Slashdot Mirror


New EU Net Rules Set To Make Cookies Crumble

NickstaDB writes "From the BBC article: 'From 25 May, European laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies." These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"

  1. They will just bury it by Anonymous Coward · · Score: 4, Insightful

    They will just bury such "consent" in the EULA, privacy policy, terms and conditions, legal notices, and other such crud that no one reads.

    1. Re:They will just bury it by Anonymous Coward · · Score: 5, Insightful

      Data protection legislation in the EU requires that explicit consent is given. That means clear, unambiguous, and upfront consent. You can't hide it in a blizzard of tick boxes or EULAs. Defaulting options to give consent won't work either.

      Big business might try to rely on a "permissive environment" of weak national regulators but the EU commission takes these things seriously. After stunts like data loss and Phorm they're wise to the tricks. Any wiseguy is just going to get their ass handed to them.

    2. Re:They will just bury it by Dunbal · · Score: 1

      Explicit. That means exactly that you can NOT bury it anywhere, it has to be right there with a Yes/No BEFORE the cookie is installed.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:They will just bury it by Niedi · · Score: 1

      They will just bury such "consent" in the EULA, privacy policy, terms and conditions, legal notices, and other such crud that no one reads.

      Actually that's not even that important, because right now pretty much no member state cares for the fact that it should put this into local legislature.

      Britain is the first state to actually implement the directive, all others are lagging hopelessly behind and still want further discussion with the EU about the details. With the ad-lobbyists' heads firmly stuck to their backsides they will probably delay it until IP6 comes along or some other loophole (flashcookies...) is left in the directive/laws...

    4. Re:They will just bury it by cyclomedia · · Score: 1

      Surely the "remember me" tickbox next to a login form just needs to be changed to "remember me with a cookie" and most sensible uses for cookies are covered (considering that the regulation has an exception for shopping cart contents).

      --
      If you don't risk failure you don't risk success.
    5. Re:They will just bury it by andrea.sartori · · Score: 3, Insightful

      Yeah, sure, because a Yes/No guarantees the user has a) read the message, b) understood what this cookie stuff was, c) consciously clicked the "right" button.
      Real world situation: "It asked me something." "What did ask what?" "Dunno, I just clicked OK."
      Come on. 80% of the malware in the world is installed exactly after "gathering explicit consent from Web users".

      --
      Mostly harmless.
    6. Re:They will just bury it by paziek · · Score: 1

      Not really, since Wikipedia (assuming it's correct) claims that websites need to give clear information about why information is stored as well as an option to opt-out. It doesn't say they need consent before they can use that information. But then again, this could be incorrect and someone should really read that directive already.
      http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications#Cookies

    7. Re:They will just bury it by Joce640k · · Score: 1

      Will the single checkbox apply to all twelve tracking sites which are attached to the page?

      --
      No sig today...
    8. Re:They will just bury it by Tim+C · · Score: 1

      "Session cookie" has a specific meaning - the cookie is transient and lasts until the end of the browser session, that is, until the window is closed. (Technically until the executable terminates)

      TFS specifically mentions "text files"; session cookies are not written to disk and so are not text files.

    9. Re:They will just bury it by Dunbal · · Score: 1

      IANAL but no, the Yes/No does NOT guarantee the reading of the message. However what it DOES do is make you look like a fool in court if you ever dispute the issue. Judge: did you read the warning? Plaintiff: No Judge: But you clicked "Yes you had read the warning" Plaintiff: Yes Judge: So you are in the habit of clicking Yes to everything without reading what you are agreeing to? OK, click yes here: case dismissed.

      --
      Seven puppies were harmed during the making of this post.
    10. Re:They will just bury it by andrea.sartori · · Score: 1

      Oh, I see the point now. Sorry. And I thought I was being cruel to "the web users"... ;)

      --
      Mostly harmless.
    11. Re:They will just bury it by PIBM · · Score: 1

      Text files ? What if I encrypt the content, it's no longer text, it's binary ..

    12. Re:They will just bury it by kikito · · Score: 1

      Others are saying that the law makes this "unburyable". I'd argue that, from a lawyer's point of view (by the way: IANAL), something put on the EULA or terms and conditions is not "buried". It's explicit. As in, written there. Even if you normally don't read it, those guys do. And those guys are the ones that send cease-and-desist letters; they are the only ones that matter.

      So, in my humble opinion, the OP is right; putting it on the EULA or whatever will be good enough.

    13. Re:They will just bury it by acohen1 · · Score: 1

      Have you seen the average non /. reading web user? This is exactly what they do, they click "ok" and "yes" to anything that pops up without reading it automatically. I do a specific kind of tech support for a device that runs on Windows, and with some users it's impossible to find out what an error message says because they've clicked "ok" so quickly practically as a reflex, it doesn't occur to them that the contents of the dialog box might be helpful.

    14. Re:They will just bury it by Raenex · · Score: 1

      Have you seen the average non /. reading web user? This is exactly what they do, they click "ok" and "yes" to anything that pops up without reading it automatically.

      How many Slashdotters actually read the EULAs? Sometimes I do, or try to scan it, but usually life is too short for that kind of crap.

    15. Re:They will just bury it by acohen1 · · Score: 1

      Indeed, I just meant in the context of the article, pretty much everyone will automatically consent to any sort of tracking because they've been trained to hit yes to everything, even when it's not a 25000 word EULA, which pretty much no one has the patience to read.

    16. Re:They will just bury it by praxis · · Score: 1

      Cookies are text, you can encrypt to your heart's content, but then you need to make sure it's encoded into text or it won't come across in the header correctly. The browser then stores that value as a text file. So no, cookies are not binary, unless you mean in the sense that everything is binary.

  2. Re:Thanks EU by plover · · Score: 3, Insightful

    Great - what the internet needs is more regulation.

    Thanks EU.

    I think that's exactly what America needs: more EU regulation. We'll just host their sites over here, because we don't have to comply with their stupid laws.

    --
    John
  3. Re:Thanks EU by mrcaseyj · · Score: 5, Interesting

    IPv6 will give almost everybody practically static addresses, the ultimate undeleteable cookie. So the EU regulation will be futile very soon.

  4. Allowing cookies = consent? by Max+Romantschuk · · Score: 2

    Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent. Time will tell how this all plays out, but it's safe to say that people get bored of clicking "allow" really quickly.

    Do browsers even ask if you want to allow cookies these days? I guess not? 10 years ago you did have to explicitly allow them (either globally or on a per-site basis) but I guess they are allowed by default these days? Can't remember seeing a cookie prompt in a long time.

    --
    .: Max Romantschuk :: http://max.romantschuk.fi/
    1. Re:Allowing cookies = consent? by wvmarle · · Score: 1

      Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

      That sounds to me like implicit consent, while the EU requires explicit consent. Though I suppose asking permission once per site is enough - not every single visit. And after receiving such explicit permission the site may store a cookie on your computer indicating that they have that permission already.

    2. Re:Allowing cookies = consent? by Cimexus · · Score: 2

      I go with a whitelist approach. My browser is set to deny all cookies except those specifically allowed.

      The way I identified which ones to allow is by turning cookies on to 'accept all except third party', using the web as normal for a few days, then observing which cookies had been written. After filtering out the obvious ones that I didn't need, I added the rest to the whitelist. These are all from sites that I have to log into obviously, so I have [*.]slashdot.org, mail.google.com, etc.

      Only downside is if I register for a new forum or something I have to remember to add it to the whitelist, but that's OK. Means I can browse the web knowing I'm not accepting cookies except for those I explicitly need to remain logged into stuff.

    3. Re:Allowing cookies = consent? by aaronszy · · Score: 1

      it's safe to say that people get bored of clicking "allow" really quickly.

      If the opt-in notices get annoying, browsers could detect the requests and opt you in automatically. Problem solved.

    4. Re:Allowing cookies = consent? by VortexCortex · · Score: 2, Insightful

      Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

      That sounds to me like implicit consent, while the EU requires explicit consent. Though I suppose asking permission once per site is enough - not every single visit. And after receiving such explicit permission the site may store a cookie on your computer indicating that they have that permission already.

      Well, earlier today, I pasted this in my address bar:

      javascript:void(document.cookie = "reminder=Don't forget:\n\tCover page for TPS report.");

      Just now I pasted this in my address bar:

      javascript: alert( document.cookie );

      (Not a moment too soon -- I almost sent that report with the old cover sheet.)

      That message was sent to every website I visited today. I know damn well they don't have my explicit permission to read the cookie headers that my browser sends them -- Especially not when they contain such important trade secrets. I'll report all the sites in my history post haste! In fact, YOU don't have explicit consent to be reading my notes either! I never gave you explicit consent, so I'm afraid I'll have to report you as well.

      Hmm, I'm not sure, but I think that since I'm self employed part-time I might be in violation too! I didn't update the Cookie Consent Clause of my Explicit Permissions Form to specify that my company has the explicit permission to track my thoughts throughout the day using text files & "magic-cookies".

      I sure hope I don't get fined, I can never go back to the yellow sticky squares... not after that time they didn't get my explicit permission to record the doodles I made of my manager, and nearly got me fired by way of an unauthorized 3rd party doodle disclosure!

      (When I complained Post-It admitted that paper and pens normally only have implied consent to record and redisplay information to anyone within reading / writing distance, and explicit consent is required in the EU. However the EULA on the shrink wrap that I threw away said that by opening the package I forfeit my right to consider marks made with my hands as information...)

    5. Re:Allowing cookies = consent? by Tim+C · · Score: 1

      Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

      And they would be wrong, as all major browsers that I've used default to allowing cookies without prompting. Even if that were not the case, this regulation requires explicit consent, while that browser setting is almost certainly implicit consent.

    6. Re:Allowing cookies = consent? by AmiMoJo · · Score: 2

      I prefer to have cookies on but cleared when the browser is closed, with a whitelist of ones I want to keep. That way all sites work normally but their tracking cookies get deleted every time I close the browser, and I can stay logged in to sites I whitelist. It is a nice trade-off between privacy protection and ease of use, and as an added bonus it probably screws up a lot of tracking systems because they see me as a "new victim" every day.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
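
The two whitelist schemes described in the comments above (deny everything not listed, versus accept everything but keep only listed sites when the browser closes), written out as an added example that is not part of the original thread. The `[*.]` pattern syntax comes from the comment; the function names, the mode names and the sample cookie list are assumptions made for illustration.

```javascript
// Added example: the two cookie whitelist schemes from the comments above.
// Function names, mode names and the sample hosts are constructed.

// "[*.]example.org" covers example.org and every subdomain; a pattern
// without that prefix matches the exact host only.
function hostMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, ''); // drop a trailing dot
  const p = pattern.toLowerCase();
  if (p.startsWith('[*.]')) {
    const base = p.slice(4);
    // Compare on a label boundary: "notslashdot.org" must not match
    // "[*.]slashdot.org", which a plain suffix test would allow.
    return h === base || h.endsWith('.' + base);
  }
  return h === p;
}

function isWhitelisted(host, whitelist) {
  return whitelist.some((pattern) => hostMatches(host, pattern));
}

// mode 'deny-unlisted':  reject every cookie whose host is not listed.
// mode 'clear-on-close': accept every cookie, persist only listed hosts.
function decide(host, whitelist, mode) {
  if (isWhitelisted(host, whitelist)) return 'keep';
  return mode === 'deny-unlisted' ? 'reject' : 'session';
}

// Apply the policy to a list of incoming cookies, then simulate closing
// the browser. Returns the hosts holding a cookie at each point in time.
function browse(incoming, whitelist, mode) {
  const jar = [];
  for (const cookie of incoming) {
    const verdict = decide(cookie.host, whitelist, mode);
    if (verdict !== 'reject') jar.push({ ...cookie, verdict });
  }
  return {
    duringSession: jar.map((c) => c.host),
    afterClose: jar.filter((c) => c.verdict === 'keep').map((c) => c.host),
  };
}

const WHITELIST = ['[*.]slashdot.org', 'mail.google.com'];

// Constructed sample: cookies offered during one browsing session.
const INCOMING = [
  { host: 'slashdot.org', name: 'user' },
  { host: 'yro.slashdot.org', name: 'prefs' },
  { host: 'mail.google.com', name: 'sid' },
  { host: 'accounts.google.com', name: 'sid' },
  { host: 'tracker.example', name: 'uid' },
  { host: 'notslashdot.org', name: 'uid' },
];

const strict = browse(INCOMING, WHITELIST, 'deny-unlisted');
const relaxed = browse(INCOMING, WHITELIST, 'clear-on-close');
console.log('deny-unlisted :', strict);
console.log('clear-on-close:', relaxed);
```

Under `clear-on-close` the unlisted hosts can still set and read their cookies for the length of one session; only the link between sessions is broken.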
  5. Tracking =/= cookie use by mclearn · · Score: 5, Informative

    Cookies have legitimate uses that have nothing to do with "tracking". Perhaps the issue comes with trying to interpret the specific language used rather than knee-jerk "everyone must opt-in". If your cookies are not used to track -- if you do not use, for example, Google analytics -- then you are not in violation. The article basically states this.

    1. Re:Tracking =/= cookie use by hedwards · · Score: 1

      The problem is that a lot of sites include cookies for third parties without permission or any explanation. I regularly get requests for facebook to set a cookie for me. I'm not sure why most of those sites would do such a thing.

      But in general I've found very little help on sites explaining to me why various javascript or cookies are requesting to be loaded by my browser. And really it makes it tough for me to figure out what ones are really necessary and which ones might not be.

    2. Re:Tracking =/= cookie use by Anonymous Coward · · Score: 1

      The articles state that only shopping baskets are explicitly exempt, and that login, session management or anything else is not.
      It says in fact that you are allowed to store the actual content of a shopping basket (really stupid if one does this), I don't think you are even allowed to store a shopping basket id in a cookie which points to a server side basket.

      What the european directive actually says I've not yet checked.

    3. Re:Tracking =/= cookie use by scdeimos · · Score: 1

      The articles state that only shopping baskets are explicitly exempt, and that login, session management or anything else is not.

      I don't believe it says that at all. From what I can see the article says:

      Specifically excluded by the directive are cookies that log what people have put in online shopping baskets.

      And it implies that all other types of cookies require explicit user consent (or at least have their contents and usage explained).

      Given that cookies should be short and sweet, and used for things like storing Session IDs, it sounds rather odd that the directive encourages storing shopping basket data in them.

      It's unfortunate that Flash Cookies and HTML5 Data Stores aren't mentioned - they are already replacing cookies in some contexts.

    4. Re:Tracking =/= cookie use by Terrasque · · Score: 1

      The Norwegian wording of it does not make any exceptions. Translated back to English, it's:

      Storage of information in the user's communication equipment or gaining access to such information data is not allowed.

      Such storage or access can still happen if the user has been informed by the data controller under the Norwegian Data Protection Act and has given his consent.

      There has been some screaming about it in the technical press, but the rest of the country doesn't understand what the fuss is about (as usual)

      --
      It's The Golden Rule: "He who has the gold makes the rules."
    5. Re:Tracking =/= cookie use by del_diablo · · Score: 1

      Not again :(

    6. Re:Tracking =/= cookie use by binkzz · · Score: 1

      I regularly get requests for facebook to set a cookie for me. I'm not sure why most of those sites would do such a thing.

      Because no other site has as many people logged into it at any one time other than facebook. So every time a site asks to set a facebook cookie, it plays all its info back to facebook which then manages to connect all the individual sites' info together, creating a fuller picture of you and your habits. Which in turn is worth a lot to advertisers.

      If your wife looks at pregnancy tests, thanks to facebook you'll get junk mail at home with offers for baby food, nappies and who knows what else before she even has a chance to tell you.

      --
      'For we walk by faith, not by sight.' II Corinthians 5:7
    7. Re:Tracking =/= cookie use by tolan-b · · Score: 1

      The article may not say so but the law says that cookies which are required to perform a specific service which the user has requested (such as tracking a shopping basket) are exempt. This would include session cookies for sites where the user's behaviour isn't tracked by the session. Admittedly defining what is and isn't tracking in this case is a bit of a grey area.

    8. Re:Tracking =/= cookie use by VJ42 · · Score: 1

      The Norwegian wording of it does not make any exceptions.

      Norway's not even a member of the EU. I know that they have to implement a lot of EU legislation to stay in the EEA, but surely they have more space for interpretation of EU directives than EU member states.

      --
      If I have nothing to hide, you have no reason to search me
    9. Re:Tracking =/= cookie use by LordLimecat · · Score: 1

      Those are rather easily blocked in every popular browser's default setup. In Chrome for example, all 3rd party cookies are blocked. Took all of...2 minutes to find that option and set it.

      This isn't a problem, it's that people don't care, and the ones who claim to care don't care enough to educate themselves about the web they are using.

  6. Re:Nothing new here, move along.. by wvmarle · · Score: 1

    TFA mentions "explicit consent" is needed. Burying stuff in some legal notices will be considered implicit consent at best. So at least from the face of it every site will have to ask for it. TFA specifically mentions more use of pop-up windows... interesting... are there still people without pop-up blockers then?

  7. Wrong Solution by amirulbahr · · Score: 2

    The web browser, whichever one it is, that the user has decided to use should make the decision about whether or not to ask the user's permission to set a cookie. Websites are not doing anything malicious by setting cookies, they are simply asking the client browser to keep a bit of information and return it on subsequent visits. The web browser can ignore the request, ask the user for permission first, or silently accept it.

    Many browsers can be configured to operate in any of those three modes. Effort would be better spent educating users... or better yet... just let it go already it isn't a big deal.

    1. Re:Wrong Solution by Anonymous Coward · · Score: 2, Informative

      Some cookies are used to remember login details, others are used to track your behaviour. You can't tell your browser to allow one type and block the other because your browser can't tell which one is which. That's what this law is about.

    2. Re:Wrong Solution by wvmarle · · Score: 1

      The old Mozilla suite made it very easy to set cookies acceptance to "visited site only". No third-party cookies. So if I visit say slashdot.org I only accept cookies from slashdot.org and not from say adnetwork.com who happens to put an ad on that page. I like that option. Cookies have their use, keeping you logged in for example - often needed even within a single session - or storing certain personal preferences, yet ad networks have no business in tracking me.

      Later Firefox only had an all-or-nothing option when it came to cookies: accept all, or block all (with option for exceptions).

      Firefox may still have it but it's buried; now in FF 3.6.15 I can not even find a cookies setting in the preferences at all! The only way I can find to get to the cookies configuration is via about:config. I may miss something but it certainly is not very obvious.

    3. Re:Wrong Solution by Nursie · · Score: 3, Informative

      Find a FF extension called "Cookie Monster" and then revel in the granular control you have once again :)

    4. Re:Wrong Solution by Entrpy · · Score: 1

      Firefox may still have it but it's buried; now in FF 3.6.15 I can not even find a cookies setting in the preferences at all! The only way I can find to get to the cookies configuration is via about:config. I may miss something but it certainly is not very obvious.

      Do you mean if you visit the preferences pane, then go to privacy, custom settings and untick the box labeled "accept cookies from third party sites," this is not the behavior you're looking for?

    5. Re:Wrong Solution by wvmarle · · Score: 1

      The option you mention is not there in my Firefox installation (this may be an Ubuntu "fix"?). Only stuff about history and location bar, and an option to manually delete individual cookies.

    6. Re:Wrong Solution by js_sebastian · · Score: 1

      Later Firefox only had an all-or-nothing option when it came to cookies: accept all, or block all (with option for exceptions).

      Firefox may still have it but it's buried; now in FF 3.6.15 I can not even find a cookies setting in the preferences at all! The only way I can find to get to the cookies configuration is via about:config. I may miss something but it certainly is not very obvious.

      Not true. Firefox 3.6.15 speaking here: Edit/Preferences/Privacy: Unset the checkbox on "accept third party cookies", and set "Keep Until" to "I close Firefox". No harder than it was before. Also it is not a setting I frequently change so from the UI point of view I do not want a button or two-click access to it.

    7. Re:Wrong Solution by binkzz · · Score: 1

      One major difference is that the website does not know why a cookie is set. This directive forces sites to explain to you why they need a cookie.

      --
      'For we walk by faith, not by sight.' II Corinthians 5:7
    8. Re:Wrong Solution by 0123456 · · Score: 1

      For some bizarre reason they've hidden it: you need to select 'use custom settings for history' to be able to configure cookie use.

    9. Re:Wrong Solution by LordLimecat · · Score: 1

      That's why the user can read the public privacy policy and decide whether to allow the cookie or not.

      I cannot imagine how this law could be sanely implemented.

    10. Re:Wrong Solution by littlewink · · Score: 1

      "Some cookies are used to remember login details"

      Yes, but they are not necessary to do that. There are other ways of tracking state. But programmers are lazy and usually use the easiest way out (cookies).

      I see lots of code rewriting in our future.

  8. It's Easy! by KeithIrwin · · Score: 1

    The first time someone visits your website, you redirect them to a consent form and then if they opt out of being tracked, you just set a cookie showing that they've opted out so that you won't have to ask them again. See, problem solved.

    (I say that tongue-in-cheek, but it would actually probably work if you set a "don't track" cookie which wasn't personal to them. Most grocery stores also offer non-tracking versions of their loyalty cards. My dad has one for Harris Teeter and his card number is all zeroes. That's the number they give out to everyone who asks not to be tracked. Similarly you could set a cookie which only includes an "opt-out" code which is the same for everyone opting out so that you can't track them individually.)
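
The scheme from the comment above (ask once, then remember the answer in a cookie whose value is the same for everyone who opts out), sketched as an added example that is not part of the original thread. The cookie names, the `/consent` path, the request and response shapes and `handleRequest` itself are assumptions; the handler is a pure function so it runs without a web server.

```javascript
// Added example: consent gate with a shared, non-identifying opt-out cookie.
// Cookie names, paths and the request/response shapes are assumptions.
const CONSENT_COOKIE = 'consent';     // holds only 'in' or 'out'
const VISITOR_COOKIE = 'visitor_id';  // per-user tracking identifier
const ONE_YEAR = 60 * 60 * 24 * 365;
const ATTRS = '; Path=/; Secure; HttpOnly; SameSite=Lax';

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Accept only same-site relative paths as the return target, so the
// consent form cannot be used as an open redirect.
function safeNext(next) {
  return typeof next === 'string' && /^\/(?![\/\\])/.test(next) ? next : '/';
}

// Default identifier source: Web Crypto (a global in browsers and in
// current Node.js releases).
function randomVisitorId() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// req: { method, path, form, cookieHeader }
// returns { status, location?, setCookie: [...] }
function handleRequest(req, newId = randomVisitorId) {
  const cookies = parseCookies(req.cookieHeader);
  const form = req.form || {};

  // The visitor answers the form. Only the answer is stored, so every
  // opted-out browser carries the identical cookie. POST only; a real
  // form would also carry an anti-CSRF token.
  if (req.method === 'POST' && req.path === '/consent' &&
      (form.choice === 'in' || form.choice === 'out')) {
    const setCookie =
      [`${CONSENT_COOKIE}=${form.choice}; Max-Age=${ONE_YEAR}${ATTRS}`];
    if (form.choice === 'out' && cookies[VISITOR_COOKIE]) {
      // Expire an identifier left over from an earlier opt-in.
      setCookie.push(`${VISITOR_COOKIE}=; Max-Age=0${ATTRS}`);
    }
    return { status: 302, location: safeNext(form.next), setCookie };
  }
  if (req.path === '/consent') return { status: 200, setCookie: [] };

  const consent = cookies[CONSENT_COOKIE];
  if (consent !== 'in' && consent !== 'out') {
    // No recorded answer yet: ask first and set nothing.
    const next = encodeURIComponent(safeNext(req.path));
    return { status: 302, location: `/consent?next=${next}`, setCookie: [] };
  }

  const setCookie = [];
  if (consent === 'in' && !cookies[VISITOR_COOKIE]) {
    setCookie.push(`${VISITOR_COOKIE}=${newId()}; Max-Age=${ONE_YEAR}${ATTRS}`);
  }
  return { status: 200, setCookie };
}

// Constructed walk-through: first visit, then the visitor opts out.
const firstVisit = handleRequest({ method: 'GET', path: '/article/42' });
const optOut = handleRequest({
  method: 'POST', path: '/consent',
  form: { choice: 'out', next: '/article/42' },
});
console.log(firstVisit, optOut);
```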

  9. Clue stick by agendi · · Score: 1

    Have they costed how much it will be to make their own sites compliant?

    --
    I just can't be bothered.
    1. Re:Clue stick by Malc · · Score: 4, Insightful

      I couldn't give a rat's arse how much it costs sites to comply. I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself. Cookies have been a fundamental feature of the web for a long time as a way to make the web a better experience for users, but I certainly didn't ask advertisers et al to abuse this functionality for things that aren't in my interest.

    2. Re:Clue stick by agendi · · Score: 1

      I don't mean corporates, I mean the Govt. agencies themselves that are currently using cookies, I bet they are one of the first ones that work around it AND bill the tax payer for the effort of outsourcing the work to a foreign multinational. Yay! In the end it won't change squat.

      --
      I just can't be bothered.
    3. Re:Clue stick by MrL0G1C · · Score: 1

      Bah, This could turn out to be a real pain for anybody who deletes cookies, now every time I visit a European site I'm going to have to opt out of tracking cookies - and how are they going to log this decision - with a cookie of course. What a complete pain (I can do my own privacy thanks). This reminds me of when Internet explorer would regularly pop-up a box saying the site had active-x would I like to turn active-x on - I switched back to mozilla.

      Meanwhile the UK census has just come round and the gov't will promptly be selling the information to anyone who wants it (without my name on it, ha).

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    4. Re:Clue stick by LordLimecat · · Score: 2

      I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself.

      I'm going to assume you use internet explorer.

      1) Tools --> Internet Options --> Privacy
      2) Move the slider to "Block all cookies"
      3) Click apply. You're done! Cookies can never threaten your freedom again!

      And that option has only been there for what....10 years now? I remember learning about that back in 2001 when people were getting all freaked out about cookies, when I was just a teenager with no technical skill. And I know that Firefox and Chrome and Opera and Lynx and Links (having used them on google recently, it asks you for every cookie) and probably the now-dead Netscape all have similar, easily found options for those who actually care.

      This law doesn't solve any problem that would not be better solved by people who care setting their options properly. Or if you really have a hardon to legislate, make new updates / installs of browsers require the user to opt in or out of cookies altogether, or make a choice to allow some with consent. Problem solved.

  10. Don't blame the EU by Anonymous Coward · · Score: 1

    Blame Privacy International, who are basically the only ones lobbying for this.

  11. Car analogy by Anonymous Coward · · Score: 1

    The EU requires car manufacturers to get consent from drivers for the car to burn fuel.

    1. Re:Car analogy by hedwards · · Score: 2

      We here in the US refer to that as the "ignition switch" and it's very effective at telling the machine not to burn fuel.

    2. Re:Car analogy by Malc · · Score: 3, Interesting

      Hmmm, bad car analogy. As an owner and driver, I already have control over that. Perhaps it would be more like manufacturers putting a feature or governor in your car that makes it drive past some advertising slowly, without your permission... in which in my case I'd want the EU to regulate, just like I'm happy to see them doing something about abusive companies trying to track me for their benefit rather than mine.

    3. Re:Car analogy by jhobbs · · Score: 1

      Woo Hoo! Patent idea! I just offer you $1000 toward your down payment and you agree then when an advertiser under contract has a radio ad airing your radio will turn on and turn up to an ear busting level. Also you may not travel more than 25mp/h past an advertising partner's billboard. It's genius cause all anyone would care about is the $1000!

  12. Re:EU = make things harder by Nursie · · Score: 1

    Make it harder for people to track other people for financial gain?
    Sure.

    Protecting the privacy of EU citizens seems more important to me than your transient concerns about having to do a bit more work.

  13. Solution by Memroid · · Score: 1

    1. Force browsers in relevant countries to pop up a message "Would you like to accept a cookie from www.[...]?" for every website they visit (and every cookie).
    2. People everywhere else live happily ever after.
    3. ???
    4. Profit!

    1. Re:Solution by Nursie · · Score: 1

      "We all know that this won't happen anyway because what website in its right mind make itself too hard to use? If it becomes a case of accept our policy or don't use our site, perhaps the EU will evolve the regulations."

      Or you could say -

      We all know that this won't happen anyway because what website in its right mind make itself too hard to use? If it becomes a case of accept our policy or don't use our site, perhaps websites will stop using so many damned unnecessary and unwanted cookies.

      Seriously, have you looked at how many thousands of cookies the average browser holds these days? Jaysus. Given the tiny number of sites I actually require to hold account details for me, it's nuts.

      Session cookies I have less of an issue with when they're used for actual useful stuff (shopping baskets) and are not third party.

  14. Re:Thanks EU by Malc · · Score: 1

    Host your sites as you like, but companies doing business in the EU will still need to comply or it will become expensive for them. Perhaps advertisers in this situation won't want to pay per click if they're not doing business in the EU anyway, which will affect US hosted sites too. Also, the US courts have set plenty of precedent by feeling free to take legal action outside their own jurisprudence.

  15. Re:Thanks EU by goombah99 · · Score: 1

    Great - what the internet needs is more regulation.

    Thanks EU.

    I think that's exactly what America needs: more EU regulation. We'll just host their sites over here, because we don't have to comply with their stupid laws.

    Or Sealandia or Naru or Libya or Russia.

    Which of course simply undermines your own homegrown industry and once based outside the country other exploits are now feasible.

    The way we deal with this for physical goods is tariffs. e.g. your country has no OSHA laws, or pays too low a minimum wage then we may slap a tariff to equalize the playing field and protect the home industry.

    This of course eventually leads to protectionist tariffs.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  16. Re:Thanks EU by DarwinSurvivor · · Score: 5, Insightful

    HAHAHA. Says the guy whose country created the patriot act! American VPS companies have been losing lots of money because people don't want to put their data on a server in a country where the government can just go "This server is running on the same hardware as someone who MAY have sent a secret message to someone in IRAQ with a picture of a child, thus we are confiscating everything!"

  17. Mozilla already lets you set that by billstewart · · Score: 1

    You can set Mozilla to always ask, always accept, always reject, do one of those except for exceptions, accept for session only, remember your choices or not remember them, etc. At this point I don't know what the default is :-)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  18. Re:Thanks EU by Samantha+Wright · · Score: 2, Informative

    HAPPY FUN GRAMMAR NAZI ADVENTURE: "Jurisdiction", not "Jurisprudence". Remember, a dictionary page per day keeps the lurking trolls at bay!

    --
    Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  19. Re:EU = make things harder by cbope · · Score: 5, Informative

    Sorry, you are looking at it from the wrong direction. The difference between the US and the EU is that the EU (or by extension the state governments that form it) are protecting their citizens from violations of privacy by corporations. You see, over here, we actually care about privacy and our governments do actually help to protect it. Done properly and where needed, regulation is a Good Thing(tm). Corporate Fascism hasn't yet fully taken over here in the EU as it has in the US.

    All you have to do is look at areas such as telecommunications: The EU's mobile phone operators and ISPs provide FAR better service, better prices and a LOT more competition in this area than in the US. I live in a small country of only 5.2 million, and I can choose from literally dozens of mobile phone operators and I have multiple ISPs to choose from with very competitive offerings. I can shop for the best price and/or service. I am not limited to one or two major monopolistic operators or ISPs like in some parts of the US.

    Just like the 2-party political system, which is a joke, you guys over in the States need to get over your long-held belief that regulation is bad. Regulation in the EU generally *protects* the consumer and their privacy and prevents monopolistic business practices. In the US, practically everyone believes in the invisible hand of the free market. The problem is the invisible hand is stealing from consumers' pockets and stuffing the pockets of corporations. The invisible hand is NOT working in YOUR favor, it's working in favor of the corporations.

    Now before a troll comes along and says I do not know what I am talking about, I am an American living abroad in the EU, for more than 10 years. I have lived and worked in both places and I have worked for both American and EU based companies. I can assure you, the EU way really is better and I cannot really consider living and working in the US anymore. It is a major downgrade on practically every metric.

    Back to the original topic: tracking cookies. This regulation is in response to companies who abuse users by tracking them using cookies. This is unwanted behavior. Cookies were not originally intended for this use and since companies have been abusing cookies (and by extension the consumers/users), it calls for regulation since companies in the free market cannot be held responsible for acting responsibly. Companies will only do what they can to increase profits and/or market share unless forced to do something else. Regulating cookies for tracking behavior is needed and I do not have a problem with this. It protects me as a consumer since it is widely known to be abused. This is precisely why regulation is sometimes needed.

    You may be willing to allow corporations to perform uncontrolled data mining of your online habits but I prefer to have control over that information since the information is open to abuse. There is no legitimate justification for corporations to collect this information other than to use it for their benefit. They are certainly not collecting it to help you as a consumer.

  20. Just saying a better method is needed. by Anonymous Coward · · Score: 1

    Try setting your privacy level not to accept 3rd party cookies and set it to ask you every time (Firefox). I have no problem denying cookies manually all day. Some of the most egregious uses of cookies come from mainstream sites like msnbc, cnn, etc. Those sites are whoring themselves out to advertising and data miners more than any other sites I can think of... so I don't visit them anymore. I don't need to read or listen to their junk when their interests aren't trying to serve mine.

  21. Re:Nothing new here, move along.. by hedwards · · Score: 1

    Yes, especially since the site now has no way of knowing whether or not it has previously asked for permission unless the answer was yes. Meaning that if you say yes then that's the last you hear of it, but if you say no, then it'll ask you for permission every time you visit the site.

    My main concern is that there's not really any information given about why a lot of these sites are setting cookies for facebook and random other sites.
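
The behaviour described in the comment above, as an added example that is not part of the thread: a server that stores nothing until the visitor says yes can remember a "yes" but never a "no". The cookie names, function names and the simulated browser are assumptions made for illustration.

```javascript
// Added example: consent-gated cookie handling (hypothetical names throughout).
const CONSENT_COOKIE = 'cookie_consent';
const TRACKING_COOKIE = 'visitor_id';
const ONE_YEAR = 60 * 60 * 24 * 365;
const ATTRS = `Max-Age=${ONE_YEAR}; Path=/; Secure; HttpOnly; SameSite=Lax`;

// Parse a "Cookie:" request header ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const jar = {};
  if (!header) return jar;
  for (const pair of header.split(';')) {
    const idx = pair.indexOf('=');
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    if (name) jar[name] = pair.slice(idx + 1).trim();
  }
  return jar;
}

// Decide what to send back for one request.
//   req.cookieHeader  - raw Cookie header sent by the browser
//   req.consentAnswer - 'yes' | 'no' when the visitor just answered the prompt
//   newId             - function returning a fresh identifier
// Returns { showPrompt, setCookies } where setCookies are Set-Cookie values.
function handleRequest(req, newId) {
  const jar = parseCookieHeader(req.cookieHeader);
  const setCookies = [];

  // Consent was recorded on an earlier visit: no prompt, cookies allowed.
  if (jar[CONSENT_COOKIE] === 'yes') {
    if (!jar[TRACKING_COOKIE]) setCookies.push(`${TRACKING_COOKIE}=${newId()}; ${ATTRS}`);
    return { showPrompt: false, setCookies };
  }

  // The visitor just said yes: record the consent, then set the identifier.
  if (req.consentAnswer === 'yes') {
    setCookies.push(`${CONSENT_COOKIE}=yes; ${ATTRS}`);
    setCookies.push(`${TRACKING_COOKIE}=${newId()}; ${ATTRS}`);
    return { showPrompt: false, setCookies };
  }

  // "No" or no answer yet: nothing may be stored, so the refusal itself is
  // not remembered and the next visit is indistinguishable from a first one.
  return { showPrompt: req.consentAnswer !== 'no', setCookies };
}

// Simulated browser: keeps a cookie jar across `visits` page loads and gives
// the same `answer` whenever the prompt appears.
function simulateVisits(visits, answer) {
  const jar = {};
  let prompts = 0;
  let counter = 0;
  // Constructed, predictable ids for the demo; a real server would use a CSPRNG.
  const newId = () => `constructed-id-${++counter}`;

  const send = (consentAnswer) => {
    const cookieHeader = Object.entries(jar).map(([k, v]) => `${k}=${v}`).join('; ');
    const res = handleRequest({ cookieHeader, consentAnswer }, newId);
    for (const sc of res.setCookies) {
      Object.assign(jar, parseCookieHeader(sc.split(';')[0]));
    }
    return res;
  };

  for (let i = 0; i < visits; i++) {
    if (send(undefined).showPrompt) {
      prompts++;
      send(answer);
    }
  }
  return { prompts, stored: Object.keys(jar).sort() };
}

console.log(simulateVisits(3, 'yes'));
console.log(simulateVisits(3, 'no'));
```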

  22. Cookies by cultiv8 · · Score: 1

    will never die.

    --
    sysadmins and parents of newborns get the same amount of sleep.
  23. Re:Eurotrash fucktards by awshidahak · · Score: 2

    Europe today would be the same if Hitler had won. They are worse than Nazis

    Wow am I out of the loop or what. They still practice genocide over there?

  24. Re:Thanks EU by TubeSteak · · Score: 2

    I think that's exactly what America needs: more EU regulation.

    Actually, it probably is.
    The Europeans take their privacy laws very seriously and, unlike the USA, they enforce the shit out of them.
    The USA has a lot of laws, but enforcement is hit or miss, especially when it comes to consumer protection.

    --
    [Fuck Beta]
    o0t!
  25. Do not set by Mystra_x64 · · Score: 1

    Do not set any cookies if person is not registered (here is your consent). Problem solved. Actually, that would be pretty nice.

    --
    Quick way to get 30% Funny 70% Troll: defend Opera browser on /.
    1. Re:Do not set by Nursie · · Score: 1

      Under EU law you would likely be prohibited from doing some of those things without consent also.

      The web is perfectly functional with a very limited set of allowed cookies and adblock set to not load most javascript or advertising.

      I don't have java enabled. Flash is default blocked, flash cookies are removed on browser exit. ActiveX isn't an issue.

      Most 'idiots' don't want to be tracked. The less tech savvy 'idiots' don't know that there are good and bad sides to cookies so they just disable them all. This wouldn't be a problem if they weren't abused heinously.

      You've got me on the browser size and position stuff though. I would warrant that if you have to resort to these sorts of tactics you already know you're evil.

    2. Re:Do not set by Mystra_x64 · · Score: 1

      One small problem -- In order to register you must create an account... In order to create an account you must allow cookies (these pre-registration cookies serve as nonce values to help prevent spam).

      Why would you need those? You don't. Also, when you press register button then you have an intent to register. There are way too many sites who just slap cookies as soon as you open them. Even if I don't even intend to be there longer than reading 1 page. Why would I need that cookie? There are even some which don't even work with those disabled. Now that's something.

      --
      Quick way to get 30% Funny 70% Troll: defend Opera browser on /.
  26. Re:Thanks EU by Anonymous Coward · · Score: 1

    Well until IPv6 routers start randomizing the addresses... then it won't be much different from NAT.

  27. Stupid by localman · · Score: 1

    Sure, cookies can be used for shady purposes but for heaven's sake - every useful website I can think of uses the hell out of cookies. It's the only practical way to maintain UI state. Browsers already have the ability to warn per cookies. They used to come with this turned on by default, but most have stopped that now. Ever tried turning those warnings on in the past ten years? You can't possibly browse the web like that. Even a once-off per site setup is absurd. This is the result of passionate but ignorant people.

    Oh well. Like most such laws, there will almost surely be a legal workaround that dodges the spirit of the law. And in this case thank god for that.

    1. Re:Stupid by Nursie · · Score: 1

      "Ever tried turning those warnings on in the past ten years? You can't possibly browse the web like that."

      Yup, it's crazy the number of cookies now being set/read when you visit modern sites. This is a very strong positive for the legislation though.

      Me, I use "Cookie Monster" in firefox. It allows me to deny all third party cookies outright, and default-deny the rest. It has a neat little menu to allow cookies from a specific site on temporary basis (Let it set cookies until the browser is restarted), allows session cookies only or allow full access.

      Coupled with ABP it makes me much happier about the net, and makes the net a much happier, quicker place.
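
A simplified model of the policy described in the comment above (deny third-party cookies outright, default-deny the rest, allow named sites for session cookies only or in full), as an added example that is not part of the thread and not the add-on's own code. The function names, hosts and allow-list format are assumptions, and "same site" is approximated by the last two host labels, where browsers use the Public Suffix List.

```javascript
// Added example: per-site cookie policy evaluated against Set-Cookie headers.

// Approximate the registrable domain (assumption: last two labels).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie value; a cookie is persistent when it carries
// Expires or Max-Age, otherwise it lasts for the browser session.
function parseSetCookie(header) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq <= 0) return null; // no name=value pair
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    persistent: false,
  };
  for (const attr of parts.slice(1)) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'expires' || key === 'max-age') cookie.persistent = true;
  }
  return cookie;
}

// allowList maps a site to 'session' (session cookies only) or 'full'.
// Sites that are not listed are denied.
function decide(pageHost, settingHost, setCookieHeader, allowList) {
  const cookie = parseSetCookie(setCookieHeader);
  if (!cookie) return { action: 'reject', reason: 'malformed' };
  if (siteOf(pageHost) !== siteOf(settingHost)) {
    return { action: 'reject', reason: 'third-party' };
  }
  const mode = allowList[siteOf(settingHost)];
  if (!mode) return { action: 'reject', reason: 'default-deny' };
  if (mode === 'session' && cookie.persistent) {
    // Keep the cookie but drop its lifetime, so it dies with the session.
    return { action: 'store-session', reason: 'lifetime stripped' };
  }
  return {
    action: cookie.persistent ? 'store-persistent' : 'store-session',
    reason: 'allowed',
  };
}

// Constructed sample: the Set-Cookie headers seen while loading one page.
const CONSTRUCTED_PAGE_LOAD = {
  pageHost: 'news.example.com',
  responses: [
    { host: 'news.example.com', setCookie: 'sid=abc123; Path=/; HttpOnly' },
    { host: 'www.example.com', setCookie: 'prefs=dark; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/' },
    { host: 'cdn.adnetwork.test', setCookie: 'uid=7f3a; Max-Age=31536000; Path=/' },
    { host: 'news.example.com', setCookie: 'garbage' },
  ],
};

// Apply the policy to every response of a page load.
function auditPageLoad(load, allowList) {
  return load.responses.map((r) => {
    const cookie = parseSetCookie(r.setCookie);
    const verdict = decide(load.pageHost, r.host, r.setCookie, allowList);
    return { host: r.host, name: cookie ? cookie.name : null, ...verdict };
  });
}

console.table(auditPageLoad(CONSTRUCTED_PAGE_LOAD, { 'example.com': 'session' }));
```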

    2. Re:Stupid by KiloByte · · Score: 2

      Browsers already have the ability to warn per cookies. You can't possibly browse the web like that. Even a once-off per site setup is absurd.

      For you. For me, it's a vital functionality, and one of the reasons I don't touch Chrome with a ten foot pole.

      Of course, I use once-off, with Cookie Monster to be able to alter the decision later as the built-in UI takes a couple minutes (!) to alter it.

      Most third-party bastards get onto my DNS-do-not-resolve list, too. Just blocking their cookie does hardly anything, they can use your IP and headers to get almost as much info. To the contrary, being warned about a new cookie is good since I know there's scum I didn't know of before. And there are not that many trackers around, I haven't added any to my list in two months already.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    3. Re:Stupid by u38cg · · Score: 1

      My suspicion is that after a while, most sites will set upon a standard protocol for requesting permission that can be intercepted by a plug-in and silently answered by the browser without the user's interference. After a while, this plug-in will be bundled automatically and the situation will be exactly the same as it is now.

      --
      [FUCK BETA]
    4. Re:Stupid by LordLimecat · · Score: 1

      For you. For me, it's a vital functionality, and one of reasons I don't touch Chrome with a ten foot pole.

      1) Wrench --> Options --> Under the Hood --> Content settings.
      2) Block sites from setting any data.
      3) When you browse to a site, click the "cookie w/ x" icon in the title bar. Review your cookies, choose which to allow, and whether it is for session only.
      It's actually handled BETTER than other browsers, as you can review said cookies before allowing them.

      This, again, is why this regulation is all around terrible.

    5. Re:Stupid by cdrguru · · Score: 1

      The solution is for a popup to appear asking for permission for every cookie on every web page.

      Without that, the folly of this will not be apparent. When Google asks for this for every web site that uses Google Analytics the folly of this will be apparent.

      Trying to find some happy middle ground between what the EU regulators are asking for and what is acceptable is pointless. It is like arguing with a pig - you just annoy the pig and frustrate yourself.

    6. Re:Stupid by KiloByte · · Score: 1

      That's new, but still bad. Inconvenient -- you need 5 clicks instead of one, and it still breaks your first visit by telling the site you don't have cookies.

      There's a crapload of sites which work noticeably worse if you have cookies completely off, so in a vast majority of cases the answer will be "allow for session".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    7. Re:Stupid by LordLimecat · · Score: 1

      If you just want them for the session, under content settings choose "Clear cookies and other site data when I close my browser"

      This isn't really rocket science, a google search would have given you all of this information. I just found this out by getting the gumption up to care for 3 minutes.

    8. Re:Stupid by KiloByte · · Score: 1

      Bzzzt wrong. It makes ALL cookies temporary, including those you specifically want to keep. I don't want to have to log in to reputable sites like Slashdot or Wikipedia every single time.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  28. Re:Thanks EU by zill · · Score: 1

    IPv6 will give almost every computer practically static addresses

    What if multiple people share the same computer?

  29. Re:Thanks EU by Narcocide · · Score: 5, Interesting

    You got modded flamebait but in reality you've understated the situation quite significantly. When the feds come to bust a private host for something they usually take everything in the room that is even plugged into the same power line and all the networking hardware out to the wall, then they leave it up to the owners of the hardware to litigate for return of their property.

  30. Compromise. by zmollusc · · Score: 1

    How about a browser option of 'accept all cookies - but delete them once the session is over'?
    The tracking companies get their cookies accepted and privacy is maintained. Everyone is happy. Kind of.

    --
    They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    1. Re:Compromise. by Nursie · · Score: 1

      They should build the "Cookie Monster" addon into FF by default, with a sensible set of defaults (like auto-deny third party cookies).

      That would cover it.

    2. Re:Compromise. by Anonymous Coward · · Score: 2, Informative

      Already exists in Firefox ! Accept cookies from sites ... Keep until: I close Firefox

    3. Re:Compromise. by wvmarle · · Score: 1

      You mean like Firefox's Private Browsing mode?

    4. Re:Compromise. by VortexCortex · · Score: 2

      How about a browser option of 'accept all cookies - but delete them once the session is over'? The tracking companies get their cookies accepted and privacy is maintained. Everyone is happy. Kind of.

      Done: Open Firefox > Tools > Start Private Browsing.

      This is the "mode" which you seek.

      The bullshit legislation won't matter. There are hundreds of hacks to store user state without cookies. All of the data can be stored server side, and if just one identifying piece of information correlates two user profiles (say, usage pattern, or time of day + IP address) then your data is being mined.

      Stop private browsing, go to a different website, the ads on that website link the current time of day & my IP address to the profile they built while I was "private browsing".

    5. Re:Compromise. by KiloByte · · Score: 1

      Cookie Monster is damn nice, it just lacks one thing: the ability to let permanent cookies stay if you allow the site to do so. Currently, you need to go to that site again and login/set up/etc once more.

      I guess it's a problem in Firefox core -- if set to session cookies by default, it probably overwrites the cookie's expiration so Cookie Monster can't restore it.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    6. Re:Compromise. by LordLimecat · · Score: 1

      I think most browsers already have this.

  31. Ghostery for FF by b4nd0ler0 · · Score: 3, Interesting

    As for third party cookies: I use Ghostery on Firefox and it works pretty well and it's pretty unobtrusive once configured. It's amazing to see how many of these cookies are used and abused. Some sites have literally dozens of them. (/. has two: Google analytics and Addthis). FB and Twitter are major culprits, they have no business tracking me when I'm visiting some other site, I'm not one of their users and I don't give a sh`t about what they do. I support this legislation, we just don't know how much user data these companies are gathering and for what use so it's basically saying that you cannot track people that don't want to be tracked.

    1. Re:Ghostery for FF by Tim+C · · Score: 1

      FB and Twitter are major culprits, they have no business tracking me when I'm visiting some other site, I'm not one of their users and I don't give a sh`t about what they do.

      I do use FB, and they still have no business tracking me on other sites.

  32. Oh so important anti-virus scanners! by Coolhand2120 · · Score: 1

    This comes from anti-virus and anti-malware programs labeling cookies as threats in order to make themselves appear more useful than they really are: "oh look boss, this cookie was going to kill your cat!". So the layman uses his computer and sees his Norton fuck-ur-comp2201 report that www.target.com is trying to H4X0R their computer. Knowing the insidious nature of the evil corporate entity known as target said layman writes his representative informing him of the ticking time bomb Norton shit-tron-1117 reported.

    Dear Sir or Madam,
    I am writing to inform you of the insidious nature of the virus/malware/fascist threat known as a "cookie". In spite of its innocent name, hidden inside this simple text file is a menace so horrible that it should be expunged from the face of the earth. I'm not sure what it does, but I certainly don't want my children taking cookies from strangers without my express consent.

    Regards, J. Gearstorfer II esq. Lt. Gen. Ret. etc..

    Of course when you lump cookies into the same category as trojan horses people are going to react this way. The nonsensical way some anti-malware programs behave is unethical. You cannot say "all cookies are bad" because it's simply a load of shit. I'm a highly experienced web developer and I really cannot think of any way that a cookie can harm you, your computer or your cat.

    A cookie is just as revealing as your IP or your IP's RDNS entry. The only reason web sites use cookies is because they have no other way to distinctly identify which computer is hitting their web site from the other side of a NAT (your firewall). If each computer had a distinct static IP address (IPv6 or MAC) there would be no need for cookies. That cookies are somehow dangerous sounds just like people claiming that vaccines are giving their children autism.... No... Actually, the vaccine people have a better case.

    You absolutely need cookies to make web programs work and prevent accidental session hijacking. Any other method is a joke and therefore not used by serious programmers. Cookies cannot harm you. The worst thing that can happen is someone could tell you went to www.target.com because you have a cookie that says that on your computer, BFD.

    This is not a score for privacy. This is a score for ignorance.

    1. Re:Oh so important anti-virus scanners! by zmollusc · · Score: 1

      Could you explain why cookies are 'absolutely needed'? Or provide a link? I can see how cookies are useful, but I don't see how they are vital.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    2. Re:Oh so important anti-virus scanners! by DigitalSorceress · · Score: 1

      Coolhand2120, you've hit the nail precisely on the head.

      I remember back when anti-virus apps first started to whine about cookies, I was like, "what? do these guys have ANY CLUE how the web works?". I eventually came to the conclusion that they did, but that they were benefiting from the appearance that they were stopping all this "evil" stuff.

      Cookies are an absolutely essential way to maintain state across multiple visits from a given user on a web site. As always, XKCD is on-the-ball ... http://www.xkcd.com/869/

      I only ever use session cookies on web sites/apps that I build. Then again, I don't have anything to do with advertising.

      --

      The Digital Sorceress
    3. Re:Oh so important anti-virus scanners! by wvmarle · · Score: 3, Interesting

      Well I agree with you that a cookie may not physically harm you; and that they are very useful tools for web site programming.

      Yet the primary problem with cookies is the third-party cookies that ad networks place on your computer. So this ad network can track which web sites you visit. This has no use for you as end user; it only serves to give the ad network more information about you. They can see you visit slashdot, they can see you visit certain lolcat related sites, they see you visit amazon, they follow you whenever you hit a web site where their ads (and cookies) are served. And that is the problem they most likely want to tackle as that is where privacy is an issue.

    4. Re:Oh so important anti-virus scanners! by Coolhand2120 · · Score: 1

      I mentioned it in my post:

      The only reason web sites use cookies is because they have no other way to distinctly identify which computer is hitting their web site from the other side of a NAT (your firewall).

      It's so they can tell it's the computer in the living room and not the computer in the bedroom. Or if you like an office analogy, it's so Sue in accounting doesn't get the same Facebook page as Ted in IT.

      Technically speaking, the only information visible to the servers on the internet is the IP/MAC address of your nat/firewall/whatever, the computers behind the nat/firewall/whatever cannot (by design) expose their unique IDs (MAC or Media Access Control addresses) to the internet server because the MAC address given is of the NIC in the nat/firewall/router, not of the client computer. Yes, there are other ways of tracking people, such as browser signature or some other organic information about the client, but this is in no way a solution. If Sue in accounting uses the same browser and OS as Tim in IT (very likely!) then they appear to be the same person to the internet server. Without the infamous cookie Sue sees Ted's Facebook page (and has some trouble explaining why he friended Sue's girlfriend).

      Really it all comes down to this: IPv4 doesn't have enough addresses to go around, so we stick UUIDs in text files on each computer that visits a given site to uniquely identify them from other users who visit the same site.

    5. Re:Oh so important anti-virus scanners! by Coolhand2120 · · Score: 2

      Not only is the cookie essential for web programming (session handling), but people trying to track you don't even need a cookie. They have a whole slew of other methods of tracking you, the cookie is only the tip of the iceberg. These companies are sharing information to bolster their own databases. If you go to any site that uses google analytics for instance, any other site running the same or similar tracking software can piece together your entire visit by your IP address alone. And that's before they use even higher tech devices like tracking images that utilize UUIDs in HTML5 canvas, something you'd have to disable javascript on every page to prevent or use a concatenated string of your IP+browser+OS+CPU to uniquely identify you without a cookie.

      Because they aren't doing session handling with the cookies "good enough" is. So what if they catch your whole house, they still got you! There is no way to block the tracking, you're tracked, get used to it. Almost anything you do to prevent the tracking is useless.

      And when IPv6 is implemented, forget about anonymity! Classless network. Everyone has their own UUID for an address. Then programmers will stop using cookies for sure!

    6. Re:Oh so important anti-virus scanners! by lingon · · Score: 1

      The MAC address is only visible to the first router. Unless your computer is located in the data hall of the company you're visiting, they're not getting it. OTOH, two users will likely have at least one thing in the HTTP header set differently, even if they're the same version, and that can be used to track them. I think EFF (or some other such organisation) did a test of this quite recently.

    7. Re:Oh so important anti-virus scanners! by zmollusc · · Score: 1

      Thank you. I hadn't thought about 2 natted users accessing the same web site. Duh. I will go back to painting cave walls.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
  33. Re:Thanks EU by Bobakitoo · · Score: 4, Informative

    What if multiple people share the same computer?

    The kids get to see pornography advertisements because you browsed for porn last night. Fun for the whole family!

  34. Re:EU = make things harder by syousef · · Score: 2

    You may be willing to allow corporations to perform uncontrolled data mining of your online habits but I prefer to have control over that information since the information is open to abuse. There is no legitimate justification for corporations to collect this information other than to use it for their benefit. They are certainly not collecting it to help you as a consumer.

    This move won't give you that. In fact it does the exact opposite. Corporations are going to force you to sign EULA that includes allowing them to track you for EVERYTHING. Think of Google requiring login (no anonymous searches). The first thing you're going to have to do no matter what URL you type in, is log in.

    --
    These posts express my own personal views, not those of my employer
  35. Re:Thanks EU by wvmarle · · Score: 1

    In my experience with ADSL and cable you have a fixed address already. It is just not guaranteed to be fixed but a new IP every few months is fixed enough for lots of tracking purposes. Just leave your own router connected; usually DHCP will give you the current IP address upon renewal. There is no reason it would have to change to begin with.

  36. Re:Thanks EU by Malc · · Score: 1

    Haha - I was thinking about both, and in this case the difference between jurisprudence in both places. Jurisdiction is indeed what I meant. It's been a long day...

  37. Consider this submission by qmaqdk · · Score: 1

    NickstaDB writes

    "From the CNN article: 'From 25 May, US laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies". These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"

    And then consider how different the reactions and comments would be.

    --
    My UID is prime. Hah!
  38. Re:EU = make things harder by Anonymous Coward · · Score: 1

    I don't know where you live, but here in the EU those EULAs are not enforcible.

  39. Re:EU = make things harder by Anonymous Coward · · Score: 1

    You have total control over the cookies you allow to be set in your browser, and the data you send to someone. You always have. This is regulation for the sake of appearances, nothing more. It's also going to prove nearly impossible to enforce or track, and it's going to affect very negatively things that are well beyond its scope. This is because typical of most regulation, it will be broadly worded, and poorly understood.

  40. Re:Throwing the baby out but keeping the bath wate by Nursie · · Score: 1

    Sure, they will, but there are things that can be achieved simply by blocking some cookies.

    For instance - why should facebook be able to track people across every site with a "like this on facebook" button, regardless of whether they have a facebook account?

    This can be worked around by switching off third party cookies (and perhaps blocking any content loaded from fb when not actually visiting FB), which IMHO aren't useful for anything BUT tracking.

    I can't say it would bother me to see all the "affiliates" on the net die off.

  41. cookieless tracking by alabandit · · Score: 1
    --
    "You are still innocent until proven guilty. What's changed is what they do to innocent people." by notnAP (846325)
  42. Re:EU = make things harder by lordholm · · Score: 5, Insightful

    Google requiring log-in = people start using bing (have they renamed it again yet?) / yahoo / altavista.
    Really... this is what would happen.

    I have seen plenty of people who, when encountering a log-in / register window, just close the web-page and do something else. Come to think of it, all sites requiring log-ins would be a huge boost for productivity.

    --
    "Civis Europaeus sum!"
  43. Re:EU = make things harder by SydShamino · · Score: 2

    Hahaha, that's pretty funny. Just exactly how many sites do you know that moved behind a registration wall and gained readership?

    --
    It doesn't hurt to be nice.
  44. Re:EU = make things harder by cynicist · · Score: 3, Interesting

    There is no free market in the US. There are lots of regulations and government intervention here, they just happen to be on behalf of corporations rather than individual citizens. One of the reasons you can choose multiple ISPs and we cannot is due to monopoly agreements granted to ISPs in the US. You have more favorable regulation in the EU to be sure, but don't pretend the problems in the US have anything to do with a lack of government involvement...

  45. Re:Thanks EU by martijnd · · Score: 1

    Remind me to generate a new IPv6 address for every hour of the day...

  46. In Denmark by terminal.dk · · Score: 1

    The interpretation of the EU regulation is different. I think the latest bet on how Denmark understands the EU regulation is:

    The users must be informed that cookies are used, and always have easy access to the "cookie policy".
    The user must have a way to opt-out. It is still debated if it is enough to inform him how he adds sites to the Internet Zone, and denies cookies to sites in the Internet Zone. Persistent Cookies need user approval, session cookies not.

    There is also the other solution that will kill the regulation: Just tell users that to use the site they must accept cookies. If they don't, they can go away. When they can visit no websites at all, they will start accepting the cookies. Most technically skilled people think this is the worst law ever decided by the EU. So many websites are dependent on cookies today, that most of the web would stop working if cookies were disabled.

    As it is now, it is the user that decides if he wants JavaScript or Cookies.

    1. Re:In Denmark by leuk_he · · Score: 1

      In other words, Super cookies, cookies that are re-created (based on flash cookies or some other HTML wizardry) if the user deletes them, are a not-wanted item according to the law.

    2. Re:In Denmark by xenobyte · · Score: 1

      Well, if the alternative is as things are today, I prefer the new regulation. It is important to make people AWARE of the fact that their every move is tracked, mapped, mined, interpreted, valued and sold. A lot of people are not aware of this and would object if they knew.

      Unfortunately this use of cookies is kind of a form of abuse. The cookie system was meant to store information like login credentials, session IDs and similar, each for a specific site or closely related sites. Using them with ad-servers across countless unrelated sites will open up for cross site tracking and thus data mining and all the other 'bad' stuff. Requiring a site to obtain permission for its own cookies shouldn't be much of a problem. But ad-servers should be forced to obtain a new permission for each site each ad appears on, to severely limit the abuse we see today - because most people will choose "No, now and forever for this site (some ad-server)".

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  47. Re:Thanks EU by Snowblindeye · · Score: 5, Informative

    IPv6 will give almost everybody practically static addresses, the ultimate undeleteable cookie. So the EU regulation will be futile very soon.

    That problem has been solved by RFC 4941, otherwise known as the Privacy Extensions. Most OSes support it, though I believe some don't enable it by default. IIRC the iPhone is one of the devices that doesn't support it, but that should be fixable once IPv6 becomes more widespread.

  48. wtf?? by mshenrick · · Score: 1

    1. the user sent the information in the first place 2. the cookies are on their computer 3. just use a cookie blocking extension, no need for server side implementation

  49. Not my job. by Lord+Bitman · · Score: 1

    I have a perfect solution! Rather than continuing to use magical cookies which can follow you around and tell everyone where you've been, I'm going to re-implement a cookie-like thing which cannot possibly do anything you don't want!

    Here's how it will work: When you go to my website, I will send your browser a "brownie". The "brownie" will just be a short text string.
    Then, if you want me to track you, simply inform your browser that you would like to send back the "brownie" whenever you connect to my server.
    In this way, every single connection will require explicit consent to be maintained! If your browser doesn't send the "brownie" with every connection, I won't track you.

    The unicorns which maintain the magical cookies that track you without requiring your browser to explicitly send them back every time may be upset by this scheme, but I am never in favour of rejecting a technology simply because it will put people out of work.

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  50. Re:Thanks EU by teh+kurisu · · Score: 2

    Ironically, the BBC have a follow-up article, the first paragraph of which reads:

    European rules aimed at giving consumers more control over how their web browsing is tracked will not be enforced come May, experts have said.

  51. Re:Thanks EU by TheThiefMaster · · Score: 2

    Interesting idea: Different IPv6 address per user account.

  52. Re:EU = make things harder by Anonymous Coward · · Score: 1

    All of that doesn't matter. Things work differently around here. Not complying with laws or trying to subvert them is considered an unfair competitive advantage and your competitors can sue you.

  53. Re:Thanks EU by julesh · · Score: 1

    I think that's exactly what America needs: more EU regulation. We'll just host their sites over here, because we don't have to comply with their stupid laws.

    Doesn't matter where the site is hosted -- this is about data collection. Even if the site is hosted in the US, it would be illegal for an EU company to download the data from their US servers in order to perform any kind of analysis. If the site is designed in the EU, it would be illegal for the EU designers to set it up to track visitors without consent. If the site is designed in the US, it would be illegal for the EU owning company to request the US designers to set it up to track visitors without consent. Simply offshoring the hosting wouldn't help: you basically have to offshore your entire operation to get around this.

  54. Re:What the fuck by julesh · · Score: 1

    What do they think the 'Remember Me' checkbox is for!?

    Erm... exactly what this is about. This legislation means that such checkboxes are mandatory, rather than just a good idea. And they have to default to unchecked.

  55. Re:Thanks EU by bazmail · · Score: 1

    IF this had been the US government introducing this law you'd all be applauding it. Reminds me how all the yanks jumped to Microsoft's defense when the EU fined it heavily for anti-competitive practices, despite everyone constantly complaining about Microsoft. Typical anti-European sentiment from Americans.

  56. Re:EU = make things harder by phantomfive · · Score: 2

    Now before a troll comes along and says I do not know what I am talking about, I am an American living abroad in the EU, for more than 10 years.

    You don't know what you are talking about. You can't reasonably think of the EU as one homogenous unit. The tiny country you're living in sounds pretty good, but remember the EU also includes Italy and Latvia. Things that work for 5.2 million people don't always scale to 60 million or 200 million. Italy is where you can go to jail for a youtube video critical of politicians. Italy where the ties between business and government are so much more imaginably corrupt than happens in America. They don't even try to hide it. Is that the Europe you want?

    That's why it annoys me when people say they want a healthcare system like Europe's. Ya right, do you want a healthcare system like Estonia? Do you even know what you are talking about? Please think these things through.

    --
    "First they came for the slanderers and i said nothing."
  57. Re:EU = make things harder by Anonymous Coward · · Score: 2, Informative

    How do you track consent in the first place, without cookies?

    A user giving consent (or not) means that you've got to have a unique way of identifying that user. In the stateless HTTP protocol this means that you've got to have some state preserved. You can either do that with very fancy URLs (but then back buttons, bookmarks, browser history and such will not work properly) or with cookies.

  58. Re:EU = make things harder by AmonTheMetalhead · · Score: 1

    What I want to know is what I have to do explicitly to comply with this thing, apparently it's been in the pipeline for over 3 years, and it's the first I hear from it. Some practical info would've been nice. Guess I'll have to dig up the regulation itself on one of the EU sites... Wish me luck!

  59. Re:Yes by TaoPhoenix · · Score: 1

    Do you have to click yes to all 12 trackers to "authorize the page to load"?

    "Sorry, you didn't agree to all 12 trackers, so therefore we can't afford to give you the page."

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
  60. Re:EU = make things harder by Nursie · · Score: 1

    You try to read the cookie.

    If you fail then they haven't got one. You don't try to write one until you actually need one (shopping basket, account signup or login etc), at that point you ask permission with it spelled out that they can't go any further without it.

    If they decline then you send them back to your front page or to google or something.

    If you're a forum or something then sure, you need cookies for pretty much anything (other than random drop-in people just looking). If you're something like an online newspaper, that's not behind a subscriber/pay wall, you don't bother with cookies at all.

    Seriously, if I wasn't coming here to comment, can you think of a reason slashdot would *need* to set cookies?
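
The flow described in comment 60 (set nothing while the visitor only reads, ask at the point where state is first needed), sketched as an added example that is not part of the thread. The paths, the `sid` cookie name and the `handle` function are assumptions made for illustration.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

STATEFUL_PATHS = {"/basket", "/login"}  # hypothetical pages that cannot work without a session
SESSIONS = {}                           # server-side session store, keyed by session id

CONSENT_FORM = (
    "This page needs a session cookie to work. Allow it?\n"
    '<form method="post">'
    '<button name="consent" value="yes">Yes</button>'
    '<button name="consent" value="no">No</button></form>'
)


def read_session_id(cookie_header):
    """Return the session id the browser sent back, or None. Reading sets nothing."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    sid = jar["sid"].value if "sid" in jar else None
    # Unknown or forged ids are treated exactly like "no cookie".
    return sid if sid in SESSIONS else None


def session_cookie(sid):
    """Build a Set-Cookie value with no Expires/Max-Age, so it dies with the browser session."""
    jar = SimpleCookie()
    jar["sid"] = sid
    jar["sid"]["path"] = "/"
    jar["sid"]["httponly"] = True
    jar["sid"]["secure"] = True
    jar["sid"]["samesite"] = "Lax"
    return jar["sid"].OutputString()


def handle(method, path, cookie_header="", form=None):
    """Return (status, headers, body) for one request."""
    form = form or {}

    # Read-only pages never emit Set-Cookie, whether or not a cookie came in.
    if path not in STATEFUL_PATHS:
        return 200, [], "article text"

    sid = read_session_id(cookie_header)
    if sid:
        return 200, [], "basket for session " + sid

    answer = form.get("consent") if method == "POST" else None
    if answer == "yes":
        # The only place a cookie is ever created: after an explicit "yes".
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = {"basket": []}
        return 303, [("Set-Cookie", session_cookie(sid)), ("Location", path)], ""
    if answer == "no":
        # A refusal stores nothing anywhere; the question is simply asked
        # again the next time the visitor reaches a page that needs state.
        return 303, [("Location", "/")], ""

    # No cookie and no answer yet: ask, and spell out why it is needed.
    return 200, [], CONSENT_FORM
```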

  61. Re:EU = make things harder by AmonTheMetalhead · · Score: 2

    Somehow I doubt that. You see, google doesn't really need to use cookies to track you, all they need is an HTTP GET from your browser in order to do some pretty decent tracking based on your browser, OS & IP combination.

  62. Re:Thanks EU by OeLeWaPpErKe · · Score: 1

    The whole point of a hierarchical addressing scheme is that you DON'T randomize the addresses. That's, incidentally, the problem IPv6 was supposed to solve (before, of course, politics got in the way).

    Why ? A hierarchical routing table only needs to contain your own clients, and a single upstream route. That's maybe 10-20 routes for any "normal" point in the network. 50 at the most.

    Randomizing addresses, for political reasons, got us to ... checking ...

    345750 network entries using 41835750 bytes of memory

    (and of course, rising fast). The difference ? A 10000 route switch is $2000, one that can take one million routes (the minimum you'll risk if you're smart) costs around $50000 (that's per device).

  63. Re:Thanks EU by piripiri · · Score: 1

    And what if my operating system connects to the network BEFORE showing the login screen?

  64. Re:Thanks EU by 1u3hr · · Score: 1

    Great - what the internet needs is more regulation.

    How dare those cheese eaters interfere with companies' God-given right to spy on us?

  65. Re:Thanks EU by TheThiefMaster · · Score: 1

    Every process on a system already runs under a user account. Even the process that displays the login prompt. Shouldn't be a problem!

  66. Re:Thanks EU by TheRaven64 · · Score: 2

    Nope, most IPv6 implementations do periodically randomise the host part of the address (low 64 bits). They keep the old one around until all existing connections are gone, then switch to using the new one exclusively. Two subsequent HTTP requests from IPv6 hosts may come from different IP addresses without the user doing anything, although they will come from the same subnet (but that subnet can easily have a few thousand people in it if it's a university or corporate campus).

    --
    I am TheRaven on Soylent News
  67. Re:Thanks EU by TheRaven64 · · Score: 2

    IPv6 explicitly requires every network adaptor to support having multiple IP addresses concurrently. You can have one for the system, one for the web server, and one for each user.

    --
    I am TheRaven on Soylent News
  68. Re:EU = make things harder by lennier1 · · Score: 1

    I have seen plenty of people who, when encountering a log-in / register window, just close the web page and do something else. Come to think of it, all sites requiring log-ins would be a huge boost for productivity.

    Don't forget sites which want RL data (name, address) without really having a need for those details.

  69. Re:Thanks EU by growse · · Score: 1

    Isn't it the case that the most basic connected home router only needs 1 routing entry for its /64, and that clients would then have 18,446,744,073,709,552,000 different random addresses within that /64 to choose from?

    Ah, just re-read, GPP said 'routers'. Agreed, having the router doing some sort of random address translation would be insanity. What if the client picked a new random address every, say, week? day? hour? minute?

    --
    There is nothing interesting going on at my blog
  70. Re:Yes by TheRaven64 · · Score: 1

    Sounds fine to me. If your content is really that valuable to me, I'll agree. If not, then I'll go to your competitor.

    --
    I am TheRaven on Soylent News
  71. Re:Thanks EU by Astun · · Score: 1

    hey what's not to like about securing your own privacy?? that is exactly what it needs..... not an internet kill switch like some countries are trying to have -ahem- not looking at anyone america

  72. Re:Well if you choose to opt out, by Nursie · · Score: 1

    Why would I need a cookie to read things?

    This is where my understanding of all the protest over this breaks down. To just read a site, what use is it to me to have a cookie?

    Sure, for buying stuff, or for logging in or whatever else, I see how they're used. But for just reading a site (or loading an ad) why should I have to maintain a cookie?

  73. Re:Thanks EU by xenobyte · · Score: 1

    This isn't limited to 'the feds' - most police around the world behave the same way. Oh, and it doesn't even have to be plugged in... :(

    Old monitors standing idle in the corner - confiscated.
    MP3-player in the kids bedroom - confiscated.
    Ancient 5.25" floppy disks - confiscated.
    Standard household power-strips and cables - confiscated.

    The list goes on and on and doesn't make sense. Quite obviously, it's all about harassment and nothing else.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
  74. Re:Thanks EU by SimonTheSoundMan · · Score: 2

    I think we need a car analogy before we start.

    You go to a retail store and park your car outside, and while you are in the store, the retail store goes and places a GPS tracker to the underside of your car. You are unaware of this tracker, and the retail store starts tracking your exact movements. They want to know which competitors you visit, for how long and how frequently, they may also find you go to a gym every day, or figure out where you work. To remove the tracker, you will have to look under your car and remove it.

    Would you say that this unknown tracker by a brick and mortar store is acceptable?

    The EU want web sites to ask you explicitly before they can track you. A little like the analogy above asking you when you arrive at the store if they can stick the tracker under your car.

  75. Re:Thanks EU by OeLeWaPpErKe · · Score: 2

    Correct. The lower 64 bits change, the upper 64 bits stay constant.

    Now ... which of these 2 identify the client ? The changing part, or the non-changing part ?

  76. Re:EU = make things harder by Anonymous Coward · · Score: 1

    I live in a small country of only 5.2 million, and I can choose from literally dozens of mobile phone operators

    No shit, it's almost like it's easier to provide coverage for 5 million than it is for 250 million!

  77. ?session_id by thetagger · · Score: 1

    Awesome, instead of cookies we will have ?session_id= parameters. It's like the 1990s all over again! Can we go back to writing CGI scripts in Perl now?

    Now seriously, doesn't this mean that tracking will still be available to people who do really large scale behavioral-pattern datamining while us clods will have a hell of a harder time implementing any kind of non-static page?

  78. Maybe it's not such a bad idea by masterpiga · · Score: 1

    It could be a good way of getting only legitimate cookies. Content-providers will be somehow forced to get rid of all hosted content (banners, flash videos, embedded pages and whatever) that silently drops cookies into my browser, as if they won't do so the users will be prompted with 50 cookie requests whenever they are visiting their pages, and they will quickly browse to fresher waters. They will have to choose other forms of advertisement that do not violate my privacy. They (the content providers) would also be forced to be more considerate about the usage of cookies, like pushing them to your machine only after log-in. Accepting every now and then a cookie from the sites that I choose to visit wouldn't seem such a big hassle to me. On the other hand, I do not like the idea of having laws for everything, I would rather let the responsibility on the users. If they are sensitive about their privacy, they should just set their cookie policy to "always ask" and run away from sites that try to drop cookie bombs on their machines. (Even though, at the rate cookies are delivered on almost every big-content page nowadays, this strategy would soon leave them with very few places to go...)

  79. Re:Thanks EU by Fëanáro · · Score: 2

    Now I might misunderstand that RFC, but it seems totally useless.

    You can only get a different address within the subnet your provider assigns to you, so companies will simply maintain a table of which ISPs use which size of subnet, and ignore the corresponding variable part of the address.

    Presto, unique ID per household again
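
The mechanism argued over in comments 47, 66, 75 and 79, as an added example that is not part of the thread: the RFC 4941 section 3.2.1 interface-identifier algorithm generating successive temporary addresses, followed by a check of which part of the address stays constant. The prefix, MAC address and initial history value are constructed sample values, and the function names are this example's own.

```python
import hashlib
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier derived from a 48-bit MAC address."""
    octets = bytearray(int(part, 16) for part in mac.split(":"))
    octets[0] ^= 0x02  # invert the universal/local bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def next_temporary_iid(history, eui64):
    """One iteration of RFC 4941 section 3.2.1.

    Returns (interface_id, new_history). The reserved-identifier check of
    step 4 is omitted here for brevity.
    """
    digest = hashlib.md5(history + eui64).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFD  # clear bit 6 (leftmost bit is bit 0): locally significant
    return bytes(iid), digest[8:]


def temporary_addresses(prefix, mac, history, count):
    """Successive temporary addresses a host would use inside one /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("privacy extensions operate on a /64 prefix")
    eui64 = eui64_interface_id(mac)
    addresses = []
    for _ in range(count):
        iid, history = next_temporary_iid(history, eui64)
        value = int(net.network_address) | int.from_bytes(iid, "big")
        addresses.append(ipaddress.IPv6Address(value))
    return addresses


def observed_prefix(address, prefixlen=64):
    """What a remote server still sees as constant once the low bits rotate."""
    return ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)


if __name__ == "__main__":
    # Constructed inputs: documentation prefix, documentation MAC, zero history.
    addrs = temporary_addresses(
        "2001:db8:1234:5678::/64", "00:00:5e:00:53:01", bytes(8), 5
    )
    for a in addrs:
        print(a, "->", observed_prefix(a))
```

The low 64 bits differ on every rotation while the /64 is identical throughout, so the privacy gain depends on how many hosts share that prefix and on whether the provider rotates it. RFC 4941 has since been obsoleted by RFC 8981, which changes how the identifier is generated but not the prefix behaviour shown here.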

  80. Re:EU = make things harder by Alex+Belits · · Score: 1

    Google requiring log-in = people start using bing (have they renamed it again yet?) / yahoo / altavista.
    Really... this is what would happen.

    The whole point of a law is that everyone must obey it.

    There is also a matter of Google benefiting from any laws that make things harder for all search engines and ad networks -- it will hurt its competitors more than will hurt Google because Google still has more data and more sophisticated analysis, so it can afford to base its ads on data available without tracking. Google gets plenty of information from overall statistics, searches and association of ads with pages where ads are displayed. Persistent tracking is a bonus for them, however nothing will be broken if ads won't be able to set cookies all by themselves.

    --
    Contrary to the popular belief, there indeed is no God.
  81. Re:EU = make things harder by beaviz · · Score: 1

    I live in a small country of only 5.2 million, and I can choose from literally dozens of mobile phone operators

    No shit, it's almost like it's easier to provide coverage for 5 million than it is for 250 million!

    That is SO true. If you have 250 million people, there's no potential customers! Or hey wait a minute. It's exactly the same. Bullshit argument.

  82. Meanwhile, in USA, USA, USA by ThatsNotPudding · · Score: 1

    Unions are being banned and corporations can give limitless amounts of cash to politicians. Proud, very proud.

  83. Aaaargh! Welcome to pop-up hell, or just hell... by barry61 · · Score: 1

    This legislation, which is close to being enacted, has avoided publicity to date. I can see why people might want it, though I think it would be better sorted by a browser fix (you can switch off cookies right?). From the point of view of smaller websites, having to specifically ask every time you want to issue a cookie is a nightmare - presumably we do this through a pop-up? (pop-up blocked anyone?)

    The IP record fix looks like a way to avoid this, though paradoxically it results in our having to record more specific data about visitors, logging IP addresses and browser details in a database, and trying to match them up to each HTTP request to ensure that the visitor gets the service the site is intended to provide. Previously we haven't bothered recording any of this data - the cookie was between you and the temp folder on the server...

    Sorry, but this is a crap bit of legislation...

  84. Re:Thanks EU by u38cg · · Score: 1

    The detailed drafting of the regulations, which is how European directives are implemented, will not be ready before May. It's hardly unreasonable to state you're not going to be strictly enforcing regulations which haven't yet been promulgated.

    --
    [FUCK BETA]
  85. Re:Why are people so obsessed with cookies? by Alex+Belits · · Score: 1

    Ad networks and tracking behavior of users between unrelated visits. Things can get seriously creepy if, say, news site will always first display the stories similar to the topic user looked at before, even if the user does not have an account and did not want the site to choose those things for him.

    --
    Contrary to the popular belief, there indeed is no God.
  86. Not sure about this - is it really enforceable? by coofercat · · Score: 1

    I wonder how enforceable this is - asking all website owners to ask if they can set an anonymous cookie? Really?

    However, I wonder if the spirit of it is best achieved in the browser. Essentially, accept cookies from the hostname/domain written in the address bar, and don't accept any others. Thus, visiting /. will give me a slashdot.org cookie (maybe), but won't give me (or send out) the Google Analytics or Addme cookies (which aren't in my interest, as they aren't sites I'm visiting).

    Personally, I hope this gets watered down to a browser feature, rather than what it appears to be right now. But I can see worse worlds than one where you can't have anonymous cookies without permission. Of course, we realise that ad networks will move out of the EU to avoid this, but that will slow down ad delivery, which will make them less attractive to advertisers than the in-EU ones, so we may well see less of that than we might imagine at this point. In the longer term, I'm sure the lowlives of the tracking world will find ways to do their work without worrying about these regulations, but keeping them out of the EU isn't really a bad thing for us Europeans.

    1. Re:Not sure about this - is it really enforceable? by omglolbah · · Score: 1

      And as usual, the legislation is quite strict and scary looking to a lot of corporations.

      And I suspect the usual thing will happen, as with cell-phone calls across borders within the EU...

      The companies will fix the issue to make the law unneeded to avoid the huge mess the law would create. This is a motivator for a lot of corporations to take a second look at what they're doing. The advertising corporations must be monitoring this and realize that they can't just harvest all they can with no regard for any privacy concern or the hammer -will- come down.

      I doubt the law will ever come into play unless there is yet another major privacy breach to spur it.

  87. Re:Yes by nosferatu1001 · · Score: 2

    Fabulous. At least I now:

    a) know you are wanting to load 12 trackers
    b) can decide whether your site is soooo critical to me I'm willing to load them.

    The answer to b is "unlikely" - great thing about the web, if you're doing it someone else probably is as well. I'll go there.

  88. Re:EU = make things harder by nosferatu1001 · · Score: 2

    EULA /= EXPLICIT CONSENT.

    Guess what is required by the directive.

  89. Re:EU = make things harder by nosferatu1001 · · Score: 1

    Or you can be taken to court, have criminal proceedings brought against you and the directors put in jail.

  90. Re:Thanks EU by KingMotley · · Score: 1

    No, it's just that it isn't that hard to either write, or in the case of browsers that support add-ins (IE, Firefox, Chrome -- maybe opera with 11+) to manage/deny cookies if you are that much of a privacy nut.

    Personally, I *like* advertising companies knowing more of what I like and don't like. That way I will stop getting bombarded by viagra/cialis products. I don't need them. If you are going to put an ad up, put one up that I might actually be interested in.

    As for the EU/Microsoft... The whole browser thing we all said was a farce when the EU was fining MS. They forced them to implement a browser ballot box to "prove" there was injustice, and finally level the playing field (Because EU residents are obviously all sheep and can't download their own browser). And what were the effects of all the EU bullshit? Nothing. Nothing at all. Ok, well, the 9th place browser manufacturer claiming they had their downloads per week nearly DOUBLE, statistics show that IE usage actually INCREASED shortly after the ballot box was introduced. Nice job EU.

    If you are going to trot out some bullshit about how the US has "typical anti-EU sentiment", please pick an example that doesn't show how ridiculously stupid the EU was being.

  91. Re:EU = make things harder by AmiMoJo · · Score: 1

    Fortunately the EU isn't that stupid and covers all methods, not just cookies. The BBC focused on cookies because they are something people have heard of, but the rules cover all forms of tracking. ISP level, Google-style redirect-URL level, malware level...

    It seems like the US is trying to have something similar with an opt-out do-not-track list. In the EU we prefer the option that by default gives citizens the most protection/benefit, so ours is opt-in.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  92. Re:Aaaargh! Welcome to pop-up hell, or just hell.. by omglolbah · · Score: 1

    Yes it is a piece of crap legislation. Why?

    It is trying to stop abuse happening through tracking with cookies. There really isn't any technical way to fix this without breaking or inconveniencing a lot of people.

    Bad situations make for bad laws. I agree that it would be a bad idea in its present form, but dismissing the intention behind it is not.

  93. Re:Thanks EU by Crudely_Indecent · · Score: 1

    Did you forget NAT64?

    --


    "Lame" - Galaxar
  94. I have a simple means of getting explicit consent by drinkypoo · · Score: 1

    If the user blocks cookies, then I won't set any cookies. If the user doesn't block cookies, I will set them.

    What we need is not a rule like this, which is stupid. We need an accessibility rule that says any website which must be accessible (government and utilities for example) must work without cookies.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  95. Re:EU = make things harder by kikito · · Score: 1

    The invisible hand is just another religion.

  96. Re:EU = make things harder by angel'o'sphere · · Score: 2

    Corporations are going to force you to sign EULA that includes allowing them to track you for EVERYTHING. Think of Google requiring login (no anonymous searches).

    Sigh ... you know so little about what is going on outside of the USA.
    In the EU you can not waive rights/privileges which you have by law by "signing" an EULA. EULAs in the sense as they exist in the USA are not existing in Europe. It is illegal to put something into an EULA which is contradicting to law. Sigh, you can not give up your rights. Not even by clicking on an EULA thing ...
    It is so simple: EU law > state law > region law >> EULA / contract / agreement etc.

    angel'o'sphere

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  97. Re:EU = make things harder by kikito · · Score: 1

    I'd argue that US =/= Utah times 50 (fortunately for US)

    And Estonia is a great place, you should visit it.

  98. Re:EU = make things harder by Anonymous Coward · · Score: 1

    The situation he's describing is true for the UK as well (population : 61.8m as of 2009).

    Now, as I understand it that's about a fifth of the population of the USA. However, the USA is a collection of states with their own governments, much like the EU. There's *NO* reason that regulations like this couldn't be implemented at the state level - the largest state in terms of population is California, with 38m, and there are only 7 states with more than 10m people (april 2010 census figures).

    Actually, I take that back. There is *one* reason you won't see this in the US - a lack of political will. California seems to be the only state that actually cares about its citizens' privacy, and it's constantly butting heads with Federal as a result.

  99. Re:EU = make things harder by Anonymous Coward · · Score: 1

    Back to the original topic: tracking cookies. This regulation is in response to companies who abuse users by tracking them using cookies. This is unwanted behavior. Cookies were not originally intended for this use and since companies have been abusing cookies (and by extension the consumers/users), it calls for regulation since companies in the free market cannot be held responsible for acting responsibly. Companies will only do what they can to increase profits and/or market share unless forced to do something else. Regulating cookies for tracking behavior is needed and I do not have a problem with this. It protects me as a consumer since it is widely known to be abused. This is precisely why regulation is sometimes needed.

    Except that's not what requiring permission for all cookies does.

    Requiring explicit permission for all cookies trains users to "just click OK" to the cookie permission popups. This also means that by disguising something else as a cookies popup you can get users to click "OK" and give it permission to do something else entirely.

    A passable solution would be requiring browsers to default to denying all cookies not on a white list. But that is very different from requiring web pages to secure permission every time they want to issue a cookie.

  100. cookies are being replaced anyway by WebDB by gr8_phk · · Score: 1

    Cookies are so last millennium. Firefox 4 is pushing that new WebDB or whatever it's called so companies can keep a whole database of info on your local machine. Heck, they won't even need to keep user information in their own database, they can just query your machine any time you visit them. Go ahead, let them ban cookies altogether so we're forced into this new more scalable and flexible replacement.

  101. Re:Thanks EU by Mr.+Slippery · · Score: 1

    not an internet kill switch like some countries are trying to have -ahem- not looking at anyone america

    The U.S. is not "trying" to have an internet kill switch. It has one, under a law that goes back to the 1930s and grants the President broad authority over wired and wireless communication. The bill in question would have limited, not expanded, this power.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  102. Re:Thanks EU by Agripa · · Score: 1

    You can only get a different address within the subnet your provider assigns to you, so companies will simply maintain a table of which ISPs use which size of subnet, and ignore the corresponding variable part of the address.

    Presto, unique ID per household again

    But this is largely already the case with IPv4. Either your single IPv4 address rarely or never changes or even worse, reverse DNS will return your DNS address assigned by your ISP. Do those DNS addresses ever change?

    At least some IPv6 tunnel brokers allow you to set up your own reverse DNS.

  103. Just stop cross-site cookies, that would be enough by 01101010001010001010 · · Score: 1

    When you leave a site you can have a popup / popunder to say that the site has put a cookie on your browser so that when you come back you can auto-login. That makes sense. How to explain to a user why a website at www.site1.com has allowed www.site2.com to put a cookie on your browser (e.g. advert networks, google analytics) is much harder. Differentiate between the two and you could have a workable system. Screwing up google analytics would leave me looking to auto-upload all my apache logs to Google somehow, which would then beg the question of 'Who do server logs belong to?' I'm assuming they are mine in the same way that if I sat by the roadside and made a list of the number plates of the cars that passed, that data would be mine as well...... What do you think? P

  104. Re:Thanks EU by mldi · · Score: 1

    Can already do this with IPv4.

    --
    If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
  105. Re:EU = make things harder by maxwell+demon · · Score: 1

    And why should Google require login? I can use Google with cookies disabled just fine.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  106. Re:Aaaargh! Welcome to pop-up hell, or just hell.. by barry61 · · Score: 1

    As far as I can see the purpose of the legislation is to prevent targeted advertising, though if you have a real heap of information on people I guess you could try to profile them in more detail. This isn't something that most websites can do effectively in isolation, as we simply don't have the market coverage to track what people are doing outside of the 20 seconds or so most visitors spend on the site (short of downloading your browser history - NOTE update your browser!). It is more of an option for big online retailers, like Amazon, though I honestly don't object to them suggesting products on the basis of what I've looked at already - I guess there is a trust relationship there which I find adds to the browsing/shopping experience.

    In the UK the big stink came with the Phorm contract with BT, one of our main ISPs, but this is a very different technology to what we as web developers usually have access to, and I don't believe it was cookie based...

    In fact the only people I know of at the moment who track you (me and everyone else) like a hawk are the Search Engines. They do do it to offer you targeted searches, which are pretty annoying if you are logged in as they can give you a seriously distorted view of the web (why is that little site you have just created at the head of the Google rankings? - Oh bugger, logout and look again!), but even if you are not logged in they will set regional preferences for your search, though clearly they use IP tracking rather than cookies.

    To get a similar level of intelligence to that in the possession of the likes of Google, large numbers of websites would have to pool information, and if you are talking about this level of integrated development, then you would be using IP tracking as well, and not cookies, which are site specific (again make sure your browser is up-to-date!).

    Now, just perhaps there is a business model for world domination here...

  107. They don't understand the tech by Sloppy · · Score: 1

    Lawmakers can demand whatever they want, and ultimately get it by means of force. I am not going to dispute that, or EU's right to (however misguidedly and stupidly) attempt to protect people's anonymity.

    But .. this is lame, because it is so utterly at odds with how cookies work.

    All cookies used by websites are voluntarily sent, at least as far as the website can tell. The website offers a cookie, and the browser (or user, depending on how good the UI is) decides whether or not to store that cookie and later send it back in future requests. If there is any lack of consent here, it's that the browsers aren't asking users what they want.

    You can pretend that this is all just technicalities, but nevertheless that is the reality of the situation, so anything stemming from the false pretense is likely to have unintended consequences and fail to accomplish its goal.

    Websites do not store cookies on your computer. They do not have that capability. Your browser really is the problem, and if you try to hold websites responsible for what happens, instead of whoever is actually responsible, then all the bad things that you worry about, are going to continue to happen.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
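Added example, not part of any comment in this thread: a minimal browser-side cookie jar in Python showing the mechanics described above, where the site only offers a cookie in a `Set-Cookie` header and the client decides whether to store it and send it back. The hosts, cookie values and the consent policy (first-party session cookies are kept, persistent or third-party cookies need a recorded "yes") are assumptions made for illustration, not the directive's wording.

```python
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class ConsentJar:
    """Browser-side cookie store: a site can only offer cookies, the jar decides."""
    page_host: str                                   # host in the address bar
    consented: set = field(default_factory=set)      # hosts the user approved
    store: dict = field(default_factory=dict)        # (host, name) -> value

    def is_third_party(self, host):
        # Simplified check; real browsers compare registrable domains
        # using the Public Suffix List.
        return not (host == self.page_host or host.endswith("." + self.page_host))

    def offer(self, host, set_cookie_header):
        """Process one Set-Cookie header from `host`; return {name: decision}."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        decisions = {}
        for name, morsel in parsed.items():
            # No Expires and no Max-Age means a session cookie.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            if host in self.consented:
                decision = "stored (user consented)"
            elif not persistent and not self.is_third_party(host):
                decision = "stored (first-party session cookie)"
            else:
                decision = "refused (no consent)"
            if decision.startswith("stored"):
                self.store[(host, name)] = morsel.value
            decisions[name] = decision
        return decisions

    def cookie_header(self, host):
        """Value of the Cookie request header the jar would send to `host`."""
        pairs = [f"{n}={v}" for (h, n), v in sorted(self.store.items()) if h == host]
        return "; ".join(pairs)


def demo():
    # Constructed responses: a login session, a long-lived preference cookie,
    # and a cookie offered by an advertiser's host embedded in the page.
    jar = ConsentJar(page_host="shop.example")
    results = [
        jar.offer("shop.example", "sid=9f2c; Path=/; HttpOnly"),
        jar.offer("shop.example", "prefs=lang-en; Max-Age=31536000"),
        jar.offer("ads.tracker.example", "uid=u-77; Max-Age=63072000"),
    ]
    before = jar.cookie_header("shop.example")
    jar.consented.add("shop.example")     # the user clicks "yes" for this site
    results.append(jar.offer("shop.example", "prefs=lang-en; Max-Age=31536000"))
    after = jar.cookie_header("shop.example")
    return results, before, after, jar.cookie_header("ads.tracker.example")


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The server never learns that a cookie was refused; it only sees that later requests arrive without it.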
  108. Re:Just stop cross-site cookies, that would be eno by barry61 · · Score: 1

    It ought not to be possible to post cross-site cookies, though with many sites adverts and other content is displayed in frames, so it is not clear what site you are actually on... Perhaps it shouldn't be possible to download framed content from a different root URL in the one browser window? (Browser developers - does this make sense?)

  109. Re:EU = make things harder by phantomfive · · Score: 1

    Oh ya, thanks, I'd love to visit Estonia sometime.

    --
    "First they came for the slanderers and i said nothing."
  110. Re:EU = make things harder by LordLimecat · · Score: 1

    You see, over here, we actually care about privacy and our governments do actually help to protect it.

    In other words, by protecting people from themselves we make them more free, is that it?

    Look, this isn't hard. Don't want facebook to try to monetize you? Don't use facebook. If people care enough about such things they will educate themselves on them; if they do not, they will not.

    Over here in the US, you see, there has historically been an emphasis on "freedom to do things" rather than "freedom from things", though here too it is changing recently.

  111. Re:EU = make things harder by LordLimecat · · Score: 1

    If Bing cannot track you, it cannot monetize you. What makes you think a corporation wants to lose billions a year on a search engine that raises 0 revenue?

  112. They love burying exactly this sort of thing by Livius · · Score: 1

    This is exactly what evil corporations do all the time. Request consent for something seemingly innocuous that in fact signs away your rights to any confidentiality at all, with about as much opportunity for negotiating the terms as the average EULA.

  113. Re:Thanks EU by F�an�ro · · Score: 1

    This is definitely not the case where I live.
    My ISP gives a new IP on each connect, often a different subnet, and the reverse-dns addresses are tied to the IP and change with them. Any DSL provider I know does the same thing.

    Several even force a disconnect after 24 hours, others have longer periods, but changing your IP is as simple as setting your modem to disconnect on idle.

  114. Re:EU = make things harder by angel'o'sphere · · Score: 2

    Well,
    I assume you are either an Estonian living in Italy or an Italian living in Estonia ... or from where does your wisdom come?
    Anyway, the EU consists of 27 countries. You picked Italy as a very bad example out of those ;D
    The EU is politically and culturally in fact a very homogeneous area. At least as homogeneous as you can be if the south west in Portugal is Catholic and speaks a romanian language while the 3 Baltic nations speak their own micro languages and the north is Protestant and speaks mainly indo germanian languages. Anyway, in culture we have much in common. So, Italy ... the country of contrasts. The second richest region of the EU is in north Italy. In fact I think it is the third richest in the world; the area in Lombardy and around has the highest per capita income. As a side note, the richest area of the world is San Marino, an enclave state with perhaps only 100,000 inhabitants and likely only a dozen villages ... even smaller than Liechtenstein.
    OTOH the south of Italy is by far the poorest region of Europe.
    Regarding healthcare, well, I think you took the wrong topic to pick on. Especially the young nations, where you would not believe it, have excellent health care. The Estonian one is outstanding.
    Italy has the lowest infant death rate of the world, e.g. A lot of people in Switzerland (which has an excellent health care system) travel for difficult operations to Italy. Because the Italian hospitals are better.
    Anyway, just to set some stuff straight.
    Best Regards
    angel'o'sphere

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  115. Regulate use. by Requiem18th · · Score: 1

    While I approve of privacy oriented legislation, I'm more concerned with regulating humans than software.

    A good analogy is how a doctor wouldn't get in trouble for collecting your medical history, but will get in trouble if he sell that information to advertisers. I don't think making it illegal to store cookies is the right way about it. Rather make it illegal to sell this information to others, or to retain it for periods longer than a certain threshold.

    Regulate the use of the information collected, not the technology used to collect it.

    --
    But... the future refused to change.
  116. Guess they just won't run ad services in the EU by Luke-Jr · · Score: 1

    EU can't regulate US companies, so all the ad services will just operate over here...

    --
    Luke-Jr
  117. Re:Thanks EU by angel'o'sphere · · Score: 1

    You guys seem not to get that the hosting location is completely irrelevant, or do you?

    If my web address is www.denominazione.it, entreprise.fr, corporation.co.uk or firma.de it is obviously a web address serving content for a European company.

    Who the fuck cares in what banana republic the server is hosted?

    You are liable under EU law for what you as an EU company do ... after all obviously such a company would offer its web services very likely mainly to EU citizens.

    angel'o'sphere

    P.S. do you really think a US corporation would get away with breaking US laws by placing their server in Germany?

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  118. Re:EU = make things harder by jopsen · · Score: 1

    You don't know what you are talking about. You can't reasonably think of the EU as one homogenous unit.

    True, there's a huge difference between the member nations in many aspects... Especially when it comes to stuff like social services, income and wealth... However, in terms of regulation a lot of good work and consolidation of laws is happening at the EU...

  119. Re:Thanks EU by TheRaven64 · · Score: 1

    In theory, yes, but how many people have enough public IPv4 addresses assigned to do this? IANA rules mean that they shouldn't have them if they do...

    --
    I am TheRaven on Soylent News
  120. Re:EU = make things harder by AtomicJake · · Score: 1

    Does the EU do anything apart from make things harder for people? This effectively means no anonymous cookies.

    What is an "anonymous" cookie? A cookie that I cannot see - a "stealth cookie"?

    I'm guessing it's more about controling and monitoring citizens than about protecting their privacy.

    Wrong guess. It has nothing to do with it.

    The thing is there are lots of legitimate uses for anonymous or one time cookies for which consent isn't practical, so if this flies, it will detract from the Internet as we know it.

    Please elaborate.

    BTW: I agree to another argument: We can use cookie filters within the browser and do not need to make it part of the Web sites. On the other hand, if all sites that do not actually need cookies from a technical point stop using them, this would be a Good Thing(tm).

  121. Re:EU = make things harder by cdrguru · · Score: 1

    Yes, but you are far less valuable to Google without knowing your habits that they can sell. So much less valuable that they are unwilling to provide service to you without said tracking.

  122. Re:EU = make things harder by AtomicJake · · Score: 1

    And why should privacy protection require a log-in? It's the exact opposite.

  123. Re:Thanks EU by steveg · · Score: 1

    Which of those involve routing? The changing part, or the static part?

    --
    Ignorance killed the cat. Curiosity was framed.
  124. Re:EU = make things harder by AmonTheMetalhead · · Score: 1

    You seem to be more informed about this specific regulation than I am, do you happen to have a link to the text? I've got no clue where to even start looking for it.

  125. Re:Thanks EU by omnichad · · Score: 1

    Quite obviously, it's all about harassment and nothing else.

    And free old electronics recycling, apparently. It can get expensive to properly dispose of those lead filled CRT monitors.

  126. Re:Thanks EU by omnichad · · Score: 1

    They seem to be pretty vague on what cookies are allowed. Cookies that maintain shopping carts are specifically allowed, but I see nothing in the article about cookies to maintain a login session. So even logging into GMail would require asking permission to store a cookie, and users would think that it's only for advertising tracking. So just to use most sites, you'd have to grant them free access to write cookies anyway.

  127. Re:EU = make things harder by maxwell+demon · · Score: 1

    You must have a very strange version of C, where /= divides the right argument by the left. All C versions I know divide the left argument by the right.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  128. Re:EU = make things harder by maxwell+demon · · Score: 1

    California seems to be the only state that actually cares about its citizens' privacy, and it's constantly butting heads with Federal as a result.

    Maybe it's related to the fact that Schwarzenegger is originally Austrian?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  129. Re:EU = make things harder by maxwell+demon · · Score: 1

    What is an "anonymous" cookie?

    A cookie without a name, of course. :-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  130. Re:Thanks EU by maxwell+demon · · Score: 1

    In order to have a monopoly on the user data?

    --
    The Tao of math: The numbers you can count are not the real numbers.
  131. Catch 22 and the pain in the arse.. by SuperCharlie · · Score: 1

    So.. you go to a site.. it says "please allow us to store cookies to enhance your experience" yada yada.. you say no.. next time..you get the same message...lather, rinse, repeat until you say yes because **there is no other way to maintain the persistent state of the selection**.

    People will simply not go to the sites eventually or say yes after the umpteenth time to get away from having to click no.

  132. non-stored cookies? by tmshort · · Score: 1

    Does a "text file" only exist on secondary storage? What about session cookies - those without an expiration date that are generally not written to a file on disk. Do they count? No "text file" is created, so they wouldn't fall under this law? It's a bit vague.

  133. Why? by cdrguru · · Score: 1

    There are other ways that are more secretive and much harder for users to control than cookies. Fingerprinting the user's computer isn't that hard and if you collect enough information through the browser you can probably do it with 99% accuracy or better. So then you can store the information on the server.

    What this should do is annoy the crap out of users. The "proper" implementation is to ask with a popup every time a cookie would be stored. If the user has the browser confirming cookies this would result in two popups for every cookie - the more the better, right?

    What this regulation seems to think they are addressing is some kind of special "tracking" cookie and not ordinary cookies that are used simply to save things like login information. I haven't read the regulation but from the article it sounds like they carved out some very small number of specific, none of which apply to my web site. So, do I assume the regulations aren't really going to apply to me?

    Of course, there is the question of what possible point does this have for any US-based company? Would it mean that EU-affiliates would be prosecuted? Hardly. Would it mean that an EU subsidiary would be prosecuted? Maybe. For a small US company, I'm not sure it has any meaning at all. Except we would get email from angry EU users trying to say that we were not following EU regulations and they were going to "turn us in to the Web police". Yes, I have gotten email like that before.

    I think the real solution is for every web site to confirm every cookie individually. Annoy the crap out of users and make sure they know it is this new EU regulation that is requiring it. Maybe that would get some clarification or a repeal. It sounds like an incredibly short sighted and pointless regulation.

  134. Re:Thanks EU by OeLeWaPpErKe · · Score: 1

    *sigh* the point I was trying to make is that the unchanging part identifies the client.

  135. Re:EU = make things harder by Alex+Belits · · Score: 1

    It's the other way around. Logged in user has to be tracked just to maintain his logged in status (this still doesn't mean, site should report those things to advertisers). However when user is not logged in, there should not be any cookies that identify the user when he will look at the same site later, or (especially) cookies for completely unrelated advertisers' hosts that have nothing to do with functionality of the site.

    --
    Contrary to the popular belief, there indeed is no God.
  136. Re:Thanks EU by icebraining · · Score: 1

    The server can just drop/ignore all the bits that might change, which still identifies a single home router (like having a single public IPv4 address + NAT).

  137. Re:Thanks EU by icebraining · · Score: 1

    Mine too. I use a dynamic dns service for my home server, but it's almost useless, it hasn't changed since I set it up last year.

  138. Re:Thanks EU by icebraining · · Score: 1

    No, it's just that it isn't that hard to either write, or in the case of browsers that support add-ins (IE, Firefox, Chrome -- maybe opera with 11+) to manage/deny cookies if you are that much of a privacy nut.

    That doesn't give companies the right to exploit people's privacy. Whether you can block it or not is irrelevant.

    Personally, I *like* advertising companies knowing more of what I like and don't like. That way I will stop getting bombarded by viagra/cialis products. I don't need them. If you are going to put an ad up, put one up that I might actually be interested in.

    So give them permission, the law doesn't stop you as the consumer from giving your data away.

  139. Re:Thanks EU by icebraining · · Score: 1

    From the actual directive:

    (...) Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. (...)

    Directive 2009/136/EC, clause 66.

    Seems it covers login cookies.

  140. Re:What the fuck by icebraining · · Score: 1

    Do you actually think you're only tracked when you choose that checkbox? Ha. You don't even have to register to be tracked, especially by ad networks.

  141. Re:Thanks EU by mldi · · Score: 1

    Not that many people. I personally do this, as I have multiple public IP addresses with 1 internet connection. Helps me keep personal traffic separate from server traffic. I don't want to be personally blocked by IP if my server was crawling a website and they have more sensitive rules than the norm.

    --
    If you aren't suspicious of your government's actions, you aren't doing your job as a responsible citizen.
  142. Re:Thanks EU by KingMotley · · Score: 1

    Whether you can block it or not is irrelevant.

    No, that is completely relevant. Obviously the government needs to step in because people can't be bothered to keep things they want private, private.

  143. Re:Thanks EU by icebraining · · Score: 1

    That's like saying that companies should be stopped from putting cameras in every street because people can't be bothered to use face-covering hats.
    People shouldn't have to - this isn't people willingly submitting data without reading a ToS. You can be tracked without registering or accepting anything, especially by third-party ad networks and such.

    Not to mention, it's impossible for the user to distinguish between a tracking cookie and a login or preferences cookie.

  144. Re:Thanks EU by KingMotley · · Score: 1

    That's like saying that companies should be stopped from putting cameras in every street because people can't be bothered to use face-covering hats.

    Are you suggesting that it should be illegal for traffic cameras, ATM cameras, in store cameras, etc? lol.

    Not to mention, it's impossible for the user to distinguish between a tracking cookie and a login or preferences cookie.

    That is because they are exactly the same thing. Only difference is how they are used. I'm quite sure the EU will be incompetent enough to make both illegal.

  145. Re:Thanks EU by icebraining · · Score: 1

    Are you suggesting that it should be illegal for traffic cameras, ATM cameras, in store cameras, etc? lol.

    No, and neither will be cookies. But in the EU such cameras are regulated. At least if the camera films the street you need a permission, and you have to make sure the data isn't cross-linked with other cameras or shared with third-parties, exactly to prevent such tracking.

    That is because they are exactly the same thing. Only difference is how they are used. I'm quite sure the EU will be incompetent enough to make both illegal.

    First, tracking cookies won't be illegal, sites will only need to ask for explicit permission from the user. There's a large difference. In fact, many websites already have a "remember me" checkbox for such needs.

    Secondly, instead of being "quite sure", you could actually know by reading the directive, but I'll do it for you:

    (...) Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. (...)

    Seems to cover login cookies, as they are "strictly necessary" to give you the service you registered for.

  146. Re:Thanks EU by KingMotley · · Score: 1

    (...) Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. (...)

    Seems to cover login cookies, as they are "strictly necessary" to give you the service you registered for.

    Thanks for proving my point. Now just wait for the inevitable lawsuit to be put forth proving that you don't need any kind of cookie to provide said service (say, such as using a unique/encrypted seed as part of the query string in the URLS), and presto! You have exactly what I just said.

  147. Re:Thanks EU by icebraining · · Score: 1

    Now just wait for the inevitable lawsuit to be put forth proving that you don't need any kind of cookie to provide said service (say, such as using a unique/encrypted seed as part of the query string in the URLS), and presto! You have exactly what I just said.

    First, the directive isn't law, so the specific wording is irrelevant.

    Second, people don't sue over anything over here, they would complain to their national data protection commission.

    Third, it's obvious that the directive isn't specifically against cookies, so the commission, knowing that a query string or any other method identifies you as well as a session cookie (it's their purpose as login keeping system), would simply disregard such complaint as an identifying system - regardless of how it's implemented - is in fact required to log people in.

  148. Re:Thanks EU by DarwinSurvivor · · Score: 1

    Maybe in the US, but here in Canada we have a recycling program. Every time you buy a piece of electronic equipment, a recycling fee is added to your bill. This means that we can now take ANY electronic device to the recyclers for FREE. If you have a *large* quantity, you can even arrange for them to pick it up, for FREE! It's very similar to the oil situation, almost any gas station with a garage will take used oil for free and send it to the recyclers, because you've already paid the recycling fee when you bought it.

  149. Re:Thanks EU by steveg · · Score: 1

    Except I think you're wrong. The unchanging part identifies the subnet. The changing part identifies the client.

    --
    Ignorance killed the cat. Curiosity was framed.
  150. Re:Thanks EU by OeLeWaPpErKe · · Score: 1

    And, pray tell, what *is* the subnet identified ... it is the ethernet port of the router at the customer site. So you can identify that. Which home the request was made from. Is that personally identifying information? Of course it is.

    The other "changing" part, you can determine the machine's MAC address from it, so it identifies the machine uniquely.
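Added example, not part of any comment in this thread: a Python check of the two claims made in the IPv6 sub-thread, namely that the network prefix alone identifies the customer's subnet and that an interface identifier built with modified EUI-64 exposes the machine's MAC address. The addresses are constructed from the 2001:db8::/32 documentation range, and the /64 prefix length is an assumption (providers may delegate a shorter prefix per customer).

```python
import ipaddress


def split_ipv6(addr, prefix_len=64):
    """Return (network prefix, 64-bit interface identifier) for an IPv6 address."""
    network = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return network, iid


def mac_from_eui64(iid):
    """Recover the MAC if the interface identifier is modified EUI-64, else None."""
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":        # EUI-64 inserts ff:fe between the MAC halves
        return None
    # Undo the inverted universal/local bit in the first octet.
    mac = bytes([raw[0] ^ 0x02]) + raw[1:3] + raw[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def analyse(addresses, prefix_len=64):
    """For each address report the subnet it belongs to and any MAC it leaks."""
    report = []
    for addr in addresses:
        network, iid = split_ipv6(addr, prefix_len)
        report.append({"address": addr,
                       "prefix": str(network),
                       "mac": mac_from_eui64(iid)})
    return report


# Constructed sample: one machine seen behind two different prefixes with an
# EUI-64 address, plus a second address in the first subnet whose randomised
# interface identifier (as produced by IPv6 privacy extensions) hides the MAC.
SAMPLE = [
    "2001:db8:42:1:21a:2bff:fe3c:4d5e",
    "2001:db8:99:7:21a:2bff:fe3c:4d5e",
    "2001:db8:42:1:5c3a:91d2:7be4:f16",
]

if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(row)
```

Running it against a host's own addresses shows whether they still embed the hardware address; temporary addresses from IPv6 privacy extensions (RFC 4941) leave only the prefix as a stable identifier.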