Sweden May Mandate Opt-in For Cookie Transfer
Vitdom writes "The present government in Sweden has published a proposition regarding 'Better rules for electronic communication.' Amongst other proposed amendments, it suggests that websites must inform the user of the 'purpose' regarding each individual cookie transferred to the user's browser upon connection. Secondly, it is suggested that the user must give his consent before the transfer of the cookie in question. The proposition is to be voted on by the Swedish parliament on 18 May this year. If accepted, the law will be in effect in June."
Yay for another obscure, legalese clause in the Terms and Conditions section of pretty much every web page that pretty much nobody ever reads.
That's good enough for me.
Let's make it harder for websites to use cookies for legitimate purposes such as persistent logins, habituate Swedish computer users to clicking on the "yes, allow" button, and make foreign companies face trial in Swedish courts for using standard web technologies, while doing nothing about advertisers' ability to track users without permission!
From what I understand this proposition only covers tracking cookies, not the use of cookies in general.
I just read the proposal and its purpose, as far as cookies go, is to make spyware illegal to comply with an EU directive. The discussion centers around how to do this without requiring an opt-in for every cookie because cookies are also used to spy on you.
Third party cookies should be illegal but I very much doubt that this proposal wants to go there.
Seriously.
This is of course based on an EU directive. Not sure why Sweden was singled out.
Doesn't make it less stupid, but you know... maybe tone down the hyperbole a bit.
Assuming this is even real, it is absurd.
Cookies are only transferred and saved on the user's computer because the web browser allows them to be. Every web browser I have seen has the ability to both black list and white list cookie requests. In other words, the final decision if cookies are saved on the user's computer is determined by the browser, not the web site.
Next there are issues with its implementations. Let's assume the user rejects you sending a cookie. How do you know on the next page they rejected cookies? You can't, because cookies are used to carry this type of data from one page to another. Meaning that if a site wishes to use cookies for whatever reason, and you reject it, that it will have to prompt you each and every page you go to, with no way of determining if you have rejected cookies in the past.
Cookie management is not a job for websites, but web browsers... And I am sure some web browser already has an addon that prompts about every cookie.
Not sure how enforceable or practical it would be. Considering how central cookies are to today's web usage, I think it would be simply annoying to have to confirm each and every cookie before you get it. I like the way Cookie Monster for Firefox does it myself. Although, if the Swedish government wants to pay someone to write plugins/extensions for all the other browsers that work the same way, I'd be smiling.
How is a website supposed to remember whether a visitor opted out of cookies?
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
How does this compare to an option in my browser that says "confirm by popup every cookie requested"?
Mandating that websites continue to function properly when the browser refuses to register cookies would at least be slightly smarter.
Consent is implied by each individual user's web browser. Cookie Censorship need not apply, we already have the tools to manage our own cookie states (visitor discretion is not just advised, it's mandatory).
Much like the way no one can force you to visit their website, websites can not force your browser to accept a cookie -- And, last time I checked both IE & Firefox by default alerted me that a website was requesting to set a cookie, and the default action was to "[x] remember my decision" -- I opted to not have to answer yes each time, and instead opted to set my cookies to be cleared on each exit...
I am in no way prevented from disallowing all cookies... I remember writing web login systems before cookies were widespread -- URL MUNGING -- UHG! Hell, we even used the HTTP-REFERER (sic) header to transfer logins across domains (it contains your last visited URL -- the one before the current page request).
While I do like to know what the little opaque tokens are being used for, there is no reason to mandate their purposes be posted somewhere. Cookies are DESIGNED to track some user specific state information. Cookies track users. End Of Discussion. We know what they are for! Guess what else tracks users? Their IP ADDRESS; This, combined with URL munging == cookies. Netscape just wanted a formalized and more flexible way to do things...
I can imagine requiring a user to click yet another security dialog each time I add a bit of info or change the way a cookie operates -- To get around this one or both of the following WILL occur:
1. URL Munging, CSS style color hacks, and other tricks (like decoding a cached .PNG with client side JS) will be used instead of cookies for more user state preservation purposes.
2. The users will be given a "[x] Remember my decision" option, and we're right back to where we are now!
Ignorant fools -- When will we mandate that you must pass a technology test before voting for or against said technology related laws? EG: Score a 100% on the "Web Cookie" tech test, and you're fully qualified to vote -- score a 25% and your vote would be worth 25% of a vote since you don't know shit about what you're voting for or against....
Until then we'll keep having people who don't know shit pass ignorant laws based on "feelings" instead of "facts".
Always get your information straight from the horse's mouth. The IDG article is pretty clear for people that know the context and understand Swedish, but seems to totally confuse less informed Slashdot readers and the really bad Slashdot summary makes the confusion even worse.
The proposal is based on an EU directive. Countries that are part of EU must implement all EU directives, or leave EU. Sweden doesn't have much choice in the matter. (Many other country parliaments implement undesired EU directives the same way as the Devil reads the Bible, Swedes would never do that, that would be dishonest and something a Swede would rather die than do (Swedes are often called the Japanese of Europe, because of cultural similarities), but that is another story.)
The EU directive in question (sorry about the PDF):
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF
The Swedish proposal (Google Translate mangles the translation into meaning something entirely different, so I don't give you a Google Translate link, hope you can read Swedish):
http://www.riksdagen.se/webbnav/index.aspx?nid=37&dok_id=GY03115
Next comes the meme:
Hmmmm ....
A few minutes ago I was wondering if it would be possible to chop a file into lots of tiny snippets and distribute them across millions of PCs as browser cookies ... ? I think it would be a great way to make the web rethink the cookie policy.
Here in the Netherlands we have the same kind of law, but after protests from the technical crowd it appears that simply enabling cookies in your browser is a valid opt-in for placing cookies. Nothing to worry about, the law is just finally adapted to what already happens technologically...
Is it just the traditional HTTP cookie? HTML-5 will let all kinds of data be stored on clients and then you can use one of the techniques behind Evercookie!
I've read the bill and it seems possible that the consent can be given by setting the browser to allow cookies. So this will do nothing. Do not track headers is much better!
I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain to them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.
And if you say no you won't get a cookie remembering that you've said no, so on the next page you get a pop-up asking if you want the cookie, right up until people give up and just accept the cookie.
-=This sig has nothing to do with my comment. Move along now=-
But cookies in general do track users. This is by far the most common use these days. Even when they are used to carry preferences it is often implemented with a tracking cookie that can then map user-id to preferences server-side.
Hmm... I've heard both Brits and Dutch complaining that they implement all the directives but everyone else ignores them. So apparently at least three states implement all the directives and everyone else (including the other two states that implement them), refuse to implement directives.
Logical? Hardly... but neither is any other myth about the Union.
Of course, directives should be implemented! The main problem now is the lack of reporting of Union centric news, it would be good if normal newspapers would have a couple of pages of Union centric news since the general population is unlikely to read the EU Observer or similar publication.
"Civis Europaeus sum!"
This EU directive must be implemented by May 25th but Sweden is a bit late to the party - it was covered by the UK government a few weeks ago:
http://techlogon.com/2011/04/17/new-european-website-law-is-a-gift-to-america/
Although the UK Government are committed to it they have said "We do not expect to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies". When a government advises its citizens that a law can be broken with impunity, it is a very bad law...
... especially on mobile phones...
Here's a little exercise. Go into your browser config and turn this feature on, and see how long you can tolerate using the web.
I imagine you won't last long.
AFAIU "tracking cookie" means a cookie set from a third-party site in order to track you across several sites. The cookies Slashdot uses to keep track of you when logged in are not tracking cookies, because they are only set or read if you are going to Slashdot (at least I hope so). The cookies advertisers set are tracking cookies, because you get them and send them back whenever you go to a page where the advertiser advertises. You can get a cookie at Slashdot, and send it back when visiting the New York Times, or vice versa.
A simple (but not completely accurate) rule of thumb is: If the cookie comes from a server other than that found in the URL of the site and contains identifying information, then it's a tracking cookie.
The Tao of math: The numbers you can count are not the real numbers.
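The rule of thumb from the comment above, written out as an added example that is not part of the original thread: a cookie counts as a tracking cookie when the response that set it comes from a different site than the page being visited and its value looks like an identifier. The observations are constructed, and comparing the last two host labels is an assumption standing in for a Public Suffix List lookup.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations:
# (page visited, URL of the response that set the cookie, cookie name, value)
OBSERVATIONS = [
    ("https://slashdot.example/story", "https://slashdot.example/story",
     "session", "9f3a7c1e5b2d4a86c0e1"),
    ("https://slashdot.example/story", "https://ads.tracker.example/pixel.gif",
     "uid", "a8f1c93e7b2d4056e1f9"),
    ("https://news.example/front", "https://ads.tracker.example/pixel.gif",
     "uid", "a8f1c93e7b2d4056e1f9"),
    ("https://news.example/front", "https://cdn.fonts.example/f.css",
     "theme", "dark"),
]

def site(url):
    # Assumption: the last two host labels approximate the registrable
    # domain; real code should consult the Public Suffix List.
    host = urlsplit(url).hostname.lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def looks_like_identifier(value):
    # Heuristic: a long, varied token rather than a short preference value.
    return len(value) >= 16 and len(set(value)) >= 8

def classify(observations):
    seen_on = defaultdict(set)  # (setter site, name, value) -> visited sites
    rows = []
    for page_url, setter_url, name, value in observations:
        page_site, setter_site = site(page_url), site(setter_url)
        third_party = page_site != setter_site
        if third_party:
            seen_on[(setter_site, name, value)].add(page_site)
        rows.append({
            "page": page_site, "setter": setter_site, "name": name,
            "third_party": third_party,
            "tracking": third_party and looks_like_identifier(value),
        })
    # The same third-party value observed on more than one visited site is
    # the cross-site case the comment describes.
    cross_site = {key[0]: sorted(sites)
                  for key, sites in seen_on.items() if len(sites) > 1}
    return rows, cross_site

if __name__ == "__main__":
    rows, cross_site = classify(OBSERVATIONS)
    for row in rows:
        print(row)
    print("seen across sites:", cross_site)
```

The first-party session cookie is an identifier too, but it is not flagged, because it is only set and read on the site being visited.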
Well, probably it would be a single sentence "this site needs cookies to work properly [link: site's cookie policy]. enable cookies for this site? [Yes] [No]"
Of course the cookie policy page should be readable without cookies enabled.
The Tao of math: The numbers you can count are not the real numbers.
What about local storage? http://en.wikipedia.org/wiki/Web_Storage
It is not about declining the cookie. There are many other ways to do that. It is about sites explaining what they use the cookies for. So if the site is using doubleclick, it will need to explain that some cookie is used to offer specialized advertisement, while another might be used for color preferences.
That way people are informed at what goes on.
Don't fight for your country, if your country does not fight for you.
The problem is that most people don't know that they can disable cookies, let alone selectively. Furthermore, they don't understand what it's all about, and since it's a complicated technical topic (if you disagree you need to meet some users) they probably cannot be made to understand. The only thing they know is "if I disable cookies some websites don't work". That they could allow these specific cookies wouldn't occur to them, and neither that they could delete them later. And even if the browser asked what cookies to allow (which it generally won't because most browsers just accept all of them out of the box, as discussed before) the user would see a list of meaningless codes - and just accept them all, for ever.
This law is meant to address this. When you cross a bridge, you don't have to be a bridge engineer and figure out yourself if the bridge is safe - you know there are laws and standards in place so you, a layman, can cross any bridge without having to do a safety inspection on each one. Similarly, when you use the internet, you shouldn't have to be a computer engineer to figure out what gets stored on your computer and why - you should be able to trust that there are laws in place protecting you from abuse.
Now, perhaps this could have been more elegantly handled in the browser (just demand meaningful cookie names and remove the option to allow all cookies) - but thanks to technical people like you and me, who decided to a) include this option and b) to default it to on, this war is lost. It is, given Swedish law, nigh impossible to mandate how a browser should function in this regard, and any law to that effect won't affect the existing installed user base. Furthermore, it might very well be politically impossible to force things upon users for their own protection. In all other walks of life the burden and possible penalties are put on the miscreants, so such a law would be very hard to explain to citizens. So the law just forces service providers to do what they should have done anyway: inform the user what they store.
What if browsers had an option to prompt the user for each cookie received, and what if the web standards allowed for a "purpose" field when setting a cookie?
Warning: The Surgeon General Has Determined that Sigs are Dangerous to Your Health
I use nginx and drupal in the USA.
my nginx has it turned off cause I didn't add the module ngx_http_userid_module.
drupal does use a PHPSESSION cookie though.
In an effort to be nice to Sweden (where my favorite death metal music comes from) and to help fellow nginx+drupalers in Sweden
I am wondering...
What exactly do I say to satisfy Sweden's new law?
I am thinking right now it would be, this site uses cookies, I think because of drupal, but I don't really know the fuck why. It certainly isn't for profit, or tracking, or fucking with you, as you can see my site has no products, or advertisements. If you don't like that, then get on down the road bitch.
What language do I say it in? Is English okay?
Where do I say it? I don't want java, javascript, and extra flash or an ugly link on my artistic website
Is there a standard location like robots.txt where a website can put this shizzle without fucking up the operation of teh websites?
Please don't mark this down into troll-ville. I am being serious.
http://en.wikipedia.org/wiki/Schwedentrunk
~1630 wants its "Swedish Drink" back.
Domestic spying is now "Benign Information Gathering"
Unless there's a 'leak', you will never, ever know what is being gleaned from your computer.
For justice, we must go to Don Corleone
Ah - good, then I don't need to mess with the cookie handling of Drupal.
For what it's worth - then that's a good thing since I hate all those cookies that are on my computer for "tradedoubler" and stuff like that - I don't get any doubled trade for that. Cookies are meant to be eaten, not had.
I'm just waiting for opt-in law for telemarketers and other kind of junk too.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Actually it is about that, according to the proposed law simply explaining that the cookie is necessary isn't enough, you have to give the user an option to decline the cookie (which as far as I know can be a link off the site), or the site has to be configured so that cookies are turned off by default and the user can set preferences to allow them.
Also this can not be fixed by adding it to the EULA since the typical Eula is not considered binding according to Swedish law unless it's a multistep process (there has to be at least 3 steps for an online agreement to be considered valid) and then the hosting part is fully responsible for the text in the EULA meaning that if a clause is found to be against the law or otherwise unenforceable the signing party can petition the court to annul the EULA in its entirety.
And even then the agreement is only valid for the single user who accepted the agreement, any other person using that computer has not signed the agreement and is therefore not bound by the agreement.
This of course only affects sites that are hosted in Sweden, or is using the .se TLD or belong to a company or person that resides in Sweden or does business in Sweden
So, how will they store the fact that the user denied opt-in for a cookie if they can't store it in a cookie? localStorage?
I am not devoid of humor.