New EU Net Rules Set To Make Cookies Crumble
NickstaDB writes "From the BBC article: 'From 25 May, European laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies." These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"
They will just bury such "consent" in the EULA, privacy policy, terms and conditions, legal notices, and other such crud that no one reads.
Great - what the internet needs is more regulation.
Thanks EU.
I think that's exactly what America needs: more EU regulation. We'll just host their sites over here, because we don't have to comply with their stupid laws.
John
IPv6 will give almost everybody practically static addresses, the ultimate undeletable cookie. So the EU regulation will be futile very soon.
Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent. Time will tell how this all plays out, but it's safe to say that people get bored of clicking "allow" really quickly.
Do browsers even ask if you want to allow cookies these days? I guess not? 10 years ago you did have to explicitly allow them (either globally or on a per-site basis) but I guess they are allowed by default these days? Can't remember seeing a cookie prompt in a long time.
.: Max Romantschuk
Cookies have legitimate uses that have nothing to do with "tracking". Perhaps the issue comes with trying to interpret the specific language used rather than knee-jerk "everyone must opt-in". If your cookies are not used to track -- if you do not use, for example, Google analytics -- then you are not in violation. The article basically states this.
The web browser, whichever one it is, that the user has decided to use should make the decision about whether or not to ask the user's permission to set a cookie. Websites are not doing anything malicious by setting cookies, they are simply asking the client browser to keep a bit of information and return it on subsequent visits. The web browser can ignore the request, ask the user for permission first, or silently accept it.
Many browsers can be configured to operate in any of those three modes. Effort would be better spent educating users... or better yet... just let it go already, it isn't a big deal.
I couldn't give a rat's arse how much it costs sites to comply. I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself. Cookies have been a fundamental feature of the web for a long time as a way to make the web a better experience for users, but I certainly didn't ask advertisers et al to abuse this functionality for things that aren't in my interest.
HAHAHA. Says the guy whose country created the patriot act! American VPS companies have been losing lots of money because people don't want to put their data on a server in a country where the government can just go "This server is running on the same hardware as someone who MAY have sent a secret message to someone in IRAQ with a picture of a child, thus we are confiscating everything!"
HAPPY FUN GRAMMAR NAZI ADVENTURE: "Jurisdiction", not "Jurisprudence". Remember, a dictionary page per day keeps the lurking trolls at bay!
Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
Sorry, you are looking at it from the wrong direction. The difference between the US and the EU is that the EU (or by extension the state governments that form it) are protecting their citizens from violations of privacy by corporations. You see, over here, we actually care about privacy and our governments do actually help to protect it. Done properly and where needed, regulation is a Good Thing(tm). Corporate Fascism hasn't yet fully taken over here in the EU as it has in the US.
All you have to do is look at areas such as telecommunications: The EU's mobile phone operators and ISPs provide FAR better service, better prices and a LOT more competition in this area than in the US. I live in a small country of only 5.2 million, and I can choose from literally dozens of mobile phone operators and I have multiple ISPs to choose from with very competitive offerings. I can shop for the best price and/or service. I am not limited to one or two major monopolistic operators or ISPs like in some parts of the US.
Just like the 2-party political system, which is a joke, you guys over in the States need to get over your long-held belief that regulation is bad. Regulation in the EU generally *protects* the consumer and their privacy and prevents monopolistic business practices. In the US, practically everyone believes in the invisible hand of the free market. The problem is the invisible hand is stealing from consumers' pockets and stuffing the pockets of corporations. The invisible hand is NOT working in YOUR favor, it's working in favor of the corporations.
Now before a troll comes along and says I do not know what I am talking about, I am an American living abroad in the EU, for more than 10 years. I have lived and worked in both places and I have worked for both American and EU based companies. I can assure you, the EU way really is better and I cannot really consider living and working in the US anymore. It is a major downgrade on practically every metric.
Back to the original topic: tracking cookies. This regulation is in response to companies who abuse users by tracking them using cookies. This is unwanted behavior. Cookies were not originally intended for this use and since companies have been abusing cookies (and by extension the consumers/users), it calls for regulation since companies in the free market cannot be held responsible for acting responsibly. Companies will only do what they can to increase profits and/or market share unless forced to do something else. Regulating cookies for tracking behavior is needed and I do not have a problem with this. It protects me as a consumer since it is widely known to be abused. This is precisely why regulation is sometimes needed.
You may be willing to allow corporations to perform uncontrolled data mining of your online habits but I prefer to have control over that information since the information is open to abuse. There is no legitimate justification for corporations to collect this information other than to use it for their benefit. They are certainly not collecting it to help you as a consumer.
We here in the US refer to that as the "ignition switch" and it's very effective at telling the machine not to burn fuel.
Europe today would be the same if Hitler had won. They are worse than Nazis
Wow am I out of the loop or what. They still practice genocide over there?
I think that's exactly what America needs: more EU regulation.
Actually, it probably is.
The Europeans take their privacy laws very seriously and, unlike the USA, they enforce the shit out of them.
The USA has a lot of laws, but enforcement is hit or miss, especially when it comes to consumer protection.
[Fuck Beta]
o0t!
You got modded flamebait but in reality you've understated the situation quite significantly. When the feds come to bust a private host for something they usually take everything in the room that is even plugged into the same power line and all the networking hardware out to the wall, then they leave it up to the owners of the hardware to litigate for return of their property.
As for third party cookies: I use Ghostery on Firefox and it works pretty well and it's pretty unobtrusive once configured. It's amazing to see how many of these cookies are used and abused. Some sites have literally dozens of them. (./ has two: Google analytics and Addthis). FB and Twitter are major culprits, they have no business tracking me when I'm visiting some other site, I'm not one of their users and I don't give a sh`t about what they do. I support this legislation, we just don't know how much user data these companies are gathering and for what use so it's basically saying that you cannot track people that don't want to be tracked.
What if multiple people share the same computer?
The kids get to see pornography advertisements because you browsed for porn last night. Fun for the whole family!
You may be willing to allow corporations to perform uncontrolled data mining of your online habits but I prefer to have control over that information since the information is open to abuse. There is no legitimate justification for corporations to collect this information other than to use it for their benefit. They are certainly not collecting it to help you as a consumer.
This move won't give you that. In fact it does the exact opposite. Corporations are going to force you to sign an EULA that includes allowing them to track you for EVERYTHING. Think of Google requiring login (no anonymous searches). The first thing you're going to have to do no matter what URL you type in, is log in.
These posts express my own personal views, not those of my employer
Hmmm, bad car analogy. As an owner and driver, I already have control over that. Perhaps it would be more like manufacturers putting a feature or governor in your car that makes it drive past some advertising slowly, without your permission... in which in my case I'd want the EU to regulate, just like I'm happy to see them doing something about abusive companies trying to track me for their benefit rather than mine.
Already exists in Firefox! Accept cookies from sites ... Keep until: I close Firefox
Google requiring log-in = people start using bing (have they renamed it again yet?) / yahoo / altavista.
Really... this is what would happen.
I have seen plenty of people who, when encountering a log-in / register window, just close the web-page and do something else. Come to think of it, all sites requiring log-ins would be a huge boost for productivity.
"Civis Europaeus sum!"
Hahaha, that's pretty funny. Just exactly how many sites do you know that moved behind a registration wall and gained readership?
It doesn't hurt to be nice.
There is no free market in the US. There are lots of regulations and government intervention here, they just happen to be on behalf of corporations rather than individual citizens. One of the reasons you can choose multiple ISPs and we cannot is due to monopoly agreements granted to ISPs in the US. You have more favorable regulation in the EU to be sure, but don't pretend the problems in the US have anything to do with a lack of government involvement...
Well I agree with you that a cookie may not physically harm you; and that they are very useful tools for web site programming.
Yet the primary problem with cookies is the third-party cookies that ad networks place on your computer. So this ad network can track which web sites you visit. This has no use for you as end user; it only serves to give the ad network more information about you. They can see you visit slashdot, they can see you visit certain lolcat related sites, they see you visit amazon, they follow you whenever you hit a web site where their ads (and cookies) are served. And that is the problem they most likely want to tackle as that is where privacy is an issue.
IPv6 will give almost everybody practically static addresses, the ultimate undeletable cookie. So the EU regulation will be futile very soon.
That problem has been solved by RFC 4941, otherwise known as the Privacy Extensions. Most OSes support it, though I believe some don't enable it by default. IIRC the iPhone is one of the devices that doesn't support it, but that should be fixable once IPv6 becomes more widespread.
Ironically, the BBC have a follow-up article, the first paragraph of which reads:
Interesting idea: Different IPv6 address per user account.
Not only is the cookie essential for web programming (session handling), but people trying to track you don't even need a cookie. They have a whole slew of other methods of tracking you, the cookie is only the tip of the iceberg. These companies are sharing information to bolster their own databases. If you go to any site that uses google analytics for instance, any other site running the same or similar tracking software can piece together your entire visit by your IP address alone. And that's before they use even higher tech devices like tracking images that utilize UUIDs in HTML5 canvas, something you'd have to disable javascript on every page to prevent, or use a concatenated string of your IP+browser+OS+CPU to uniquely identify you without a cookie.
Because they aren't doing session handling with the cookies "good enough" is. So what if they catch your whole house, they still got you! There is no way to block the tracking, you're tracked, get used to it. Almost anything you do to prevent the tracking is useless.
And when IPv6 is implemented, forget about anonymity! Classless network. Everyone has their own UUID for an address. Then programmers will stop using cookies for sure!
How about a browser option of 'accept all cookies - but delete them once the session is over'? The tracking companies get their cookies accepted and privacy is maintained. Everyone is happy. Kind of.
Done: Open Firefox > Tools > Start Private Browsing.
This is the "mode" which you seek.
The bullshit legislation won't matter. There are hundreds of hacks to store user state without cookies. All of the data can be stored server side, and if just one identifying piece of information correlates two user profiles (say, usage pattern, or time of day + IP address) then your data is being mined.
Stop private browsing, go to a different website, the ads on that website link the current time of day & my IP address to the profile they built while I was "private browsing".
Now before a troll comes along and says I do not know what I am talking about, I am an American living abroad in the EU, for more than 10 years.
You don't know what you are talking about. You can't reasonably think of the EU as one homogenous unit. The tiny country you're living in sounds pretty good, but remember the EU also includes Italy and Latvia. Things that work for 5.2 million people don't always scale to 60 million or 200 million. Italy is where you can go to jail for a youtube video critical of politicians. Italy where the ties between business and government are so much more imaginably corrupt than happens in America. They don't even try to hide it. Is that the Europe you want?
That's why it annoys me when people say they want a healthcare system like Europe's. Ya right, do you want a healthcare system like Estonia? Do you even know what you are talking about? Please think these things through.
"First they came for the slanderers and I said nothing."
How do you track consent in the first place, without cookies?
A user giving consent (or not) means that you've got to have a unique way of identifying that user. In the stateless HTTP protocol this means that you've got to have some state preserved. You can either do that with very fancy URLs (but then back buttons, bookmarks, browser history and such will not work properly) or with cookies.
Somehow I doubt that. You see, google doesn't really need to use cookies to track you, all they need is an HTTP GET from your browser in order to do some pretty decent tracking based on your browser, OS & IP combination.
Browsers already have the ability to warn per cookies. You can't possibly browse the web like that. Even a once-off per site setup is absurd.
For you. For me, it's a vital functionality, and one of the reasons I don't touch Chrome with a ten foot pole.
Of course, I use once-off, with Cookie Monster to be able to alter the decision later as the built-in UI takes a couple minutes (!) to alter it.
Most third-party bastards get onto my DNS-do-not-resolve list, too. Just blocking their cookie does hardly anything, they can use your IP and headers to get almost as much info. To the contrary, being warned about a new cookie is good since I know there's scum I didn't know of before. And there are not that many trackers around, I haven't added any to my list in two months already.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Nope, most IPv6 implementations do periodically randomise the host part of the address (low 64 bits). They keep the old one around until all existing connections are gone, then switch to using the new one exclusively. Two subsequent HTTP requests from IPv6 hosts may come from different IP addresses without the user doing anything, although they will come from the same subnet (but that subnet can easily have a few thousand people in it if it's a university or corporate campus).
I am TheRaven on Soylent News
IPv6 explicitly requires every network adaptor to support having multiple IP addresses concurrently. You can have one for the system, one for the web server, and one for each user.
I am TheRaven on Soylent News
I think we need a car analogy before we start.
You go to a retail store and park your car outside, and while you are in the store, the retail store goes and places a GPS tracker to the underside of your car. You are unaware of this tracker, and the retail store starts tracking your exact movements. They want to know which competitors you visit, for how long and how frequently, they may also find you go to a gym every day, or figure out where you work. To remove the tracker, you will have to look under your car and remove it.
Would you say that this unknown tracker by a brick and mortar store is acceptable?
The EU want web sites to ask you explicitly before they can track you. A little like the analogy above asking you when you arrive at the store if they can stick the tracker under your car.
Correct. The lower 64 bits change, the upper 64 bits stay constant.
Now ... which of these 2 identifies the client? The changing part, or the non-changing part?
Now I might misunderstand that RFC, but it seems totally useless.
You can only get a different address within the subnet your provider assigns to you, so companies will simply maintain a table of which ISPs use which size of subnet, and ignore the corresponding variable part of the address.
Presto, unique ID per household again
Fabulous. At least I now:
a) know you are wanting to load 12 trackers
b) can decide whether your site is soooo critical to me I'm willing to load them.
The answer to b is "unlikely" - great thing about the web, if you're doing it someone else probably is as well. I'll go there.
EULA /= EXPLICIT CONSENT.
Guess what is required by the directive.
Sigh ... you know so little about what is going on outside of the USA. ...
In the EU you can not waive rights/privileges which you have by law by "signing" an EULA. EULAs in the sense as they exist in the USA do not exist in Europe. It is illegal to put something into an EULA which contradicts the law. Sigh, you can not give up your rights. Not even by clicking on an EULA thing.
It is so simple: EU law > state law > region law >> EULA / contract / agreement etc.
angel'o'sphere
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself.
I'm going to assume you use internet explorer.
1) Tools --> Internet Options --> Privacy
2) Move the slider to "Block all cookies"
3) Click apply. You're done! Cookies can never threaten your freedom again!
And that option has only been there for what....10 years now? I remember learning about that back in 2001 when people were getting all freaked out about cookies, when I was just a teenager with no technical skill. And I know that Firefox and Chrome and Opera and Lynx and Links (having used them on google recently, it asks you for every cookie) and probably the now-dead Netscape all have similar, easily found options for those who actually care.
This law doesn't solve any problem that would not be better solved by people who care setting their options properly. Or if you really have a hardon to legislate, make new updates / installs of browsers require the user to opt in or out of cookies altogether, or make a choice to allow some with consent. Problem solved.
Well, ... or from where does your wisdom come? ;D ... the country of contrasts. The second richest region of the EU is in north Italy. In fact I think it is the third richest in the world, the area in Lombardia and around has the highest per capita income. As a side note, the richest area of the world is San Marino, an enclave state with perhaps only 100,000 inhabitants and likely only a dozen villages ... even smaller than Liechtenstein.
I assume you are either an Estonian living in Italy or an Italian living in Estonia
Anyway, the EU consists of 27 countries. You picked Italy as a very bad example out of those
The is political and cultural in fact a very homogeneous area. At least as homogeneous as you can be if the south west in Portugal is Catholic and speaks a romanian language while the 3 Baltic nations speak their own micro languages and the north is Protestant and speaks mainly indo germanian languages. Anyway, in culture we have much in common. So, Italy
OTOH the south of Italy is by far the poorest region of Europe.
Regarding healthcare, well, I think you took the wrong topic to pick on. Especially the young nations, where you would not believe it, have excellent health care. The Estonian one is outstanding.
Italy has the lowest infant death rate of the world, e.g. A lot of people in Switzerland (which has an excellent health care system) travel for difficult operations to Italy. Because the Italian hospitals are better.
Anyway, just to set some stuff straight.
Best Regards
angel'o'sphere
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.