Sweden Crunches Cookies
dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: no cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."
Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.
Actually, scratch that, most websites will just ignore the law and get on with life.
IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.
It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
results in 62 cookies being blocked by my browser. Seems these guys have a lot of work to do to comply with the new law :)
Will now compel Microsoft to tell users exactly what information it is extracting.. Great!
We Know Where You Went Today
-
If you keep throwing chairs, one day you'll break windows....
How is this any different than session IDs stored in URLs - i.e. URL re-writing? Sure, the person can see the info in the URL, but do they understand it any more than they would the contents of a cookie?
-josh
Well at least PHP will offer the option of allowing you to use the session ID as a variable in the request/post string .. ie : page.php?PHPSESSID=xxxxxxxxxx ..
So you can effectively track the user on the server side like this
Do these people not know you can reject cookies with your browser?
that the site containing the article tried to cookie me a half-dozen times before loading the first page?
If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?
I want to delete my account but Slashdot doesn't allow it.
I don't really think this matters that much. Especially, if you use something like Mozilla that can selectively block cookies. I let in cookies only from my netbank and Slashdot. If some other site won't let me in without cookies, they won't get a hit from me then.
BOO! TERRO
Shouldn't that be "comes into farce"?
I'm sorry if I haven't offended anyone
How about just URL re-writing? That would be equivalent to session cookies.
Rest of the data required by the sites should anyway be stored in their database and used only when the user 'logs-on' to the site or indicates to the site in some way who he/she is.
Finally someone is doing something for the extremely stupid idea of the cookies !
There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.
Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.
A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.
As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.
---
I support spreading santorum
A special web page where the user can choose whether or not to receive cookies. What a good idea! All a web site needs to do is save the 'don't give me cookies' preference in a cookie and... wait.... Um.....
Eat at Joe's.
Post och Telestyrelsen (the authority enforcing the law) has an English version of the "info text" needed for using cookies
Isn't the cookie monster also from Sweden?
..not believe this. *If* such law exists I think that Swedish will not obey it or do they simply deny put Cookies: yes/no dialog at the start page. If you choose no then you will be redirected to slashdot.org.
I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.
What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.
This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.
Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.
Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. Legislating to effectively override IETF standards is a dangerous direction to go in.
A compromise solution would have been to disallow cookies that live longer than the user's session. Session cookies are very useful for JSP, PHP, etc. Long-lived (persistent) cookies are the real concern of the privacy folk. I'm surprised that no one presented this.
This represents a huge problem for Swedish sites which use .asp and .php session variables.
:-)
Just use Java Web Application with JSPs. They automatically handle the generation of sessionId with cookie or URL rewriting without any modification to the source code.
Why not simply store session information in some backend database and pass the session ID along on the URL? Problem solved :) Besides...cookies can get messy. Y'know, with all those crumbs laying around (i.e. spyware, ad trackers, etc).
"I'm not a vegetarian because I love animals. I'm a vegetarian because I hate plants." -- A. Whitney Brown
There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.
creation science book
if you store state in an encrypted hash on an input hidden tag.
This is my sig.
The assumption that you can and should be able to provide all kinds of programming through a web interface ignores the fact that many applications involve personal data and the web is fundamentally public even if you add SSL or whatever gizmos to try and avoid the fact. There are many services that should not be provided through a browser. That doesn't mean applications can't be network enabled, but perhaps they shouldn't operate within a browser.
Although the web is where a lot of great open source development takes place, this fact shouldn't be interpreted as being anti-open source by any means. The web is great, but not everything has to be crammed into a browser. In fact, it seems like it's the closed source interests that are most intent on pushing "web services."
This only becomes more of an issue with standards like XML. Sure, it's potentially possible to provide all kinds of interactivity through a browser with XML, but the question remains, should you?
As a developer, I wish there was a compiled list of web site laws such as this. I'd like to visit 1 web page where I could see all international and local government laws that are relevant to creating an internet based website.
Do you think US export restriction laws apply to serving static content too?
Why can't just the paranoid people block cookies?
I can't exactly see the big problem with cookies (other than that it's an unreliable solution for remembering user-data).
As already mentioned, if PHP is using sessions, it will first try to set a cookie with the session-ID. If that fails, it will pass the session-ID along with the url or automagically add a hidden-field to forms.
Good luck rewriting ALL php-sites that use sessions.
As I see this, cookies do more good than harm, and it's no problem disabling them, so what's all the fuss about?
--
Will work for bandwidth.
I once wrote an othello game that played this way. You could take back moves because it was stateless on the server end. The pointer also changed over the legal move squares because they had URLs under them. I may still have C source somewhere.
BTW, first one to patent this please send me a check as thanks.
Internet Explorer said it would block cookies that invalidated your privacy.
Now I use Mozilla Firebird and block any cookie that isn't from a site that I'm logged into. Does anyone know what kind of heuristics MSIE used to determine which cookies are good and which are bad?
The US Army: promoting democracy through unquestioned obedience
Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG) not that it makes it any better though since all of EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).
"GNU's not Unix....it's Linux" / Kami "kokamomi" Petersen
Foockeeng mudereturs. Mey yuoo ell rut in hell. Bork Bork Bork!
Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.
Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.
The law doesn't apply to cookies used to supply the user with a service she asked for.
That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.
However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
Enabling Cookieless Session State in ASP.NET
...send a courriel to the government... Oh, wait, that's French...
Thank God I don't live in Europe!
grisha.org
Specifically:
Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.
If you were blocking sigs, you wouldn't have to read this.
Oh wait, its in Swedish!
Anyway, AFAIK ASP.NET is the only web technology with built in support for cookieless sessions. Obviously you can roll your own in other technologies.
<conspiracy type="theory">
Microsoft fudged the issue for Swedish lawmakers, thus making ASP.NET the web technology of choice in Sweden?
</conspiracy>
Most writers regard truth as their most valuable possession, and therefore are most economical in its use - Mark Twain
Will we now see websites where any user running IE is banned, because all the other web browser users can be assumed to have made a choice about accepting cookies or not?
Beep beep.
Why can't they legislate that browser makers (far fewer of them) make it stupidly easy to manage cookies and include some helpfile about what cookies are? The Mozilla and Konqueror tools are good first steps, but a big 'cookie' icon (with a bite taken out of it or something) that brought up a simple but detailed view of the state of cookies in the browser would help immensely.
:)
5-10 programs would be impacted instead of the tens of thousands of sites which will be impacted by this (stupid) law.
If there were cameras that tracked my usage whenever I took pictures of certain places, the law would be written to mandate that cameras contained functions to limit this ability. They wouldn't require the owners of every place that could possibly be photographed to change how people take pictures of their locations. Maybe that's not a good analogy?
creation science book
The article doesn't say that you really need the consent of the user. You only need to provide an option on the website, which when chosen stops the site from using cookies.
So you do not really need to ask the user if he wants to use cookies or not (as the /. article says), you just need to provide an option (on the website) to turn them off. And, as stated, you need to provide information about what the cookies will be used for.
The Babel worm is a Swedish to English translator. Here is the Babelworm translation
..if people actually read and understood the text before making headlines out of it..
First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.
Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.
I don't see any problem with this law, but I do see a lot of good things coming from it. Less spying from evil banner-ad companies for one.
My 2 cents worth..
My browser settings permit cookies, if that isn't an agreement then I don't know what is.
I will not rewrite my website, so put me in jail! I dare ya!
Actually, I'd love to see how this acts out in court. It seems to me like the browser prefs. argument is valid.
we come in peace / shoot to kill
So redesign all Swedish web sites to adhere to the cookie legislation, and then send the bill to the government. If everybody does it then that may force them to reconsider the legislation. Did they even have any technologists or experts available when making this law?
Do you wish to receive cookies from our website for the purpose of ...?
( ) Yes (X) No Submit
You indicated that you do not wish to receive cookies.
May we set a cookie to remember this decision?
( ) Yes (X) No Submit
You indicated that you do not wish to receive cookies.
May we set a cookie to remember this decision?
( ) Yes (X) No Submit
...
main(O){10<putchar((O--,102-((O&4)*16| (31&60>>5*(O&3)))))&&main(2+ O);}
LN2 is cool!
How will they handle someone linking to a page well inside the site? I could see the cookie warning being a no-brainer to set up when people type in an url like www.swedishurl.com (or whatever) and get a page like on a porn site, warning you of the content (or in this case, the cookie usage) and giving you the option to bail out. But how can this be handled from users coming via links?
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Not a facile question, but legally, what constitutes a Swedish Website in this context? i) A Swedish company with a website hosted in the US? ii) A US company with a website hosted (mirrored, even) in Sweden?
--
This sig is inoffensive.
Bork bork bork!
"Obviously, I'm not an IBM computer any more than I'm an ashtray" (Bob Dylan)
Say I have an app that talks HTTP back to a server (in this case, located in the US). Now say that app uses embedded IE, and uses cookies. Is that covered by this?
Cookies keep client-specific data outside URLs and in a well specified, predictable and easy to manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.
Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.
Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
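The Referer and access-log leak described in the comment above can be contained on the logging side. This is an added example, not part of the original thread: it masks session identifiers in both the request line and the Referer field of combined-format log lines. The parameter list, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as session identifiers (assumed list: SID and
# PHPSESSID appear in the thread; jsessionid is the Java servlet equivalent).
SESSION_PARAMS = {"sid", "phpsessid", "jsessionid"}

# Apache/NCSA "combined" access log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: an id in our own URL, an id arriving in a
# Referer from another site, and a clean request.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Jul/2003:10:00:01 +0200] "GET /page.php?PHPSESSID=constructed0001&id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Jul/2003:10:00:05 +0200] "GET /banner.gif HTTP/1.1" 200 312 "http://shop.example/cart.php?SID=12345&item=9" "Mozilla/5.0"',
    '203.0.113.4 - - [25/Jul/2003:10:00:09 +0200] "GET /index.html HTTP/1.1" 200 900 "http://news.example/story?id=3" "Mozilla/5.0"',
]


def redact_url(url):
    """Return (url with session ids masked, list of masked parameter names)."""
    parts = urlsplit(url)
    found, query = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_PARAMS:
            found.append(key)
            value = "REDACTED"
        query.append((key, value))
    # Servlet containers carry the id as a path parameter: /page;jsessionid=abc
    path, hits = re.subn(r"(?i);(jsessionid)=[^;/?#]*", r";\1=REDACTED", parts.path)
    if hits:
        found.append("jsessionid")
    if not found:
        return url, []  # leave untouched URLs byte-for-byte identical
    rebuilt = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(query), parts.fragment)
    )
    return rebuilt, found


def scrub_line(line):
    """Mask session ids in one log line; return (clean line, findings)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return line, []  # unknown layout: pass through unchanged
    target, in_request = redact_url(m["target"])
    referer, in_referer = redact_url(m["referer"])
    findings = [("request", p) for p in in_request]
    findings += [("referer", p) for p in in_referer]
    if not findings:
        return line, []
    clean = (
        f'{m["ip"]} {m["ident"]} {m["user"]} [{m["ts"]}] '
        f'"{m["method"]} {target} {m["proto"]}" {m["status"]} {m["size"]} '
        f'"{referer}" "{m["agent"]}"'
    )
    return clean, findings


def scrub_log(lines):
    """Scrub every line and count how often each field leaked an id."""
    cleaned, counts = [], {"request": 0, "referer": 0}
    for line in lines:
        clean, findings = scrub_line(line)
        cleaned.append(clean)
        for field, _ in findings:
            counts[field] += 1
    return cleaned, counts


if __name__ == "__main__":
    cleaned, counts = scrub_log(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(counts)
```

Scrubbing at write time only protects your own logs; an identifier that has already left in a Referer header is in the other site's logs as well.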
what the?
This is by far the craziest thing I've heard for a while, the onus should be on the client to choose whether they want cookies or not, not forcing the web developer to NOT use a useful web technology enabled in ALL browsers. It's there, they should be able to use it...
Crazy Swedes!@
generic
Have you been brainwashed by MSFT's marketing? PHP has been able to do this for a long time. And judging by some of the JSP URLs I've seen, some of the Java based web solutions do too. PHP can re-write URLs embedded in a page as it serves it up to include a session ID parameter. That involves no rolling your own - it comes for free.
While I'm certainly against governments mandating development methods, there are good technical arguments for coding a web site in a cookie-minimal manner.
Firstly, you can't in any way guarantee their availability for a given client. The user may have chosen to turn them off, they may be working at a company whose corporate policy is to block cookies, they may even be using a browser which does not support cookies. This is a "bear your user in mind" kind of consideration, similar to avoiding non-standardized Javascript in your web site code.
Secondly, "session" variables under IIS (and equivalents) don't scale well. The "scope" of a session variable is at most the server it's running on. Where you could easily redirect to a mirrored server if your site is written such that it doesn't rely on session variables, you suddenly have a significant problem if it does and you try to scale it to a server farm.
Thirdly, for most all capabilities cookies give you, you can easily implement this by passing an identifier from page to page in the URLs. Use this identifier to track which user/session it is, and look up your state values in a database table.
Fourthly, HTTP is, at its core, supposedly a stateless protocol. Cookies go against the spirit of HTTP, which, though it may seem an aesthetic point, leads to various issues such as the story's, in which a stateful implementation requires major rework when forced to support a stateless one.
~ Whence do you come, slayer of men, or where are you going, conqueror of space?
1) serve up a page with a cookie and a redirect
2) attempt to read cookie when client follows redirect
3) refuse to serve any more pages to client if cookie is present
4) ???????
5) PROFIT!!!!
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
Well, they could always force people to use the Opera browser. It will pop up a box for every cookie displaying the contents and asking if you want to allow the cookie or not. Come to think of it, Opera is headquartered in Norway, maybe there's a connection?
-TheDawgLives suckitdown
This may be tough for developers and leave them scrambling for a little while, but it's fair to the user. They should have the right in all countries to know what data their cookies store and how it's being used.
"I've got to stop masturbating! It makes me too lazy! Stop it, Albert. Stop it." -- Albert Einstein
It's worth noting that in ASP.NET, the default method for saving the session state key is to put it in a hidden input field on the form. This is ideal because it doesn't use cookies. If for some reason this doesn't work for you, you can configure it to store the key in the URL (although this is a security problem), or use cookies.
To change the method for storing session state, you don't have to write any code. You just tweak a parameter in the XML configuration file called web.config. This is something that Microsoft got right...
My browser is not set up to block cookies. My browser is set to notify me, however, & pops up a privacy notice every time one gets sent, and gives me the option to block them. You know that AOL ad with the screen full of pop-ups? I was astounded, when I tested, to see how many sites such as MSN will send you. Including the ones for ad servers that deliver popups. My brother laughed and called me paranoid, but I'm not. This is how I learned about computers in the first place, by observing and playing with them, and my HTML started by staring at page source, and now my info about security and so on is coming from watching what brushes up against my computer. Ten websites produced more than 50 cookies. The lowest was zero, the highest was fifteen. (and the site was kind enough to reset my home page for me, d*it)
For those of us who need to use the net at work, it would be beautiful to have a choice in an environment where we can't see or play with things. Besides, with phone calls they have to tell you if you're being recorded, so I think that both public cameras AND net cookies AND any other such info-recording system should be required to let you know that you're in the lens. If they want my info, they can ask. (set your firewall to make windows only able to connect when YOU want it to, and see how annoyed it gets!)
"I'd say 'Have a good time,' but arson is still illegal.
Apparently the United States isn't the only place where stupidity reigns in the courts.
I don't mind when Slashdot posters comment on things without actually checking the facts, but I get pretty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption to advertising in very shrill overtones.
The law explicitly allows using cookies for session management, identity and persistence without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.
The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.
Just ignore the hysterical rhetoric from IDG.
Trust the Computer. The Computer is your friend.
If you use IE6 then it only accepts cookies when you have a privacy statement (default setting). It means that when you want to read/set a cookie you have to provide the browser with a privacy statement. This is actually 3 documents consisting of 2 xml files and a html file explaining what the cookie is trying to do.
:)
Bloody annoying if you are coding a web application, I assume it broke a lot of old stuff
This surprises me, Sweden is supposed to be one of the most open and free countries in the world, it is, or was at the top of the UN human freedom index (which for some reason I can't find anymore).
If you don't want cookies, turn them off, if you don't want advertising companies tracking you with cookies, set your browser to only allow specific sites. Really all annoying things - vbscript viruses, pop-ups, banner ads, tracking - can all be stopped by the browser, html believe it or not is an open standard and you can control anything that happens on your computer.
This comment does not represent the views or opinions of the user.
The law should have been more general, not only about the cookies.
The real problem is that our web activities are stored everywhere to fill in commercial databases. The way it's done doesn't matter: cookie on the client, server side trick, etc.
I hope other countries will realize that it's the real issue.
PS: France already has such a law (I mean a general one protecting the individuals).
www.pts.se is the Swedish institution in charge of monitoring the cookie behaviour. Click on this link (there is an English translation that you can read). What's funny is that a couple of cookies get set as soon as you load the page asking whether you accept the use of cookies. I've heard of a rumour that says that someone has already informed the Swedish police that PTS is committing a crime.
Just generate a session id, store everything in a database. If they have to login to use the site, even better, just retrieve the data for their user ID and generate a new session ID.
;-)
No cookies, and you can still track just how many times the user clicked on the link for dirty pics of smutty grannies.
That said, I don't give a crap about cookies. I turn 'em on and leave 'em for every where I go. It doesn't matter to me what gets stored in a cookie on my machine. After all, it could just as easily be stored in a database connected to the web server rather than on my machine.
Sheesh, people. McNealy was right, you have no privacy on the web, get over it!
(Don't worry. I've still got karma to burn.)
Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
- M.
I find your argument flawed. It's like the social security card fiasco. "It's not a national ID number," but the funny thing is, once it's out there, you can hardly do anything without it, unless you want to create a big hassle for yourself (have you ever tried not giving up your SOC# to the dozens of different orgs that demand it - actually illegally?).
If you have a state mandate for cookies like this, then rather than having a veneer of "choice" - i.e., I can "choose" to disable cookies but then (feigned surprise) OH! Most websites don't work! Now people actually have the option to exercise this kind of privacy, rather than just the illusion that they do, and websites will use them judiciously, if at all.
Not saying that this kind of policy is ultimately a good idea, but I do have an immense amount of respect (and surprise) at such an apparent concern for privacy. The list of nations where such things seem on people's minds to this degree is perilously short. Laws like this today, meaningful reforms tomorrow... etc etc.
Want to Know How to Cheat the GPL? Read On!
Can they use a cookie to remember whether or not the user wants to use cookies or not? :)
Chris -- http://www.bitter.net/
The law has a loophole that allows cookies and other storage for something the customer has expressly requested. That would conceivably put most websites in the clear, as the viewer requests to view the website. However, cookies tied to, for example, banner ads would not be as easy to get through that hole.
you are about to enter the abc123 site
[proceed]use cookies
[go back]don't use cookies
only the truly paranoid are going to stop here, (or anyone that can't utilize cookies, but face it they're not coming in anyway)
when every site has an ugly annoying nag page at the head of it, and the law is shown to have failed at its intended purpose, perhaps it will get tossed out.
So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.
PTS (the department responsible for this law) has a website at www.pts.se and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over people's privacy rights because it's too damn easy to do so. The Swedish law is designed to put the legal advantage at the side of the common man again.
Btw, I might add that I know one of the major lawyers responsible for this law.
What we need, is an extension to HTTP standard to supply the session id alongside with the HTTP request. A client would receive a new id every time it doesn't supply one to a server when making a request.
I checked... fortunately all my applications comply with these provisions as described in the /. blurb. (Unfortunately I don't read Swedish, so I don't know whether they really comply with the law.)
My application asks permission by sending the following header:
Set-cookie: USERID=80b1818f4b0d3f21306b1982; expires=Saturday, 24-Jul-2004 13:28:11 GMT; path=/; domain=.example.com
This tells the user that the cookie will be used to identify them to *.example.com until 24 July 2004 at the latest. The user gives permission by sending this cookie back to me. If the user doesn't give permission, she doesn't send it back and my site doesn't track her identity.
Is this simply a case of lawmakers not understanding how cookies work? As I see it, anyone who sends me a cookie, as it requires active participation on their (client's) part to SEND it to me as part of subsequent requests, has given permission. If they didn't give permission, why would they send me the cookie?
If there weren't so many moronic laws on this side of the Atlantic, I'd sit back and have a laugh at the Swedes' expense about now.
.sig: file not found
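What a Set-Cookie header like the one quoted above actually tells the client can be read off mechanically. The following is an added example, not part of the original thread: it parses the header and reports the two properties commenters keep returning to, session versus persistent lifetime and whether the cookie is scoped to the site the user asked for. Function names, host names and the second and third sample headers are constructed.

```python
from datetime import datetime, timedelta, timezone

# "expires" layouts handled here (assumed set): the Netscape style used in
# the header quoted above, with full or short weekday, and RFC 1123.
EXPIRES_FORMATS = (
    "%A, %d-%b-%Y %H:%M:%S GMT",
    "%a, %d-%b-%Y %H:%M:%S GMT",
    "%a, %d %b %Y %H:%M:%S GMT",
)


def parse_expires(value):
    """Return an aware UTC datetime, or None if the date is unreadable."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attribute dict)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_matches(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def describe_cookie(header, response_host, page_host, now):
    """Summarise what the header asks the browser to keep.

    response_host sent the header; page_host is the site the user asked for.
    The party check is an approximation: browsers compare registrable
    domains using the Public Suffix List, which is not bundled here.
    """
    name, _, attrs = parse_set_cookie(header)
    expires = None
    if "max-age" in attrs:  # Max-Age wins over Expires when both are present
        try:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            expires = None
    if expires is None and "expires" in attrs:
        expires = parse_expires(attrs["expires"])

    if expires is None:
        lifetime, days_left = "session", None  # gone when the browser closes
    elif expires > now:
        lifetime, days_left = "persistent", (expires - now).days
    else:
        lifetime, days_left = "expired", None  # a deletion request
    scope = attrs.get("domain") or response_host
    party = "first-party" if domain_matches(page_host, scope) else "third-party"
    return {
        "name": name,
        "lifetime": lifetime,
        "days_left": days_left,
        "scope": scope.lstrip("."),
        "party": party,
    }


if __name__ == "__main__":
    now = datetime(2003, 7, 25, tzinfo=timezone.utc)  # the day the law took effect
    quoted = ("Set-cookie: USERID=80b1818f4b0d3f21306b1982; "
              "expires=Saturday, 24-Jul-2004 13:28:11 GMT; path=/; "
              "domain=.example.com")
    print(describe_cookie(quoted, "www.example.com", "www.example.com", now))
    # Constructed headers: a PHP-style session cookie and an ad-network cookie.
    print(describe_cookie("Set-Cookie: PHPSESSID=constructed01; path=/",
                          "www.example.com", "www.example.com", now))
    print(describe_cookie("Set-Cookie: track=constructed02; "
                          "expires=Sat, 24 Jul 2004 13:28:11 GMT",
                          "ads.adnetwork.example", "www.example.com", now))
```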
I don't understand the purpose of this law. Anyone with a snazzy enough backend can just configure a computer to log your info and save it to assigned IP addresses.
To keep "session" info, just add the ?user&bigrandomnumber after the URL, then bookmark it. All it has to do is check if the data is correct in the db, then it calls up your info. No session info required. It's still early, and I haven't had enough coffee, but I believe this would work.
Cookie handling is the one advantage IE has over Mozilla. Mozilla needs cookie whitelisting.
My current workaround is to use two profiles. My main profile does not allow cookies. When I want to access the sites I need (only two so far, but they are important to me), I switch to the profile that allows cookies.
Hardly an optimal situation, especially on Firebird which does not have profile switching on the fly (unlike Mozilla).
This may be a little inaccurate since I'm Norwegian, but here we go:
Hard to keep up with electronic communication
Today you may experience some unreliable websites. The new law on electronic communication starts today. It says that the sites must inform the purpose of each cookie. The users must also have an option to avoid them.
As of today, Swedish websites may not use so-called cookies without informing the user of the purpose and contents stored in them. The user must also have a choice to avoid the cookies.
This is a consequence of the new law on electronic communication, SFS 2003:389, which starts today.
It is not enough to tell the browser to accept all cookies. The website you visit must inform what kind of information is stored, and what the purpose of it is - in addition to giving the user an option to avoid them.
Hard for the sites
Swedish websites have two options.
- One alternative is to stop using cookies. The website functionality may suffer from this, says Jonas Eriksson from Webkonsulterna in Östersund.
Jonas Eriksson doesn't even want to consider the other option.
That makes the majority of all Swedish websites who use script languages such as asp and php to become unreliable, unless they rebuild the web sites so the users can use them without cookies when they enter.
But there's more.
- If you thought banners and pop-up ads were bad, consider the fact that all ad networks now must launch a javascript asking the user whether or not s/he will store a cookie after viewing this ad, he says.
PTS follows up
In the website of Postal and Telecommunications dept, the PTS, you can read the following:
"Cookies are used by most websites today. The new law on electronic communication, starting July 25th 2003, states that all websites using cookies must inform the user and give an option to work around them."
Hard to tell
According to Charlotte Ingvar-Nilsson, the executive chief of PTS, the PTS will check how the market acts on the new law.
- If the websites don't comply, then we must start informing them on the changes, she says.
What if they don't follow up?
- If we suspect that someone doesn't follow up, then the website gets one month to comply with the law.
The PTS also has the right to terminate the service of those who do not follow the new law, unless it is of less importance.
- It remains to see if it will be required, says Charlotte Ingvar-Nilsson.
www.6502asm.com - Code 6502 assembly or.. DIE!!
I'd expect popup ads to be outruled in 10 years from now.. in the first country that happens to do it..
I'd expect most Swedish sites to do the same as to this date, except add a notice "We will place a session cookie on your computer when you login. If you don't want this, please, do not login." next to their login box.. big deal..
Software should be free as in speech, but if we also get some free beer, all the better.
I can see a lot of businesses moving their site 'off-country' or making them "international" if that doesn't cut it....
AC comments get piped to
This is a damn good thing.
Cookies
- Violate your privacy.
- Are a valuable thing to grab through cross-scripting vulnerabilities.
- Waste space on your hard disk and they are a mess to sort out (visit a web site, get 3 new cookies)
- Their use is totally irrelevant most of the time. You absolutely don't need cookies to track sessions. Ever heard about GET and POST methods and their abilities to carry variables? Ever heard about the SID variable in PHP?
So what are cookies really useful for?
To avoid users type their username/password? Well... most browsers can autofill forms so this is not a big issue any more.
The only real "use" of cookies I can see is for advertisement capping (so that an ad is only shown once)
{{.sig}}
I'd view the symptoms that one user's displaying as warning signs. You know he's gonna be the one to snap and riddle the office with bullets, right?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I'm from Sweden and I must say that this sucks.
It's just one more of those stupid Swedish rules that hinders the marketplace. Like back in the day, you couldn't get a .se domain name, you had to get a www.site.region.city.se.
Why can't they just leave the internet alone!
Stupid lawmakers.
Will code a sig generator for food
If your website contains nothing but static content, do you honestly need cookies, a registration system(a la mp3.com) or other garbage like that?
I fear that the web is moving too far away from simple .html pages that don't require you to have knowledge on database programming and require it to be a fully dynamic website, just to display a text file.
*sigh*
Anyone remember when the only annoying website out there was geocities, just because it only had ONE popup ad?
This law has a good purpose to protect privacy, but it makes the mistake to involve technological ways of doing this.
This means that sooner or later somebody will find a way to circumvent it. Perhaps just by moving the sites from Sweden. The text in the law is also very unclear as it allows cookies if they are needed to provide a service that the user has ordered.
The result will be that bad guys will still have cookies on their sites, while users will be pestered with "Do you allow cookies" messages on each and every sites where cookies have a legitimate use.
God is REAL! Unless explicitly declared INTEGER
Cookies are E.V.I.L. (tm) anyway.
And all those II$ websites should be crushed out of existence because they propagate E.V.I.L. (tm)...
We need a way to use mod-points to move a comment 5 places up or down. You, my friend, should be at the top of this non-story.
Last post!
The internet is, by its very nature, not a location-specific sort of thing. Why wouldn't every ISP in Sweden simply pack up and move to Norway? They keep their traffic, keep their design, keep their cookies, and all they have to do is live in lovely Norway.
what is so bad about cookies anyway? I'm a web developer and I've met one guy who refuses all cookies (therefore is unable to use some of my sites), I asked him why he did that and even though he is a techie, he wasn't able to give me an answer. And I don't get it, neither. So please: Show me one single incident where cookies caused anybody harm. Thanks.
Any site that is going to use an 'internal' login (ie, not auth'd by the webserver, but by your backend database) must use cookies. My cycling team calendar I wrote does this, and I have always on the login page stated that cookies are needed for the site to work, and what the cookies are used for. What's the big deal?
My website is in the US. The US has no such law. The Swedish government has no jurisdiction here, so this is completely irrelevant except to those that publish websites within Swedish jurisdiction. Screw Sweden -- they suck anyway.
Skiers and Riders -- http://www.snowjournal.com
doesn't p3p already cover this? you have to state that you are using cookies and for what purpose in a binary form so the browser can verify what you are stating. then the browser only allows the website to do what you stated. the browser then can display what was stated and what the browser is currently allowing the website to do based upon the binary statement. a human-readable statement is also provided (you could have the browser generate this based upon the binary statement that the browser went by) at a url so the user can click on 'privacy report' and get to the web page. providing the option to leave is so silly... the user, having read the statement and disagreeing can simply point to where ever else they want to go and just leave! i don't get that the website needs to provide an option to 'leave' a website. i didn't know i was trapped by every website that i visited...
just because you can concoct and pass a law doesn't mean you should. silly if you ask me.
I submitted that story last night. I guess nobody around here is interested. They all must be using Debian.
You are in a mall. You see a new shop - one you've never been in before. Being curious, you approach the shop.
As you attempt to enter the shop, a large bouncer-like gentleman says
Would you:
Now, how is this any different than a web site needlessly setting a cookie just to track you?
Too damn many websites want to set a cookie just because you tried to GET index.html - not because you are trying to set a preference or make a purchase.
www.eFax.com are spammers
just another example of why the technologically retarded shouldn't be allowed to make new (IT based)? laws. they really should consult someone who knows what they're talking about before passing stupid laws. cookies are not evil, but the media seems to think they are. people (sites) who misuse cookies are evil.
You just don't normally expect to see this kind of stupidity coming out of Sweden.
This website requires the use of cookies for proper function. We are required by law to ask you this. No personal information will be stored in them.
Click YES, or bugger off.
Yours Truly, Your Bank.
You are NOT supposed to actually know anything about Windows on Slashdot. Knowing as much about Windows as you do about Linux may get an assassin sent to your house.
Vote Quimby!
There is absolutely nothing wrong with cookies. You don't agree? Turn them off. It's just so simple...
The new Swedish law does not mention cookies as such. The new law is, simply said, a response to the new technologies for collecting/storing/tracking information about private citizens, and the abuse these technologies may be used for.
:-) ). The US is becoming slightly more European on information policy.
I recognize the abuses being put on Internet technologies as their commercial applications grow. I've been predicting that spyware would become common when RealPlayer first showed up with their "phone home" gunk. (This is back in the day where phoning home to check for a current version was considered potentially offensive and always disableable.) However, as an engineer, I'm very frustrated by legal restrictions over what can be done, and I quite doubt that world legislatures can move quickly enough to make fair laws to control rapidly changing tech. Cookies can go or come, and if the US makes a similar law, I'm sure a differently-named system to store client-side state will be introduced.
In general, it appears the privacy/integrity is more respected/protected in Europe than in USA.
Mmmm...debatable. Traditionally (9/11 has screwed things up a bit) the US has done a better job of preventing government abuse of information. The FBI and the CIA have domain restrictions. FOIA lets people see what data the government is building up on them. Key escrow was shut down. Contrast this to Britain, where passwords must be supplied to the government on demand or jail time can be handed down, or most European countries, where key escrow is common.
Where Europe shines (more socialized environment that it is) is in preventing corporate abuse of information. Companies have a lot of laws regulating what they can do with information on people.
The US has started to get worse WRT government data (Office of Homeland Security, PATRIOT Act) and better WRT corporate information (limitations on sharing of data between financial institutions -- of course, this just prompted a bunch of mergers of financials to bypass said limitation, but still
May we never see th
I'll go further than you and say that this is great. It's not so much that the site user must explicitly ask for cookie services as much as the company CAN NOT do anything with cookies that they don't tell the user about and the user approves. I know this sounds like the same thing, but the implementation can be done differently. It's going to be an all or nothing deal we can imagine, but companies that lie are going to get burnt. Hopefully, this will extend to banner adds, theoretically hosted by another machine. Honest companies can relax.
If people have trouble making their stupid IIS servers comply with this, then IIS was never honest to begin with. While M$ dishonesty is the root of their bad performance, complying with Swedish laws is the least of the problems users of IIS have to deal with.
Friends don't help friends install M$ junk.
Cookies are nothing but a little bit of text stored by your browser. They are domain specific - e.g. a cookie from a server at domain1.com cannot be accessed by a server at domain2.com.
The real problem is the media and some privacy loonies decided that cookies and the monsters underneath children's beds at night are on the same level.
Somehow this myth of cookies being bad was repeated so many times it became an accepted truth.
As a web developer, I say disabling cookies just gets in the way of letting users have a better experience at a site. You have to add sessions to the URLs, and have to have users log in to know who they are in a later session.
The only possible privacy problem is third party cookies. Mostly, advertising that tracks what ads you've seen or not, or what websites you've visited. That I don't love, and I can see privacy issues with.
However it's easy to disable third-party cookies with any decent browser. Only accept cookies from the site you're visiting, and nothing should break.
Isn't there a soul in the media who can see through the nonsense? Sheesh.
/* TAANSTAFL */
This shows one of the major differences between Sweden and the US; the government is by the people, for the people. Although this law might shoot above target and not fulfill its makers' hopes, it is evident that it has been formed with an honest intent of protecting the surfer's privacy, not some big company's capitalistic interests.
Integrity protection
Electronic communication networks may be used to store or access information that is on a subscriber or user's terminal equipment only if the user receives information about the purpose of such treatment and is given an opportunity to reject it.
This does not prevent storage or access that is necessary to accomplish or facilitate the transfer of an electronic message through an electronic communication network or that is necessary to provide a service that the user or subscriber explicitly requested.
Thanks for browsing at -1
Please visit my blog: www.framtiden.nu
Maybe they could just make them smaller like Oreo is doing. Smaller Oreos means lowering the risk of getting fat. The new smaller web cookies might not be as big of a security risk. G
Uh, a long random string?
I've found that my posts don't format quite right w/o a sig.
I don't understand why people, especially legislators of any country spend their time on this stuff.
Only 'flamers' flame!
Does slashdot hate my posts?
Cookies? Dangerous? It seems to me that this whole cookie-paranoia is nothing but a product of a sensational media jumping on the wrong things. Cookies aren't dangerous. And they don't hamper your privacy any more than the security camera in your local grocery store. Sweden's government needs to do a reality check and figure out what is important and what it shouldn't piddle and twiddle about.
Why can't people see the slippery slope here??
Here we have a "government" (and one of the usually more enlightened ones at that) legislating how a piece of software - a Web site - must be designed.
Many of us just sit back and accept this, because Privacy is Good, Cookies can violate Privacy, hence Cookies are Bad, and, ergo, legislation against Cookies is Good.
I don't like or use cookies either, but the mere fact that we don't like something does not give government a legitimate power to ban it.
Here is the logical conclusion of the road you are allowing this government to travel. Computers can be used to violate Privacy. Privacy is Good, therefore Computers are Bad, and we should legislate against Computers.
Ridiculous? You bet.
But no different than what's happening now, except in degree.
Governments exist to protect Life, Liberty and Property. That is why they are created and that is their only legitimate purpose.
Governments that begin to violate these rights, even in a small way, tend to grow to violate them in bigger ways.
People who think there should be a Law against anything they don't like give government exactly the excuse they need to do so.
Please do not let a relatively minor issue, such as the abuse of cookies, justify your support of government coercion over software makers.
If you do, then don't be too surprised when eventually it starts to infringe your freedom as well.
Nonaggression works!
I have Mozilla ask me if I want to accept cookies, and blocking them usually doesn't cause a problem. I really appreciate it when a web site doesn't even try to set a cookie till I click something that might need to be saved like a "buy it" link. That way I know they have a reason other than snooping for the cookie.
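The behaviour asked for in the comment above (no cookie until an action needs one, and then only after the visitor has been told what it holds and has agreed) can be sketched server-side as follows. This is an added example, not code from the thread or from any site it mentions; the cookie name `sid`, the form field `accept_cookies`, the `handle` function and the in-memory store are assumptions made for the illustration.

```python
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"             # assumed cookie name
CONSENT_FIELD = "accept_cookies"   # assumed consent form field

# Notice shown before any cookie is stored: what it holds and why.
NOTICE = ("This site stores one cookie, 'sid', holding a random session "
          "identifier used only to keep you logged in. "
          "Submit accept_cookies=yes to allow it.")

_sessions = {}  # in-memory store (illustration only): sid -> server-side data


def parse_cookies(header):
    """Return {name: value} from a Cookie request header (may be empty)."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def build_session_cookie(sid):
    """Build the Set-Cookie value for an opaque session identifier."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    morsel = jar[SESSION_COOKIE]
    morsel["path"] = "/"
    morsel["httponly"] = True    # not readable by page scripts
    morsel["secure"] = True      # only sent over HTTPS
    morsel["samesite"] = "Lax"   # not attached to cross-site subrequests
    return morsel.OutputString()


def handle(path, cookie_header="", form=None):
    """Toy request handler returning (status, headers, body)."""
    form = form or {}
    headers = []
    sid = parse_cookies(cookie_header).get(SESSION_COOKIE)

    # A cookie is honoured only if it names a session this server created.
    if sid in _sessions:
        return 200, headers, "welcome back, " + _sessions[sid]["user"]

    if path == "/login":
        if form.get(CONSENT_FIELD) != "yes":
            # No consent yet: explain the cookie, store nothing.
            return 200, headers, NOTICE
        # Consent given: the cookie carries a random identifier only;
        # the user name stays server-side and no credential is stored.
        sid = secrets.token_urlsafe(32)
        _sessions[sid] = {"user": form.get("user", "")}
        headers.append(("Set-Cookie", build_session_cookie(sid)))
        return 200, headers, "logged in"

    # Plain page views never need state, so they never set a cookie.
    return 200, headers, "static page, no cookie needed"
```
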
Might not be 100% correct, but it gives you a clue:
Svårt följa ny lag om elektronisk kommunikation
(2003-07-24 16:24)
Many sites become illegal today, since a new law regarding electronic communication is taking effect. It says that the sites have to inform about what the content in the cookies will be used for. The users should also be given the opportunity to refuse using them.
From today on, Swedish websites can't use so called cookies without informing about the purpose of computing the data that's in them. In addition, the user is given an opportunity to stop using cookies.
That's the consequence of the new law about electronic communication, SFS 2003:389, which has started to take effect.
It's not enough that the web browser automatically chooses to accept cookies. The website you visit must inform about how the information will be used and also give the user the ability to refuse using cookies.
Cumbersome for the web sites
Therefore Swedish websites have two alternatives.
- One alternative is to stop using cookies. The functionality of the website will suffer, says Jonas Eriksson at Webkonsulterna in Östersund.
Jonas Eriksson doesn't want to think about the second alternative.
It means that the majority of the Swedish websites that use scripting languages with session variables - such as ASP and PHP - become illegal, unless they build the websites so that the user can approve the use of cookies before they enter the pages.
But it doesn't end there.
It's not enough that you on a daily basis see a bunch of banner advertisement and popup messages. Now the advertisement network has to start a JavaScript and ask if you're allowed to set a cookie and then show the commercial, he said.
PTS keeps track of the law
The Swedish Post and Telecommunications authority (PTS) is the guardian authority for this law, and on their website it says:
"Cookies are used from a technical point of view and today it's used by most web sites. According to the new law on electronic communication, which takes effect on July 25, 2003, all web site visitors should be informed of the usage of cookies and also be given the opportunity to refuse such usage."
Threat of getting a ticket
According to Charlotte Ingvar-Nilsson, deputy legal manager at PTS, PTS will control how the market is reacting on the new law.
- If the web sites don't follow the law, we'll start informing about the changes, she said.
If that's not enough?
- If we have a suspicion that someone doesn't follow the law, the web site gets at least one month to fulfil the requirements stated by the law. After that we have the right to enforce it in conjunction with a ticket, said Charlotte Ingvar-Nilsson.
If the web site doesn't fulfil the duties, PTS also has the right to decide to shut down their business if it's not a small matter.
- We'll have to wait and see if this is something that will be implemented for this case, said Charlotte Ingvar-Nilsson.
by Anders Nordner
Svårt följa ny lag om elektronisk kommunikation means "Hard to follow the new law on electronical communi"... missed that one.
The problem is what people are using cookies FOR, not cookies per se. Using cookies to store passwords or access keys is insecure unless you take into account the risks involved and go a step further to protect the user.
A blanket decree requiring web sites to require user permission before using cookies of any sort is ignorant.
the law restricts the general concept of unauthorized storing of user info. Hence, doing that also now seems illegal. Bizarre eh?
Photos.
Any comments? :-p
Don't overlook the fact that a website can't store information about you unless you give it that information somehow. I personally like it a lot more when a website remembers my settings or preferences the next time I come back. I don't have to log into /. every time I come.
Where this breaks down though, is advertising. Advertisers that load banners off a central server could use this for tracking what sites you visit. If this is a big concern to you (despite the fact they don't actually know who you are, or anything about you besides your cookie id and the sites you visit..), then you can always block all the advertising servers. There are lists circulating of hosts files to change the IP's to 127.0.0.1 or something, and updated frequently.
Yeah sure, the average user probably will have a hard time doing that. But then the average user isn't as concerned about privacy. If they are, then they'll learn how to protect themselves.
Hell, I deal with 50+ people a day that don't want to fax their CC number to me, you think that they want their personal information stored on a webserver that is easily hacked?
What does this have to do with cookies? Even if you disable cookies, they can still store your information; they just don't know its you when you come back.
And what's to stop people from using other methods? Track your IP address along with your USER_AGENT string, and as long as that USER_AGENT comes from the same subnet, assume it's the same. Or go further and use Javascript to detect screen resolution, versions, etc. Use as much information as possible to make a 'fingerprint' of that browser.
Overall, I think this whole thing is a legal solution to an already-technologically-fixed problem that doesn't even exist in the first place.
Speak before you think
I don't see why websites should get your consent for cookies. In most modern day browsers like Mozilla or IE6, there are options to restrict first-party cookies and second-party cookies based on the website's compact privacy policy. You can even create a blacklist of websites you know abuse cookie power. Of course, some sites might not have a compact privacy policy, so maybe better legislation would require a policy on every site!
Even still, I've never been very concerned about cookies. If you're worried about them tracking your every movement on the internet, block third-party cookies. And keep in mind they can track you by IP address!
Overall, I think this is plain unfair to the websites that will have to completely rewrite their whole websites to comply with this ridiculous law. Luckily I don't have to deal with it!
/usr/bin/complain >
You need to get by the first paragraph and start to realize what this law is all about. It's about privacy. The web site owners have to tell the users about the way they use the data they collect by having a cookie at their browser.
Cheers!
Based on several of the translations I have seen in the other messages the law breaks down to
:P (ignorance of a law doesn't exempt you from the law)
1) you must give the end user information about the cookie before it is stored
2) the user should have the option of refusing the cookie.
So, can't #1 be completed by sending the information in the HTTP headers??? Who cares if they don't read it (or don't know how)... It was still available to them
And #2, and cookies can be refused by most current clients. If the user elects to use software that doesn't have the refusal ability. All that needs to happen here is that the customer needs to "upgrade" to get that ability.
In fact, wouldn't the act of sending the cookie itself fit the above descriptions???? All the user needs to do is read the cookie themselves and decide whether or not to accept it.... If they don't choose to do so, or have a browser that can't, they are the only ones at fault.
sig. "I didn't do it."
As someone else pointed out, configuring your browser to accept cookies amounts to consent, IMHO.
This issue has already been addressed as part of the feature set of all major browsers. We don't need a law to enforce this. Users already have all the tools they need.
-rick
Well I think that question about do you want to use cookies is browsers problem. But some kind of information site about sites cookies is not a bad idea. If you really want to store information about some surfer there are whole bunch another ways so... I think that in future it is even "easier" and more reliable to store information related to IP. Mostly I use cookies cause I'm too lazy to make db table for users or something else (and also cause IPs are mostly dynamic).
Just include:
set sessionState cookieless="true"
in your web.config file and ASP.NET will not use cookies to store the session state. Rather, a hidden form tag stores the session identifier.
All websites physically in Sweden, or all websites that are in Swedish, no matter the physical whereabouts? Either way, stupid law. As such, nothing new to see.
or, as the law says, webmasters could be up-front about what they're doing.
Until all people are honest, there will be laws to punish those who aren't
and some innocents will always be squeezed in the process.
gewg
or the people who know M$'s reputation and don't trust Windows Update to get patches for and/or new version of IE.
Title pretty much says it all. Hidden form fields in dynamically generated HTML work fine to maintain state data. I use this method all the time to build shopping carts and navigation systems. There is no need to put session state info into cookies or URLs and I find sites that do so annoying.
You have to have a page (linked to from the front page) to describe what cookies are, how to disable them and how they are used on your page. Having it as the front page is NOT necessary, nor is having it all as text on the front page. The information should be able to be accessed during the web site visit, in a nutshell. You do NOT need to have a no-cookie version since the user can empty her cookies or simply block cookies from your domain. However, a link to the explanatory page from your login is preferred.