Slashdot Mirror


Confusion Surrounds UK Cookie Guidelines

pbahra writes "The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — its current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."

17 of 143 comments

  1. There should be... by myurr · · Score: 5, Insightful

    ...a law stopping people from making laws about things they simply do not understand.

    1. Re:There should be... by Nursie · · Score: 2

      What makes you think they don't understand?

      It's probably true, but in this case I don't think they're necessarily wrong.

      Cookies are horrifically overused, and outside of ~20 sites that both need them to function properly and I care about functioning properly, I've been getting on fine without them for months now.

      This tells me that an awful lot of them, especially third party cookies (of which I allow none) are totally unnecessary even without privacy concerns. Having users participate in their own tracking this way, without permission, does seem wrong to me, and I applaud the effort to do something about it.

      If the laws are not clear then unfortunately that is par for the course these days. Hopefully that can be fixed.

    2. Re:There should be... by myurr · · Score: 2

      Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used. How else would slashdot know you were logged in, for example.

      This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this.

    3. Re:There should be... by Nursie · · Score: 3, Interesting

      "Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used."

      Not when you're using the Cookie Monster firefox plugin set up the way I have it set up, no. You can enable session cookies or all cookies on a per-site basis.

      Slashdot is one of the few sites that I do care about having working though, so I allow them to set what they like.

      "This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this."

      Sure, and that's a valid use (IMHO). It could easily work this way though -
      User goes to front page
      Check for cookie
      If no cookie allow user to browse site
      When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

      If the cookie's there from the beginning then do the usual auto-login stuff.

      A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

      I realise all this makes things more complicated for end users as well, which is less than ideal.

    4. Re:There should be... by Nursie · · Score: 4, Interesting

      What's not an answer to the technical problem?

      Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

      I don't get why there's more of a problem than this.

      Maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

    5. Re:There should be... by Nursie · · Score: 2

      As far as I'm concerned they're a non issue - i.e. they ought to be scrapped, effective immediately.

      I can't find it in me to even start to care about a solution for these poor, poor advertisers that will allow them to keep tracking people.

    6. Re:There should be... by Quince alPillan · · Score: 2

      ...and I don't want to be bothered with every website I go to telling me that I need to add another cookie. I'm a developer and when I have a problem, I search the internet for answers. Those answers could be on some guy's blog, or it could be an answer on a forum and is usually different every time. Having a box or click through page pop up over and over and over again is annoying as hell. You may want to know what sites are setting cookies, but I don't care, and neither does most of the non-technical population.

      Browsers should provide the option for different security levels. It shouldn't be the responsibility of the website to do so because every user will be different. That way, you can be paranoid, and I can surf the internet in peace. It allows us to set our "permission" by default.

  2. Helpful instructional videos from across Atlantic by syousef · · Score: 4, Funny
    --
    These posts express my own personal views, not those of my employer

  3. Question of terminology by jcwayne · · Score: 2

    IANAL(imey), so I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/

    --
    Failure to follow this advice may result in non-deterministic behavior.

  4. The idea is just fine by xenobyte · · Score: 3, Interesting

    It's just next to impossible to use the law as it is.

    To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies. An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go. Basically this can be done in a simple way: A visitor to a site featuring ads from the advertiser will see nothing but requests to decide whether to accept cookies or not until this decision is made. The result is stored in a cookie which they need permission for as well. Now when sending ads the decision cookie is checked and if the answer is yes, the ads are sent with the tracking cookies, and if no, they are sent with no cookies.

    This will obviously result in a lot of people saying no to the tracking cookies but that is as it should be. Tracking someone should only be done with consent.

    --
    "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --

    1. Re:The idea is just fine by Xeranar · · Score: 2

      Thank you. I'm glad somebody answered in a logical thoughtful way instead of the goofy knee-jerk "Government is stupid/bad!" that seems to come up so often. The answer is simple and frankly should have been implemented years ago. Cookies are not that wonderful and while I enjoy using them to log in to non-secure websites for simple stuff I am not a big cookie fan otherwise. They're sneaky bastards.

    2. Re:The idea is just fine by Chrisq · · Score: 2

      Redirect everyone without cookies to a page with a consent form describing all cookies set. Have an "accept" yes or no option. The no takes them to a page that says "sorry, you are unable to use our site", and an option to try again.

  5. Re:There are no cookies in the UK by Jaruzel · · Score: 2

    Not True.

    Yes we have biscuits, but we also have cookies. Cookies are typically rough circular baked sweet dough with added fruit or chocolate. Most Cookies are also moist in the centre. They are also baked fresh and bought from dedicated cookie or bakers shops (you can get pre-packed cookies but these are horrible and dry).

    Biscuits are dry (excluding the filling) and come in defined shapes. To use a common example, Oreos (also available in the UK) qualify as biscuits not cookies.

    -Jar

    --
    Together, We Can Make Slashdot Better. I Do NOT Mod ACs. - Check Me Out

  6. Re:RFC2965 need merging and update with HTML5 stor by Anonymous Coward · · Score: 2, Interesting

    There shouldn't be any client side storage at all. If the browser makers would just drop this stupid cookie idea that Netscape had around the time of the blink-tag, web developers would be forced to design their sites to store anything they need on the server.

    Make the browser send a UUID as a session identifier. When the user types in a new URL, or selects a bookmark, generate a new session identifier, even if it's the same site. That way, you could even be logged in to the same site with two different userids at the same time, something that doesn't work with cookies. When the user navigates from one domain to another, generate a new session id. When loading images or scripts from a different domain than the current page, load them with a new session id.

    No tracking possible.

    "Remember me" would no longer be a setting on the page, which writes a permanent cookie, but a setting in the browser, which makes the current session id fixed for the current domain.

  7. I can feel the heat closing in by troll -1 · · Score: 2

    Remember the CAN-SPAM ACT 2003 in the US? That was another pointless law. Spam is at an all time high. You only stop spam with a spam filter. Governments only get bigger, never smaller.

  8. Bright side for those who run web apps by InsurrctionConsltant · · Score: 2

    From the guidelines (pdf):

    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.

    So, by my reading of that, you do not need further consent merely for logins/session cookies:

    This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

  9. Re:You know you need to worry... by he-sk · · Score: 2

    The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name."
    That definition was what I was taught when I studied CS in the 80's too; it goes back to the 60's.

    That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

    Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

    Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

    Most files below /proc are not even data at all, but state. (I.e. their informational value depends on the time they are queried.)

    Also, a database file is usually not a text-file, because it contains data that is not human-readable.

    --
    Free Manning, jail Obama.