EU May Outlaw Cookies
Millennium writes: "According to Yahoo News, The European Commission is considering a privacy directive which, among other things, completely bans the use of cookies. Forgive me for saying so, but considering all the legitimate uses of cookies, isn't banning them outright going just a bit too far?" Update: 10/31 19:21 GMT by M : The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.
All modern browsers allow users to turn off cookies completely.
People already have the choice.
You can't legislate stupidity out of life...
nuclear iraq bioweapon encryption cocaine korea terrorist
Cookie monster will be SO disappointed!!!
And I hate to disappoint a monster. It's dangerous
You tell him.
In Soviet Russia you don't have to put up with these crappy jokes
The EU appears headed toward a classic error - they haven't defined the problem correctly. Instead of asking "how can we protect the privacy of our citizens" they asked "how can we prevent organizations from using this specific technology to invade our citizens' privacy."
Whoever proposed this absolute ban on cookies clearly has never done any kind of web development. Sheesh.
** The opinions expressed here are my own, and do not reflect those of my employers - past, present, or future**
I can see banning long-duration cookies, but e-commerce would collapse without the session cookie, or something functionally equivalent. A better rule would be to require browser makers to provide better granularity in cookie preferences, and to make the settings more conspicuous.
I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve. BB
While I realize their security concerns, in my opinion the problem isn't with the cookies. The bigger security concern is really with web bugs. The rest of the stuff that the EU seems to be concerned about really is data that could be generated by analyzing web server logs. The problem is with sites that monitor people across multiple domains.
I mean, I could write some personal information
on that paper and slip it under your mousepad.
Then, later, I could update that piece of paper
with new information.
What's good about this:
- Someone, somewhere is taking privacy
seriously.
What's bad about this:
- It demonstrates a fundamental lack of
understanding about the modern world.
Overall, I say it's good. They are *thinking*
about privacy, which is more than the US
Government is doing (aside from thinking about
how to get rid of privacy).
-nate
... and, while we're at it, ban the cakes, too. And the spanish cocas. And all kinds of biscuits. And pretzels, too, just in case. It's easier to forbid the food that's Bad For You than to pass a directive requiring all european citizens to go on a diet.
I just can't help but wonder what will Cookie Monster say about this: "When cookies are outlawed, only outlaws will have delicious meals", or something like that.
Oh, you mean software cookies? Oh...
"Trust me - I know what I'm doing."
- Sledge Hammer
What will we do when cookie monster is removed from the cast of Sesame Street?
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
It sounds like all they want is a method to have the user explicitly agree to accept a cookie whenever one's proposed. Many (most?) browsers already support that functionality. Maybe browsers just need to ship with that defaulted to "on" for EU countries. I don't really understand why they're making such a fuss.
To be honest, I think they're going about this thing entirely the wrong way. Don't attack a technology because it has the *ability* to do something you don't like. Attack those that are abusing the technology. In this case, full and proper support for the W3C's P3P initiative looks like it addresses all of the privacy concerns that go with cookies. Maybe they should be looking at this instead.
One thing Microsoft has done right recently is P3P support in IE6, and setting the browser to default itself to what I would consider a reasonable setting out of the box, which automatically blocks a significant number of 3rd-party cookies. I love seeing this in action.
But don't I, as a website administrator, have a right to know the usage patterns of my users? If I set up a lemonade stand on the side of the street, I know exactly who comes to my store, how many times they come back, and if I'm smart enough, I can use this information to my advantage to sell more lemonade (e.g., I know that Tom buys lemonade on his lunch break at 12:15 every day, so I better be open then). Why should online business be put at a huge disadvantage? Cookies are a great tool for maintaining a state over a stateless protocol, and differentiating one user's "session" from another.
And also, a great deal of code to keep people "logged in" to web sites uses cookies to maintain state. Without cookies, web sites are forced to use the IP address as the unique identifier to distinguish between two users. What about proxy servers and firewalls? DHCP and dynamic IPs? Maintaining state over HTTP would be a nightmare without cookies.
The only problem comes up when cookies are used across different sites, or one company sells your browsing habits to another without your consent. But by browsing a site, you are implicitly giving that site the permission to see what you are doing.
Cookies, when used in a responsible way, can increase privacy. Of course, that is not true with those practically eternal cookies which expire some day in the year 2037 or so. On the other hand, there are other tracing methods such as exclusively dynamic URIs or even cache timing attacks (yet another interesting Felten paper, BTW).
In my opinion, you should not outlaw the tool, but the intention to gather data. Recently, we've seen so many attempts at restricting tools which have some negative potential, completely neglecting the positive possibilities such tools present. Shall we make the same mistake again?
They should allow opt-in cookies, but I'd still like every site to be required to state what data it keeps in its cookies and what it does with it as part of its privacy policy.
I'd like to see browsers with more refined cookie control. I should be able to set the cookie policy for each domain.
From what I read, they aren't banning cookies per se. What they're banning is any collection of personal information without explicit informed consent. So you can use cookies all you want, as long as you tell the user what personal information you're storing in them and let them say whether they want to allow it or not. And if you use cookies for things like shopping carts, where there's no personal information in them, then there are no restrictions on them. All perfectly sensible to me.
Reading the Yahoo story, it's pretty clear the author took the Internet Advertising Board's press release and printed it almost verbatim.
The proposed legislation has nothing to do with browser cookies, it focuses on regulating what kinds of private information marketing scum can gather and share without permission. The bill aims to prevent marketing firms from using any data obtained through illicit or deceitful means to be correlated with personal identities. It would also prevent marketing from using personal information to gather other info through other means.
Web sites could still set cookies on your browser, and even track sessions from one logon to the next. But the web sites would not be allowed to match that information with individual identities. They could still gather statistics, monitor actions, and anything else cookies are useful for, but not for targeting individuals.
This legislation was proposed before, but was stalled after the IAB and a few other telemarketing firms pooled their money to fight it. It has been delayed for a while, but is back for another round.
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Those hockey pucks my English mother-in-law makes should be outlawed!
A strange game. The only winning move is not to play. How about a nice game of chess? - Joshua (Wargames)
On this dude's homepage (in Dutch...) his official statement does not say he wants to ban cookies at all. He's only proposing legislation in order to abridge tracking users' browsing habits and then using these to send them advertisements based on their habits without the user's knowledge. This is not a bad thing in my opinion; our normal use of cookies (e.g. no need to login to /. and tracking sessions on useful web-applications) will not be affected at all. Wim van Velzen's official statement can be found here (Dutch).
He doesn't sound like he totally understands cookies, though; he says things like "it's still unclear whether cookies can be used to gather information about other sites the user has visited" and he proposes a "maximum validity date for cookies" which has been there since t=0.
So either I misunderstood all of this, Yahoo got this wrong, or Wim van Velzen's statement is incorrect, but I guess he wrote it himself so that's ok. Nothing to see here people ...move along.
0x or or snor perron?!
That's just crap.
Cookies are needed for only one thing. Every other current use for cookies can be done better without them, or (IMNSHO) shouldn't be done at all. The best example is session tracking. Those of my websites which need to track sessions all use URI mangling to do so.
For instance, look at my website for AdAce. When you go there, you get immediately redirected to a URI that includes session information, that looks something like this: http://www.adace.com/0123456789abcdef0123456789abcdef/guest,0,1,1/index.html
The long hex number and the comma-delimited string constitute your session id. No cookie needed. By using relative URIs in all the webpages, there's no problem with the mangled session information being lost: the browser thinks that it's just a directory path. In those few places where we need to use absolute URIs, we use a cgi or an apache content handler to modify the URI in place to include the correct session id. This number is used to look up your session data in a daemon running a simple database for that purpose -- and to verify that the comma delimited string hasn't been tampered with. The database exists purely in RAM. I've even locked the pages in place so there's no danger of them getting swapped. None of your session data ever goes onto a hard disk; only the fact of the session, as it appears in the server logs. My cgis (and a couple special purpose apache modules) all use an API library that I wrote in order to communicate with this daemon. That lets them get data out of your session record, and put data into it. The point of all this is that we hold the burden of maintaining your session information. No need for cookies.
The only function provided by cookies that can't be done in any other way is what we in the advertising industry call "frequency capping". The idea is that you (the advertiser) have bought a big campaign with a lot of impressions, but you don't want one user to see your campaign more than, say, 3 times. So we need some way to track how often you've seen a particular campaign. If the campaign is all running on a single website, then it's easy enough to use other methods. But when the campaign is running across at least two unrelated websites, the adservers have to create and manipulate a cookie in order to track this.
If you've ever received a cookie whose name is RMID, and whose value is just a number, then you've received one of these cookies. They're generated by RealMedia's (not to be confused with Real Networks, the makers of realmedia player) ad server for campaigns that have frequency capping turned on.
These cookies are the only cookies ever generated or inspected by any AdAce machine. I am strongly opposed to the use of cookies in any situation where some other method is possible. And as CSO of AdAce, I've put my foot down on this issue: no cookies where we can do something else, and even if we can't do something else, no cookies if it's possible for it to be exploited by acquisition, mismanagement, or subpoena, to violate someone's privacy.
(incidentally, this form of session tracking gives WebTrends conniption fits -- that's the main reason that I'm writing my own log analyzer)
-- Nolite audere delere orbiculum rigidum meum.
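The URI-mangling scheme described in the comment above, sketched as an added example (not the poster's code or AdAce's API): a random hex id plus a visible comma-delimited string form the path prefix, and an in-memory table holds the authoritative copy used for the tamper check. The class and method names are hypothetical, and the attribute values are constructed.

```python
import hmac
import secrets


class SessionStore:
    """In-memory session table keyed by a random 128-bit hex id (nothing on disk)."""

    def __init__(self):
        self._sessions = {}

    def create(self, attrs):
        """Start a session and return the path prefix that precedes every relative link."""
        sid = secrets.token_hex(16)      # 32 hex characters, unguessable
        visible = ",".join(attrs)        # constructed example: "guest,0,1,1"
        self._sessions[sid] = {"visible": visible, "data": {}}
        return f"/{sid}/{visible}"

    def resolve(self, path):
        """Map a mangled path to (session record, real path); None if unknown or tampered."""
        parts = path.split("/", 3)       # ['', sid, visible, rest]
        if len(parts) < 4:
            return None
        _, sid, visible, rest = parts
        record = self._sessions.get(sid)
        if record is None:
            return None
        # The string in the URL is only a hint; the server-side copy is authoritative,
        # so any edit to it in the address bar fails this comparison.
        if not hmac.compare_digest(record["visible"].encode(), visible.encode()):
            return None
        return record, "/" + rest
```

Because the id travels in every URL, it also lands in server logs, browser history and any link a user copies, which is the sharing problem raised further down the thread.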
I have a number of customers in Europe (particularly in Germany) who express a great deal of trepidation and fear about cookies. Particularly from folks who aren't tech savvy. I once wrote an entire web app that maintained state using GET parameters and hidden input fields, all because they fear cookies. But since then, I've written many apps that wholeheartedly rely on cookies. If the EU were to ban cookies altogether (which apparently they may not) ... well my customers are going to have to shell some good ol' US dollars my way to make things work! I say bring it on!
Ultimately there are too many applications that run over the web that have to have session identifiers. Sometimes it's so that it can identify returning visitors, sometimes it's so it can just track some current information (like your shopping cart). Somewhere, it's going to have to stick that session identifier in there.
You can put it in the cookie, but that means people who disable cookies on general principles can't use your site. Sort of a nuisance.
You can put it on the URL, but if you do that, you have to be aware that people may send URLs containing session identifiers to their friends by e-mail, or they might post them to a newsgroup, or better yet, they might just put up their own web site with a link with that ID in it. I've seen all three in sites I've worked on that use URL-rewriting.
Because we wanted to avoid cookies, we started checking referrers on inbound requests. Yes, of course referrer can be spoofed; that's not the issue. We simply wanted to catch casual sharing of URLs containing session identifiers. Any referrer that doesn't match the site of the actual request, or where the session ID is different than the one in the request, is rejected; a new session is established at that point. If the request was for an interior page that requires logging in first, the user then gets booted back to the site entrance or a login page.
It really depends on whether you want to go ahead and use cookies or not. I prefer not. Cookies certainly are not the only way to manage sessions.
People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
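The referrer rule from the comment above, as an added example that is not the poster's code: a request keeps its URL-borne session only when the Referer names the same site and carries the same session id. The `/s/<id>/` layout, the host names, and the one-shot `fresh_ids` exemption for the first request after a session is issued are assumptions; the comment does not say how that first request is handled.

```python
from urllib.parse import urlsplit


def session_id(path):
    """Session id from the assumed /s/<id>/... URL layout, or None."""
    parts = path.split("/")
    if len(parts) >= 3 and parts[1] == "s" and parts[2]:
        return parts[2]
    return None


def decide(host, path, referer, fresh_ids, requires_login=False):
    """Return 'continue', 'new_session' or 'login' for one inbound request.

    fresh_ids holds ids just issued by a redirect and not yet used (assumed
    mechanism): the first request for such an id has no same-session referrer.
    """
    reject = "login" if requires_login else "new_session"
    sid = session_id(path)
    if sid is None:
        return reject
    if sid in fresh_ids:
        fresh_ids.discard(sid)          # one-shot exemption for the landing request
        return "continue"
    try:
        ref = urlsplit(referer or "")   # a missing header parses to empty fields
    except ValueError:                  # malformed Referer value
        return reject
    same_site = ref.scheme in ("http", "https") and ref.hostname == host.lower()
    if same_site and session_id(ref.path) == sid:
        return "continue"
    return reject


# Constructed sample requests: (path, Referer header, page needs login)
SAMPLES = [
    ("/s/aaa111/cart", "http://shop.example/s/aaa111/item/7", False),  # normal click
    ("/s/aaa111/cart", "http://forum.example/thread/42", False),       # link posted elsewhere
    ("/s/aaa111/cart", "http://shop.example/s/bbb222/item/7", False),  # another session's page
    ("/s/aaa111/account", None, True),                                 # pasted from e-mail
]


def run_samples():
    return [decide("shop.example", p, r, set(), login) for p, r, login in SAMPLES]
```

A request with no Referer at all is treated as a mismatch, so users whose browser or proxy strips the header get a new session on every click.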