BBC Site Uses Cookies To Inform Visitors of Anti-Cookie Law

Andy Smith writes "As of 26 May 2011 web sites in the UK must get a user's permission to set cookies. If you go to the BBC's commercial TV listings site Radio Times you'll see a message telling you about the new law. Go to the site again, though, and you don't see the message. How does the site know you've already seen it? By setting a cookie of course! It doesn't ask for permission."

Lack of tech know how

[MrDoh!]

I guess that's what happens when law makers don't really get what's going on, and the techies tasked to implement this stuff don't really care.

Re:Lack of tech know how

[Larryish]

un

Un

UN

UN!

Un Fucking Enforceable

Re:Lack of tech know how

[beelsebob]

No, that's what you get when the person writing the article doesn't understand what's happened - it's absolutely legal to store cookies that are required for the functionality of the site. This will clearly count. What's not legal is storing cookies that are only for tracking you without asking.

Re:Lack of tech know how

[Arancaytar]

If you code the site to be non-functional without cookies, then every cookie will be required for the functionality of the site.

Re:Lack of tech know how

[outsider007]

Track users without asking? What sort of "cookie monster" would do such a thing?

Re:Lack of tech know how

Of course you can. But that is not the point. The point is that it's perfectly fine to store a cookie with field pair noticeshown=true. That is not information that can identify you. And don't start arguing that they could save it as noticeshown=id2458928 or some bullshit. Obviously they could. I could also try to rob a bank, but those things would be illegal to do.

Re:Lack of tech know how

[Mitchell314]

And if you outlaw all cookies, only criminals will have cookies.

Wait . . .

Re:Lack of tech know how

[bryan1945]

Why do you think he's called the Cookie MONSTER?

love it

[Quick+Reply]

shows how stupid the cookie law is

That's genius

Not all cookies are tracking cookies; legislators appear to have overlooked this.

idiot submission

The new cookie laws are only about tracking cookies, not session cookies or cookies necessary for the functioning of the website.
That cookie is not a tracking cookie, as such it isn't breaking the law. non-news.

Re:idiot submission

[ColaMan]

Er, I don't want to be Captain Obvious here, but doesn't the cookie *track* who has seen or not seen the message about the cookies?

Re:idiot submission

[Co0Ps]

Ummm.. it tracks if you have given permission for cookie tracking. Doesn't that make it a "tracking cookie"? Isn't all cookies tracking cookies? The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

Re:idiot submission

[SilentChasm]

By tracking cookies I think they mean uniquely identifiable, like an ID number for a specific user that they can then tie advertising preferences to. Tracking stuff like site settings seems like an actual valid use of cookies.

I do agree with you though on the "necessary for the functioning of the website" loophole, as they could just include advertising tracking as "necessary" (for financial reasons of course).

Re:idiot submission

Probably not, if the cookie only contains "Don't show the message again", it isn't tracking. Tracking is when the information makes you uniquely identifiable, which this clearly isn't.

Re:idiot submission

Your story sounds wonderful, it is just missing out on the small little detail that the server doesn't know the clients mac address...

Re:idiot submission

[MichaelSmith]

How does a web server not on my network get my MAC address?

Re:idiot submission

Have you actually read the update to the law? I'm betting no.

6 (1) Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal
equipment--
(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Source

The bit not in bold is the law before 26th May - the bit in Bold is now in effect. It doesn't differentiate between different types of cookie, their functionality or anything else. Consent must be gained for any use.

It leaves open hundreds of questions, but under no interpretation can you say "it only applies to tracking cookies".

Re:idiot submission

[CapOblivious2010]

Even leaving aside the MAC address problem, why would the client "rage" about seeing ads for something he's actually interested in? If you're gonna have ads on the page anyway, isn't that better than ads for, say, feminine hygiene products?

Re:idiot submission

[al4]

The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

The wording of the law is "strictly necessary", and is from the point of view of the consumer, not the website owner. Even in the case of affiliate marketing where the referring site doesn't get paid unless a cookie is set, you can't argue that a tracking cookie is strictly necessary because in that instance the consumer's experience is the same whether the cookie is set or not.

Re:idiot submission

[pclminion]

The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

That's why we have these funny buildings called "courthouses" where we evaluate things critically instead of using the law like an algorithm.

Re:idiot submission

[walshy007]

By connecting to it over ipv6 with an autoconfigured ipv6 address. it uses your MAC address for the host portion.

Re:idiot submission

[Blakey+Rat]

So forgive my ignorance, but what exactly does the law say?

I assume first-party session cookies are ok. Does it only ban third-party cookies? What about third-party session cookies? What about on sites that span multiple domains, where the third party cookie may be necessary for a user to remain logged-in?

There's a lot of debate here on what constitutes "tracking cookie" or "necessary for the site to function", but what does the actual law say?

Re:idiot submission

[quarkoid]

Why would you think that it's only about tracking cookies? The legislation is quite clear:

(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -
(a)is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a)for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b)where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The whole law is about storing and/or accessing data stored on a user's PC. Please tell me where 'tracking cookies' are mentioned?

Re:idiot submission

[MichaelSmith]

Okay I understand that now, but its not going to work in many places yet.

Re:idiot submission

[Co0Ps]

Yeah, because the courthouses don't have anything important to do anyway and I bet the justice system love obscure laws where the outcome depends on intent and motivation rather than objective evidence............

Re:idiot submission

[ColaMan]

Alright, I checked the cookie and all it says is "true". Which is OK.

Of course, they're still setting a couple of cookies at the moment. This cookie is just a cookie to let them know that they've let you know that sometime in the future they're going to do something about your preferences in regard to the setting (or conversely, not setting) cookies on your computer when you access their domain.

Onwards!

Re:idiot submission

[Hognoxious]

why would the client "rage" about seeing ads for something he's actually interested in?

Maybe I'm not interested in them now. Perhaps I read in a magazine that Canon are better, or whatever.

I've used sites like that before. I find it annoying when a dumb machine tries to second-guess me.

Guess you didn't read their link

[Blahah]

If you follow the link in the pop-up, the BBC website explains that the changes will be phased in gradually over the Summer.

"The government's view is that there should be a phased approach to the implementation of these changes. Over the summer, we will be working on developing the best methods for obtaining your consent.

In the meantime, you can control cookies by setting your device to notify you when a cookie is issued, or not to receive cookies at any time. We will ensure that we continue to provide you with clear and comprehensive information about the cookies we use, so that you can make informed decisions."

On top of that, the law only covers tracking cookies, but the BBC is going to include all cookies in it's policy. No story here.

Olo:Ha

[Fuzzums]

But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.

Re:Olo:Ha

[lwoggardner]

But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.

Is there?. If the cookie is persistent (survives browser close) then it just contains a big random number that might uniquely identify you. This big random number is a key to the server side database that stores everything-we-know-about-you, including the bit about you having seen the message. You have no way of knowing if that is all they are tracking.

Re:Olo:Ha

[Fuzzums]

Or it might just contain "seen message = true".

Re:Olo:Ha

[TheRaven64]

There is a fairly simple way - does every user with the same settings get the same cookie? You can verify that DuckDuckGo is not tracking you via cookies, for example, because each setting you change sets or clears a specific flag in the cookie. You can set the same settings on two computers, with different browsers on different IPs, and get exactly the same cookie. In contrast, you can tell that Google is tracking you because they give you a cookie with a unique key that references an entry in their database.

Re:Olo:Ha

[Cyberax]

JSESSIONID is not a persistent cookie, it'll be gone upon the restart of the browser.

Re:Olo:Ha

[Charliemopps]

If you're good at it, really there isn't.

Re:Olo:Ha

[Fuzzums]

Technically they're the same. That's true.
In practice the first should only store if the user has seen the the warning message.

Re:Olo:Ha

[quarkoid]

Your comment is irrelevant - please read the legislation.

Any cookie (be it tracking/temporary/whatever) is covered.

No Permission

[jmd_akbar]

CHUCK NORRIS doesn't need permission to set cookies in your system.

language

[rossdee]

In the UK, cookies are called biscuits.

Don't use this to prove God doesn't exist

[Provocateur]

nt

Law is dumb

[troll+-1]

This law is an example of what happens when overly zealous do-gooders try to protect people from themselves. If you don't want cookies, turn them off.

Re:Law is dumb

[SydShamino]

So it would be okay if there were stores where, when you went inside to shop, the owner pick-pocketed you and made photocopies of your driver's license, all your receipts, and one or two of your credit cards? And then they took everything they found and shared it will all the other businesses in town?

Is that okay, as long as people who don't want to be tracked notice this and tell him "no"? Even if, when you tell him "no", he orders you out of his store? Oh, also every other store in town does the same thing?

Is that really and truly okay with you?

Re:Law is dumb

[mjwalshe]

isn't that what store loyalty cards do? track your purchases?

Re:Law is dumb

[SydShamino]

Has a store ever secretly slipped a loyalty card into your wallet? Then snuck it out each time you've visited? Even if you don't buy anything or pay cash?

Re:Law is dumb

[mjwalshe]

they plug the dam things hard enough in supermarkets - and another similar case newpapers break down their subscribes by analysing where they live and use that to monetize adverts and also sell targeted inserts.

Here's how it goes:

[VortexCortex]

Your Browser: Hey BBC, gimme a web page with the URI: http://raidotimes.com/

BBC Server: Here is the web page you requested, with cookie notification text (since you did not provide any cookie), and also a cookie.

Your Browser: Thanks! Let's see, the user settings say, "Accept Cookie" I'm permitted by the user to store this cookie.

--- Later ---

Your Browse: Hey BBC, gimme a web page [...] and also here's that cookie that you gave me which my user already gave permission for me to save and return to you via their preferences.

BBC Server: Ah, I see you provided me the cookie that if you had not given your browser permission to send me, I wouldn't be seeing right now -- I guess I won't show you that cookie info text this time.

YOU HAVE THE POWER TO DISABLE THE MOTHER FUCKING COOKIES -- USE IT AND STOP FUCKING UP OUR INTERNET WITH YOUR NOOB LAWS!

P.S. If the basic cookie settings aren't enough for you, use an existing plugin like Cookie Monster for Firefox -- More power over your god damn cookies than you could ever want. Honestly, if you don't understand it, leave it the fuck alone, before you hurt someone!

Re:Here's how it goes:

You're an idiot.

There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.

Sure, cookies can be disabled. By default, they're not. Guess why? The reason is that browser makers realized that things would break if you disable them and that - more importantly - many people lack the expertise to selectively fix the problem.

Of course, enabling cookies has its own problems - e.g. tracking. But these problems aren't noticeable. If a site uses cookies and doesn't work, the user realizes that something is wrong and adjusts his settings. If a site uses cookies and works but also tracks the user then... what? The user doesn't even notice.

And sometimes, you actually want cookies. For example, on a news site such as the BBC, you may want to be able to log in and post a comment... and then log out again and not have the site continue tracking you. How do you do that? Short of constantly disabling and re-enabling cookies on a per-site basis, there's no way. Expecting users to do that is idiotic and only shows that a serious disconnect from reality on your part.

Legislation that bans tracking cookies unless the user opts in is fine.

In fact, consider this. If there were no problem, as you appear to be saying, then not only would this legislation be unnecessary, it would also not have any effect, as users are already opting in by means of their browser accepting cookies, right? In other words, there would be nothing to get upset over. But you are getting very upset (seriously, three different kinds of emphasis, and expletives on top of that?)... so obviously this law will change things. And that means that your argument that users are already opting in is invalid.

Re:Here's how it goes:

[Cogneato]

Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it. Surely the better solution is at the browser level. Default it on to ask, give the user a way to turn it off. Or, default it to not ask, but show the user information about cookies and instructions to change the setting the first time they run their browser.

Education is an amazing thing. Web developers should not be subject to laws that are open to interpretation just because some people don't want to learn how to use something they are operating. Imagine if we applied the same philosophy to driving a car -- all owners of buildings need to post warnings that running into the building with your car can cause harm.

Yes, going on the internet takes a tiny bit of responsibility on the user's part. If the user is not smart enough to exercise responsibility with cookies when educated about them, imagine what they are doing with facebook, four square, hook-up dating sites, and so on.

Re:Here's how it goes:

[ammorais]

There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.

And sometimes, you actually want cookies. For example, on a news site such as the BBC, you may want to be able to log in and post a comment... and then log out again and not have the site continue tracking you. How do you do that? Short of constantly disabling and re-enabling cookies on a per-site basis, there's no way. Expecting users to do that is idiotic and only shows that a serious disconnect from reality on your part.

Did you know you can still track people you without cookies? You can use a combination of user-agent/IP/browser/language to track you with considerable accuracy.
So your solution for is to ask people that don't know/want to know what are cookies, if they want cookies? How kind of question box you suggest?
Something like this perhaps?

Do you accept cookies? If you press YES this site will work
properlly, and we can track you if we want to.
If you press NO this site won't work properly, but we can't
track you trough cookies. We can still track you by other means
if we want to but not with cookies!

| YES | | NO |

Re:Here's how it goes:

[ozone702]

Thanks for the info. I knew about cookie preferences in browsers (which are a pain in the ass to turn on and use), but I wasn't aware of the Cookie Monster plugin for Firefox. I'll have to play around with that one... thanks.

BTW, I totally agree with your philosophy on "newb laws." If you're not smart enough to protect yourself on the internet, that's your fault.

Re:Here's how it goes:

The only people who should be against this, are marketing companies looking to exploit peoples privacy for their own commercially gain.

Are you both against the "Do Not Call" phone lists as well? Those are the lists of numbers which telemarketers are not allowed to call and can be fined if they do. You can find out every number registered by x company and block them from your cell phone account. You have the power, so why have a giant list? The answer is simple. Nobody wants to go through hundreds and thousands of numbers and block them individually. It is a burden and a waste of time.

There are millions of websites which I can potentially visit. The last thing I want to do is go though each one I view and block their tracking cookies. Some can't even be detected if they are encrypted or not easily readable.

PS: The law only affects tracking cookies, not every cookie. Your enactment seems to imply that you don't care about privacy if you allow cookies. Most users who enable cookies are enabling it to save site settings. They don't do it so that they can be tracked and exploited.

Re:Here's how it goes:

[AmberBlackCat]

So how does that work if you never actually changed your web browser settings to accept cookies, but it accepts them anyway by default? Almost everybody's browser accepts cookies and almost nobody knows what they are. And the only browser settings anybody ever change are their homepage and bookmarks.

Re:Here's how it goes:

[ozone702]

You're wrong. There are measures within your browser to help you prevent this, so imposing it on everyone is stupidity.

Re:Here's how it goes:

[ianezz]

Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it

Firefox has such setting, with the option to ask what to do for every cookie a website tries to set/update (which quiclky gets annoying), plus an option in to remember your choice for all subsequent cookies from that website. It's there in Preferences->Privacy->History->Use custom settings.

Re:Can somebody explain how this works?

[realityimpaired]

Not in this position, but the HTTP_REQUEST does include the language of the user's browser (accept-language)... It is fairly safe to assume that your site visitor wants it in the language that their browser is, and give them the option to change that language with a cookie to save it.

As an added bonus, if the site automatically looks at the accept-language and serves up a German-language storefront without the user having to click on German after being presented with an English default, it may improve your sales by not driving away some customers who may think your site isn't available in their language.

Similar to the PC-Mac add?

[kanweg]

So I'll be like PC (http://www.adweek.com/adfreak/get-mac-security-94121) all the time, clicking Yes buttons when not needing them (while hating to see them), effectively priming me to approve one when I shouldn't.

Bert

RadioTimes sets Cookies to 2021

[doperative]

.radiotimes.com LOG_ID 05/28/21

Google only goes up to 2013
 
.google.com PREF 05/27/13 ID= ******

See also, Radio Times recommends Internet Explorer 8

Re:RadioTimes sets Cookies to 2021

[Spad]

Radio Times *advertises* Internet Explorer 8, not exactly the same as recommending it.

Re:Can somebody explain how this works?

[pjt33]

The UK's Information Commissioner issued some advice which isn't really finished but provides a good starting point. The big problem is that we don't have a good enough definition of what "strictly necessary" for the function of the site means. I've seen it interpreted (I think it was by a spokesman for the European Commission, but I didn't make a note at the time) as meaning cookies needed to perform a function requested by the user. The example given was a shopping cart - the user requests you to put an item in the cart, so you don't need to ask permission to use a cookie to associate that cart with the user.

Third party analytics software seems to be the target they're really shooting for, so I think we're going to have to move towards asking permission for those.

What I would prefer.

[dayton967]

My personal opinion would be that the html standards needs to be changed. One change would be to create a session header, that does not write, and is cryptographically modified after each page access. This would prevent the websites from accidently storing session data, such as the recent linkedin session problem. Also I would change this so that only one session may be stored unlike cookies.
Cookies then can be used for what they were intended, the storage of information relating to the site, such as preferences. This then can be user definable as if you want to store them, not store them, not accept them, etc.

Re:Unintended Irony

[Kalriath]

By which you mean "served via the Akamai caching network, which happens to use Linux". You might want to pick an example which is actually true.

Broswer Detection Instead

[ozone702]

How come I can't set my browser to detect what type of cookie it is and prompt me if a site wants to set a tracking cookie? Get that accomplished and... problem solved.

I don't understand

[itchythebear]

It's just cookies, who ever complained about cookies?

Maybe we could require sites to provide milk if the serve any more than a couple of cookies...

yeah right

[slick7]

I guess this comes from the Department of Redundancy Department.

Re:Postponed

[Ensign+Morph]

Mod parent up, submitter / "editors" didn't check their facts as per usual.

I'm glad this is the case since I still haven't had a response from our company's webhost as to whether the session cookies our site sets are needed for the stats package, or just an unneccessary ASP default setting.

Re:Can somebody explain how this works?

[Hognoxious]

Our website uses cookies for a couple of things, most importantly to determine which language to show the website in.

I really hope it doesn't try to guess by working it out from the client's IP address.

Because if it does, I hate you.

session cookies

[Alain+Williams]

Are session cookies OK?

I asked the ICO (Information Commissioner Office) exactly that question about a month ago, they have not replied in spite of a reminder. If they cannot answer a simple question like that then I have to assume that they don't know what they are talking about.