Slashdot Mirror


Confusion Surrounds UK Cookie Guidelines

pbahra writes "The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — its current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."

143 comments

  1. There should be... by myurr · · Score: 5, Insightful

    ...a law stopping people from making laws about things they simply do not understand.

    1. Re:There should be... by Nursie · · Score: 2

      What makes you think they don't understand?

      It's probably true, but in this case I don't think they're necessarily wrong.

      Cookies are horrifically overused, and outside of ~20 sites that both need them to function properly and I care about functioning properly, I've been getting on fine without them for months now.

      This tells me that an awful lot of them, especially third party cookies (of which I allow none) are totally unnecessary even without privacy concerns. Having users participate in their own tracking this way, without permission, does seem wrong to me, and I applaud the effort to do something about it.

      If the laws are not clear then unfortunately that is par for the course these days. Hopefully that can be fixed.

    2. Re:There should be... by myurr · · Score: 2

      Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used. How else would slashdot know you were logged in, for example.

      This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this.

    3. Re:There should be... by Nursie · · Score: 3, Interesting

      "Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used."

      Not when you're using the Cookie Monster Firefox plugin set up the way I have it set up, no. You can enable session cookies or all cookies on a per-site basis.

      Slashdot is one of the few sites that I do care about having working though, so I allow them to set what they like.

      "This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this."

      Sure, and that's a valid use (IMHO). It could easily work this way though -
      User goes to front page
      Check for cookie
      If no cookie allow user to browse site
      When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

      If the cookie's there from the beginning then do the usual auto-login stuff.

      A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

      I realise all this makes things more complicated for end users as well, which is less than ideal.
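Added example (not part of the thread or of any commenter's post): a server-side sketch of the opt-in flow described in the comment above, where no cookie is issued until the visitor agrees at the point an action needs one. The cookie name `sid`, the paths and the function names are hypothetical.

```javascript
// Added example: opt-in cookie handling, decided per request on the server.
// All names here (sid, /basket/add, /login, decideResponse) are hypothetical.
const { randomBytes } = require('node:crypto');

const SESSION_COOKIE = 'sid';
// Actions that cannot work without stored state; everything else is browsable.
const NEEDS_COOKIE = new Set(['/basket/add', '/login']);

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// req: { path, cookieHeader, form } -> { view, session, setCookie }
function decideResponse(req, newId = () => randomBytes(16).toString('hex')) {
  const form = req.form || {};
  const sid = parseCookies(req.cookieHeader)[SESSION_COOKIE];

  // Cookie already present: agreement was given on an earlier visit.
  if (sid) return { view: 'page', session: sid, setCookie: null };

  // No cookie and nothing that needs one: serve the page, store nothing.
  if (!NEEDS_COOKIE.has(req.path)) {
    return { view: 'page', session: null, setCookie: null };
  }

  // The action needs a cookie but the visitor has not agreed yet: show the
  // notice (and login box). A refusal is not recorded anywhere.
  if (form.consent !== 'yes') {
    return { view: 'cookie-notice', session: null, setCookie: null };
  }

  // Explicit agreement: only now is a cookie issued.
  const id = newId();
  const attrs = [`${SESSION_COOKIE}=${id}`, 'Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax'];
  if (form.remember === 'yes') attrs.push('Max-Age=2592000'); // 30 days; otherwise a session cookie
  return { view: 'page', session: id, setCookie: attrs.join('; ') };
}

// Constructed walk-through of one first-time visitor.
function demo() {
  const steps = [
    { path: '/' },                                      // browse: nothing stored
    { path: '/basket/add' },                            // needs state: notice shown
    { path: '/basket/add', form: { consent: 'yes' } },  // agreed: cookie set
  ];
  return steps.map((step) => decideResponse(step, () => 'constructed-id'));
}

console.log(demo());
```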

    4. Re:There should be... by Idimmu Xul · · Score: 1

      > A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

      That is not an answer to that technical problem.

      The only answer I can think of right now to track that someone has opted out of cookies is to append something to the URL &optout=1 style, which in itself is a form of tracking and can be extended to pass tracking information to 3rd party sites anyway.

      --
      The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
    5. Re:There should be... by Nursie · · Score: 4, Interesting

      What's not an answer to the technical problem?

      Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

      I don't get why there's more of a problem than this.

      Maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

    6. Re:There should be... by Jaruzel · · Score: 1

      > When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

      Way to go - that's a brilliant way to scare off potential customers...

      Most web users don't even know what a cookie is. All they care about is that the site they are shopping on remembers who they are, and makes adding things to their baskets and checking out as simple and easy as possible. No matter HOW you word the opt-in dialog, people will still get confused and click back to Google to find a less scary site.

      The anti-virus people have done such a good job (sarcasm btw) telling people not to trust any non requested popups, that many will just assume it's a dangerous website trying to eat their computer.

      I see this new cookie law having a direct impact on little independent web shops. :(

      -Jar

      --
      Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
    7. Re:There should be... by WaffleMonster · · Score: 1

      > What makes you think they don't understand?

      > It's probably true, but in this case I don't think they're necessarily wrong.

      Legislating that which is easily solved with technology is a dead giveaway.

      There is no reason your browser can't be configured to ASK you first before storing cookies if you care so much.

      The technical solution works globally on all systems throughout the world.

      The legislative solution is limited to the handful of sites in the UK that comply.

    8. Re:There should be... by Nursie · · Score: 1

      "Way to go - that's a brilliant way to scare off potential customers..."

      Eh, sorry, in my worldview privacy comes before commercial concerns.

      On the rest - why does it have to be a popup? Popups are evil anyway, in pretty much any situation I can think of. Just take them to a page saying - "As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

      I mean, it's not like people actually purchase anything through any internet shop without agreeing to a huge set of terms and conditions anyway, even if they don't read them.

      If you need a basket type session before this point then can you not use session id's in the url?
      This may be like a hack to work around the absence of session cookies, but session cookies are kept for the lifetime of the browser session (not the tab, not when you leave a page) so can still allow cross-site tracking, if they are third-party.

    9. Re:There should be... by Nursie · · Score: 1

      Most people don't know they exist.
      99% of them are worthless.
      Tracking people without permission falls into the arena of the legal.

      There are good technological solutions to stopping people hacking into your systems too, doesn't stop us making it a crime.

      BTW, it's an EU directive, not UK only.

    10. Re:There should be... by Arlet · · Score: 1

      "As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

      What about 3rd party cookies attached to ads ? There may be several different ones on a single page.

    11. Re:There should be... by Nursie · · Score: 2

      As far as I'm concerned they're a non issue - i.e. they ought to be scrapped, effective immediately.

      I can't find it in me to even start to care about a solution for these poor, poor advertisers that will allow them to keep tracking people.

    12. Re:There should be... by Anonymous Coward · · Score: 0

      And voting on things they don't understand.

    13. Re:There should be... by Arlet · · Score: 1

      If they can't have the cookies, the advertisers will just track you based on browser headers and/or IP address.

    14. Re:There should be... by lxs · · Score: 1, Funny

      And as per usual, only in the UK they find it "confusing."

    15. Re:There should be... by Nursie · · Score: 1

      Which is their prerogative, recording what happens at their end.

      Personally I see a line between people unwittingly participating in feeding their information to advertisers and server-admins recording who accesses what to analyse later.

    16. Re:There should be... by Arlet · · Score: 1

      There's little difference in providing browser headers/IP, and providing a cookie, when you visit a web site. With the right tools, they can be used in exactly the same way.

      The only difference is that I can delete a cookie, but I have no influence over what the server does with my browser headers, or IP address.

    17. Re:There should be... by Nursie · · Score: 1

      An IP address is a fundamental part of the communication going on. Browser headers not so much. I have mixed feelings about browser headers anyway, especially given how often they are abused for "this site is only compatible with" reasons.

      Yeah, don't know. It's less in the way of actively participating in your own tracking without your knowledge. And both browser versions and IP addresses change from time to time. Perhaps the "Do Not Track" legislation proposed in California is a better option.

    18. Re:There should be... by icebraining · · Score: 1

      Those ad networks simply can't set them.

    19. Re:There should be... by AmiMoJo · · Score: 1

      > User goes to front page
      > Check for cookie
      > If no cookie allow user to browse site

      If only... I have Firefox clear most cookies between sessions, and it is surprising how many sites jump on you the moment you visit with a survey about your visit or a content-covering advert. All this will do is add "we need to set cookies, click YES to continue" messages to every site.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    20. Re:There should be... by VortexCortex · · Score: 1

      > What's not an answer to the technical problem?

      > Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

      > I don't get why there's more of a problem than this.

      > Maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

      It's easier than that... Use No-Script or the current version of Firefox4 (or a future version of IE9), and enable the "DNT: 1" (Do Not Track: [enabled] ) HTTP Header. This header will be sent with every HTTP request informing the websites that you have pre-opted out, you do not wish to be tracked.

      Obviously if you need to log-in you must agree to let them store some data about you (your login credentials & profile). The information they collect should be clearly stated on their privacy policy, and since most such TOS agreements state that they can change the policy at will, they should update the policy with the list of the companies that they are sharing your privacy data with... (Derp, It arn't that hard -- Spaghetti Monster forbid they should use their open ended license terms to help support transparency of their privacy policy)

      Indeed, the technical problem has already been solved, and is being adopted by major browser distributors... Except Google (Chrome does not support DNT: 1 -- I hacked together a patch for Chromium...)

    21. Re:There should be... by Anonymous Coward · · Score: 0

      > Eh, sorry, in my worldview privacy comes before commercial concerns.

      Well good for you. Now will you please bugger off. Some of us are trying to earn a living, not infringing anyone's privacy, and have better things to do than comply with stupid laws designed by cretins.

      If you really really care about the issue, make laws for the browser manufacturers, rather than every fucking website operator in Europe.

    22. Re:There should be... by Co0Ps · · Score: 1

      Absolutely agree. The biggest mistake made in the HTTP standard was calling cookies "cookies". The familiar name invites politicians to mistakenly think that they know what their function and purpose is. They should have called it "state exchange identifier" instead and we wouldn't have none of this crap.

    23. Re:There should be... by vegiVamp · · Score: 1

      Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing. That removes the entire issue of keeping track of who opted out - you simply assume everyone who doesn't already have a cookie doesn't want one until they ask for it.

      --
      What a depressingly stupid machine.
    24. Re:There should be... by Anonymous Coward · · Score: 0

      > technical problem

      This is not a technical problem. This is a social problem. Having to ask someone not to do something to you should not be the norm.

    25. Re:There should be... by vegiVamp · · Score: 1

      You're free to spoof your agent string or connect through a proxy.

      --
      What a depressingly stupid machine.
    26. Re:There should be... by Nursie · · Score: 1

      Can you tell me - does anyone in the advertising business care about DNT headers? They'd be pretty damn easy to ignore if there's no legislative backing.

      Hell I can stick "yes I'd like fries with that" in a header, but I don't expect anyone will pay any attention.

    27. Re:There should be... by Nursie · · Score: 1

      "Well good for you. Now will you please bugger off. Some of us are trying to earn a living, not infringing anyone's privacy, and have better things to do than comply with stupid laws designed by cretins."

      If you're not infringing on anyone's privacy then you have nothing to worry about. There are exceptions for cookies essential to the service (session cookies for baskets etc), but not for those that are cosmetic (site look and feel, autologin) or advertising related.

      If you don't fit within that then, like other forms of targeted advertising and behaviour tracking, you need to get permission. In many ways this just brings the electronic realm in line with the physical world in some ways.

      "If you really really care about the issue, make laws for the browser manufacturers, rather than every fucking website operator in Europe."

      Spoken like a true marketing man, it's the user's responsibility to make sure you're not tracking them and to stop you doing it eh? Otherwise they must want it?

      Bah, no sympathy for you here.

    28. Re:There should be... by Pieroxy · · Score: 1

      > Except Google (Chrome does not support DNT: 1 -- I hacked together a patch for Chromium...)

      Google has a built-in setting "Ignore exceptions and block third-party cookies from being set". This is enough for me so far. Sites can set any cookie they want. Third parties go to hell.

    29. Re:There should be... by Arlet · · Score: 1

      A proxy ? And let them see all my traffic ? That's worse than what I've got now.

    30. Re:There should be... by vegiVamp · · Score: 1

      Because right now, nobody sees your traffic? And if that really bothers you, you're unable to set one up yourself? Here's a hint: SOCKS proxying is built-in to openssh.

      --
      What a depressingly stupid machine.
    31. Re:There should be... by jonbryce · · Score: 1

      And if your cookie is for cosmetic changes, you just need to have a check box that says "save these settings on my computer". If they tick it, they have given permission for the cookie.

    32. Re:There should be... by Arlet · · Score: 1

      Only my ISP sees all my traffic, not some random 3rd party site I know nothing of. Given the choice, I'd stick with my ISP.

      And no, it doesn't really bother me. But then again, cookies don't bother me either. I was just pointing out that banning cookies doesn't really improve anything regarding your on-line privacy.

      Also, I have no idea how setting up a proxy improves anything regarding my traceability. They'll just use the proxy's IP address instead. The only solution would be to have a large pool of proxy servers, and pick a random one every time. But that means that all these proxies get a chance to see my traffic, instead of just my ISP.

    33. Re:There should be... by delinear · · Score: 1

      The social problem exists to prevent the bigger social problem of how you track user state between different pages on the site or different sessions. Cookies are a convenience to avoid asking the user to reset all their preferences for every single page (or having an incredibly static web - which I know a lot of people will say they prefer, but millions of others enjoy the rich web experience), the real problem lies in the lack of distinction (or at the very least clarity of distinction) between a cookie that is purely for the user's convenience and one that is for tracking purposes. I'd be more than happy with a solution that allowed companies to set cookies that made my life easier so long as they had to get my permission to use them for any kind of tracking or analysis purposes.

    34. Re:There should be... by delinear · · Score: 1

      The second every defaults that option to enabled, advertisers will simply create arrangements whereby all tracking is first party and the details are passed to them by a server side service. Same effect, slightly increased cost and complexity, less visibility.

    35. Re:There should be... by Anonymous Coward · · Score: 0

      (Un)fortunately sandbox issues do not allow a 3rd party site to read 1st party cookies. So no, it doesn't work if ad networks can't set their own cookies.

    36. Re:There should be... by delinear · · Score: 1

      While I wholly agree with your sentiment, in reality I suspect the severity of the implementation may render this impossible to police. Limit it purely to tracking cookies and there's a chance you can get sites to comply, expand that to convenience cookies and you've just created a huge additional development bill. I suspect this will go the way of disability regulations - it exists but it's never been used because practically no site on the web complies. If you limit it to tracking and analysis cookies then generally you can rip them out of websites without them horribly breaking, so it's more likely to get picked up and implemented without some huge government enforcement operation (and let's face it, how would this even work? they can't force sites overseas to implement it, if they force it only on local sites they increase the cost of doing business locally and reap the economic repercussions).

    37. Re:There should be... by Anonymous Coward · · Score: 0

      No, spoken like a small business man who isn't familiar with some of the issues, but knows they are going to end up costing me time and probably money - even if it is just to find out what I need to know.

      Do I need to look for a non-cookie based alternative to Google Analytics to get basic stats? How about tracking visitors who have come through Google adwords? Do I really have to bother every customer with a clickthrough permission? Can I put some of it in my Ts & Cs and "only" annoy my repeat customers to approve the change?

      I'm sure the answer to these questions is simple to those who specialise in the area. But I don't so it equals time, money and aggravation.

      And I do know enough to know that a web browser can already be trivially configured to do everything this law is meant to achieve. If you want to bother someone about it, bother the browser manufacturers to make it default behaviour. At least they have people on staff who understand the issues. And there are only a handful of them, but there are hundreds of thousands of me.

    38. Re:There should be... by Anonymous Coward · · Score: 0

      > This may be like a hack to work around the absence of session cookies, but session cookies are kept for the lifetime of the browser session (not the tab, not when you leave a page) so can still allow cross-site tracking, if they are third-party.

      That's a fairly big caveat at the end.

      There are even bigger problems with session IDs in the URL than with (second-party) session cookies. Ignorant users will copy-paste URLs to their friends, who will find that they're logged in as the copy-paster.

    39. Re:There should be... by Wowsers · · Score: 1

      For a so-called environment minister, you'd think she (Caroline Spelman) would have SOME sort of science or engineering degree, but no, she has a BA First Class in European Studies. Like most politicians, they are NOT qualified in the areas they speak about, and is why such idiotic laws and outbursts are made.

      --
      Take Nobody's Word For It.
    40. Re:There should be... by Pieroxy · · Score: 1

      It doesn't have the same effect at all!!! Let's take an example:

      Actual situation for most people: all cookies accepted.
      I go to amazon.com, some random JS drops a cookie from the website www.trackme.org. Then I go to best buy where such a JS is also included in all pages. My browser sends the same cookie to www.trackme.org, hence identifying me to them. The next day, www.trackme.org knows I've been to both sites and knows which products I've had a look at.

      My situation: Accept cookie only from the page's domain.
      I go to amazon.com where a version of the script is passed to me under the amazon.com domain name. The cookie is dropped on my browser for the amazon.com domain. When I go to best buy - where the same script is hosted under bestbuy.com - my browser doesn't send any information, so save my IP and user agent, they have no way of knowing it's the same person viewing the page.

      That is not a big difference, that's even bigger than that. It's actually the core part of the issue going away.

      Given the number of people on corporate networks (sharing the same IP and most likely the same UA) and the number of people on a dynamic IP (think mobile users), they actually have no reliable way of linking the bestbuy visit to the amazon's one.
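Added example (not part of the thread or of any commenter's post): a toy cookie jar that replays the two situations in the comment above, using the site names it mentions. The `Browser` and `Tracker` classes, the policy names and the visitor ids are hypothetical, and host matching is simplified to exact equality where a real browser compares registrable domains.

```javascript
// Added example: why blocking third-party cookies stops cross-site linking.
// Constructed model; class names, policy names and ids are hypothetical.
const SITES = ['amazon.com', 'bestbuy.com'];

class Browser {
  constructor(policy) {
    this.policy = policy;   // 'accept-all' or 'first-party-only'
    this.jar = new Map();   // cookie host -> cookie value
  }

  // Fetch a script hosted on resourceHost while viewing a page on pageHost.
  request(pageHost, resourceHost, server) {
    const thirdParty = resourceHost !== pageHost;   // simplification: exact match
    const allowed = !(thirdParty && this.policy === 'first-party-only');
    // A blocked third party neither receives nor stores a cookie.
    const cookie = allowed ? this.jar.get(resourceHost) : undefined;
    const setCookie = server.handle({ page: pageHost, cookie });
    if (setCookie && allowed) this.jar.set(resourceHost, setCookie);
  }
}

// The tracking company's view: one profile per visitor id it has seen.
class Tracker {
  constructor() {
    this.next = 1;
    this.profiles = new Map();   // visitor id -> Set of sites seen
  }

  // Returns a Set-Cookie value when no cookie was presented, else null.
  handle({ page, cookie }) {
    const id = cookie || `visitor-${this.next++}`;
    if (!this.profiles.has(id)) this.profiles.set(id, new Set());
    this.profiles.get(id).add(page);
    return cookie ? null : id;
  }

  report() {
    return [...this.profiles].map(([id, sites]) => ({ id, sites: [...sites] }));
  }
}

// hosting 'third-party': the script is served from www.trackme.org on every site.
// hosting 'per-site': each shop serves the script under its own domain and
// relays the events to the same tracker.
function simulate(policy, hosting) {
  const browser = new Browser(policy);
  const tracker = new Tracker();
  for (const site of SITES) {
    const host = hosting === 'third-party' ? 'www.trackme.org' : site;
    browser.request(site, host, tracker);
  }
  return tracker.report();
}

// True when some profile ties more than one site to a single visitor.
function canLink(report) {
  return report.some((profile) => profile.sites.length > 1);
}

for (const [policy, hosting] of [
  ['accept-all', 'third-party'],
  ['first-party-only', 'third-party'],
  ['first-party-only', 'per-site'],
]) {
  const report = simulate(policy, hosting);
  console.log(policy, hosting, JSON.stringify(report), 'linked:', canLink(report));
}
```

The model covers cookies only; the IP address and user agent mentioned in the thread remain visible to the server in every case.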

    41. Re:There should be... by Quince alPillan · · Score: 2

      ...and I don't want to be bothered with every website I go to telling me that I need to add another cookie. I'm a developer and when I have a problem, I search the internet for answers. Those answers could be on some guy's blog, or it could be an answer on a forum and is usually different every time. Having a box or click through page pop up over and over and over again is annoying as hell. You may want to know what sites are setting cookies, but I don't care, and neither does most of the non-technical population.

      Browsers should provide the option for different security levels. It shouldn't be the responsibility of the website to do so because every user will be different. That way, you can be paranoid, and I can surf the internet in peace. It allows us to set our "permission" by default.

    42. Re:There should be... by edumacator · · Score: 1

      > If you need a basket type session before this point then can you not use session id's in the url?

      I haven't read the new rules, but wouldn't this be the same thing as tracking through a session cookie? I'm curious if this is still covered in the rules. It would be a trivial thing to use the url based tracking string and pass it to the third party from the server. Would that be allowed?

    43. Re:There should be... by Yer Mom · · Score: 1

      Usually because the UK government seems to insist on interpreting the EU directive in the most pedantic manner possible, while other EU countries take a more sensible and pragmatic approach...

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
    44. Re:There should be... by John Hasler · · Score: 1

      > ...without permission...

      "Without permission"? The site sends a cookie and your browser either accepts it and stores it away on your disk, or not. Whether or not your browser asks you for permission before accepting a cookie is entirely between you and your browser. The site operator is not responsible for the fact that your browser may have been configured to accept cookies silently.

      > ...I applaud the effort to do something about it.

      Why not just inform people and let them make their own decisions as you have?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    45. Re:There should be... by John Hasler · · Score: 1

      > Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing.

      Which can already be handled entirely by the browser. There is nothing a site can do to stop your browser from asking for permission before accepting a cookie.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    46. Re:There should be... by John Hasler · · Score: 1

      > Most people don't know they exist.

      Tell them.

      > Tracking people without permission falls into the arena of
      > the legal.

      It's your browser that accepts cookies and it is your browser that honors requests for them. Why is it the site operator's problem that you are using a browser configured to do so silently?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    47. Re:There should be... by vegiVamp · · Score: 1

      You might be fully right, but how does the browser differentiate ?

      --
      What a depressingly stupid machine.
    48. Re:There should be... by vegiVamp · · Score: 1

      Entirely correct, except that they can fuck up the site if you don't accept them. They can also do that when they have to ask you themselves, but from the ignorant user's point of view it is then the site that doesn't work properly, instead of the browser.

      The difference is minor, I'll agree, and I'm not convinced that it is worth legislating over, but on the other hand it's not as if the industry is regulating itself. Time will tell.

      --
      What a depressingly stupid machine.
    49. Re:There should be... by Anonymous Coward · · Score: 0

      Why don't they just ban the collection and storage of any information beyond that which is required for any consumer initiated business with an individual? Fsck the advertisers.

    50. Re:There should be... by Anonymous Coward · · Score: 0

      Hi, I'm your valet. You give me your keys and I'm going to check the box to ignore who they belong to.

      Hi, I'm your bank, since you disabled cookies you have to send your password in cleartext on the url each time you log in for each hit to our site.

      Hi, I'm the HTTP RFC, don't touch my cookies.

    51. Re:There should be... by purpledinoz · · Score: 1

      Are there really any benefits to the users to allow third party cookies? All browsers should just disallow third party cookies by default. There, solves that problem.

    52. Re:There should be... by The13thSin · · Score: 1

      Exactly.

      Look, I'm a big advocate for more privacy and believe we are currently giving away way too much private information and are tracked way too much, but this is something that should be addressed in browsers, not websites. Hell, make legislation that makes it mandatory to have a dedicated cookie-information page with a new tag that links to it if you must (so the browser can link to it, for instance with the infamous yellow bar), but the practical effect of legislation like this is that business is moving elsewhere (outside the EU).

      Any website that gives the end user a scary "I'm tracking you!" pop up will most definitely be less popular than its US/Asian/etc sibling that doesn't. More importantly, it's not what the end user wants (in most cases) as it deducts from the user experience. If you want to tackle this legitimate concern, do so from within the browser, so there is no advantage to anyone (and also solves the issue with how to warn for 3rd party cookies, plus saves a million man hours to make current websites compliant). I really don't understand why the (sometimes somewhat IT competent) EU decided to implement this in the way they did, as it will only hurt their business.

      Almost makes me wish the EU had someone in charge that calls the internet a "series of tubes"... Almost.

      --
      "This should be fun, and by fun, I mean a wholly depressing insight into the cognitive ability of some grown adults."
  2. Helpful instructional videos from across Atlantic by syousef · · Score: 4, Funny
    --
    These posts express my own personal views, not those of my employer
  3. Question of terminology by jcwayne · · Score: 2

    IANAL(imey), so I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/

    --
    Failure to follow this advice may result in non-deterministic behavior.
    1. Re:Question of terminology by Nursie · · Score: 1

      "I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/"

      Not all biscuits, only unsolicited internet biscuits :)

    2. Re:Question of terminology by burisch_research · · Score: 1

      Sounds like a load of buffa-biscuit to me!

      Also, biscuits go well with tea. Arthur Dent would approve wholeheartedly.

      --
      char*f="char*f=%c%s%c;main(){printf(f,34,f,34);}";main(){printf(f,34,f,34);}
    3. Re:Question of terminology by jonbryce · · Score: 1

      In UK English, a cookie is a specific type of biscuit with little bits of chocolate in it and usually soft and chewy rather than hard and crunchy.
      It is EU law that is banning them, not UK law.

    4. Re:Question of terminology by KeithSmillie · · Score: 1

      So just leave internet Jaffa Cakes instead, legislation sidestepped!

    5. Re:Question of terminology by Anonymous Coward · · Score: 0

      Not biscuits, cookies. It's pure protectionism.

  4. Wifi Cookie Global Warming? by bryan1945 · · Score: 1

    So if the UK is having Wifi problems with global warming, what is that going to do to their cookies? Will their cookies only work for a certain range, and then turn into scones? I demand an irrational panel of useless government bureaucrats to investigate now! God save all our tea and cucumber finger sandwiches.....

    --
    Vote monkeys into Congress. They are cheaper and more trustworthy.
  5. The idea is just fine by xenobyte · · Score: 3, Interesting

    It's just next to impossible to use the law as it is.

    To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies. An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go. Basically this can be done in a simple way: A visitor to a site featuring ads from the advertiser will see nothing but requests to decide whether to accept cookies or not until this decision is made. The result is stored in a cookie which they need permission for as well. Now when sending ads the decision cookie is checked and if the answer is yes, the ads are sent with the tracking cookies, and if no, they are sent with no cookies.

    This will obviously result in a lot of people saying no to the tracking cookies but that is as it should be. Tracking someone should only be done with consent.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    1. Re:The idea is just fine by Xeranar · · Score: 2

      Thank you. I'm glad somebody answered in a logical thoughtful way instead of the goofy knee-jerk "Government is stupid/bad!" that seems to come up so often. The answer is simple and frankly should have been implemented years ago. Cookies are not that wonderful and while I enjoy using them to log in to non-secure websites for simple stuff I am not a big cookie fan otherwise. They're sneaky bastards.

    2. Re:The idea is just fine by hcs_$reboot · · Score: 1

      Considering how cookies are important, like session-ID storing, the question should better be asked once only, by the browser.
      People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors.
      Pretty quickly, it will appear obvious that the law cannot apply to cookies.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:The idea is just fine by Chrisq · · Score: 2

      Redirect everyone without cookies to a page with a consent form describing all cookies set. Have an "accept" yes or no option. The no takes them to a page that says "sorry, you are unable to use our site", and an option to try again.

    4. Re:The idea is just fine by Nursie · · Score: 1

      You'd be surprised how functional the internet is without cookies.

      You need them for a lot of session-based stuff (login on forum sites, internet shopping/banking/etc) but most sites you visit don't really need them.

    5. Re:The idea is just fine by mikael_j · · Score: 1

      Most sites I visit need them since most sites I visit have some form of session handling.

      It's not 1995 anymore, these days people don't just use the web to read documents shared by others and not being logged in is often a major hurdle when communicating with others online.

      --
      Greylisting is to SMTP as NAT is to IPv4
    6. Re:The idea is just fine by Arlet · · Score: 1

      You also need them to store simple preferences, such as language settings. If you go to CNN, it lets you choose between international or US news, which is very convenient for people. A lot of sites have something similar. If you don't have cookies enabled, these things often break silently.

    7. Re:The idea is just fine by Nursie · · Score: 1

      "It's not 1995 anymore, these days people don't just use the web to read documents shared by others and not being logged in is often a major hurdle when communicating with others online."

      Yup, so those sites that need it (there are about 20 that I care enough about to allow it) get permission and everything is fine.

      But there's session handling and there's session handling. Slashdot needs a cookie. Dilbert does not. Wikipedia does not. Doubleclick can f*ck right off. It's actually still 1995 in a lot of places I go to read information.

    8. Re:The idea is just fine by Nursie · · Score: 1

      Then ask if it's ok to store site preferences in a cookie, once, the first time someone changes a setting like that.

    9. Re:The idea is just fine by Arlet · · Score: 1

      The whole point of setting a preference is that it will be remembered for next time. Obviously it needs to be stored somewhere. Anybody who wants to set a preference and understands what they are doing is going to allow the cookie.

      Or, perhaps you want to include 2 pages of legalese explaining all the conditions that are attached to the use of the cookie, that people aren't going to read anyway.

    10. Re:The idea is just fine by Nursie · · Score: 1

      It's simple, find another magic way of remembering, ask permission to store the data on the user's computer, or don't have the setting.

      I'm sure it would be more convenient for me if every site on the internet knew my waist, collar and shoe sizes too, the minor inconvenience of having to tell them is the tradeoff for privacy in that case. Here, CNN asking once if they can stick a cookie on your machine is the price.

    11. Re:The idea is just fine by Anonymous Coward · · Score: 0

      Then don't fucking allow them to store shit on your computer Nursie. I see you trolling this article everywhere with your bullshit, but look, if you can't control what is stored on your computer, that's your problem. Thanks for making another goddamn clickthrough for the rest of the world. Hint: its called a whitelist.

    12. Re:The idea is just fine by Nursie · · Score: 1

      I do control what's on my computer. Most other computer users don't know what a cookie is, let alone what they're used for or how many they have on their machine from advertisers and trackers. They might like to know. They might like to be asked before they're set.

      And if "replying honestly to people who reply to me" is now trolling then... wow. Why so angry?

    13. Re:The idea is just fine by L4t3r4lu5 · · Score: 1

      "Dear ChrisQ,

      I admire you for your adherence to regulation regarding our website. Your input into the compliance process has been valuable.

      Since you have provided the potential customers with the choice of accepting cookies or not using the site, our sales have dropped 35% and advertising revenue is now nil. We are no longer able to support your position with this company. Please clean off your desk and hand in your ID and keys to the receptionist on the way out.

      All the best for the future,
      Your ex-Boss."

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    14. Re:The idea is just fine by icebraining · · Score: 1

      People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors.

      No they won't, because businesses aren't stupid and will cut back on cookies immensely to prevent confusing the users. The only reason every site nowadays sets a boatload of cookies is because they don't have to ask.

    15. Re:The idea is just fine by Mouldy · · Score: 1

      Every result in [search engine of your choice] will be "You need enable cookies to use this website, yay or nay" because search engines won't be able to index the website's content without themselves accepting cookies.

      A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners. Something along the lines of "This website wants to set cookies which may be necessary for it to work correctly, do you want to allow this? yay/nay". Someone/"they" could even make a standard that allows websites to explain to browsers the reasoning behind each cookie set. Of course, this has the problem that too many people don't update their browsers - but those people bring it on themselves and should therefore not be "protected" by this law.

    16. Re:The idea is just fine by Anonymous Coward · · Score: 0

      If the Internet is functional without cookies, then perhaps rather than bringing in new laws to apply to all websites, it would be better to get the major browser makers to adopt no-cookie settings by default?

    17. Re:The idea is just fine by Anonymous Coward · · Score: 0

      So a lot of publishers own their own ad platform - oh sorry, that's not a third party, we own our own :-)

    18. Re:The idea is just fine by mjwalshe · · Score: 1

      As would a lot of usability stuff; wanting to set a site into its visually impaired style is one example.

    19. Re:The idea is just fine by bentcd · · Score: 0

      Every result in [search engine of your choice] will be "You need enable cookies to use this website, yay or nay" because search engines won't be able to index the website's content without themselves accepting cookies.

      This will be a problem for all of two seconds before site operators realize that showing ads is, after all, more important than letting ads track users; and they change their site so that it just works cookies or no.

      --
      sigs are hazardous to your health
    20. Re:The idea is just fine by VortexCortex · · Score: 1

      It's just next to impossible to use the law as it is.

      To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies.

      Or, you can pre-opt out of every website on the planet by sending the DNT: 1 (do not track: enabled) HTTP Header in every request for web resources.

      The current version of Firefox4 supports this header, as well as NoScript for previous versions of FF. MS has stated that IE9 will support this header option too. Google (and the MPAA) have expressed concerns with allowing users to automatically opt out of every tracking service by simply stating their wishes to not be tracked... Therefore, Chrome will not support the feature, (I created a patch for Chromium -- IMHO, No one should use Chrome since there is a clean open source version available as Chromium).

      An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go.

      Enable DNT:1 header. The FIRST thing the advertiser sees in your request for a resource they host (which normally allows them to set a cookie if your browser has them enabled) is the DNT:1 header -- This allows you to inform them ahead of time that you do not want to be tracked.

      I agree that the proposed Cookie Guidelines are not the needed legislation. I don't think that sites need my permission before they send "SET-COOKIE: somekey=somevalue" to me -- We all can use cookie blocking software (and/or the browser itself) to disable the acceptance of these cookies. I do agree that sites should tell me what they will track about me, and exactly which companies they will share such info with if I agree to allow them to track me. Use the "we can update these policies at any time" mumbo-jumbo in order to provide an up to date list of who's got access to privacy related data...

      Basically this can be done in a simple way: [...]

      Indeed, it's already been done, now we just need the Advertisers to respect our pre-opt-out wishes... Legislation will be required, unfortunately, this law is not it.
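
The two mechanisms discussed in this subthread, xenobyte's decision cookie and the `DNT: 1` request header, combined into one server-side check. This is an added example, not code from any poster; the cookie names `ad_consent` and `ad_uid` and all function names are assumptions.

```javascript
// Added example. Cookie names are hypothetical, not from the thread.
const CONSENT_COOKIE = 'ad_consent'; // holds only the visitor's yes/no answer
const TRACKING_COOKIE = 'ad_uid';    // the identifier that requires consent
const ONE_YEAR = 365 * 24 * 60 * 60;
const ATTRS = 'Path=/; Secure; HttpOnly; SameSite=None'; // third-party context

// HTTP header names are case-insensitive, so look them up that way.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return String(value).trim();
  }
  return undefined;
}

// Parse a Cookie request header into a Map; the first occurrence of a name wins.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 1) continue; // skip empty or nameless pairs
    const name = part.slice(0, eq).trim();
    if (name && !jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// 128-bit random identifier from a CSPRNG, hex encoded.
function newTrackingId() {
  const webcrypto = globalThis.crypto || require('crypto').webcrypto;
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// If the browser still holds an identifier we may not use, tell it to drop it.
function expireTracking(jar) {
  return jar.has(TRACKING_COOKIE) ? [`${TRACKING_COOKIE}=; Max-Age=0; ${ATTRS}`] : [];
}

// Decide which Set-Cookie headers accompany an ad response.
// Order of precedence: DNT: 1 beats everything, then the stored decision,
// and with no decision on record the ad is served untracked plus a prompt.
function decideAdResponse(headers, makeId = newTrackingId) {
  const jar = parseCookieHeader(headerValue(headers, 'Cookie'));

  if (headerValue(headers, 'DNT') === '1') {
    return { tracked: false, reason: 'dnt', askConsent: false,
             setCookie: expireTracking(jar) };
  }

  const consent = jar.get(CONSENT_COOKIE);
  if (consent === 'yes') {
    // Reuse a well-formed identifier; never echo back an arbitrary value.
    const existing = jar.get(TRACKING_COOKIE) || '';
    const uid = /^[0-9a-f]{32}$/.test(existing) ? existing : makeId();
    return { tracked: true, reason: 'consented', askConsent: false,
             setCookie: [`${TRACKING_COOKIE}=${uid}; Max-Age=${ONE_YEAR}; ${ATTRS}`] };
  }
  if (consent === 'no') {
    return { tracked: false, reason: 'declined', askConsent: false,
             setCookie: expireTracking(jar) };
  }
  // Missing or unrecognised value: treat as "not decided yet".
  return { tracked: false, reason: 'undecided', askConsent: true,
           setCookie: expireTracking(jar) };
}

// Called only after the visitor answers the prompt. The thread notes that this
// cookie needs permission too; it carries the answer and no identifier.
function recordDecision(answer) {
  if (answer !== 'yes' && answer !== 'no') {
    throw new TypeError('answer must be "yes" or "no"');
  }
  return `${CONSENT_COOKIE}=${answer}; Max-Age=${ONE_YEAR}; ${ATTRS}`;
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  { DNT: '1', Cookie: 'ad_consent=yes; ad_uid=0123456789abcdef0123456789abcdef' },
  { Cookie: 'ad_consent=yes' },
  { Cookie: 'ad_consent=no' },
  {},
];
```

With `DNT: 1` present the stored "yes" is ignored and the existing identifier is expired, which is the pre-opt-out behaviour the comment above asks advertisers to honour.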

    21. Re:The idea is just fine by Anonymous Coward · · Score: 0

      Dear ex-Boss,

      You built a business model around gaining revenue from doing things that people despise. I have no idea how I ended up working for you. I hope your family starves. Go to hell.

      Sincerely,
        Cares About Principle

    22. Re:The idea is just fine by VortexCortex · · Score: 1

      Considering how cookies are important, like session-ID storing, the question should better be asked once only, by the browser. People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors. Pretty quickly, it will appear obvious that the law cannot apply to cookies.

      ::Sigh::

      The website you are visiting has requested to store a cookie on your computer.

      (o) Do not accept the cookie for this site.
      ( ) Do not accept cookies for any site.
      ( ) Allow only this cookie for just this session.
      ( ) Allow all cookies from the domain example.com for just this session.
      ( ) Allow all cookies from the domain example.com until they expire or you clear them.
      ( ) Use the recommended action of your chosen privacy advisor service: allow for 1 session only

      [x] Remember my decision and do not ask me again.
      (This setting can be changed later in the privacy tab of your profile options)

      (Advanced: click here to see the content of the cookie and to set per cookie acceptance / expiration policies )

      The cookie-monster plugin for Firefox gives you per site options, but I haven't used it in a while, basically, just the above dialog would suffice for all of my cookie related needs.

    23. Re:The idea is just fine by jonbryce · · Score: 1

      Session cookies are allowed. The checkbox that says "remember me" needs to be renamed to say "save my login details on this computer and log me in automatically every time I visit". Then you are obtaining informed consent for the cookie.

    24. Re:The idea is just fine by L4t3r4lu5 · · Score: 1

      That's great if you want to work in a field for the rest of your life.

      My point was that Hobson's Choice only works if you have all of the product and are the only one selling. If Hobson had only half of the horses, he'd have been competed out of business within days by the others.

      Further, principles don't feed your family. If you're happy living off value-range beans and sitting under blankets with the heating off during winter, you can afford that smug satisfaction of taking the moral highground. Some of us have mortgages to pay and / or families to feed and clothe, and can't afford to "stick it to the man".

      FWIW, I agree with you. I'm just being realistic.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    25. Re:The idea is just fine by Anonymous Coward · · Score: 0

      ( ) This is my first time using a computer/the internet and you're asking me to give an answer on something I consider a reasonably complex technical question which might, based on my uninformed answer, then go on to affect all my future experiences (example, by blanket banning cookies and having a poorer user experience or by blanket allowing them and suffering loss of privacy)

      The reason we have a mechanism like cookies that silently writes this information in the first place is because sufficient users can't or don't want to understand what they are or how they work. We've had the ability to disable them almost since year dot and yet we're still having to implement laws because people can't or don't want to figure out what they are and how to turn them off. Badly thought out legislation will have huge development costs to business and confuse the hell out of users.

    26. Re:The idea is just fine by bmuon · · Score: 1

      A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners.

      This needs modding up.

      Of course, this has the problem that too many people don't update their browsers - but those people bring it on themselves and should therefore not be "protected" by this law.

      It actually shouldn't matter but not because "they bring it on themselves", but because sooner or later everyone updates, at most when they change computers.

    27. Re:The idea is just fine by Anonymous Coward · · Score: 0

      A website can trivially obtain permission from the user for the site's own cookies.

      Why are the websites doing any of this?
      This is quite easily handled by a setting available on every major browser: "Prompt for cookies".

      It's creating a major pain for a problem which has already been solved.
      Now, if they want to make legislation forbidding the use of things like Evercookie, along the lines of "Cannot attempt to bypass user's cookie settings" - I'd be OK with that.

    28. Re:The idea is just fine by Anonymous Coward · · Score: 0

      I don't normally post random flames. But you are an idiot.

    29. Re:The idea is just fine by swright · · Score: 1

      A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners.

      This. I was wondering why nobody else was making this point.

      It could even be accompanied by a law mandating that cookies are associated with descriptive information about what they are for.

      A browser-based implementation would be impossible for sites to not comply with, more user friendly for the masses, better for sites, and better for privacy.

      I really don't understand why the onus has been placed on sites :(

    30. Re:The idea is just fine by Anonymous Coward · · Score: 0

      How about a website needs permission to set a cookie if the referrer is not the same domain as the request? Cookies were designed for small local storage for a site you visit, the problem is off-domain subrequests are given the same freedom to set cookies as the main page you want to go to. As such, google can set a cookie identifying you on any site their ads are on. This should be considered an XSS attack, except all the major browser makers depend on this feature (Apple, Microsoft, Google). A cookie in and of itself is harmless when it can not be matched up with a referrer outside of your own domain.

      Also, you need cookies for any site that requires you to login, otherwise it takes some creative methods to keep you logged in without sending your authentication credentials through the URL line each request.

    31. Re:The idea is just fine by VortexCortex · · Score: 1

      ( ) This is my first time using a computer/the internet and you're asking me to give an answer on something I consider a reasonably complex technical question which might, based on my uninformed answer, then go on to affect all my future experiences (example, by blanket banning cookies and having a poorer user experience or by blanket allowing them and suffering loss of privacy)

      The reason we have a mechanism like cookies that silently writes this information in the first place is because sufficient users can't or don't want to understand what they are or how they work. We've had the ability to disable them almost since year dot and yet we're still having to implement laws because people can't or don't want to figure out what they are and how to turn them off. Badly thought out legislation will have huge development costs to business and confuse the hell out of users.

      Perhaps you missed this option:
      ( ) Use the recommended action of your chosen privacy advisor service: allow for 1 session only

      This could be made default...

      To be perfectly fair: IMO, Computer illiterate people should not be using things they do not understand.

      They may make bad decisions about their privacy and or fall for Trojans or Scare-Ware -- which happen to be the majority of the installed malware I encounter.

      I work on my own cars; I recently rebuilt my manual transmission. I will not tamper with my GF's car's transmission -- It's automatic, I don't have the interest, time or money to learn about these more complex parts, ergo: I will not fiddle with them (in fact, I will not even buy them, but I will drive them because I have taken the time to learn how to operate them), I will hire other more capable individuals to perform tasks on my behalf that I do not fully understand -- To do otherwise is very risky!

      For whatever reason, people fail to apply the common sense wisdom of "If you don't understand it, don't mess with it" to computers. If you can't be bothered to learn how to operate them, then stay off of our information superhighway.

      Also note: I have taught several seniors computer literacy, and they would not be confused by a prompt such as this. Typically when one comes across something that one needs help understanding, one should seek education, if not, who cares if they proceed blindly? (They aren't going to learn anyway) -- I would hate to apply your logic to drivers' licenses, BTW.

      Lastly, for many people firing up their browser for the first time is not firing up A browser for the first time -- They could be computer literate individuals who have just installed a new browser or OS, or purchased a new computer.

  6. Grammar Nazi by Jack+Malmostoso · · Score: 0

    From the summary:

    it's current site would not be compliant with its new guidelines

    Which one is it? "It's" or "its"? I'm not saying you're supposed to know which one is correct, but at least be consistent.

    1. Re:Grammar Nazi by Anonymous Coward · · Score: 0

      I'm not saying you're supposed to know which one is correct

      He writes like someone who is fluent in English, so I would expect him to know which one is correct.

    2. Re:Grammar Nazi by Tim+C · · Score: 1

      I have had to explain the difference between it's and its twice now to an otherwise intelligent, native-born English speaker at work. Some people seem to just not have a head for grammar, distressingly enough.

  7. cookies are dangerous by nyatty · · Score: 1

    Cookies can easily be used for spying, which makes them dangerous.

    --
    me
  8. rofl by Anonymous Coward · · Score: 0

    It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites.

    Good luck with that.

    1. Re:rofl by Tasha26 · · Score: 1

      Actually I hate that my Facebook, Gmail, Yahoo, Twitter and Youtube data are stored on American servers. Now this data is freely available to scumbags like the FBI which can check it whenever they want and without a warrant. Server location in the financial industry (a.k.a domiciliation) is a very big decision before setting up funds and getting investors. Why shouldn't we do the same for our online data?

  9. RFC2965 need merging and update with HTML5 storage by La+Gris · · Score: 1

    Session tracking really needs a new standard and some merging with the HTML5 client side storage. This with clear client enforceable client policy, server and DOM standard way of reading the access and store policy settings.

    The situation now is:
    - an obsolete RFC2965 cookies standard that no average user knows/can manage safely,
    - and a still to be standardized HTML5 incompatible client storage and database.

    New cookies should become part and merge with the HTML5 client side storage, with backward compatible but marked obsolete API.

    --
    Léa Gris
  10. There are no cookies in the UK by Anonymous Coward · · Score: 0

    They call them biscuits. Or possibly scones. I dunno, but they serve them with Tea, at precisely 4pm every day. It's like the whole country grinds to a halt.

    1. Re:There are no cookies in the UK by Jaruzel · · Score: 2

      Not True.

      Yes we have biscuits, but we also have cookies. Cookies are typically rough circular baked sweet dough with added fruit or chocolate. Most Cookies are also moist in the centre. They are also baked fresh and bought from dedicated cookie or bakers shops (you can get pre-packed cookies but these are horrible and dry).

      Biscuits are dry (excluding the filling) and come in defined shapes. To use a common example, Oreos (also available in the UK) qualify as biscuits not cookies.

      -Jar

      --
      Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out
  11. It's a pointless law by Chrisq · · Score: 1

    You could just use the browser "prompt every time" setting if you want to decide which sites use cookies. (The prompt allows you to say "always for this site".)

  12. You know you need to worry... by quarkoid · · Score: 0

    ...when the people creating the law have no understanding of the subject they're legislating on.

    "[cookies] are text files placed on your computer"

    Say no more.

    1. Re:You know you need to worry... by Arlet · · Score: 1

      It's close enough. Cookies are small pieces of text, and they are stored on your computer.

    2. Re:You know you need to worry... by quarkoid · · Score: 1

      "Petrol is a metal tank attached to your car"

      "Ink is the stick you use to write on paper with"

      "Music is the big square boxes attached to your amplifier"

      Close enough it may be, but to definitively state something as fact which is quite clearly not fact (or, even if it is, only in a limited number of cases) when describing why legislation applies is just wrong.

      They could quite simply have said, "Cookies are small pieces of text which your computer may choose to store." - there, simple. It also has the plus that it tells the user it's up to them whether they're stored.

      But then we're not very hot on taking responsibility for what our computers do.

      Ho hum.

    3. Re:You know you need to worry... by Nursie · · Score: 1

      You going to explain about cookies to my mother?

      I sure as hell don't want to. Somebody probably should though, as she's unwittingly feeding all sorts of info to whoever wants it on the internet, without her knowing.

      Saying users have the choice is disingenuous here.

    4. Re:You know you need to worry... by Arlet · · Score: 1

      The typical user just clicks on a web site, and has no idea what cookies are, and that they are getting stored on their computer. In most cases, there's no 'choosing' involved, since they are enabled by default. For those cases, saying that the text just gets stored on your computer is accurate enough.

    5. Re:You know you need to worry... by Anonymous Coward · · Score: 0

      ...when the people creating the law have no understanding of the subject they're legislating on.

      "[cookies] are text files placed on your computer"

      Say no more.

      Uh, you don't understand the subject, that description of web-cookies is perfectly accurate and sufficient.
      The original web-cookies were implemented as small text-files existing in the traditional file system on your computer. Now cookies are stored together in a database-file by most browsers, but they are still files and they are still text-files.

      The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name."
      That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

    6. Re:You know you need to worry... by he-sk · · Score: 2

      The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name."
      That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

      That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

      Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

      Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

      Most files below /proc are not even data at all, but state. (I.e. their informational value depends on the time they are queried.)

      Also, a database file is usually not a text-file, because it contains data that is not human-readable.

      --
      Free Manning, jail Obama.
    7. Re:You know you need to worry... by Arlet · · Score: 1

      Also, a database file is usually not a text-file, because it contains data that is not human-readable.

      There is little conceptual difference between a database and a file system. For the sake of the discussion it doesn't matter if cookies are stored in little individual files on a file system, or if they are combined in a small database implemented as a single file.

    8. Re:You know you need to worry... by VortexCortex · · Score: 1

      The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name." That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

      That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

      Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

      Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

      Most files below /proc are not even data at all, but state. (I.e. their informational value depends on the time they are queried.)

      Also, a database file is usually not a text-file, because it contains data that is not human-readable.

      Have you written any code to access those? Guess what, you use a FILE DESCRIPTOR. The goal is that everything in Unix be accessible as a file... If it looks like a turd; Smells, feels and tastes like a turd -- It's a pedant.

    9. Re:You know you need to worry... by he-sk · · Score: 1

      Yes, but then why even mention the technical term text-file? Why not conceptually describe what's going on, so that anybody can understand it?

      Cookies are pieces of data that are stored on your computer, usually for preferences such as login information. They can also be used to track your browsing patterns.

      Follow up with a link to a broader discussion of the pros and cons of cookies. On the technical end, someone else mentioned an adblock-like approach for sites from which cookies should be blocked by default. This should be integrated into every modern browser, at least through a plugin that is advertised properly.

      --
      Free Manning, jail Obama.
    10. Re:You know you need to worry... by he-sk · · Score: 1

      You need a file descriptor to access any kind of file. Except on the shell, where you can use them directly as input or output. The principle that everything is a file is a big reason why shell programming is as powerful as it is. (I'm not saying it's pleasant. But it does get the job done in many instances.)

      --
      Free Manning, jail Obama.
  13. Re:RFC2965 need merging and update with HTML5 stor by WaffleMonster · · Score: 1

    The situation now is:
    - an obsolete RFC2965 cookies standard that no average user knows/can manage safely,
    - and a still to be standardized HTML5 incompatible client storage and database.

    New cookies should become part and merge with the HTML5 client side storage, with backward compatible but marked obsolete API.

    If you liked storing pointers to data kept on servers you will *LOVE* storing even more data from each site on your computer.

    Well I guess right up until the point where all the fine folks on the Intertubes intentionally design sites to consume massive amounts of disk space across an infinite number of attacker domains and or force erasure of legitimate content after the fixed storage pool is exhausted.

  14. Is it good enough? by Anonymous Coward · · Score: 0

    Industry players and content providers alike are confused by the new UK cookie legislation. An anonymous industry spokesperson who sports blue hair, googly eyes and bad table manners is against this new law, saying that cookies is (sic) good enough for him. In other news, a pig falls in love with a frog. Stay tuned after the break.

  15. Stalkers by Tasha26 · · Score: 1

    I hate the way major websites have perverted third-party cookies, because now if you block them, this will result in loss of website navigability... and Flash players not working properly in some cases. I believe those big websites deliberately created such 3rd-parties (ytimg.com, yimg.com?) to turn tracking into stalking.

    1. Re:Stalkers by ledow · · Score: 1

      Really? I use Opera, with "Accept cookies only from the site I visited" set to on (which is the default) and have never run into a problem with this.

      What sites specifically? Because I have *zero* cookies from either of those sites you mentioned and yet don't have a problem navigating any of what I would consider the major sites - the only sites that give me problems are ones where they don't have Opera compatibility at all, I can't even remember the last time I had a cookie issue (maybe with the inbuilt Steam browser not staying logged into Steam community - but I can't even *see* the cookie settings for that).

    2. Re:Stalkers by Tasha26 · · Score: 1

      Thanks for the tip, will try that! I haven't used Opera for Windows yet (but I do use it all the time on my Nokia and to access /. in the loo). I did read they have problems rendering some websites so I've stuck to Firefox and its new hunger for RAM & CPU resources.

    3. Re:Stalkers by lazybeam · · Score: 1

      I thought the point of those domains was that they didn't have cookies, thus saving large amounts of bandwidth and time (more caching and concurrency) for the static files.

      --
      --
      no sig for you. come back one year.
  16. Re:RFC2965 need merging and update with HTML5 stor by Anonymous Coward · · Score: 2, Interesting

    There shouldn't be any client side storage at all. If the browser makers would just drop this stupid cookie idea that Netscape had around the time of the blink-tag, web developers would be forced to design their sites to store anything they need on the server.

    Make the browser send a UUID as a session identifier. When the user types in a new URL, or selects a bookmark, generate a new session identifier, even if it's the same site. That way, you could even be logged in to the same site with two different userids at the same time, something that doesn't work with cookies. When the user navigates from one domain to another, generate a new session id. When loading images or scripts from a different domain than the current page, load them with a new session id.

    No tracking possible.

    "Remember me" would no longer be a setting on the page, which writes a permanent cookie, but a setting in the browser, which makes the current session id fixed for the current domain.
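The session-identifier rules proposed in the comment above can be modelled in a few lines. This is an added example, not part of the original post: the class and method names are hypothetical, "domain" is approximated by the URL hostname, and the scenario URLs are constructed.

```javascript
// Added illustration of the comment's proposal; class and method names are hypothetical.
const rng = typeof require === 'function' ? require('node:crypto') : globalThis.crypto;
const hostOf = (url) => new URL(url).hostname; // assumption: "domain" means hostname

class SessionIdBrowser {
  constructor() {
    this.pageHost = null;    // host of the page currently displayed
    this.pageId = null;      // session id sent to that host
    this.pinned = new Map(); // host -> id fixed by the browser's "remember me" setting
    this.log = [];           // every request as a server would see it: {host, id}
  }
  _send(host, id) { this.log.push({ host, id }); return id; }
  _startSession(host) {
    this.pageHost = host;
    this.pageId = this.pinned.get(host) ?? rng.randomUUID();
    return this._send(host, this.pageId);
  }
  // Typed URL or bookmark: always a new session, even for the same site.
  open(url) { return this._startSession(hostOf(url)); }
  // Clicked link: the id survives only while the host stays the same.
  follow(url) {
    const host = hostOf(url);
    return host === this.pageHost ? this._send(host, this.pageId) : this._startSession(host);
  }
  // Image or script: same host reuses the page id, any other host gets a throwaway id.
  fetchSubresource(url) {
    const host = hostOf(url);
    return this._send(host, host === this.pageHost ? this.pageId : rng.randomUUID());
  }
  // "Remember me" as a browser setting: pin the current id for the current host.
  rememberMe() { this.pinned.set(this.pageHost, this.pageId); }
  idsSeenBy(host) { return this.log.filter((r) => r.host === host).map((r) => r.id); }
}

// Constructed scenario: two unrelated sites embed the same third-party script.
function simulate() {
  const b = new SessionIdBrowser();
  const shopA = b.open('https://shop.example/');
  const shopCart = b.follow('https://shop.example/cart');
  b.fetchSubresource('https://tracker.example/pixel.js');
  b.rememberMe();
  b.open('https://news.example/');
  b.fetchSubresource('https://tracker.example/pixel.js');
  const shopLater = b.open('https://shop.example/');
  const second = new SessionIdBrowser().open('https://shop.example/');
  return { shopA, shopCart, shopLater, second, tracker: b.idsSeenBy('tracker.example') };
}
```
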

  17. Duplicate article, or rather triplet by Anonymous Coward · · Score: 0

    The EU directive is covered by this slashdot article:
    http://yro.slashdot.org/story/11/03/10/0123210/New-EU-Net-Rules-Set-To-Make-Cookies-Crumble

    The problems involved with implementing the EU directive are (better) described in this slashdot article:
    http://yro.slashdot.org/story/11/04/30/208236/Sweden-May-Mandate-Opt-in-For-Cookie-Transfer

    Replacing the word Sweden with UK doesn't make this a new article (especially since the linked UK-article is very sparse on details).

  18. I can feel the heat closing in by troll+-1 · · Score: 2

    Remember the CAN-SPAM ACT 2003 in the US? That was another pointless law. Spam is at an all-time high. You only stop spam with a spam filter. Governments only get bigger, never smaller.

    1. Re:I can feel the heat closing in by Anonymous Coward · · Score: 0

      You will only reduce spam by defining a new authenticated mail system...

    2. Re:I can feel the heat closing in by Arlet · · Score: 1

      Authenticated mail won't work as long as there is still malware that can steal your credentials.

    3. Re:I can feel the heat closing in by MartinSchou · · Score: 1

      I'm pretty sure you can stop spam with a gun as well.

      Your computer is being used as a spam-relay-bot? It gets shot.

      You have more than three or more computers in your household being used as a spam-relay-bot? All residents get shot in the knees, AND all computers in your household get shot.

      Your company is selling wares through spam? The entire board of directors are shot in both knees and both elbows. Your stockholders get shot in a foot.

      You're responsible for running a spam-relay-botnet? You get shot in the head.

      See - you can stop spam with ... well, not ONE gun - just lots of them.

  19. necessary with efficiency by Anonymous Coward · · Score: 0

    I think all the permission has to come from the owner of the website before sending a cookie. I hope the law in this case will be necessary to control all this.

  20. Hey, Idiots, this already exists! by Anonymous Coward · · Score: 0

    It is called Check-the-goddamn-options-page!
    If people are too stupid to go and enable popups for local storage requests, they shouldn't be on computers, period.

    Yeah, do that EC, do that, ban people from computers and require everyone take a test to gain a license to connect to the internet.
    Hell, I best not, they might actually seriously consider it...

  21. Bright side for those who run web apps by InsurrctionConsltant · · Score: 2

    From the guidelines (pdf):

    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.

    So, by my reading of that, you do not need further consent merely for logins/session cookies:

    This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

    1. Re:Bright side for those who run web apps by Nursie · · Score: 1

      That sounds eminently reasonable to me, and neatly counters a lot of the "sky is falling" stuff people have said further upthread.

    2. Re:Bright side for those who run web apps by JackDW · · Score: 1

      Wouldn't it be even more reasonable to require web browsers to use the sort of restricted cookie settings that you personally use? As in "block by default". The EU already demonstrated that it can force major browser makers to do weirder things. If IE starts blocking third-party cookies and demanding confirmation for first-party cookies, then every other browser will be able to do the same thing too, because websites will quickly adapt to the new way.

      Going after websites is stupid because the law is unenforceable, and in any case only applies to websites in one part of the world. Security (and privacy) should be a default on the client side first. The opt-in should be within the browser.

      --
      You're an immobile computer, remember?
    3. Re:Bright side for those who run web apps by delinear · · Score: 1

      Who decides what is "strictly necessary" for a service, though? "My website is funded entirely by advertising from advertisers who implement third party tracking, without this advertising there is no service, it's the very definition of strictly necessary" sounds like the first line of reasoning for a lot of people. Are we just creating a law that will make convenience cookies difficult to implement but has a huge loophole the advertisers can drive a truck through?

    4. Re:Bright side for those who run web apps by InsurrctionConsltant · · Score: 1

      ...your use of the cookie must be related to the service requested by the user

      Clearly, in the case of advertising on the site, even if advertising is how the site is funded, this is not the case, so, if this law is upheld, this would be an illegal way to use a cookie without permission.

      However, this surely doesn’t mean advertising on the internet is Going Bye-Bye. Your advertisers may have to stop tracking your visitors, but they can do a certain amount with IPs.

      Actually, I very much doubt that this will materially impact sites’ potential ad incomes. The ad market will still exist and have the same basic value, so assuming the law is applied fairly evenly, hopefully it shouldn’t have very much effect, other than to prevent some of advertisers’ douchiest and most unpleasant tactics.

  22. Re:RFC2965 need merging and update with HTML5 stor by La+Gris · · Score: 1

    Too bad you posted as Anonymous because I find you expose a very brilliant simple solution. I would have marked you as friend to more easily follow your next posts.

    --
    Léa Gris
  23. More mental masturbation by countertrolling · · Score: 1

    That's what all this silly chatter over 'privacy' is.. If you're on the net, you are being tracked. You will always be tracked, whether you want it or not... and whether you know it or not, so kindly STFU over it. Your only available option is to fill the system with as much junk info as you can. So make a script that does just that, through sockpuppets and other fake stuff. Raise the noise level high enough to render it useless. But whatever the hell you do, try to stop believing for half a second that you know what goes on deep in the bowels of Google, Apple, MS, *.gov, etc... Little by little they can download everything you have on your computer. They got your number, and that's that.

    It is just as lame to think a website can be regulated as it is to believe they can be censored, and it's even dumber when you consider that our various governments now pass laws in secret, demanding 'back doors' and keyloggers built into your hardware and more. They are not really interested in protecting your privacy. They only want to keep you pacified into thinking you have any at all.. Well, you don't have any.. none.. zilch.. To believe otherwise is simply naive.

    --
    For justice, we must go to Don Corleone
  24. A User-Agent does not uniquely identify a person by mrthoughtful · · Score: 1

    Firstly, Cookies are generally tied to User-Agents, not to people. UK websites are not required to get consent from spiders, crawlers, or other bots.
    What I invite the ICO to do is to demonstrate a technical, non-invasive, means of being able to identify an individual from the information made available over an HTTP1.1 request.

    Secondly, regarding Session Cookies, it is trivial to replace a session cookie with a QueryString token - so what is the differentiating feature of these two that requires consent for the former and nothing for the latter?

    Thirdly, hasn't anyone yet learned that the Internet doesn't follow state boundaries?

    --
    This comment was written with the intention to opt out of advertising.
  25. Session with cookies is cross-site-scripting attac by Anonymous Coward · · Score: 0

    Every session management only working with cookies is plain and simply a cross-site-scripting vulnerability. There should be a law against that. But having laws causing people to think twice before creating insecure solutions due to other reasons is a good step in my eyes.

  26. Maybe this will promote RESTful web development? by 5plicer · · Score: 1

    Switching to a RESTful design usually reduces the need for cookies (and completely eliminates session state cookies). Perhaps more developers will make their sites RESTful in order to comply with this retarded law.

    --
    The bits on the bus go on and off... on and off... on and off...
  27. In the UK by assertation · · Score: 1

    aren't they called "biscuits" ? :)

    1. Re:In the UK by coolmadsi · · Score: 1

      In the UK a 'cookie' is usually a biscuit with chocolate chips in it. This is the icon representation they have in Chrome I think (in the address bar a cookie (with chocolate chips) icon appears that you can click to view the (website) cookie information).

  28. Remember the CAN-SPAM Act of 2003 in the US by Anonymous Coward · · Score: 0

    Remember the CAN-SPAM Act of 2003 in the US? That was another pointless law. Spam is at its highest point. You only stop spam with a spam filter. Governments only get bigger, never smaller.

  29. Cookies Are Nice But Not Necessary by littlewink · · Score: 1

    This may come as a shock to many but cookies are not necessary.

  30. Link to actual legislation? by GroovinWithMrBloe · · Score: 1

    Does anyone have a link to the actual legislation? So we can read and see for ourselves what the law states.