Sweden Crunches Cookies

dillkvast writes "According to this article (swedish) at ComputerSweden swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves swedish website with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."

Implied Consent

[Gothmolly]

If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?

Re:Implied Consent

[aziraphale]

> why should I learn to use my browser to avoid crooks?

The car had a lock on it? Well, blow me down - I wondered what that little keyhole under the door handle was. Well, I never. Still, you can't expect me to learn how to lock the car just to avoid crooks, can you?

Oh, you can?

Oh.

dumb but not a big deal

[truffle]

There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.

Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.

A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.

As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.

Legislating around IETF standards

[aziraphale]

I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.

What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.

This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.

Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.

Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. legislating to effectively override IETF standards is a dangerous direction to go in.

Bigger security risk

[mgkimsal2]

There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.

Re:Bigger security risk

[Tarpan]

Only if you use a brain damaged session ID system, where the secret part is the id. A far better way is to tie the id to a specific ip.

Re:Bigger security risk

[maharg]

A far better way is to tie the id to a specific ip.

Wouldn't this present a problem where the user is behind a proxy ?

meanwhile...

[Gavin+Rogers]

Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.

Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.

Can someone translate this please

[Rogerborg]

Specifically:

• How explicit does the acceptance have to be?
• Does it apply to all content served, or just to that served to clients that can (reasonably) be identified as being in Sweden?
• Does it mandate a mechanism?
• Is the mandated mechanism pure HTTP/HTML (how do I click on a popup in lynx, for example?).
• How do they distinguish between a human browser, and a robot?
• Do sites have to implement blocking of deep linking to redirect browsers to a cookie acceptance page? Does that screw indexing engines?

Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.

Re:Seems a bit harsh

[Homology]

It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

The new Swedish law does not mention cookies as such. The new law is, simply said, a response to the new technologies for collecting/storing/tracking information about private citizens, and the abuse these technologies may be used for. It attempts to give the private citizen some control of what type of information is collected, and what may be done with that information.

In general, it appears the privacy/integrity is more respected/protected in Europe than in USA. While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime

This Is Idiocy

[KrispyKringle]

I'm all in favor of privacy, but this is pure lunacy. It is entirely up to the end-user to accept cookies. The only reasons end users may feel they do not have a choice are that their browsers are configured by default to accept them and a few (not many) pages require cookies to work.

So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.

Re:Seems a bit harsh

[ReelOddeeo]

While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime

That is because we have not had our Police State experience yet. After the Untied Police States of America comes into being, and then eventually is overthrown, we will value things like anonymity. If we never have this experience, then we might instead just continue to have a gradual erosion of many rights. Of course, I suppose that eventually this would have to lead to the Unites Police States. The pendulum will probably have to swing fully one direction and then back.

Re:mostly not a problem:

[SmallFurryCreature]

The reason is that if a problem is left unsolved for to long, the extremer the rememedy must become. It has been tried time and time again to get websites to obey the same privacy rules as the normal world. (remember this story is in sweden, not america)

Cookies are often over used anyway. Check youre own cookie cache and check the number that are used to track you vs the number for youre convenience. (like slashdot remembering youre login). For me at least the first category by far outweighs the latter.