Sweden Crunches Cookies
dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: no cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is OK. The law comes into force today."
IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.
It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
Post och Telestyrelsen (the authority enforcing the law) has an English version of the "info text" needed for using cookies.
A session ID can be used to track a user within a single session only. Cookies can be used to track users over multiple sessions. From multiple sessions one can build a profile. I think that's the difference.
Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG), not that it makes it any better, though, since all of the EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).
"GNU's not Unix....it's Linux" / Kami "kokamomi" Petersen
Do you use IE like most people do? You can only block all cookies (and lose the use of your netbank, for instance) or allow all cookies.
:-p That said, everyone should use Moz Firebird.
Uh, false?
You can accept, deny, or have IE prompt you for cookies. You can also differentiate between third-party cookies and cookies from the originating site.
Not only that, but you can override the cookie handling for individual sites - just put your netbank on "Always Allow" and you're set.
People who haven't used IE for years shouldn't go talking about its features or lack thereof.
The law doesn't apply to cookies used to supply the user with a service she asked for.
That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.
However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
..if people actually read and understood the text before making headlines out of it..
First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.
Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.
I don't see any problem with this law, but I do see a lot of good things coming from it. Less spying from evil banner-ad companies, for one.
My 2 cents worth..
I beg to disagree: a few posts below also reiterate your point.
In PHP, URL-rewrite slows things down and bloats your script. It also makes your URLs look ugly: sometimes you may want them to stick in the user's mind.
While for a forum this may be OK, for a fairly big user-centric website it is simply ridiculous to have to do away with cookies. They are a convenient way to deal with things "behind the curtain"; they also have the added security of not being immediately visible to the user (he has to want to see them, by looking at his filesystem or otherwise).
Privacy-wise, all decent modern browsers have some form of modern cookie filtering; the user can choose to block, etc.
The only solution I see is, as suggested below, have a front page which tells the user and gives him the choice to leave.
All in all, I find this law a little silly, although of course I understand the privacy concern.
yours ever, fz.
Cookies keep client-specific data outside URLs and in a well-specified, predictable and easy-to-manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.
Compare this with storing the same data in the URL: instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc. Now you have no automated method to accept or reject the "cookie", nor much control over having it leak into access logs all over the place by way of Referer headers.
Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
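The leak the post describes is easy to spot from the receiving side. This is an added example, not code from the post or from any project mentioned here: a small Python scanner over constructed Apache combined-format log lines that flags requests whose Referer header carries another site's session id (the parameter names checked, PHPSESSID, SID and sessionid, are assumptions for the example). A cookie-based session never shows up this way, because the cookie is not part of the URL.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameter names that commonly carry a session id when a site
# rewrites URLs instead of using a cookie (PHP's trans-sid default is
# PHPSESSID). Constructed list for this example; extend it for your apps.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid"}

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: an ad server's access log. Line 1 came from a shop
# that puts its session id in the URL; line 2 from the same shop using a
# cookie instead; line 3 has no Referer at all.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Jul/2003:12:00:01 +0200] "GET /banner.gif HTTP/1.1" 200 1234 '
    '"http://shop.example.se/cart.php?PHPSESSID=abc123def456&item=42" "Mozilla/5.0"',
    '203.0.113.8 - - [25/Jul/2003:12:00:02 +0200] "GET /banner.gif HTTP/1.1" 200 1234 '
    '"http://shop.example.se/cart.php?item=42" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Jul/2003:12:00:03 +0200] "GET /banner.gif HTTP/1.1" 200 1234 '
    '"-" "Mozilla/5.0"',
]


def session_ids_in_url(url):
    """Return {param: value} for every session-id parameter in the URL's query."""
    query = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in query.items() if k.lower() in SESSION_PARAMS}


def leaked_sessions(log_lines):
    """Flag log lines whose Referer header carries a session id from another site."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("referer") in ("-", ""):
            continue  # unparseable line or no Referer sent
        referer = m.group("referer")
        ids = session_ids_in_url(referer)
        if ids:
            findings.append({"client": m.group("host"),
                             "origin": urlsplit(referer).netloc,
                             "ids": ids})
    return findings


if __name__ == "__main__":
    for f in leaked_sessions(SAMPLE_LOG):
        print(f"{f['client']} leaked {f['ids']} from {f['origin']} via Referer")
```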
mostly not a problem:
do you want to remember my password (uses cookies) (x) yes ( )no
Hardly... Have you *ever* tried to disable cookies altogether? It is difficult to get things done. Most websites will simply refuse navigation without cookies. Microsoft's idea of a "session cookie" that disappears after you leave the site was a good idea, but their implementation does not work (it is the same as turning cookies off).
While this isn't a problem for advanced users, I do build and deploy a number of PCs for friends and family. IE is a requirement because many sites are not up to speed on Mozilla yet.
Argh...
Life is the leading cause of death in America.
I don't mind when Slashdot posters comment on things without actually checking the facts, but I get pretty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption for advertising in very shrill overtones.
The law explicitly allows using cookies for session management, identity and persistence without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most ASP and PHP sites would have no problem either.
The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.
Just ignore the hysterical rhetoric from IDG.
Trust the Computer. The Computer is your friend.
PTS (the department responsible for this law) has a website at www.pts.se, and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over people's privacy rights because it's too damn easy to do so. The Swedish law is designed to put the legal advantage on the side of the common man again.
Btw, I might add that I know one of the major lawyers responsible for this law.
Internet Explorer 6 uses the Compact Privacy policy as specified in the W3C P3P spec. It uses this to determine whether a cookie is unsatisfactory (different rules based on whether it is a third-party cookie or not). MSDN has documentation covering Internet Explorer's decision matrix (unfortunately framed).