Slashdot Mirror
Sweden Crunches Cookies
dillkvast writes "According to this article (swedish) at ComputerSweden swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves swedish website with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."
Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.
Actually, scratch that, most websites will just ignore the law and get on with life.
IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.
It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
results in 62 cookies being blocked by my browser. Seems these guys have a lot of work to do to comply with the new law :)
How is this any different than session IDs stored in URLs - i.e. URL re-writing. Sure, the person can see the info in the URL, but do they understand it any more than they would the contents of a cookie?
-josh
If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?
I want to delete my account but Slashdot doesn't allow it.
There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.
Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.
A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.
As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.
---
I support spreading santorum
A special web page where the user can choose whether or not to recieve cookies. What a good idea! All a web site needs to do is save the 'don't give me cookies' preference in a cookie and... wait.... Um.....
Eat at Joe's.
Post och Telestyrelsen (the authority enforcing the law) has an english version of the "info text" needed for using cookies
I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.
What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.
This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.
Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.
Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. legislating to effectively override IETF standards is a dangerous direction to go in.
A compromise solution would have been to disallow cookies that live longer that the user's session. Session cookies are very useful for JSP, PHP, etc. Long-lived (persistent) cookies are the real concern of the privacy folk. I'm surprised that no one presented this.
There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.
creation science book
Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG) not that it makes it any better though since all of EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).
"GNU's not Unix....it's Linux" / Kami "kokamomi" Petersen
Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.
Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.
Do you use IE like most people do? You can only block all cookies (and lose the use of your netbank, for instance) or allow all cookies.
:-p That said, everyone should use Moz Firebird.
Uh, false?
You can accept, deny, or have IE prompt you for cookies. You can also diferentiate between third-party cookies and cookies from the originating site.
Not only that, but you can override the cookie handling for individual sites - just put your netbank on "Always Allow" and you're set.
People who haven't used IE for years shouldn't go talking about it's features or lack thereof.
The law doesn't apply to cookies used to supply the user with a service she asked for.
That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.
However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
Specifically:
Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.
If you were blocking sigs, you wouldn't have to read this.
..if people actually read and understood the text before making headlines out of it..
First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.
Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.
I don't see any problem with this law, but I do see alot of good things coming from it. Less spying from evil banner-ad companies for one.
My 2 cents worth..
Cookies keep client-specific data outside URL's and in a well specified, preditable and easy to manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.
Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.
Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
I don't mind when slashdot posters comment on things without actually checking the facts, but I get prtetty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption to advertising in very shrill overtones.
The law explicitly allows using cookies for session management, identity and presistance without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.
The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.
Just ignore the hysterical rhethoric from IDG.
Trust the Computer. The Computer is your friend.
PTS (the department responsible for this law) has a website at www.pts.se and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over peoples privacy rights because it's too damn easy to do so. The swedish law is designed to put the legal advantage at the side of the common man again.
Btw, I might add that I know one of the major lawyers responsible for this law.