Sweden Crunches Cookies
dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: no cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is OK. The law comes into force today."
IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.
It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
Post och Telestyrelsen (the authority enforcing the law) has an English version of the "info text" needed for using cookies
This represents a huge problem for Swedish sites which use .asp and .php session variables.
:-)
Just use Java Web Application with JSPs. They automatically handle the generation of sessionId with cookie or URL rewriting without any modification to the source code.
A session ID can be used to track a user within a single session only. Cookies can be used to track users over multiple sessions. From multiple sessions one can build a profile. I think that's the difference.
Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG) not that it makes it any better though since all of EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).
"GNU's not Unix....it's Linux" / Kami "kokamomi" Petersen
Ah yes, but URLs are explicitly linked to a browser session and store session-based information.
Close the browser and you're a different user next time you visit the site. Cookies on the other hand can be used to flag you as a returning visitor and link you to databased information more effectively.
Personally, I think this is a little bit too draconian. Users can already choose to turn cookies on or off, so maybe effort should be made to educate them. Conversely, I can see that cookies may in some remote way be tied in with a country's Data Privacy/Protection Laws, so this kind of action has come about because of that.
Do you use IE like most people do? You can only block all cookies (and lose the use of your netbank, for instance) or allow all cookies.
:-p That said, everyone should use Moz Firebird.
Uh, false?
You can accept, deny, or have IE prompt you for cookies. You can also differentiate between third-party cookies and cookies from the originating site.
Not only that, but you can override the cookie handling for individual sites - just put your netbank on "Always Allow" and you're set.
People who haven't used IE for years shouldn't go talking about its features or lack thereof.
The law doesn't apply to cookies used to supply the user with a service she asked for.
That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.
However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
Enabling Cookieless Session State in ASP.NET
Read the RFCs. A Set-Cookie header is just a header. The behavior of the client is then covered by the RFC. It MAY choose to accept the cookie. It MAY choose to ask the user of the client whether to accept the header. It SHOULD have a facility to allow the user to reject all cookies. The RFC nowhere says MUST. In other words, the way the standard is framed, a Set-Cookie header is a request, not a demand.
..if people actually read and understood the text before making headlines out of it..
First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.
Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.
I don't see any problem with this law, but I do see a lot of good things coming from it. Less spying from evil banner-ad companies for one.
My 2 cents worth..
I beg to disagree--a few posts below also reiterate your point.
In PHP, URL-rewrite slows things down and bloats your script. It also makes your URLs look ugly: sometimes you may want them to stick in the user's mind.
While for a forum this may be OK, for a fairly big user-centric website it is simply ridiculous to have to do away with cookies--they are a convenient way to deal with things "behind the curtain"; they also have the added security of not being immediately visible to the user (he has to want to see them, by looking at his filesystem or other.)
Privacy-wise, all decent modern browsers have some form of modern cookie filtering--the user can choose to block, etc.
The only solution I see is, as suggested below, have a front page which tells the user and gives him the choice to leave.
All in all, I find this law a little silly, although of course I understand the privacy concern.
yours ever, fz.
URL session tokens are quite a bit less secure than cookie based ones. I know of at least a couple online webstores that allow session hijacking through their JSP URL tokens. (You're shopping. You see X item. You cut & paste the link to your friend so they can look at it... now you're both shopping in the same session...)
Cookies keep client-specific data outside URLs and in a well specified, predictable and easy to manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.
Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.
Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
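The leak described above (a session id tacked onto every link ends up in the request line and in the Referer header of every other site's access log) is something a defender can look for. The following is an added example, not code from the original thread: a small Python scanner over combined-format access-log lines that reports every session identifier visible in the request path or the Referer. The log lines, parameter names (PHPSESSID, jsessionid, SID, sessionid) and hostnames are constructed for the example; a cookie-carried session leaves no trace in these fields, which is the contrast the post is making.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Session-identifier parameter names commonly used when a site does URL
# rewriting instead of cookies (constructed list for this example).
SESSION_PARAMS = ("phpsessid", "jsessionid", "sid", "sessionid")

# Apache/nginx "combined" log format: client, ident, user, time, request,
# status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: one PHP-style query-string session id in the request
# line, one servlet-style ;jsessionid leaking to a third party via Referer,
# and one request whose session rides in a cookie (nothing to see).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jul/2003:12:00:01 +0200] "GET /shop/item?id=42&PHPSESSID=abc123def456 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Jul/2003:12:00:09 +0200] "GET /partner/banner.gif HTTP/1.1" 200 312 "http://shop.example/cart;jsessionid=9F3A1C" "Mozilla/4.0"',
    '10.0.0.9 - - [10/Jul/2003:12:00:15 +0200] "GET /shop/item?id=42 HTTP/1.1" 200 5120 "http://shop.example/" "Mozilla/5.0"',
]


def session_ids_in_url(url):
    """Return (param, value) pairs for session identifiers found in a URL.

    Handles both query-string carriage (?PHPSESSID=...) and the servlet-style
    path parameter (/cart;jsessionid=...)."""
    found = []
    parts = urlsplit(url)
    # Path-parameter form: everything after the first ';' in the path.
    for segment in parts.path.split(";")[1:]:
        name, _, value = segment.partition("=")
        if name.lower() in SESSION_PARAMS and value:
            found.append((name, value))
    # Query-string form.
    for name, values in parse_qs(parts.query).items():
        if name.lower() in SESSION_PARAMS:
            found.extend((name, v) for v in values)
    return found


def find_leaked_sessions(log_lines):
    """Scan access-log lines and report each session id visible in the
    request line or the Referer header. Returns a list of dicts."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for where, url in (("request", m.group("path")),
                           ("referer", m.group("referer"))):
            for name, value in session_ids_in_url(url):
                findings.append({"client": m.group("client"), "where": where,
                                 "param": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_leaked_sessions(SAMPLE_LOG):
        print(f"{f['client']} leaked {f['param']} in {f['where']}: {f['value']}")
```

Running it on the constructed lines reports the PHPSESSID from the request line and the jsessionid that arrived in a Referer; the cookie-based third request produces nothing, because the cookie never appears in either field.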
ah - I see - compare the ip address on subsequent hits to the ip address of the originating hit.
OK - wouldn't that be a problem where the user is behind *multiple* proxies, so the ip address that the website sees could change from hit to hit ?
(I'm behind such a set of proxies right now..)
$ strings FTP.EXE | grep Copyright
@(#) Copyright (c) 1983 The Regents of the University of California.
mostly not a problem:
do you want to remember my password (uses cookies) (x) yes ( )no
Hardly... Have you *ever* tried to disable cookies altogether? It is difficult to get things done. Most websites will simply refuse navigation without cookies. Microsoft's idea of a "session cookie" that disappears after you leave the site was a good idea but their implementation does not work (it is the same as turning cookies off).
While this isn't a problem for advanced users, I do build and deploy a number of PCs for friends and family. IE is a requirement because many sites are not up to speed on Mozilla yet.
Argh...
Life is the leading cause of death in America.
I don't mind when slashdot posters comment on things without actually checking the facts, but I get pretty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption to advertising in very shrill overtones.
The law explicitly allows using cookies for session management, identity and persistence without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.
The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.
Just ignore the hysterical rhetoric from IDG.
Trust the Computer. The Computer is your friend.
If you use IE6 then it only accepts cookies when you have a privacy statement (default setting). It means that when you want to read/set a cookie you have to provide the browser with a privacy statement. This is actually 3 documents consisting of 2 xml files and a html file explaining what the cookie is trying to do.
:)
Bloody annoying if you are coding a web application, I assume it broke a lot of old stuff
PTS (the department responsible for this law) has a website at www.pts.se and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over peoples privacy rights because it's too damn easy to do so. The swedish law is designed to put the legal advantage at the side of the common man again.
Btw, I might add that I know one of the major lawyers responsible for this law.
SFS 2003:389, chapter 6. Integrity protection
18 Electronic communications networks may be used to store or access information that is stored in a subscriber's or user's terminal equipment only if the subscriber or user receives information from the data controller about the purpose of the processing and is given an opportunity to prevent such processing.
This does not prevent such storage or access as is needed to carry out or facilitate the transmission of an electronic message over an electronic communications network, or as is necessary to provide a service that the user or subscriber has explicitly requested.
This is my own translation, more or less word by word since I don't have much experience with translation of laws :-)
SFS 2003:389, 6 chapter. Integrity protection
18 Electronic communication networks may be used to store or access information that is stored in the subscriber's or user's terminal equipment only if the subscriber or user receives information about its usage, by the responsible (person?) of the personal information, and has an opportunity to block such a treatment.
This does not stop storage or access that is needed to perform or make it easier to transfer an electronic message via an electronic network or as necessary to provide a service that the user or subscriber explicitly has requested.
I can see a lot of businesses moving their site 'off-country' or making them "international" if that doesn't cut it....
AC comments get piped to
Internet Explorer 6 uses the Compact Privacy policy as specified in the W3C P3P spec. It uses this to determine whether a cookie is unsatisfactory (different rules based on whether it is a third party cookie or not). MSDN has documentation covering Internet Explorer's decision matrix (unfortunately framed).
PHP sessions only store a session key too. The same may not necessarily be said about all PHP developers, of course, but PHP itself isn't *that* retarded (usually) :)
Integrity protection
Electronic communication networks may be used to store or access information that is on a subscriber or user's terminal equipment only if the user receives information about the purpose of such treatment and is given an opportunity to reject it.
This does not prevent storage or access that is necessary to accomplish or facilitate the transfer of an electronic message through an electronic communication network or that is necessary to provide a service that the user or subscriber explicitly requested.
Thanks for browsing at -1
Please visit my blog: www.framtiden.nu
Cookies? Dangerous? It seems to me that this whole cookie-paranoia is nothing but a product of a sensational media jumping on the wrong things. Cookies aren't dangerous. And they don't hamper your privacy any more than the security camera in your local grocery store. Sweden's government needs to do a reality check and figure out what is important and what it shouldn't piddle and twiddle about.
I don't see why websites should get your consent for cookies. In most modern-day browsers like Mozilla or IE6, there are options to restrict first-party cookies and second-party cookies based on the website's compact privacy policy. You can even create a blacklist of websites you know abuse cookie power. Of course, some sites might not have a compact privacy policy, so maybe better legislation would require a policy on every site!
Even still, I've never been very concerned about cookies. If you're worried about them tracking your every movement on the internet, block third-party cookies. And keep in mind they can track you by IP address!
Overall, I think this is plain unfair to the websites that will have to completely rewrite their whole websites to comply with this ridiculous law. Luckily I don't have to deal with it!
/usr/bin/complain >
Just include:
<sessionState cookieless="true" />
in your web.config file and ASP.NET will not use cookies to store the session state. Rather, a hidden form tag stores the session identifier.
Title pretty much says it all. Hidden form fields in dynamically generated HTML work fine to maintain state data. I use this method all the time to build shopping carts and navigation systems. There is no need to put session state info into cookies or URLs and I find sites that do so annoying.
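Two posts above make a pair of points that fit one small example: a Set-Cookie header is only a request the client may decline, and hidden form fields can carry session state without cookies or URL rewriting. The following is an added illustration in Python, not code from the thread or from any of the products discussed; the cookie name SID, the field name sid, the in-memory store and the request/response shapes are all assumptions for the example. It issues a session cookie, also writes the id into a hidden field on the next form, and on the following request accepts the cookie if it came back and falls back to the form field if it did not; ids that the store never minted are ignored, so a client cannot choose its own session id.

```python
import secrets
from html import escape
from urllib.parse import parse_qs

SESSION_COOKIE = "SID"   # assumed cookie name (hypothetical)
SESSION_FIELD = "sid"    # assumed hidden-field name (hypothetical)


class SessionStore:
    """In-memory session table; only ids minted here are ever trusted."""

    def __init__(self):
        self._sessions = {}

    def new(self):
        sid = secrets.token_urlsafe(16)   # unguessable, cookie- and form-safe
        self._sessions[sid] = {"hits": 0, "cookie_seen": False}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def resolve_session(store, request_cookies, form_body):
    """Find the caller's session: the cookie wins; the hidden field is the
    fallback for a client that declined the Set-Cookie. Returns (sid, carrier)
    with carrier "cookie", "form" or None."""
    sid = request_cookies.get(SESSION_COOKIE)
    if sid is not None and store.get(sid) is not None:
        return sid, "cookie"
    for candidate in parse_qs(form_body or "").get(SESSION_FIELD, []):
        if store.get(candidate) is not None:
            return candidate, "form"
    return None, None


def render_form(sid, action="/next"):
    """The next page's form; the session id rides in a hidden field so the
    server does not depend on the cookie coming back."""
    return (
        f'<form method="post" action="{escape(action, quote=True)}">'
        f'<input type="hidden" name="{SESSION_FIELD}" value="{escape(sid, quote=True)}">'
        '<input type="submit" value="Continue"></form>'
    )


def handle_request(store, request_cookies, form_body=""):
    """One request/response cycle. Returns (sid, carrier, headers, html)."""
    sid, carrier = resolve_session(store, request_cookies, form_body)
    headers = []
    if sid is None:
        sid = store.new()
        carrier = "new"
        # A Set-Cookie header is a request to the client; it may be refused,
        # which is why the id also goes into the form below.
        headers.append(f"Set-Cookie: {SESSION_COOKIE}={sid}; Path=/")
    session = store.get(sid)
    session["hits"] += 1
    session["cookie_seen"] = session["cookie_seen"] or carrier == "cookie"
    return sid, carrier, headers, render_form(sid)


if __name__ == "__main__":
    store = SessionStore()
    sid, carrier, headers, html = handle_request(store, {})
    print(carrier, headers)
    # Simulate a client that dropped the cookie but submitted the form.
    print(handle_request(store, {}, form_body=f"{SESSION_FIELD}={sid}")[1])
```

The hidden-field carrier only survives across form submissions, so every navigation that must keep the session has to be a form post; plain links lose it, which is the trade-off the post above accepts for its shopping carts.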
You have to have a page (linked to from the front page) to describe what cookies are, how to disable them and how they are used on your page. Having it as the front page is NOT necessary, nor is having it all as text on the front page. The information should be able to be accessed during the web site visit, in a nutshell. You do NOT need to have a no-cookie version since the user can empty her cookies or simply block cookies from your domain. However, a link to the explanatory page from your login is preferred.
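The distinction the thread keeps coming back to (cookies needed for the service the user asked for are fine; anything else waits for informed consent, recorded somewhere the site can check on later visits) can be written down as a small policy function. The following is an added example in Python, not code from the thread, from PTS, or from any product named above; the cookie categories, the consent-cookie name cookie_consent, the 180-day consent lifetime and the sample cookie names are assumptions for the example. It decides which Set-Cookie headers a response may carry, holds back non-necessary cookies until an "accept" is on record, and tells the page whether it still needs to point the user at the explanatory page.

```python
from http.cookies import SimpleCookie

# Cookie categories, following the law's distinction as summarised in the
# thread: "necessary" supports the service the user asked for and may be set
# without consent; "tracking" (ads, profiling) waits for an explicit opt-in.
NECESSARY = "necessary"
TRACKING = "tracking"

CONSENT_COOKIE = "cookie_consent"          # assumed name for the user's choice
CONSENT_MAX_AGE = 180 * 24 * 3600          # assumed lifetime of that record


def recorded_consent(request_cookies, consent_choice=None):
    """The user's standing choice: an answer given on this request wins over
    the one stored in the consent cookie; None means never asked."""
    if consent_choice in ("accept", "reject"):
        return consent_choice
    return request_cookies.get(CONSENT_COOKIE)


def needs_consent_notice(request_cookies, wanted):
    """True if the page wants a non-necessary cookie and no choice is on
    record, i.e. the user must still be pointed at the information page."""
    if recorded_consent(request_cookies) is not None:
        return False
    return any(category != NECESSARY for _, _, category, _ in wanted)


def build_response_cookies(request_cookies, wanted, consent_choice=None):
    """Decide which Set-Cookie headers a response may carry.

    request_cookies: dict of cookies the client sent with this request.
    wanted: list of (name, value, category, max_age) the application wants
            to set; max_age None means a session cookie.
    consent_choice: "accept"/"reject" if the user just answered the consent
            page on this request, else None.
    Returns (headers, deferred): Set-Cookie strings, and the names held back.
    """
    consent = recorded_consent(request_cookies, consent_choice)
    out = SimpleCookie()
    deferred = []
    if consent_choice in ("accept", "reject"):
        # Remembering the answer is itself needed to honour it, so this
        # cookie is set regardless of the answer.
        out[CONSENT_COOKIE] = consent_choice
        out[CONSENT_COOKIE]["max-age"] = CONSENT_MAX_AGE
        out[CONSENT_COOKIE]["path"] = "/"
    for name, value, category, max_age in wanted:
        if category != NECESSARY and consent != "accept":
            deferred.append(name)     # no consent on record: do not set it
            continue
        out[name] = value
        out[name]["path"] = "/"
        if max_age is not None:
            out[name]["max-age"] = max_age
    headers = [morsel.OutputString() for morsel in out.values()]
    return headers, deferred


if __name__ == "__main__":
    # Constructed sample: a session cookie the site needs, and an ad-tracking
    # cookie that must wait for consent.
    wanted = [("PHPSESSID", "abc123", NECESSARY, None),
              ("adtrack", "u-77", TRACKING, 365 * 24 * 3600)]
    print(needs_consent_notice({}, wanted))
    print(build_response_cookies({}, wanted))
    print(build_response_cookies({}, wanted, consent_choice="accept"))
```

Called on a first visit the function emits only the session cookie and reports adtrack as deferred; once the consent cookie says "accept" the tracking cookie is emitted too, and a "reject" on record keeps it deferred on every later visit without asking again.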