. They'll just use the proxy's IP address instead. The only solution would be to have a large pool of proxy servers, and pick a random one every time. But that means that all these proxies get a chance to see my traffic, instead of just my ISP.

Re:There should be... (1)

icebraining (1313345) | more than 3 years ago | (#36080542)

Those ad networks simply can't set them.

Re:There should be... (0)

Anonymous Coward | more than 3 years ago | (#36080710)

Eh, sorry, in my worldview privacy comes before commercial concerns.

Well good for you. Now will you please bugger off. Some of us are trying to earn a living, not infringing anyone's privacy, and have better things to do than comply with stupid laws designed by cretins.

If you really really care about the issue, make laws for the browser manufacturers, rather than every fucking website operator in Europe.

Re:There should be... (1)

Nursie (632944) | more than 3 years ago | (#36080854)

"Well good for you. Now will you please bugger off. Some of us are trying to earn a living, not infringing anyone's privacy, and have better things to do than comply with stupid laws designed by cretins."

If you're not infringing on anyone's privacy then you have nothing to worry about. There are exceptions for cookies essential to the service (session cookies for baskets etc), but not for those that are cosmetic (site look and feel, autologin) or advertising related.

If you don't fit within that then, like other forms of targeted advertising and behaviour tracking, you need to get permission. In many ways this just brings the electronic realm in line with the physical world in some ways.

"If you really really care about the issue, make laws for the browser manufacturers, rather than every fucking website operator in Europe."

Spoken like a true marketing man, it's the user's responsibility to make sure you're not tracking them and to stop you doing it eh? Otherwise they must want it?

Bah, no sympathy for you here.

Re:There should be... (1)

jonbryce (703250) | more than 3 years ago | (#36080968)

And if your cookie is for cosmetic changes, you just need to have a check box that says "save these settings on my computer". If they tick it, they have given permission for the cookie.

Re:There should be... (1)

AmiMoJo (196126) | more than 3 years ago | (#36080638)

User goes to front page
Check for cookie
If no cookie allow user to browse site

If only... I have Firefox clear most cookies between sessions, and it is surprising how many sites jump on you the moment you visit with a survey about your visit or a content-covering advert. All this will do is add "we need to set cookies, click YES to continue" messages to every site.

Re:There should be... (1)

WaffleMonster (969671) | more than 3 years ago | (#36080202)

What makes you think they don't understand?

It's probably true, but in this case I don't think they're necessarily wrong.

Legislating that which is easily solved with technology is a dead giveway.

There is no reason your browser can't be configured to ASK you first before storing cookies if you care so much.

The technical solution works globally on all systems throughout the world.

The legislative solution is limited to the handful of sites in the UK that comply.

Re:There should be... (1)

Nursie (632944) | more than 3 years ago | (#36080242)

Most people don't know they exist.
99% of them are worthless.
Tracking people without permission falls into the arena of the legal.

There are good technological solutions to stopping people hacking into your systems too, doesn't stop us making it a crime.

BTW, it's an EU directive, not UK only.

Re:There should be... (1, Funny)

lxs (131946) | more than 3 years ago | (#36080394)

And as per usual, only in the UK they find it "confusing."

Re:There should be... (0)

Anonymous Coward | more than 3 years ago | (#36080364)

And voting on things they don't understand.

Re:There should be... (1)

Co0Ps (1539395) | more than 3 years ago | (#36080760)

Absolutely agree. The biggest mistake made in the HTTP standard was calling cookies "cookies". The familiar name invites politicians to mistakingly think that they know what their function and purpose is. They should have called it "state exchange identifier" instead and we wouldn't have none of this crap.

Question of terminology (2)

jcwayne (995747) | more than 3 years ago | (#36079882)

IANAL(imey), so I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/

Re:Question of terminology (1)

Nursie (632944) | more than 3 years ago | (#36079896)

"I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/"

Not all biscuits, only unsolicited internet biscuits :)

Re:Question of terminology (1)

burisch_research (1095299) | more than 3 years ago | (#36080014)

Sounds like a load of buffa-biscuit to me!

Also, biscuits go well with tea. Arthur Dent would approve wholeheartedly.

Re:Question of terminology (1)

jonbryce (703250) | more than 3 years ago | (#36080994)

In UK English, a cookie is a specific type of biscuit with little bits of chocolate in it and usually soft and chewy rather than hard and crunchy.
It is EU law than is banning them, not UK law.

Wifi Cookie Global Warming? (1)

bryan1945 (301828) | more than 3 years ago | (#36079886)

So if they UK is having Wifi problems with global warming, what is that going to do to their cookies? Will their cookies only work for a certain range, and then turn into scones? I demand an irrational panel of useless government bureaucrats to investigate now! God save all our tea and cucumber finger sandwiches.....

The idea is just fine (3, Interesting)

xenobyte (446878) | more than 3 years ago | (#36079894)

It's just next to impossible to use the law as it is.

To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies. An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go. Basically this can be done in a simple way: A visitor to a site featuring ads from the advertiser will see nothing to requests to decide whether to accept cookies or not until this decision is made. The result is stored in a cookie which they need permission for as well. Now when sending ads the decision cookie is checked and if the answer is yes, the ads are sent with the tracking cookies, and if no, they are sent with no cookies.

This will obviously result in a lot of people saying no to the tracking cookies but that is as it should be. Tracking someone should only be done with consent.

Re:The idea is just fine (2)

Xeranar (2029624) | more than 3 years ago | (#36079900)

Thank you. I'm glad somebody answered in a logical thoughtful way instead of the goofy knee-jerk "Government is stupid/bad!" that seems to come up so often. The answer is simple and frankly should have been implemented years ago. Cookies are not that wonderful and while I enjoy using them to log in to non-secure websites for simple stuff I am not a big cookie fan otherwise. They're sneaky bastards.

Re:The idea is just fine (1)

hcs_$reboot (1536101) | more than 3 years ago | (#36079922)

Considering how cookies are important, like session-ID storing, the question should better be asked once only, by the browser.
People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors.
Pretty quickly, it will appear obvious that the law cannot apply to cookies.

Re:The idea is just fine (1)

Nursie (632944) | more than 3 years ago | (#36079962)

You'd be surprised how functional the internet is without cookies.

You need them for a lot of session-based stuff (login on forum sites, internet shopping/banking/etc) but most sites you visit don't really need them.

Re:The idea is just fine (1)

mikael_j (106439) | more than 3 years ago | (#36080238)

Most sites I visit need them since most sites I visit have some form of session handling.

It's not 1995 anymore, these days people don't just use the web to read documents shared by others and not being logged in is often a major hurdle when communicating with others online.

Re:The idea is just fine (1)

Nursie (632944) | more than 3 years ago | (#36080304)

"It's not 1995 anymore, these days people don't just use the web to read documents shared by others and not being logged in is often a major hurdle when communicating with others online."

Yup, so those sites that need it (there are about 20 that I care enough about to allow it) get permission and everything is fine.

But there's session handling and there's session handling. Slashdot needs a cookie. Dilbert does not. Wikipedia does not. Doubleclick can f*ck right off. It's actually still 1995 in a lot of places I go to read information.

Re:The idea is just fine (1)

jonbryce (703250) | more than 3 years ago | (#36081016)

Session cookies are allowed. The checkbox that says "remember me" needs to be renamed to say "save my login details on this computer and log me in automatically every time I visit". Then you are obtaining informed consent for the cookie.

Re:The idea is just fine (1)

Arlet (29997) | more than 3 years ago | (#36080286)

You also need them to store simple preferences, such as language settings. If you go to CNN, it lets you choose between international or US news, which is very convenient for people. A lot of sites have something similar. If you don't have cookies enabled, these things often break silently.

Re:The idea is just fine (1)

Nursie (632944) | more than 3 years ago | (#36080310)

Then ask if it's ok to store site preferences in a cookie, once, the first time someone changes a setting like that.

Re:The idea is just fine (1)

Arlet (29997) | more than 3 years ago | (#36080326)

The whole point of setting a preference is that it will be remembered for next time. Obviously it needs to be stored somewhere. Anybody who wants to set a preference and understands what they are doing is going to allow the cookie.

Or, perhaps you want to include 2 pages of legalese explaining all the conditions that are attached to the use of the cookie, that people aren't going to read anyway.

Re:The idea is just fine (1)

Nursie (632944) | more than 3 years ago | (#36080350)

It's simple, find another magic way of remembering, ask permission to store the data on the user's computer, or don't have the setting.

I'm sure it would be more convenient for me if every site on the internet knew my waist, collar and shoe sizes too, the minor inconvenience of having to tell them is the tradeoff for privacy in that case. Here, CNN asking once if they can stick a cookie on your machine is the price.

Re:The idea is just fine (0)

Anonymous Coward | more than 3 years ago | (#36080384)

Then don't fucking allow them to store shit on your computer Nursie. I see you trolling this article everywhere with your bullshit, but look, if you can't control what is stored on your computer, that's your problem. Thanks for making another goddamn clickthrough for the rest of the world. Hint: its called a whitelist.

Re:The idea is just fine (1)

Nursie (632944) | more than 3 years ago | (#36080404)

I do control what's on my computer. Most other computer users don't know what a cookie is, let alone what they're used for or how many they have on their machine from advertisers and trackers. They might liek to know. They might like to be asked before they're set.

And if "replying honestly to people who reply to me" is now trolling then... wow. Why so angry?

Re:The idea is just fine (1)

mjwalshe (1680392) | more than 3 years ago | (#36080648)

as would a lot of useability stuff want to set a site into its visually impaired style is one example

Re:The idea is just fine (0)

Anonymous Coward | more than 3 years ago | (#36080628)

If the Internet is fuctional without cookies, then perhaps rather than bringing in new laws to apply to all websites, it would be better to get the major browser makers to adopt no-cookie settings by default?

Re:The idea is just fine (1)

icebraining (1313345) | more than 3 years ago | (#36080562)

People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors.

No they won't, because businesses aren't stupid and will cut back on cookies immensely to prevent confusing the users. The only reason every site nowadays sets a boatload of cookies is because they don't have to ask.

Re:The idea is just fine (1)

VortexCortex (1117377) | more than 3 years ago | (#36080894)

Considering how cookies are important, like session-ID storing, the question should better be asked once only, by the browser. People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors. Pretty quickly, it will appear obvious that the law cannot apply to cookies.

::Sigh::

The website you are visiting has requested to store a cookie on your computer.

(o) Do not accept the cookie for this site.
( ) Do not accept cookies for any site.
( ) Allow only this cookie for just this session.
( ) Allow all cookies from the domain example.com for just this session.
( ) Allow all cookies from the domain example.com until they expire or you clear them.
( ) Use the recommended action of your chosen privacy advisor service: allow for 1 session only

[x] Remember my decision and do not ask me again.
(This setting can be changed later in the privacy tab of your profile options)

(Advanced: click here to see the content of the cookie and to set per cookie acceptance / expiration policies )

The cookie-monster plugin for Firefox gives you per site options, but I haven't used it in a while, basically, just the above dialog would suffice for all of my cookie related needs.

Re:The idea is just fine (2)

Chrisq (894406) | more than 3 years ago | (#36079950)

Redirect everyone without cookies to a page with a consent form describing all cookies set. Have an "accept" yes or no option. The no takes them to a page that says "sorry, you are unable to use our site", and an option to try again.

Re:The idea is just fine (1)

L4t3r4lu5 (1216702) | more than 3 years ago | (#36080550)

"Dear ChrisQ,

I admire you for your adherence to regulation regarding our website. Your input into the compliance process has been valuable.

Since you have provided the potential customers with the choice of accepting cookies or not using the site, our sales have dropped 35% and advertising revenue is now nill. We are no longer able to support your position with this company. Please clean off your desk and hand in your ID and keys to the receptionist on the way out.

All the best for the future,
Your ex-Boss."

Re:The idea is just fine (0)

Anonymous Coward | more than 3 years ago | (#36080828)

Dear ex-Boss,

You built a business model around gaining revenue from doing things that people despise. I have no idea how I ended up working for you. I hope your family starves. Go to hell.

Sincerely,
  Cares About Principle

Re:The idea is just fine (1)

Mouldy (1322581) | more than 3 years ago | (#36080578)

Every result in [search engine of your choice] will be "You need enable cookies to use this website, yay or nay" because search engines won't be able to index the website's content without themselves accepting cookies.

A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners. Something along the lines of "This website wants to set cookies which may be necessary for it to work correctly, do you want to allow this? yay/nay". Someone/"they" could even make a standard that allows websites to explain to browsers the reasoning behind each cookie set. Of course, this has the problem that too many people don't update their browsers - but those people bring it on themselves and should therefore not be "protected" by this law.

Re:The idea is just fine (0)

bentcd (690786) | more than 3 years ago | (#36080652)

Every result in [search engine of your choice] will be "You need enable cookies to use this website, yay or nay" because search engines won't be able to index the website's content without themselves accepting cookies.

This will be a problem for all of two seconds before site operators realize that showing ads is, after all, more important than letting ads track users; and they change their site so that it just works cookies or no.

Re:The idea is just fine (0)

Anonymous Coward | more than 3 years ago | (#36080640)

so a lot of publishers own there own ad platform - oh sorry that's not a third party we own our own :-)

Re:The idea is just fine (1)

VortexCortex (1117377) | more than 3 years ago | (#36080786)

It's just next to impossible to use the law as it is.

To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies.

Or, you can pre-opt out of ever website on the planet by sending the DNT: 1 (do not track: enabled) HTTP Header [w3.org] in every request for web resources.

The current version of Firefox4 supports this header, as well as NoScript for previous versions of FF. MS has stated that IE9 will support this header option too. Google (and the MPAA) have expressed concerns with allowing users to automatically opt out of every tracking service by simply stating their wishes to not be tracked... Therefore, Chrome will not support the feature, (I created a patch for Chromium -- IMHO, No one should use Chrome since there is a clean open source version available as Chromium).

An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go.

Enable DNT:1 header. The FIRST thing the advertiser sees in your request for a resource they host (which normally allows them to set a cookie if your browser has them enabled) is the DNT:1 header -- This allows you to inform them ahead of time that you do not want to be tracked.

I agree that the proposed Cookie Guidelines are not the needed legislation. I don't think that sites need my permission before they send "SET-COOKIE: somekey=somevalue" to me -- We all can use cookie blocking software (and/or the browser itself) to disable the acceptance of these cookies. I do agree that sites should tell me what they will track about me, and exactly which companies they will share such info with if I agree to allow them to track me. Use the "we can update these policies at any time" mumbo-jumbo in order to provide an up to date list of who's got access to privacy related data...

Basically this can be done in a simple way: [...]

Indeed, it's already been done, now we just need the Advertisers to respect our pre-opt-out wishes... Legislation will be required, unfortunately, this law is not it.

Grammar Nazi (0)

Jack Malmostoso (899729) | more than 3 years ago | (#36079924)

From the summary:

it's current site would not be compliant with its new guidelines

Which one is it? "It's" or "its"? I'm not saying you're supposed to know which one is correct, but at least be consistent.

Re:Grammar Nazi (0)

Anonymous Coward | more than 3 years ago | (#36080182)

I'm not saying you're supposed to know which one is correct

He writes like someone who is fluent in English, so I would expect him to know which one is correct.

cookies are dangerous (1)

nyatty (1869046) | more than 3 years ago | (#36079952)

Cookies can easily be used for spying that makes it dangerous.

rofl (0)

Anonymous Coward | more than 3 years ago | (#36079956)

It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites.

Good luck with that.

Re:rofl (1)

Tasha26 (1613349) | more than 3 years ago | (#36080264)

Actually I hate that my Facebook, Gmail, Yahoo, Twitter and Youtube data are stored on American servers. Now this data is freely available to scumbags like the FBI which can check it whenever they want and without a warrant [slashdot.org] . Server location in the financial industry (a.k.a domiciliation) is a very big decision before setting up funds and getting investors. Why shouldn't we do the same for our online data?

RFC2965 need merging and update with HTML5 storage (1)

La Gris (531858) | more than 3 years ago | (#36079984)

Session tracking really need new standard and some merging with the HTML5 client side storage. This with clear client enforceable client policy, server and DOM standard way of reading the access and store policy settings.

The situation now is:
- an obsolete RFC2965 cookies standard with no average user know/can manage safely,
- and a still to be standardized HTML5 incompatible client storage and database.

New cookies should become part and merge with the HTML5 client side storage, with backward compatible but marked obsolete API.

Re:RFC2965 need merging and update with HTML5 stor (1)

WaffleMonster (969671) | more than 3 years ago | (#36080156)

The situation now is:
- an obsolete RFC2965 cookies standard with no average user know/can manage safely,
- and a still to be standardized HTML5 incompatible client storage and database.

New cookies should become part and merge with the HTML5 client side storage, with backward compatible but marked obsolete API.

If you liked storing pointers to data kept on servers you will *LOVE* storing even more data from each site on your computer.

Well I guess right up until the point where all the fine folks on the Intertubes intentionally design sites to consume massive amounts of disk space across an infinite number of attacker domains and or force erasure of legitimate content after the fixed storage pool is exhausted.

Re:RFC2965 need merging and update with HTML5 stor (2, Interesting)

Anonymous Coward | more than 3 years ago | (#36080230)

There shouldn't be any client side storage at all. If the browser makers would just drop this stupid cookie idea that Netscape had around the time of the blink-tag, web developers would be forced to design their sites to store anything they need on the server.

Make the browser send a UUID as a session identifier. When the user types in a new URL, or selects a bookmark, generate a new session identifier, even if it's the same site. That way, you could even be logged in to the same site with two different userids at the same time, something that doesn't work with cookies. When the user navigates from one domain to another, generate a new session id. When loading images or scripts from a different domain than the current page, load them with a new session id.

No tracking possible.

"Remember me" would no longer be a setting on the page, which writes a permanent cookie, but a setting in the browser, which makes the current session id fixed for the current domain.

Re:RFC2965 need merging and update with HTML5 stor (1)

La Gris (531858) | more than 3 years ago | (#36080526)

Too bad you posted as Anonymous because I find you expose a very brilliant simple solution. I would have marked you as friend to more easily follow your next posts.

There are no cookies in the UK (0)

Anonymous Coward | more than 3 years ago | (#36079990)

They call them biscuits. Or possibly scones. I dunno, but they serve them with Tea, at precisely 4pm everyday. It's like the whole country grinds to a halt.

Re:There are no cookies in the UK (2)

Jaruzel (804522) | more than 3 years ago | (#36080212)

Not True.

Yes we have biscuits, but we also have cookies. Cookies are typically rough circular baked sweet dough with added fruit or chocolate. Most Cookies are also moist in the centre. They are also baked fresh and bought from dedicated cookie or bakers shops (you can get pre-packed cookies but these are horrible and dry).

Biscuits are dry (excluding the filling) and come in defined shapes. To use a common example, Oreos (also available in the UK) qualify as biscuits not cookies.

-Jar

Its a pointless law (1)

Chrisq (894406) | more than 3 years ago | (#36080010)

You could just use the browser "propmpt every time" setting if you want to decide which sites use cookies. (the prompt allows you to say "always for this site).

You know you need to worry... (0)

quarkoid (26884) | more than 3 years ago | (#36080034)

...when the people creating the law have no understanding of the subject they're legislating on.

"[cookies] are text files placed on your computer"

Say no more.

Re:You know you need to worry... (1)

Arlet (29997) | more than 3 years ago | (#36080086)

It's close enough. Cookies are small pieces of text, and they are stored on your computer.

Re:You know you need to worry... (1)

quarkoid (26884) | more than 3 years ago | (#36080124)

"Petrol is a metal tank attached to your car"

"Ink is the stick you use to write on paper with"

"Music is the big square boxes attached to your amplifier"

Close enough it may be, but to definitively state something as fact which is quite clearly not fact (or, even if it is, only in a limited number of cases) when describing why legislation applies is just wrong.

They could quite simply have said, "Cookies are small pieces of text which your computer may choose to store." - there, simple. It also has the plus that it tells the user it's up to them whether they're stored.

But then we're not very hot on taking responsibility for what our computers do.

Ho hum.

Re:You know you need to worry... (1)

Nursie (632944) | more than 3 years ago | (#36080170)

You going to explain about cookies to my mother?

I sure as hell don't want to. Somebody probably should though, as she's unwittingly feeding all sorts of info to whoever wants it on the internet, without her knowing.

Saying users have the choice is disingenuous here.

Re:You know you need to worry... (1)

Arlet (29997) | more than 3 years ago | (#36080210)

The typical user just clicks on a web site, and has no idea what cookies are, and that they are getting stored on their computer. In most cases, there's no 'choosing' involved, since they are enabled by default. For those cases, saying that the text just gets stored on your computer is accurate enough.

Re:You know you need to worry... (0)

Anonymous Coward | more than 3 years ago | (#36080290)

...when the people creating the law have no understanding of the subject they're legislating on.

"[cookies] are text files placed on your computer"

Say no more.

Uh, you don't understand the subject, that description of web-cookies is perfectly accurate and sufficient.
The original web-cookies was implemented as small text-files existing in the traditional file system on your computer. Now cookies are stored together in a database-file by most browsers, but they are still files and they are still text-files.

The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name."
That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

Re:You know you need to worry... (2)

he-sk (103163) | more than 3 years ago | (#36080524)

The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name."
That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

Most files below /proc are not even data at all, but state. (I.e. their informational value depends on the time they are queried.)

Also, a database file is usually not a text-file, because it contains data that is not human-readable.

Re:You know you need to worry... (1)

Arlet (29997) | more than 3 years ago | (#36080662)

Also, a database file is usually not a text-file, because it contains data that is not human-readable.

There is little conceptual difference between a database and a file system. For the sake of the discussion it doesn't matter if cookies are stored in little individual files on a file system, or if they are combined in a small database implemented as a single file.

Re:You know you need to worry... (1)

VortexCortex (1117377) | more than 3 years ago | (#36080992)

The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name." That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

Most files below /proc are not even data at all, but state. (I.e. their informational value depends on the time they are queried.)

Also, a database file is usually not a text-file, because it contains data that is not human-readable.

Have you written any code to access those? Guess what, you use a FILE DESCRIPTOR. The goal is that everything in Unix be accessible as a file... If it looks like a turd; Smells, feels and tastes like a turd -- It's a pedant.

Is it good enough? (0)

Anonymous Coward | more than 3 years ago | (#36080204)

Industry players and content providers alike are confused by the new UK cookie legislation. An anonymous industry spokesperson who sports blue hair, googly eyes and bad table manners is against this new law, saying that cookies is (sic) good enough for him. In other news, a pig falls in love with a frog. Stay tuned after the break.

Stalkers (1)

Tasha26 (1613349) | more than 3 years ago | (#36080228)

I hate the way major websites have perverted third-party cookies, because now if u block them, this will result in loss of website navigability... and Flash players not working properly in some cases. I believe those big websites deliberately created such 3rd-parties (ytimg.com, yimg.com?) to turn tracking into stalking.

Re:Stalkers (1)

ledow (319597) | more than 3 years ago | (#36080298)

Really? I use Opera, with "Accept cookies only from the site I visited" set to on (which is the default) and have never run into a problem with this.

What sites specifically? Because I have *zero* cookies from either of those sites you mentioned and yet don't have a problem navigating any of what I would consider the major sites - the only sites that give me problems are ones where they don't have Opera compatibility at all, I can't even remember the last time I had a cookie issue (maybe with the inbuilt Steam browser not staying logged into Steam community - but I can't even *see* the cookie settings for that).

Re:Stalkers (1)

Tasha26 (1613349) | more than 3 years ago | (#36080502)

Thanks for the tip, will try that! I haven't used Opera for Windows yet (but i do use it all the time on my Nokia and to access /. in the loo). I did read they have problems rendering some websites so I've stuck to Firefox and its new hunger for RAM & CPU resources.

Duplicate article, or rather triplet (0)

Anonymous Coward | more than 3 years ago | (#36080236)

The EU directive is covered by this slashdot article:
http://yro.slashdot.org/story/11/03/10/0123210/New-EU-Net-Rules-Set-To-Make-Cookies-Crumble

The problems involved with implementing the EU directive is (better) described in this slashdot article:
http://yro.slashdot.org/story/11/04/30/208236/Sweden-May-Mandate-Opt-in-For-Cookie-Transfer

Replacing the word Sweden with UK, don't make this a new article (especially since the linked UK-article is very sparse on details).

I can feel the heat cloing in (2)

troll -1 (956834) | more than 3 years ago | (#36080250)

Remember the CAN-SPAM ACT 2003 in the US? That was another pointless law. Spam is at an all time high. You only stop spam with a spam filter. Governments only gets bigger, never smaller.

Re:I can feel the heat cloing in (0)

Anonymous Coward | more than 3 years ago | (#36080554)

You will only reduce spam by defining a new authenticated mail system...

Re:I can feel the heat cloing in (1)

Arlet (29997) | more than 3 years ago | (#36080636)

Authenticated mail won't work as long as there is still malware that can steal your credentials.

necessary with effeciency (0)

Anonymous Coward | more than 3 years ago | (#36080288)

I think all the permission has to come from the owner of the website before sending a cookie. I hope the law in this case will be necessary to control all this.African Safari Tanzania [tanzaniasa...ations.com]

Hey, Idiots, this already exists! (0)

Anonymous Coward | more than 3 years ago | (#36080356)

It is called Check-the-goddamn-options-page!
If people are too stupid to go and enable popups for local storage requests, they shouldn't be on computers, period.

Yeah, do that EC, do that, ban people from computers and require everyone take a test to gain a license to connect to the internet.
Hell, I best not, they might actually seriously consider it...

Bright side for those who run web apps (2)

InsurrctionConsltant (1305287) | more than 3 years ago | (#36080484)

From the guidelines [ico.gov.uk] (pdf):

The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.

So, by my reading of that, you do not need further consent merely for logins/session cookies:

This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

Re:Bright side for those who run web apps (1)

Nursie (632944) | more than 3 years ago | (#36080598)

That sounds eminently reasonable to me, and neatly counters a lot of the "sky is falling" stuff people have said further upthread.

Re:Bright side for those who run web apps (1)

JackDW (904211) | more than 3 years ago | (#36080716)

Wouldn't it be even more reasonable to require web browsers to use the sort of restricted cookie settings that you personally use? As in "block by default". The EU already demonstrated that it can force major browser makers to do weirder things [wikipedia.org] . If IE starts blocking third-party cookies and demanding confirmation for first-party cookies, then every other browser will be able to do the same thing too, because websites will quickly adapt to the new way.

Going after websites is stupid because the law is unenforceable, and in any case only applies to websites in one part of the world. Security (and privacy) should be a default on the client side first. The opt-in should be within the browser.

More mental mastubation (1)

countertrolling (1585477) | more than 3 years ago | (#36080866)

That's what all this silly chatter over 'privacy' is.. If you're on the net, you are being tracked. You will always be tracked, whether you want it or not... and whether you know it or not, so kindly STFU over it. You only available option is to fill the system with as much junk info as you can. So make a script that does just that, through sockpuppets and other fake stuff. Raise the noise level high enough to render it useless. But whatever the hell you do, try to stop believing for half a second that you know what goes on deep in the bowels of Google, Apple, MS, *.gov, etc... Little by little they can download everything you have on your computer. They got your number, and that's that.

It is just as lame to think a website can be regulated as it is to believe they can be censored, and it's even dumber when you consider that our various governments now pass laws in secret, demanding 'back doors' and keyloggers built into your hardware and more. They are not really interested in protecting your privacy. They only want to keep you pacified into thinking you have any at all.. Well, you don't have any.. none.. zilch.. To believe otherwise is simply naive.

A User-Agent does not uniquely identify a person (1)

mrthoughtful (466814) | more than 3 years ago | (#36080922)

Firstly, Cookies are generally tied to User-Agents, not to people. UK websites are not required to get consent from spiders, crawlers, or other bots.
What I invite the ICO to do is to demonstrate a technical, non-invasive, means of being able to identify an individual from the information made available over a HTTP1.1 request.

Secondly, regarding Session Cookies, it is trivial to replace a session cookie with a QueryString token - so what is the differentiating feature of these two that requires consent for the former and nothing for the latter.

Thirdly, hasn't anyone yet learned that the Internet doesn't follow state boundaries?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?