Sweden May Mandate Opt-in For Cookie Transfer
Vitdom writes "The present government in Sweden has published a proposition regarding 'Better rules for electronic communication.' Amongst other proposed amendments, it suggests that websites must inform the user of the 'purpose' regarding each individual cookie transferred to the user's browser upon connection. Secondly, it is suggested that the user must give his consent before the transfer of the cookie in question. The proposition is to be voted on by the Swedish parliament on 18 May this year. If accepted, the law will be in effect in June."
Yay for another obscure, legalese clause in the Terms and Conditions section of pretty much every web page that pretty much nobody ever reads.
That's good enough for me.
A nice pop-up when you visit almost any Swedish website explaining the cookie is necessary to remember your preferences from page to page and asking you if you want to proceed.
Let's make it harder for websites to use cookies for legitimate purposes such as persistent logins, habituate Swedish computer users to clicking on the "yes, allow" button, and make foreign companies face trial in Swedish courts for using standard web technologies, while doing nothing about advertisers' ability to track users without permission!
You all suck goatse asshole, just don't admit that.
Man, Break Fest 2011 is gonna be a total bummer.
Eric Raymond is way ahead of you.
Do you even lift?
These aren't the 'roids you're looking for.
I just read the proposal and its purpose, as far as cookies go, is to make spyware illegal to comply with an EU directive. The discussion centers around how to do this without requiring an opt-in for every cookie because cookies are also used to spy on you.
Third party cookies should be illegal but I very much doubt that this proposal wants to go there.
Seriously.
This is of course based on an EU directive. Not sure why Sweden was singled out.
Doesn't make it less stupid, but you know... maybe tone down the hyperbole a bit.
Assuming this is even real, it is absurd.
Cookies are only transferred and saved on the user's computer because the web browser allows them to be. Every web browser I have seen has the ability to both black list and white list cookie requests. In other words, the final decision if cookies are saved on the user's computer is determined by the browser, not the web site.
Next there are issues with its implementations. Let's assume the user rejects you sending a cookie. How do you know on the next page they rejected cookies? You can't, because cookies are used to carry this type of data from one page to another. Meaning that if a site wishes to use cookies for whatever reason, and you reject it, it will have to prompt you each and every page you go to, with no way of determining if you have rejected cookies in the past.
Cookie management is not a job for websites, but web browsers... And I am sure some web browser already has an add-on that prompts about every cookie.
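The problem raised in the comment above, as an added example that is not part of the original thread: a stateless server cannot tell a first visit from an earlier refusal unless the decision travels some other way, such as the URL munging mentioned later in the discussion. The `server` handler, the `Browser` model, the `consent` cookie and query parameter, and the sample paths are all constructed for illustration, and the visiting loop stands in for a site rewriting its own links.

```python
from urllib.parse import urlparse, parse_qs

def server(url, headers):
    """Hypothetical stateless handler: it sees only the URL and the request headers."""
    pairs = (p.split("=", 1) for p in headers.get("Cookie", "").split("; ") if "=" in p)
    cookies = dict(pairs)
    declined_in_url = parse_qs(urlparse(url).query).get("consent") == ["no"]
    if cookies.get("consent") == "yes" or declined_in_url:
        return {"prompt": False, "set_cookie": {}}
    # No cookie, no URL marker: a first visit and an earlier refusal look the same,
    # so the only option is to ask again and offer the cookie again.
    return {"prompt": True, "set_cookie": {"consent": "yes"}}

class Browser:
    """Constructed model of a browser; its cookie policy has the final say."""
    def __init__(self, accepts_cookies):
        self.accepts_cookies = accepts_cookies
        self.jar = {}

    def get(self, url):
        headers = {}
        if self.jar:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.jar.items())
        response = server(url, headers)
        if self.accepts_cookies:
            self.jar.update(response["set_cookie"])
        return response

def count_prompts(browser, paths, munge_urls=False):
    """Visit paths in order; return how many responses carried the consent prompt."""
    prompts, declined = 0, False
    for path in paths:
        url = path + ("?consent=no" if munge_urls and declined else "")
        response = browser.get(url)
        if response["prompt"]:
            prompts += 1
            declined = not browser.accepts_cookies  # the user said no on this page
    return prompts

PAGES = ["/", "/news", "/about"]  # constructed sample paths

if __name__ == "__main__":
    print(count_prompts(Browser(True), PAGES))                    # cookie remembers "yes"
    print(count_prompts(Browser(False), PAGES))                   # asked on every page
    print(count_prompts(Browser(False), PAGES, munge_urls=True))  # decision rides in the URL
```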
Not sure how enforceable or practical it would be. Considering how central cookies are to today's web usage, I think it would be simply annoying to have to confirm each and every cookie before you get it. I like the way Cookie Monster for Firefox does it myself. Although, if the Swedish government wants to pay someone to write plugins/extensions for all the other browsers that work the same way, I'd be smiling.
How is a website supposed to remember whether a visitor opted out of cookies?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
How does this compare to an option in my browser that says "confirm by popup every cookie requested"?
Mandating that websites continue to function properly when the browser refuses to register cookies would at least be slightly smarter.
Consent is implied by each individual user's web browser. Cookie Censorship need not apply, we already have the tools to manage our own cookie states (visitor discretion is not just advised, it's mandatory).
Much like the way no one can force you to visit their website, websites can not force your browser to accept a cookie -- And, last time I checked both IE & Firefox by default alerted me that a website was requesting to set a cookie, and the default action was to "[x] remember my decision" -- I opted to not have to answer yes each time, and instead opted to set my cookies to be cleared on each exit...
I am in no way prevented from disallowing all cookies... I remember writing web login systems before cookies were widespread -- URL MUNGING -- UHG! Hell, we even used the HTTP-REFERER (sic) header to transfer logins across domains (it contains your last visited URL -- the one before the current page request).
While I do like to know what the little opaque tokens are being used for, there is no reason to mandate their purposes be posted somewhere. Cookies are DESIGNED to track some user specific state information. Cookies track users. End Of Discussion. We know what they are for! Guess what else tracks users? Their IP ADDRESS; This, combined with URL munging == cookies. Netscape just wanted a formalized and more flexible way to do things...
I can imagine requiring a user to click yet another security dialog each time I add a bit of info or change the way a cookie operates -- To get around this one or both of the following WILL occur:
1. URL Munging, CSS style color hacks, and other tricks (like decoding a cached .PNG with client side JS) will be used instead of cookies for more user state preservation purposes.
2. The users will be given a "[x] Remember my decision" option, and we're right back to where we are now!
Ignorant fools -- When will we mandate that you must pass a technology test before voting for or against said technology related laws? EG: Score a 100% on the "Web Cookie" tech test, and you're fully qualified to vote -- score a 25% and your vote would be worth 25% of a vote since you don't know shit about what you're voting for or against....
Until then we'll keep having people who don't know shit pass ignorant laws based on "feelings" instead of "facts".
Always get your information straight from the horse's mouth. The IDG article is pretty clear for people that know the context and understand Swedish, but seems to totally confuse less informed Slashdot readers, and the really bad Slashdot summary makes the confusion even worse.
The proposal is based on an EU directive. Countries that are part of EU must implement all EU directives, or leave EU. Sweden doesn't have much choice in the matter. (Many other country parliaments implement undesired EU directives the same way as the Devil reads the Bible, Swedes would never do that, that would be dishonest and something a Swede would rather die than do (Swedes are often called the Japanese of Europe, because of cultural similarities), but that is another story.)
The EU directive in question (sorry about the PDF):
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF
The Swedish proposal (Google Translate mangles the translation into meaning something entirely different, so I don't give you a Google Translate link, hope you can read Swedish):
http://www.riksdagen.se/webbnav/index.aspx?nid=37&dok_id=GY03115
Next comes the meme:
Hmmmm ....
A few minutes ago I was wondering if it would be possible to chop a file into lots of tiny snippets and distribute them across millions of PCs as browser cookies ... ? I think it would be a great way to make the web rethink the cookie policy.
Here in the Netherlands we have the same kind of law, but after protests from the technical crowd it appears that simply enabling cookies in your browser is a valid opt-in for placing cookies. Nothing to worry about, the law is just finally adapted to what already happens technologically...
Is it just the traditional HTTP cookie? HTML-5 will let all kinds of data be stored on clients and then you can use one of the techniques behind Evercookie!
I've read the bill and it seems possible that the consent can be given by setting the browser to allow cookies. So this will do nothing. Do Not Track headers are much better!
I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain to them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.
I suggest that the user must inform me of the purpose regarding every http header field posted to my server.
So as a user, am I going to have to click a whole bunch of dialogs every time I want to log in to a website, just to say that I give them permission to give me a cookie which allows me to log in to the website?
Ugh - another misguided internet law.
Hmm... I've heard both Brits and Dutch complaining that they implement all the directives but everyone else ignores them. So apparently at least three states implement all the directives and everyone else (including the other two states that implement them), refuse to implement directives.
Logical? Hardly... but neither is any other myth about the Union.
Of course, directives should be implemented! The main problem now is the lack of reporting of Union centric news, it would be good if normal newspapers would have a couple of pages of Union centric news since the general population is unlikely to read the EU Observer or similar publication.
"Civis Europaeus sum!"
This EU directive must be implemented by May 25th but Sweden is a bit late to the party - it was covered by the UK government a few weeks ago:
http://techlogon.com/2011/04/17/new-european-website-law-is-a-gift-to-america/
Although the UK Government are committed to it they have said "We do not expect to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies". When a government advises its citizens that a law can be broken with impunity, it is a very bad law...
... especially on mobile phones...
Here's a little exercise. Go into your browser config and turn this feature on, and see how long you can tolerate using the web.
I imagine you won't last long.
I will have to click and approve every damn cookie on websites
approve cookie number 372 ?
yes no
I think they've lost the plot, it reads as if they've become paranoid obsessive! :0)
The purpose of existence is to make money.
more like accomplices. sneaking looks out the windows? while off topic stand-up usually suffices, it looks like presenting images of water to extremely dehydrated folks, nowadays. stand-up like bush did? oprah? all that constant applause? same guys? free lunchers. sheesh.
the 'press' needs a good real replacement corps, as they now behave as the scriptdead free press corpse.
no one's fault? our own worst enemies? mother nature is not fooled/amused at all, but we are?
disarm. thanks again.
What about local storage? http://en.wikipedia.org/wiki/Web_Storage
Will they forbid the interpretation of TCP sequence numbers without explicit user permission too?
The problem is that most people don't know that they can disable cookies, let alone selectively. Furthermore, they don't understand what it's all about, and since it's a complicated technical topic (if you disagree you need to meet some users) they probably cannot be made to understand. The only thing they know is "if I disable cookies some websites don't work". That they could allow these specific cookies wouldn't occur to them, and neither that they could delete them later. And even if the browser asked what cookies to allow (which it generally won't because most browsers just accept all of them out of the box, as discussed before) the user would see a list of meaningless codes - and just accept them all, for ever.
This law is meant to address this. When you cross a bridge, you don't have to be a bridge engineer and figure out yourself if the bridge is safe - you know there are laws and standards in place so you, a layman, can cross any bridge without having to do a safety inspection on each one. Similarly, when you use the internet, you shouldn't have to be a computer engineer to figure out what gets stored on your computer and why - you should be able to trust that there are laws in place protecting you from abuse.
Now, perhaps this could have been more elegantly handled in the browser (just demand meaningful cookie names and remove the option to allow all cookies) - but thanks to technical people like you and me, who decided to a) include this option and b) to default it to on, this war is lost. It is, given Swedish law, nigh impossible to mandate how a browser should function in this regard, and any law to that effect won't affect the existing installed user base. Furthermore, it might very well be politically impossible to force things upon users for their own protection. In all other walks of life the burden and possible penalties are put on the miscreants, so such a law would be very hard to explain to citizens. So the law just forces service providers to do what they should have done anyway: inform the user what they store.
What if browsers had an option to prompt the user for each cookie received, and what if the web standards allowed for a "purpose" field when setting a cookie?
Warning: The Surgeon General Has Determined that Sigs are Dangerous to Your Health
The proposal is based on an EU directive. Countries that are part of EU must implement all EU directives, or leave EU.
This is AFAIK not true. Failing to implement directives will get a country fined (or threatened to be fined, or nothing may happen, depending on whether anybody cares). Any country can choose to ignore these threats and fines, at which point there may be sanctions and other repercussions. But at no point will a country be required to leave the EU - again AFAIK, there's no formal way of leaving the EU.
How about they just uncheck 'accept cookies' if they don't want them?
http://en.wikipedia.org/wiki/Schwedentrunk
~1630 wants its "Swedish Drink" back.
Domestic spying is now "Benign Information Gathering"
Unless there's a 'leak', you will never, ever know what is being gleaned from your computer.
For justice, we must go to Don Corleone
So, how will they store the fact that the user denied opt-in for a cookie if they can't store it in a cookie? localStorage?
I am not devoid of humor.