Slashdot Mirror


Sweden Crunches Cookies

dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."

24 of 401 comments

  1. What? by Anonymous Coward · · Score: 1, Insightful

    Do these people not know you can reject cookies with your browser?

    1. Re:What? by LarsG · · Score: 2, Insightful

      > Do these people not know you can reject cookies with your browser?

      Yes, they do. But they also know that it is often hard for the user to know for which purposes the cookies are used.

      This is not an anti-cookie law. This is a law that requires the website to tell the user what the cookies are used for.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  2. Implied Consent by Gothmolly · · Score: 5, Insightful

    If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
    Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Implied Consent by jkrise · · Score: 2, Insightful

      > If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies?

      What if your browser came pre-configured?
      What if you open Hotmail, and it says you need to enable Cookies to use it?
      What if sites used Cookies for purposes other than for the intended browsing experience?

      > Wake up folks, know how to operate your browser.

      More than 60% Slashdotters use IE, use the default settings of Slashdot - /. can simply make the default threshold as -1 and ask users to change it ... why should I learn to use my browser to avoid crooks?

      --
      If you keep throwing chairs, one day you'll break windows....
    2. Re:Implied Consent by aziraphale · · Score: 3, Insightful

      > why should I learn to use my browser to avoid crooks?

      The car had a lock on it? Well, blow me down - I wondered what that little keyhole under the door handle was. Well, I never. Still, you can't expect me to learn how to lock the car just to avoid crooks, can you?

      Oh, you can?

      Oh.

    3. Re:Implied Consent by bigman2003 · · Score: 2, Insightful

      Okay- honest question...

      Why do you fear cookies?

      A few years ago, the public was against cookies. I had users calling me up all the time, because their web browser "didn't work". Frequently, the problem was that they had turned off cookies, and couldn't access a lot of sites.

      When I asked them "why did you turn cookies off?" the answer was always the same - "I don't want them to know my credit card number."

      I had to tell them again and again, cookies can only store information that you supply. And the site can only access information that it set. (With the exception of things like Doubleclick- but you can turn 3rd party cookies off) Any site you WANT to give important information to, will not be allowing 3rd party cookies with sensitive information.

      After a few months of these users having to re-enter their password each time they visited a site, they started to get tired of it, and slowly turned their cookies back on. Eventually, it got down to where only one person still had cookies turned off- I found out he was the 'ringleader' the person who started the whole trend.

      This person has always been the least productive member of the group- more concerned about everything else in the world, than getting his job done. I don't think he will ever change, because he is paranoid, but I do enjoy watching him log in to sites all the time, and always give his speech about not wanting them to get his credit card number.

      Cookies are generally very safe. For most users, they make using the web far easier, and more enjoyable. This is an area where "what they don't know, won't hurt them" that I fully support.

      --
      No reason to lie.
  3. dumb but not a big deal by truffle · · Score: 5, Insightful


    There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.

    Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.

    A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.

    As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.

    --

    ---
    I support spreading santorum
    1. Re:dumb but not a big deal by hswerdfe · · Score: 2, Insightful

      ok let's say I am using Mozilla and I get this warning that some website wants to store a cookie on my machine.

      how do I know if I should let it?
      I don't know what it's tracking or what it will be used for.

      there needs to be more information than just it's a cookie.

      --
      --meh--
  4. Legislating around IETF standards by aziraphale · · Score: 5, Insightful

    I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.

    What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.

    This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.

    Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.

    Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. Legislating to effectively override IETF standards is a dangerous direction to go in.
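
Added example (not part of the thread and not any poster's code): a minimal WSGI application showing the request/response flow described above, where the server sends a human-readable notice first and emits a `Set-Cookie` header only after an explicit opt-in. The cookie name `sid`, the `/consent` path, the notice text and the `call` helper are assumptions made for the illustration.

```python
import io
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Hypothetical notice text: says what is stored and what it is used for.
NOTICE = (b"This site would like to store one cookie, 'sid': a random session "
          b"identifier used only to keep your settings between pages. "
          b"POST consent=yes to /consent to accept; otherwise none is set.")
SESSIONS = {}  # sid -> state; in-memory store for the example only


def app(environ, start_response):
    """WSGI app whose only Set-Cookie code path is an explicit opt-in."""
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    sid = jar["sid"].value if "sid" in jar else None

    if environ["PATH_INFO"] == "/consent" and environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        headers = [("Location", "/")]
        if form.get("consent") == ["yes"]:
            sid = secrets.token_urlsafe(32)
            SESSIONS[sid] = {}
            out = SimpleCookie()
            out["sid"] = sid
            out["sid"].update({"path": "/", "httponly": True,
                               "secure": True, "samesite": "Lax"})
            headers.append(("Set-Cookie", out["sid"].OutputString()))
        start_response("303 See Other", headers)
        return [b""]

    start_response("200 OK", [("Content-Type", "text/plain")])
    if sid in SESSIONS:
        return [b"Session active."]
    # No consent on record (or an unknown sid): serve statelessly with the notice.
    return [NOTICE]


def call(method, path, cookie="", body=b""):
    """Drive the app in-process; returns (status, headers, body)."""
    seen = {}
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "HTTP_COOKIE": cookie, "CONTENT_LENGTH": str(len(body)),
               "wsgi.input": io.BytesIO(body)}

    def start_response(status, headers):
        seen["status"], seen["headers"] = status, headers

    chunks = app(environ, start_response)
    return seen["status"], seen["headers"], b"".join(chunks)
```

A client that never posts to `/consent` never receives a `Set-Cookie` header, and a cookie value the server did not issue is treated the same as no cookie.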

    1. Re:Legislating around IETF standards by aziraphale · · Score: 2, Insightful

      > Following your logic, it would be dangerous to regulate any SMTP traffic (whether opt-in, opt-out or whatever) because people can choose whether to receive messages or not.

      Slightly different; when I make an HTTP request, I'm expecting an HTTP response. No web server sends out unsolicited HTTP responses to clients on the off chance they'll pick them up and set a cookie :)

      HTTP responses are always solicited, including a Set-Cookie header in there is not a huge burden on the client. SMTP servers are servers, obviously, so take a somewhat different role.

      By having an open port 25, just like having an open port 80, you are inviting people to submit packets to you. So SMTP servers, just like web servers, should expect to receive requests. They may choose to reject those requests, or process them, in accordance with the various RFCs that exist, but they certainly can't expect to have any control over what requests they receive in the first place.

      Legislation should only be about what people do with technology, not about technology itself. Legislating that web sites must obtain permission before using cookies is different to legislating that web sites must get permission before storing permanent records of a person's name and address. Similarly, legislating that you must have someone's explicit permission before sending them an email advert is fine; legislating that you must have their explicit permission before opening a connection to port 25 of their server is not.

      I hope that clears up where I stand..

  5. Bigger security risk by mgkimsal2 · · Score: 4, Insightful

    There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.

    1. Re:Bigger security risk by Tarpan · · Score: 3, Insightful

      Only if you use a brain damaged session ID system, where the secret part is the id. A far better way is to tie the id to a specific ip.

    2. Re:Bigger security risk by maharg · · Score: 4, Insightful

      > A far better way is to tie the id to a specific ip.

      Wouldn't this present a problem where the user is behind a proxy ?

      --

      $ strings FTP.EXE | grep Copyright
      @(#) Copyright (c) 1983 The Regents of the University of California.
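
Added example (not part of the thread and not any poster's code): a small model of the exchange above, with a session ID carried in the URL and an optional check that ties it to the IP address seen at login. It runs three constructed scenarios to show what the IP check stops and where the proxy objection applies. The class, the `shop.example` URL and the addresses (documentation ranges) are assumptions made for the illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qs


class SessionStore:
    """Sessions carried as ?sid=... in the URL, optionally bound to client IP."""

    def __init__(self, bind_ip):
        self.bind_ip = bind_ip
        self._sessions = {}  # sid -> (user, IP address seen at login)

    def login(self, user, ip):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = (user, ip)
        # The URL as it appears in the address bar, ready to be copied.
        return f"https://shop.example/cart?sid={sid}"

    def whoami(self, url, ip):
        """Return the user this request would be treated as, or None."""
        sid = parse_qs(urlsplit(url).query).get("sid", [""])[0]
        record = self._sessions.get(sid)
        if record is None:
            return None
        user, login_ip = record
        if self.bind_ip and ip != login_ip:
            return None  # same sid, different source address: rejected
        return user


# Constructed addresses for the example.
HOME, FRIEND = "192.0.2.10", "198.51.100.7"
PROXY_A, PROXY_B = "203.0.113.1", "203.0.113.2"


def scenarios(bind_ip):
    """Who does the server think is calling in each constructed case?"""
    store = SessionStore(bind_ip)
    out = {}
    # 1. alice forwards her URL to a friend on another network.
    url = store.login("alice", HOME)
    out["forwarded_url_other_ip"] = store.whoami(url, FRIEND)
    # 2. bob forwards his URL to a colleague behind the same proxy.
    url = store.login("bob", PROXY_A)
    out["forwarded_url_same_proxy"] = store.whoami(url, PROXY_A)
    # 3. carol's own next request leaves through a second proxy in a pool.
    url = store.login("carol", PROXY_A)
    out["owner_via_second_proxy"] = store.whoami(url, PROXY_B)
    return out
```

With `bind_ip=True` only the first case changes for the better: the shared-proxy recipient is still accepted as bob, and carol is locked out of her own session.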
  6. meanwhile... by Gavin+Rogers · · Score: 4, Insightful

    Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.

    Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.

  7. Can someone translate this please by Rogerborg · · Score: 4, Insightful

    Specifically:

    • How explicit does the acceptance have to be?
    • Does it apply to all content served, or just to that served to clients that can (reasonably) be identified as being in Sweden?
    • Does it mandate a mechanism?
    • Is the mandated mechanism pure HTTP/HTML (how do I click on a popup in lynx, for example?).
    • How do they distinguish between a human browser, and a robot?
    • Do sites have to implement blocking of deep linking to redirect browsers to a cookie acceptance page? Does that screw indexing engines?

    Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.

    --
    If you were blocking sigs, you wouldn't have to read this.
  8. Re:Seems a bit harsh by Homology · · Score: 3, Insightful
    It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

    The new Swedish law does not mention cookies as such. The new law is, simply said, a response to the new technologies for collecting/storing/tracking information about private citizens, and the abuse these technologies may be used for. It attempts to give the private citizen some control of what type of information is collected, and what may be done with that information.

    In general, it appears the privacy/integrity is more respected/protected in Europe than in USA. While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime

  9. Re:What about your trusty DB? by arkanes · · Score: 2, Insightful
    That is, after all, why they were invented in the first place.

    Oh, and while storing the source IP is a partial solution, it's not 100% (think people behind a common proxy), and the whole point of the session id is that you DON'T re-enter your user/pw at every page. Cookies are the best, cleanest way to maintain state over a session. They're even better if you want to maintain state over multiple sessions (on the other hand, this can be dangerous and I'm not sure that it's useful enough to outweigh the security and privacy concerns).

  10. Translation of article by McDutchie · · Score: 2, Insightful
    Since the Fish knows no Swedish, here is a quick translation... any errors are mine. NoT = Note of Translator.

    - M.

    Here is what the law says

    SFS 2003:389, chapter 6. Integrity protection

    18. Electronic communication networks may be used to store or gain access to information stored in a subscriber's or user's terminal equipment only if the subscriber or user of the personuppgiftsansvarige (NoT: "entity responsible for handling the personal data", i.e. the website) receives information about the operation's purpose and is given the opportunity to decline such operation. This shall not hinder such storage or access as is necessary to execute or facilitate to transfer an electronic message via an electronic communications network or as is necessary to provide a service that the user or subscriber has expressly requested.

    Hard to comply with new law on electronic communication

    (07/24/2003 4:24pm)

    Today, many sites are becoming illegal, as the new law on electronic communication takes effect. It says that sites must communicate what the cookies' contents is used for. The users must also be given the option to refuse.

    Starting today, Swedish websites may not utilise so-called cookies without explaining the purpose of the treatment of the data that's in them. In addition, users must be given the chance to stop the use of cookies.

    This is one of the consequences of the new law on electronic communication, SDS 200:389, which is taking effect.

    It is apparently not sufficient to set the web browser to automatically accept cookies. The website one visits must explain what the information will be used for and also give the user the option to refuse the use of cookies.

    Hard for sites

    This gives Swedish websites two options.

    "One alternative is to stop using cookies, making the website's functionality suffer", says Jonas Eriksson at Webkonsulterna in Östersund.

    The other option is one Jonas Eriksson doesn't even want to think about.

    It means that the majority of Swedish sites that use scripting languages with session variables such as asp and php become illegal insofar as they don't rebuild the websites so that the users can approve of cookie use before they enter the site.

    But it doesn't stop there.

    "It isn't enough that people get a load of banner and popup ads every day. Now even all ad networks must first start a Javascript to ask people if they want to set a cookie before viewing the ad", he says.

    PTS complies with the law

    The (supervision authority? watchdog?) for the electronic communications law is Post- och Telestyrelsen, PTS, and on their website it says the following:

    "Cookies are therefore used for purely technical reason and they are used today by most websites. According to the new electronic communications law, which takes effect starting July 25, 2003, all who visit websites shall be informed about cookie use and be given the option to refuse such use."

    Fine threat

    According to Charlotte Ingvar-Nilsson, biträdande rättschef (NoT: some high-up function that I don't know how to translate) at PTS, PTS will monitor how the market will act on the new law.

    "If websites don't comply with the law, we have to start with educating about the changes", she says.

    And if that doesn't work?

    "If we suspect someone of not complying with the law, that website will get at least a month to fix that. After that we have the option to issue an order which could be accompanied with a fine", says Charlotte Ingvar-Nilsson.

    PTS also has the option to decide that people who neglect a debt entirely or partially shall cease operations if the infraction is not insignificant.

    "It remains to be seen whether it can become applicable in this case", says Charlotte Ingvar-Nilsson.

  11. This Is Idiocy by KrispyKringle · · Score: 3, Insightful
    I'm all in favor of privacy, but this is pure lunacy. It is entirely up to the end-user to accept cookies. The only reasons end users may feel they do not have a choice are that their browsers are configured by default to accept them and a few (not many) pages require cookies to work.

    So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.

  12. Re:Seems a bit harsh by ReelOddeeo · · Score: 3, Insightful

    > While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime

    That is because we have not had our Police State experience yet. After the Untied Police States of America comes into being, and then eventually is overthrown, we will value things like anonymity. If we never have this experience, then we might instead just continue to have a gradual erosion of many rights. Of course, I suppose that eventually this would have to lead to the United Police States. The pendulum will probably have to swing fully one direction and then back.

    --

    Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
  13. Dumb by nnnneedles · · Score: 2, Insightful

    I'm from Sweden and I must say that this sucks.

    It's just one more of those stupid Swedish rules that hinders the marketplace. Like back in the day, you couldn't get a .se domain name, you had to get a www.site.region.city.se.

    Why can't they just leave the internet alone!

    Stupid lawmakers.

    --
    Will code a sig generator for food
  14. Re:mostly not a problem: by SmallFurryCreature · · Score: 3, Insightful
    The reason is that if a problem is left unsolved for too long, the more extreme the remedy must become. It has been tried time and time again to get websites to obey the same privacy rules as the normal world. (remember this story is in Sweden, not America)

    Cookies are often overused anyway. Check your own cookie cache and check the number that are used to track you vs the number for your convenience. (like slashdot remembering your login). For me at least the first category by far outweighs the latter.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  15. Why not move away? by Sagev · · Score: 2, Insightful

    The internet is, by its very nature, not a location-specific sort of thing. Why wouldn't every ISP in Sweden simply pack up and move to Norway? They keep their traffic, keep their design, keep their cookies, and all they have to do is live in lovely Norway.

  16. Re:Seems a bit harsh by Anonymous Coward · · Score: 2, Insightful


    This basically means you can't use ASP sessions AT ALL. You could have a session-disabled ASP page at the start of your site to present a "do you want to use cookies?" option - but then you've got to code your site without sessions at all.


    Right!

    Take a deep breath and repeat after me: "Gratuitous session state is a bad thing."

    Oh, I'm not saying a login session (for sites where logging in is appropriate) with a few variables is bad, but session state for sites where folks are essentially "browsing through" is evil. Yes, I understand that it is harder to do it right, but the resulting improvement in performance and scalability you get w/o session state is well worth the effort.

    If you can do your site w/o session state, you absolutely should do your site w/o session state.