Watchdog "Not Ready" To Probe Cookie Complaints

nk497 writes "The UK data watchdog has admitted it doesn't have any staff investigating cookie consent complaints, more than a year after the law came in via an EU directive. The regulation requires websites to ask before dropping cookies and other tracking devices onto users' computers, and came into law in May 2011. The Information Commissioner's Office gave websites a year's grace period to update their websites, but failed to use that time to get its team together, meaning the 320 reports of sites not in compliance it's already received haven't been investigated at all."

Like anyone is going to follow this

I have to wonder if the people who wrote this law even considered the complaints they likely received at the time to the effect that it would make the internet practically unusable. Yes, it's a good sentiment to not want to "track" people, but with the increasing use of cookies for actual technical purposes - not to mention logins and the like - this would quickly become unfeasible and irritating. Anyway, what of serverside tracking - you know, like Facebook almost certainly does using its extensive "Like this" and Facebook integration APIs? I am more worried about that than cookies.

No other country's developers are going to give a crap what the EU/British government says. All this will do is hamper European businesses' internet presence and probably cause a few notable companies (Google, etc) to sever ties with the specific countries actually enforcing it. There are certainly plenty of other reasons to do so these days.

It's kind of sad when the US is one of the less technically inept governments in the world, and it only is because of general failure to do anything.

--BKY1701

Re:Like anyone is going to follow this

[mvdwege]

What actual technical purposes for cookies are there?

I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

In other words: shut up, you fucking shill for the tracking industry.

Mart

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

What actual technical purposes for cookies are there?

Some obvious ones are:

1. Maintaining an authenticated user session (logging in and out securely)

2. Storing the current state of the user's session (shopping carts and the like)

3. Remembering user preferences from one visit to the next

4. Analytics within your own site

I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

That simply isn't true. There are plenty of valid concerns regarding using cookies, particularly third party ones, but if they were only meant for tracking then why bother inventing things like session cookies?

Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

And that specific exemption is so tightly worded that it doesn't even cover all of the examples above, which is why we then wound up with the formal opinion of the EU data protection authorities a couple of months ago covering things like first party analytics cookies.

I'm a strong advocate of privacy, but I don't see any serious privacy problem with any of the usages mentioned above, there are obvious potential benefits to the user in each case. Regardless, how are all these "This web site uses cookies, and we know that no-one is enforcing the rules so we've put this token irritating box up even though we're relying on implied consent and we already set them all anyway" boxes doing anything useful whatsoever?

Re:Like anyone is going to follow this

What actual technical purposes for cookies are there?

Start here, follow the citations and read the RFC's. It might prevent you from making an utter fool of yourself again in the future.
http://en.wikipedia.org/wiki/HTTP_cookie

Re:Like anyone is going to follow this

"I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for."

I am a C++ programmer, who has programmed numerous websites (several languages), currently in the third year of a Chemical Engineering degree, who uses (Arch) Linux as his main OS, and generally can handle just about any technical matter required of me. Why do I suspect you have never so much as executed a batch file? Oh, right. Because you're an idiot ranting about something you obviously do not understand.

"What actual technical purposes for cookies are there?"

If you actually knew what you were talking about - or maybe read the fucking post you replied to - you would be able to answer this question, rather than only pose it rhetorically as a vague insult.

"Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption."

Considering how little this will realistically accomplish (again, had you read my post, you would have been educated on a real privacy threat this does nothing to address), please do not expect me to have faith in their ability to make proper exclusions. According to others, they have not - it is not worth my time to read the actual directive in order to address a fool like yourself.

"In other words: shut up, you fucking shill for the tracking industry."

It is amazing the kind of dumbshits that come out on Slashdot sometimes. Let's see: 1. Ignore all facts, especially those stated in the post you are replying to, 2. Act as if no one knows the facts you just ignored, 3. Make unfounded claims, 4. Close with an ad hominem accusing someone of being a shill (because 'the tracking industry' would spend their PR money on making semi-anonymous posts on Slashdot. Pull your head out of your ass). What's more amazing is that it seems you were modded up once. Guess I need to go to metamod more. Standards are slacking.

I suppose I am partly to blame, as had I posted this under my account, you wouldn't have had the balls to post that nonsense. Unfortunately, I do not log in from insecure locations.

--BKY1701

Re:Like anyone is going to follow this

[mvdwege]

All four of your examples are examples of user tracking.

Face it, cookies are a workaround for the stateless nature of HTTP. Cookies are meant for tracking by definition

And you know what? Numbers 1 and 2 are covered. Number 3 is covered once you asked for permission, which you can do using number 1. That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.

So of your three examples, 2 of them are covered, one of them is covered by extension, and one of them can be done without. I'd say, no great loss.

You want to track me? You need my permission, and you don't get it by default.

Re:Like anyone is going to follow this

"All four of your examples are examples of user tracking."

No, they are examples of storing information. A shopping cart is as much tracking as the CRC handbook is a vast spy network focusing on chemists.

"And you know what? Numbers 1 and 2 are covered."

Do you mean technically? Or legally? Or magically? It's hard to tell with you, because facts do not seem to be required for you to yell something.

"You want to track me? You need my permission, and you don't get it by default."

You know, if you feel so strongly about this, why not take a trip to your fucking browser settings, you dumbshit. You can never be "tracked" again just by disabling them completely. Hell, most browsers either have the built in or plugin-supported functionality to ask you every time a site tries to save a password.

I guess that would be too hard for you. The world has to adapt to you and what you consider to be good and bad. You're not sure how they will, but they'll have to, because the great mvdwege decrees it.

--BKY1701

Re:Like anyone is going to follow this

[crutchy]

1. Maintaining an authenticated user session (logging in and out securely)

cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an additional requirement.
if the user is more interested in convenience than security that they would prefer a cookie, then a URL session ID probably isn't out of the question. at the end of the day, nothing is 100% secure, as cookies can be hijacked

2. Storing the current state of the user's session (shopping carts and the like)

mysql

3. Remembering user preferences from one visit to the next

mysql

4. Analytics within your own site

mysql

even notwithstanding all this, if you're not decent enough to seek the user's permission before dropping a cookie, then you're not dropping cookies for anything other than secretly tracking them. if you need to drop a cookie for any legit reason, then the user is more likely to grant permission to retain functionality than deny for the sake of some misguided privacy paranoia. in any case, for my sites i offer the option of using a cookie or (by default) keeping track of a session using a hidden post parameter for the session ID in each form. they don't need to know the details, just that if they want to be able to revisit without logging on then a cookie is recommended, and even when they elect to use the cookie, there is a button to delete the cookie and revert to the post parameter

Re:Like anyone is going to follow this

"cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an additional requirement.
if the user is more interested in convenience than security that they would prefer a cookie, then a URL session ID probably isn't out of the question. at the end of the day, nothing is 100% secure, as cookies can be hijacked"

So opening a second browser window to the same site fails to be logged in (because it lacks the session). Or someone on your network is logged in as you, because lo and behold, they have the same IP.

More interested in convenience than security? For fuck's sake, get a clue about website design and security. Cookies, possibly with the ADDITION of the other two systems, are the industry standard for security. Cookies effectively allow re-authentication for every page view by sending a hash of identifying information to the server which can then be checked against the stored hash. IDs have usability issues enough to make them unsuited to general use, which is why they have not been used since the 90s. IPs alone are so insecure they are effectively not authentication. Cookies are the answer decided upon. Indeed, they are the onyl practical answer. I am sorry if you dislike that. Do not use the internet.

"3. Remembering user preferences from one visit to the next" - "'mysql'"

Sure... but what if you do not have user accounts? Are you going to store settings by IP? Yeah, we'll see how that goes. Obviously not by GET variable. So what, exactly, is your answer? Right. You have none. You're just a ranting idiot like the other one.

--BKY1701

Re:Like anyone is going to follow this

[crutchy]

apparently you're not familiar with a database, or hidden post fields, which in combination with server fields like remoteaddress and get params, can pretty much achieve anything that a cookie can (even clandestine third party tracking through single pixel iframes, which is what the law in question is meant to address, can be done with hidden post fields and a bit of javascript)

http://en.wikipedia.org/wiki/HTTP_cookie#Alternatives_to_cookies

perhaps you should read all of the page before making an utter fool of yourself again in the future

Re:Like anyone is going to follow this

The question of course then becomes: can that all not be used for "tracking" as well? Like, you know... the original post I made points out is occurring now?

The whole cookie thing is a tempest in a teapot largely propagated by people who have not felt the need to learn anything about computers since the late 90s. It is really telling when they think cookies are uniquely problematic, easily gotten rid of, or even, indeed, the worst threat to privacy.

Ineptness, and lack of critical thinking.

--BKY1701

Re:Like anyone is going to follow this

[crutchy]

currently in the third year of a Chemical Engineering degree... and generally can handle just about any technical matter required of me

i'm qualified in aerospace engineering, experienced in aeronautical engineering, and now developing structural engineering compliance software, with over ten years of programming experience in a few languages (delphi, php, c, js), but it doesn't mean i know what i'm talking about all the time. even if a matter is within your field of expertise, its very doubtful that you know every aspect of that field inside and out.

from one engineer to another... your qualification will never be proof that you have any idea what you're talking about, and when you do know what you're talking about you won't need your qualification as proof

Re:Like anyone is going to follow this

And yet I'm still one of the only two people in this conversation to actually bring any facts... and the other one was supporting what I said in the first place.

My statement, as you might notice by the position directly below a quotation, was to address the "wish" that "privacy-violators had a better grasp of the technology."

I also find it pretty hilarious you felt the need to show up my "qualifications" right before saying they're not proof of having any idea what you're talking about. Finally you said something I can agree with!

--BKY1701

Re:Like anyone is going to follow this

Disregard that, I suck cocks.

--BKY1701

Re:Like anyone is going to follow this

Oh boy, the idiots invade. I guess I am going to need to make a listing of which posts are really mine when I get back on my other computer.

Re:Like anyone is going to follow this

[crutchy]

So opening a second browser window to the same site fails to be logged in (because it lacks the session)

not if i keep the same session id between page transitions (using a hidden post field), which is no less secure than using a cookie

Cookies, possibly with the ADDITION of the other two systems, are the industry standard for security

no they're not... they're the industry standard for efficiency (quick, cheap and easy)

Cookies effectively allow re-authentication for every page view by sending a hash of identifying information to the server which can then be checked against the stored hash

why do you presume that cookies are required for that?

IPs alone are so insecure they are effectively not authentication

neither are cookies on their own. security in depth is the only security, and as i said nothing is 100% secure. whatever your point, it was pretty pointless

Indeed, they are the onyl practical answer

since you apparently aren't familiar with any other methods, then for you i guess they are... ifyou want to use cookies i won't even try to stop you :)

Sure... but what if you do not have user accounts? Are you going to store settings by IP? Yeah, we'll see how that goes. Obviously not by GET variable. So what, exactly, is your answer? Right. You have none. You're just a ranting idiot like the other one.

if you don't have user accounts then cookies are an alternative, but then security and logging in would be out of the question too. without cookies i could use a combination of IP and a miriad of parameters derived using javascript (check out https://panopticlick.eff.org/), but i could also use hidden post fields

you're just an insecure moron who loves cookies

Re:Like anyone is going to follow this

[crutchy]

mysql can be used for tracking

it can even be used for tracking third party website usage

but online marketing use third party cookies mainly because of their persistence... but surely you knew that

Re:Like anyone is going to follow this

[crutchy]

the "wish" that "privacy-violators had a better grasp of the technology

its funny that you assume your jibberish to be remotely factual

privacy violators are experts in the techology that you're referring to... and that's how they take full advantage of it. its also why the problem has arisen in the first place and why laws have been enacted in an effort to reduce it

I also find it pretty hilarious you felt the need to show up my "qualifications" right before saying they're not proof of having any idea what you're talking about. Finally you said something I can agree with!

right. whatever that means. i wasn't trying to "show up" anything, but merely show that just because i have a qualification doesn't mean i know any more than you do (quoting myself: "but it doesn't mean i know what i'm talking about all the time")... remember you're the one that keeps assuming that (throughout every comment you've made in this article thread). being an aeronautical engineer doesn't mean i know any more about aircraft than someone that isn't an aeronautical engineer, but i would never be so naiive to assume that, whereas you seem to think you know everything technical (quoting you: "can handle just about any technical matter required of me"). having said all that, just because i don't claim to know more than you doesn't mean i can't debate things

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

Number 3 is covered once you asked for permission, which you can do using number 1.

Only if you force users to create an account just to keep your site's media player size the same or some other trivial but convenient detail.

That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.

Nonsense. Every business I've worked with in recent years has used analytics to see how visitors are using their own site and ultimately provide a better experience for those visitors. Every single one. And for the record, exactly none of them sold any of that analytics data to anyone.

You want to track me? You need my permission, and you don't get it by default.

Then turn off cookies in your browser. It's not hard, and if you don't know how, a quick Google search will surely tell you.

However, I'm afraid I'm not going to compromise on the experience I can offer the other 99.997% of visitors to my sites because you want to make a fuss. No-one's forcing you to visit those sites, our policies are clearly stated and always have been, we're not doing anything even remotely shady in the eyes of just about everyone (except you, apparently) and just about everyone including us and many other visitors benefits if we pay attention to our analytics reports.

You might like to consider that if you really feel strongly about Internet privacy, you aren't doing anyone any favours either by scaremongering or by attempting to redefine commonly understood terms like "tracking" to mean something convenient for your argument but different to what everyone else means by them. When those of us who want to improve the privacy situation without throwing the baby out with the bathwater come to write to our politicians or send money to privacy groups, all it takes to counteract our reasoned arguments is one PR guy for a commercial ad network and someone hysterical like you, and the politicians who aren't experts are convinced that the advertisers are the only ones being calm and sensible, and therefore nothing needs to be done at all.

Re:Like anyone is going to follow this

[mvdwege]

I'm not the one scare-mongering. You are acting as if the WWW will collapse if you have to ask users for consent to track them.

Why are you so dead set on just being able to track me without asking me first? Have you no decency, or are you trying to hide what you want to do with my info?

Re:Like anyone is going to follow this

[mvdwege]

Yes, the world has to adapt to me, indeed. When it comes to my personal info, it's the same as regards my personal property: if you want it, you have to justify yourself.

That you are incapable of nothing but invective when asked to do so shows just what you are: one of those who thinks they are above common decency and even the law when it comes to making a buck, a huckster of dreaming becoming part of the 1% one day.

In other words, a fucking sociopath the world could do without. Kill yourself. This is not a joke, seriously, kill yourself.

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

So just to be clear, your proposed alternatives to cookies are:

1. sending exactly the same kind of state information (session ID etc.) but in places like hidden POST fields instead of cookies

2. using covert browser fingerprinting on the server side.

Exactly how is either of those approaches not at least as capable of covert tracking of your visitors? Not to mention being more than a little creepy, particularly in the latter case since even a user who has explicitly chosen to disable cookies and send Do Not Track is still probably going to wind up in your system. And of course being far more work to implement and test, because instead of using the tool designed for the job you insist on trying to force another tool designed for a different job to do the work instead.

Re:Like anyone is going to follow this

[mvdwege]

No, you're an anonymous coward on Slashdot, and I am the Pope.

Seriously, do you think you impress anyone waving your imaginary dick around? Especially since we'd need a microscope to see it?

I don't need to brag to have the facts on my site. Cookies were invented to bypass HTTP's inability to track state across requests. Any use of cookies is to persist state across HTTP requests; since requests come from users, cookies ipso facto track users.

If you are disputing even that basic fact, then no list of imaginary credentials is capable of hiding who is the idiot here.

Mart

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

You are acting as if the WWW will collapse if you have to ask users for consent to track them.

You're still using that word "track" in a way that no-one else in the world does. You aren't going to win any debating points like that.

Also, the WWW wouldn't collapse, but it would become significantly harder for those running web sites -- which you apparently value enough to visit them if any of this is a problem for you in the first place. It would be more difficult to optimise sites according to what users were actually looking for and how they were really using them. That would inevitably mean site operators couldn't convert as many visitors either, which in turn would inevitably mean that some good sites that were only borderline financially viable in the early days would fail unnecessarily, leaving no site to benefit anyone.

Have you no decency, or are you trying to hide what you want to do with my info?

What info do you think I am magically getting? It's not as if these things are giving up your name, DoB and home phone number. Your average analytics cookie is just a random number, and is completely anonymous. And even if I did collect personal information from you, which for example you might volunteer when signing up for an account, I would be constrained by exactly the same data protection laws as anyone else handling any other kind of personal data in my country, including filing (at my own cost) details of what I'm collecting and how it is used with my government's data protection officials, who will then make it available to the public so that anyone, including you, can read it.

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

but online marketing use third party cookies mainly because of their persistence...

[Emphasis added]

You're moving the goalposts.

Re:Like anyone is going to follow this

[crutchy]

the problem with third party cookies is the ability to track a user across multiple domains due to their persistence (they can be stored on the client computer indefinitely until the user proactively deletes them). cookie hijacking is also a problem.

http://en.wikipedia.org/wiki/HTTP_cookie#Privacy_and_third-party_cookies

...but you're right that database-enabled pages are capable of coverty tracking visitors too, by serving a page with some javascript in a hidden iframe that talks to the parent window... i'm not saying that doing this is a good thing (it's not), but it doesn't exonerate third party tracking cookies either

Re:Like anyone is going to follow this

[crutchy]

i didn't realise there were goalposts

Re:Like anyone is going to follow this

[stridebird]

So just to be clear, your proposed alternatives to cookies are:

1. sending exactly the same kind of state information (session ID etc.) but in places like hidden POST fields instead of cookies

Which of course requires every link on the page to fire up the hidden FORM submit too. Didn't the wise guys at microsoft ASP try this for a while? Wrap every page in a FORM?

Re:Like anyone is going to follow this

[crutchy]

what's wrong with hidden post fields in forms? they work. if you don't like them, use cookies

Re:Like anyone is going to follow this

[maroberts]

You want to track me? You need my permission, and you don't get it by default.

You virtually get it by default. Some of the messages simply say - we use cookies for all sorts of purposes, if you don't like it f**k off and use someone else's site.

Put simply it is pointless form filling.

Re:Like anyone is going to follow this

[bky1701]

Well, hello there.

I'm not going to bother pointing out which posts made here under my name were not really me. I think only one was. It's probably pretty obvious anyway.

That said, I suspected you were a troll, and now you proved it. I will be quoting your fine post here in my signature to inform others of your nature.

Have a nice day.

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

You've just attempted to quietly redirect the entire discussion from cookies in general (which have many valid uses) onto third party cookies (which have rather fewer valid uses and some obviously sinister ones).

Re:Like anyone is going to follow this

[bky1701]

Didn't you just finish ranting to us about how we SHOULDN'T use cookies, and SHOULD use your kludge, which results in the aforementioned massive forms?

It is obvious to anyone with a clue that abusing GET/POST that was was not intended, which is ironic, since you were in your other post going on about what HTTP/HTML was somehow intended to be. Every "bad" kind of tracking is just as easily possible on the server side, if not more so. Cookies are enforced per-domain. Access-based tracking is effectively cross-domain. Embed an image linked from Facebook in your website? There is a VERY good chance Facebook is recording the views, IPs, and domains from which they come, and comparing that against login data. All serverside: Facebook knows which porns sites you go to, with no cookie involved.

If you had sense, you would be worried about THAT, not bitching about cookies and spewing nonsense about what you think would be somehow better, despite numerous actual programmers pointing out the problems your ideas would cause.

Re:Like anyone is going to follow this

[bky1701]

I'm not personally worried about online marketing. I'm worried about massive online databases of the sites I access. Cookies are not the primary method by which those are constructed, nor is getting rid of cookies a feasible goal, nor is it sensible when so many other, bigger problems exist. The EU directive is nonsense written by idiots, and people like you are eating it up because it makes you feel all warm and fuzzy to be "protected" from Google.

Re:Like anyone is going to follow this

[crutchy]

tfa talks about a law that targets specific cookies, not cookies in general. i just attempted to quiety redirect the entire discussion from pointless ranting to the topic of tfa. if you prefer to restore the pointless ranting, be my guest

http://www.international-chamber.co.uk/components/com_wordpress/wp/wp-content/uploads/2012/04/icc_uk_cookie_guide.pdf

Re:Like anyone is going to follow this

[bky1701]

Again, my entire purpose for citing anything of my experience was to counter the statement that I must know nothing because I disagreed with the second-to-original retard poster. I am sorry it makes you feel inferior somehow that I do so. What you said is pretty obviously self-contradictory, and summarizing the exchange as I see it:

Me: "Well, I'm going to be an engineer."
You: "I am an engineer! A better one!"
You: "But qualifications don't matter!"

It's kind of self-contradictory and I am not sure what you hoped to gain. I was countering an ad homenin. Why you felt the need to make the discussion a dick sizing contest I am not sure. Perhaps because I am indeed the one quoting actual facts and you are just ranting about things?

Re:Like anyone is going to follow this

[bky1701]

If you took the 10 seconds it takes to put a username into the address bar (it's that one at the top of your browser), you'd see that I am indeed a real user, with the same writing style, who has the same opinion of idiots, as that "anonymous coward."

I am not disputing anything further with you. You're either a raw troll, or an abject fanatic with zero ability to see how stupid they appear to others. In either case, there is really not much point in actually discussing your talking points further. I already did, and you told me to kill myself when you noticed you had no idea what the words contained in my post meant.

Re:Like anyone is going to follow this

[crutchy]

i don't "eat it up" and i don't give a rats about tracking cookies personally. i'm just offering an alternative view to those morons that think cookies are the be all and end all. they're just cookies

the EU directive isn't nonsense. its not the ultimate answer to everything, but its at least a step in the right direction towards adressing some level of online privacy.

if you weren't whinging about online privacy laws, you would find something else to whinge about

Re:Like anyone is going to follow this

[bky1701]

"the EU directive isn't nonsense. its not the ultimate answer to everything, but its at least a step in the right direction towards adressing some level of online privacy."

If breaking the vast majority of technology on the market to accomplish absolutely nothing is a "step in the right direction," then please, let us slide far in the wrong direction.

I will again say: it's about feel-good-fuzzy-warm-cuddlies, as you just proved. Not technology. This does zilch to protect your privacy, and if you were concerned about this aspect of your privacy, it was already a browser option. The directive breaks things to give people a useless protection they could have had in approximately 30 seconds if they cared. That's not the right direction. That is not even stupidity. That is a shameful waste of government time and money, and every European should feel ashamed their collective government would undertake it.

Re:Like anyone is going to follow this

[crutchy]

get off your fucking soapbox you idiot before you fall off and break your neck

i have nothing against cookies, i actually use cookies (as i've said in other posts in this article) and they are useful for some things... what has completely gone over your measly mind is that they aren't absolutely essential to achieve the functionality that they are commonly used for, and i said this because morons like you were complaining about the law in tfa and blathering on about how awesome and necessary cookies are

get/post is designed for sending data to the server, and can be used in that capacity to achieve whatever you or i want it to. you're an idiot if you think using hidden post fields to transfer session ids is "abusing" its intent. what a fucking wanker.

i also haven't been suggesting that tracking isn't possible with post fields... in fact in other posts i have been confirming that it is

post isn't "better" than cookie, but cookie isn't better than post either. there have been no "problems" identified by "numerous actual programmers" (you are such a twit)... there has simply been bitches by idiots like you who can't comprehend alternative methods other than your own and like to complain about things you don't like about such alternatives

so how about you go back to smoking your boyfriend's cock

Re:Like anyone is going to follow this

[crutchy]

if you let go of you're cock for a second, i wasn't saying i was a better engineer or that i know more than you, although i'm starting to wonder. you're coming across as a total dipshit now

Re:Like anyone is going to follow this

[HungryHobo]

You seem to have some unresolved issues.
Please seek counseling or other professional help or take the pills they gave you if you've already consulted medical professionals.

And just to be clear before you decide to murder me in my sleep: I don't run any web services of any kind.

Re:Like anyone is going to follow this

[crutchy]

breaking the vast majority of technology on the market

there you go with your cookie fetish again... it won't "break technology", it will merely neccessitate some recoding (keeping programmers employed)

it's about feel-good-fuzzy-warm-cuddlies

you're not too bright are ya... there are also laws that prohibit murder, but it doesn't prevent people from being murdered... maybe such pointless laws should be dropped too? the law is about establishing a level of risk in doing what is against the law, so that if you engage in breaking the law there is a risk that you'll be caught and punished. the internet has operated for years with few laws, which means no risk, which means companies and criminals feel free do do as they please and abuse any priveliges they can get their grubby hands on, such as personally identifiable data in third party tracking cookies. introducing a law that prohibits using such cookies without user consent means that there is now risk in engaging in some (not all) online privacy invasion

surely you can't be as retarded as you seem

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

Thanks for the link, but some of us have been watching this one for literally years now and have actually spoken to real lawyers about it in the course of doing business. These rules do affect all cookies, and any other similar technologies as well, by default. There just happens to be a special case for those cookies that are strictly necessary, in a very tightly worded sense.

Re:Like anyone is going to follow this

[crutchy]

the rules may affect all cookies, but they clearly don't prohibit all cookies an there are categories that don't require consent. you don't need to be a lawyer to understand that... its the whole reason why the linked document was created, with specific "guidance for website operators". there may be grey areas, but if your intent is honest, its unlikely you'll get strung up, but hey if you can demonstrate cases that prove otherwise i'm all ears

Re:Like anyone is going to follow this

The only sociopathic behaviour in this thread is you thinking a small part of your opinion is worthy of someone else's entire life.

The reason you're channelling Bill Hicks is because he was an excellent marketer. If he wasn't you wouldn't have heard of him.

Re:Like anyone is going to follow this

[HungryHobo]

'analytics' also covers collecting data which allows you to see what your users are actually using on your page and even what form elements are the wrong shape or size (are users are missing them when going to click on them)

Unless you think a map like bellow isn't useful to web developers:

http://csscreme.com/images/heatmaps/detail/ishrs.jpg

Re:Like anyone is going to follow this

The point is more that I am not sure why you felt it necessary to make either statement, other than to either pull an argument from authority or to be an asshole, let alone both. It obviously did not add to the discussion, and effectively was a response to the strawman that I was somehow trying to myself pull an argument from authority.

Re:Like anyone is going to follow this

[bky1701]

"there you go with your cookie fetish again... it won't "break technology", it will merely neccessitate some recoding (keeping programmers employed)"

It will break it as it stands. That qualifies as "breaking" it in my book. The fact it can be fixed is irrelevant to the act of breaking it.

Also, broken window fallacy. Creating jobs is not an excuse to break things that work fine now.

"you're not too bright are ya... there are also laws that prohibit murder, but it doesn't prevent people from being murdered... maybe such pointless laws should be dropped too?"

If there was a law that stated you could not kill someone with a bladed weapon, and no law saying you could bludgeon them to death, then yes. It is stupid and ineffectual to have one but not the other, ESPECIALLY if part of the law calls for outlawing cooking knives.

"the law is about establishing a level of risk in doing what is against the law, so that if you engage in breaking the law there is a risk that you'll be caught and punished."

Or... people can simply do the same nasty things via still legal and not much more complicated means, effectively only harming the legitimate applications of the effectively banned technology.

"introducing a law that prohibits using such cookies without user consent means that there is now risk in engaging in some (not all) online privacy invasion "

Except:

1. Real privacy threats are outside EU jurisdiction, and will continue on their merry way.
2. It is trivial to shift tracking to other means.
3. It is NOT so trivial to shift legitimate uses, many of which lack good alternatives, as I and others have explained.

Costs: massive.
Benefits: near nil.

This isn't a well-reasoned policy. That leads me to think it is a feel-good policy.

Re:Like anyone is going to follow this

[crutchy]

sounds like you've wrapped yourself up in a feel-good policy

do everyone a favor and stick with your beloved cookies, douchebag

Re:Like anyone is going to follow this

So why not disable cookies in your browser by default, and whitelist specific sites as required?

Re:Like anyone is going to follow this

[AmiMoJo]

In other words, a fucking sociopath the world could do without. Kill yourself. This is not a joke, seriously, kill yourself.

You should be careful, encouraging someone to kill themselves is a crime in the UK. Considering the idiot police will arrest people for making clearly joking remarks on Twitter it probably isn't safe to state your opinion in public.

There is no free speech in the UK.

Re:Like anyone is going to follow this

Why not just turn off cookies in your browser?

Re:Like anyone is going to follow this

[bky1701]

So your answer to having it pointed out this helps nothing and hurts technology in general is... to call me a douchebag and continue to say nothing of substance (really, I can tolerate being called names if the person actually puts in an effort).

Well, I can see the supporters of this measure are as mature as they come.

Re:Like anyone is going to follow this

you were the first to "pull an argument from authority"...

I am a C++ programmer, who has programmed numerous websites (several languages), currently in the third year of a Chemical Engineering degree, who uses (Arch) Linux as his main OS, and generally can handle just about any technical matter required of me

by stating my qualifications and that they really don't matter a shit was simply pointing out then what you are pointing out now... but you still don't seem to get it

why do you you see my statement is "from authority"? why do you even give a shit at all about my qualifications? my whole point was to highlight that having them doesn't matter, but you still seem all wrapped up in it

i don't know many many ways i can word it, but how about...

so your a fucking chem eng student... who gives a rats? it makes you just as much an expert on the topic of conversation as my qualifications do me

now... get a fucking clue, grow the fuck up, build a fucking bridge and get the fuck over it

Re:Like anyone is going to follow this

[crutchy]

Facebook knows which porns sites you go to

you are an idiot. unless Facebook can access the cookies left by the porn sites (which according to you are "enforced per-domain" so shouldn't be possible - except it actually is in some cases), or there is a facebook iframe embedded in the porn site, there is no way Facebook could know about such porn sites... maybe your tinfoil hat is getting a bit tight and cutting off the circulation to your brain

Re:Like anyone is going to follow this

[mvdwege]

Oh yeah, Hacker X did those posts full of invective, but now that you've thoroughly shown yourself up as an idiot, you're going to whine about a Bill Hicks quote.

Fuck off.

Re:Like anyone is going to follow this

[mvdwege]

And if you had had the reading level of a twelve year old, you'd have seen that I didn't use 'anonymous coward' as a proper name, so I wasn't referring to the Slashdot usage, but simply to the inability to verify your imaginary expertise.

Which, apparently, is totally dependent on "Dick and Jane build a website".

Re:Like anyone is going to follow this

[mvdwege]

Hmm, I don't see you attacking the original poster for his invective. No, a Bill Hicks quote gets you all hot and bothered.

Nice try, sockpuppet.

Re:Like anyone is going to follow this

[bky1701]

The process is quite simple.

You link an image from Facebook, such as a "like" button. Every time someone views your page, that button is accessed, and your domain is the referrer. Facebook then sees the IP of the person viewing that image, and that referrer, and can potentially correlate that easily with the known IPs of Facebook users. Volla, Facebook knows every site you have been to.

This is not some kind of mythical concept. This was actually used to cause a brief hack scare on a site I used to administer.

That is not even getting into CSS hacks, which are still, effectively, open, and allow any site to access your browser history.

It's also pretty classic you're accusing me of being a tinfoil hat, considering you spent several hours going on about the evils of cookies and how this law is needed to protect your privacy, but that's ok, it's obvious you're a troll. I post this for the benefit of others, as I realize my original post was not totally clear.

Re:Like anyone is going to follow this

what "evils of cookies" have i been going on about exactly? geez this is getting old

and your facebook thing still doesn't work with porn sites... what porn site would have a facebook like button on it, or in case that's not what you meant, who would be stupid enough to post a porn image on facebook? i don't know what you're on about there but it doesn't make any ounce of sense technically. care to explain without using the word "viola"? and what the fuck is a "css hack"? i've heard of xss hacks. sorry but you'll have to enlighten me on css hacks too, because i'm concerned that my web server may be in grave danger

Re:Like anyone is going to follow this

[mvdwege]

Ooooohhh, you've added me to your signature. I'm terrified.

You do realise that those whose opinion is worth something, i.e. smart people, will see the context, don't you?

Don't bother answering, that was a rhetorical question. Of course you won't see that; and the only ones that care are the same sort of spotty bullying twerps that start whining for their Mum when they find their target doesn't meekly submits and hits back.

Re:Like anyone is going to follow this

[HungryHobo]

an extremely dedicated sock puppet.

Yes! It's all a conspiracy. a conspiracy against you mvdwege. we've been watching, waiting, for years!

finally. finally all the sock puppets we've been working so hard to make look like seperate people can swoop in and make you look mentally unbalanced.

Finally! the conspiracy pays off!

How did you see through our dasterdly plans?!?!

Re:Like anyone is going to follow this

[kumanopuusan]

You want to track me? You need my permission, and you don't get it by default.

That is the single stupidest thing I've ever read.
Your browser stores cookie information and sends it to web servers because YOU CONFIGURED IT TO DO THAT.
If you don't want to send or store cookies, don't.

Re:Like anyone is going to follow this

[Richy_T]

Just because you *can* wedge the word "track" in there doesn't mean it's correct usage. They are there to *maintain* state.

To those who are suggesting use of GET and POST instead, that these were less-than-optimal is the whole reason cookies were invented in the first place. I worked with those methods and they were a PITA. And storing that kind of state in a GET is just plain-arsed retarded about any way you slice it.

With that said, that's somewhat orthogonal to the issue of tracking (and third party cookies). I have no idea if this legislation addresses things properly and adequately (given the couple of websites where I have seen this crop up, I assume it's up to the usual competency of such legislation and only inconveniences the good guys while allowing the a-holes to continue unabated)

Re:Like anyone is going to follow this

[bky1701]

Yes. I do. The context of numerous people giving you factual information, and you acting like an asshole rather than actually refuting them. I hope they do, I really do. Your posts are far over-rated in this discussion at anything above -1. I would encourage everyone to keep watching your posts in general, in fact.

Cookies suck

[symbolset]

The WWW is supposed to be stateless for a reason. I'm going to come right out and say that the cookie is the dumbest invention since Token Ring.

Re:Cookies suck

Says the guy logged into /. via cookies

Re:Cookies suck

[symbolset]

I am not responsible for the design of /. If I were I'd take a flamethrower to this place.

Re:Cookies suck

[cheater512]

No, but you are responsible for creating an acocunt and being logged in.

What would you prefer? HTTP Auth?

Re:Cookies suck

[mark_elf]

Prefers flamethrower (ibid.).

Re:Cookies suck

[symbolset]

All the essential data can be passed in the URI. You need one short session signifier that can be added to the extant argument list. This is fine in https - which all websites should use for logged-in users, though it's a problem in http.

Re:Cookies suck

[symbolset]

Obviously adding this session signifier to all the links on the page requires an output filter.

Re:Cookies suck

[cheater512]

Not to mention an awful lot of code for more than a simple site. E.g. ajax, forms, etc...

How do you handle bookmarks? 'Remember me logged in on this site'? Session expiry? Links from a friend/email (would you get logged in as them)?

Re:Cookies suck

[mwvdlee]

The WWW is supposed to be stateless

According to who?

Re:Cookies suck

[symbolset]

None of these things require cookies. I had a proof laying hereabouts, but I've lost it. If you think about how to do each thing though, the solution is obvious.

Re:Cookies suck

[symbolset]

Tim Berners-Lee. The guy who invented the thing.

Re:Cookies suck

[Blakey+Rat]

And God-forbid someone copies their URL and pastes it to a buddy on IM or Twitter.

Oh wait, let me guess, you combine your URL session with an IP address, right?

In which case: God-forbid someone switch wifi networks expecting their session to still be valid. Ride mass-transit? Do they provide wifi with a constantly shifting IP as the train moves? Good luck getting on to my super-awesome no-cookies site! Cellphone? Idiot! Cellphones can no longer browse the web!

Re:Cookies suck

[symbolset]

This cannot be done in an https session.

Re:Cookies suck

[dmomo]

No. HTTP is supposed to be stateless. WWW just makes liberal use of HTTP. Every HTTP request should be made in isolation. WWW can still be stateful while sticking to this convention.

Re:Cookies suck

HTTPS sucks for a well protected dialup account. When you are restricted to 48Kb, any overhead to protect the sheep makes our connection even more unusable.
In the 1990's, I was able to stream two low band audio feeds while browsing. Now I can't even stream one audio connection.

Re:Cookies suck

[cheater512]

A forum?

If you has a session id in the url alone, bookmarking/linking to a page would log you out.
If you gave a link to a friend, it would log them out and depending on how secure it is, log them in to your account.
It would be impossible to remember your login for the site.
Search engines would get tripped up by them while crawling.

Session IDs should really be kept out of reach from humans. They make everything really messy.

Re:Cookies suck

[Anonymous+Brave+Guy]

The IETF disagrees. They know a thing or two about running the Internet, too, I hear.

Re:Cookies suck

Sure it can. Http only defines that you have ssl running below http. Everything above SSL/tls is fair game for the server and client. The common practices for https able browsers is just some common ideals. Don't cache stuff, keep cookies to sessions, etc. I can make lynx ignore those and keep cookies in a plain text cookie jar with http cached.

Re:Cookies suck

[Johann+Lau]

All the essential data can be passed in the URI.

What? If you pass it in the URL, use HTTP Auth, or use cookies, it doesn't matter.

GET /url_of_resource/session_id/ HTTP/1.1
Host: example.com
Cookie: BLAH=session_id_or_whatever
Authorization: Basic blah_blah_blah

And you're seriously saying shuffling it around from one line to the other makes a difference? That's just silly.

More importantly, you're still simulating state. Just in an ass-backward way, for example making copying & pasting links a pain, for no fucking reason. And of course, if you store it in the cookie, you store it once. If you append it to all internal links, you're just bloating every single page. And you send it either way, wether as cookie, HTTP auth, in the URL or whatever. It IS part of the request.

You said "the WWW is supposed to be stateless for a reason", and I say citation needed. You're confusing HTTP, which is stateless indeed, with the servers and clients using it.

Also, state is useful for more than logging in. Think a forum which allows anonymous users to set how many threads / posts per page they want to see, etc. There's plenty of good reasons for it, while you haven't offered anything but unfounded assertions so far.

Guys, if you've never seen a fucking HTTP header in your life, refrain from modding such stuff in the future. That would help.

Re:Cookies suck

[crutchy]

pass the session id in a hidden post field, and for hyperlink submits use javascript (slashdot is plagued by js anyway)

passing a session id in every submit adds to the size of the page, but have you seen all the garbage that pads web pages lately? maybe if developers focused on problems like div soup and an excess of eye-candy css and js, slashdot would be much more efficient even without cookies

Re:Cookies suck

[crutchy]

hidden post fields and mysql

Re:Cookies suck

[stridebird]

you keep saying "mysql" as a solution to this. Hey crutchy boy I've read enough of your shit already, but do tell how "mysql" is the solution to anything here?

Re:Cookies suck

[crutchy]

Hey crutchy boy I've read enough of your shit already

get over yourself, twat

how "mysql" is the solution to anything here

its not a solution to anything here, its just an alternative to cookies that twat bitches like you are so enamoured of

using a php/asp/perl script you can read get or post fields (you can even read cookies omg!) and store the data in a mysql database, so that the data is retained between page transitions. its not rocket science you stupid twink. wtf is so special about cookies anyway?

Re:Cookies suck

[bky1701]

It was also arguably made to be transferred over telephone lines and used by 16 bit computers.

Re:Cookies suck

[jimicus]

How exactly does MySQL solve the problem?

Re:Cookies suck

[crutchy]

what "problem"? mysql+post fields are an alternative to cookies... where's the problem with that? what the hell do people have against post fields, and what is so orgasmic about cookies? is cookies all that you cookie munchers understand? go read "PHP and MySQL For Dummies"

Re:Cookies suck

[jimicus]

That's well and good for a single session, but it doesn't deal with one that persists once the browser's closed and reopened.

Re:Cookies suck

[crutchy]

the mysql data isn't deleted when you close your browser... please explain?

Re:Cookies suck

[jimicus]

The MySQL data isn't stored on the browser, it's stored at the server end.

The content of pages may not be stored between browser sessions, but that's exactly where a hidden POST field lives. (In fact, if you've been following a site that uses hidden post fields, that would suggest that every page is generated as a result of something the browser POST'ed. RFC2616 effectively bans caching the result of such things, so there's no "may" about it. The content of such pages cannot be cached; the hidden POST field containing the session ID dies when you close the browser).

The only way the server can tie up the session data in the database with the browser that is connecting is if the browser submits some sort of information to the server to say "Hey, I want to use this session!". And it can't get that from the content, it can only get it from meta-data. The only bit of meta-data which can be cached across browser sessions and sent back from client to server is any cookies.

In principle you could, as you say, include a hidden POST field which the browser will submit back. Let me give a few examples which illustrate where this starts to break down.

SCENARIO 1: WHERE IT WORKS.

You visit my online shop and put some items in your cart.

Once you've chosen which items you want in your cart, you go through the purchasing process. Everything works just fine.

SCENARIO 2: WHERE IT WORKS. SORT OF. SUBJECT TO A FEW CAVEATS.

You visit my online shop and put some items in your cart.

You look at your cart and think "I need to buy something else". You right-click on a link somewhere else on the site and select "Open in new tab".

Provided I've accounted for this possibility - by ensuring that every link on the site is actually a submit button that forces your browser to POST the hidden fields as a form - this works just fine.

It's not ideal, however, for a number of reasons:

- It'll make the pages themselves larger - hence requiring more bandwidth.
- It'll make them more complicated - hence requiring more testing and introducing more scope for things to go wrong.
- Most existing shopping-type websites don't do this, changing them would be a lot of work.
- If I didn't write it myself but instead brought in the cart functionality from outside - maybe with a commercial product, maybe with a piece of F/OSS software - I may not be able to make these changes at all. This is something that the great majority of online shops do - very few people code their own cart functionality from scratch, it simply doesn't make sense.
- All of these changes cost money. Rather a lot of money, as it happens, particularly if I need to hire in outside expertise to make these changes because half-decent web developers aren't cheap. They're even dearer when you're asking them to re-architect a fundamental part of the site. It'd be a lot cheaper for my web developer to simply put a banner on saying "We use cookies, take it or leave it".

SCENARIO 3: WHERE IT STARTS TO BREAK DOWN.

You visit my online shop and put some items in your cart.

You look at your cart and think "I need to buy something else". You press Ctrl-T to open a new tab and, in that tab, visit my website by typing the URL into the URL bar.

Your browser doesn't submit the hidden value because you didn't visit the new tab via your existing session in the first one. You wind up with two separate sessions - and two separate carts - on the website.

The only way I can resolve this without using cookies is to force you to login in tab 1 and prompt you to login again in tab 2. Once you're logged in in both tabs, we can then merge your sessions. We'll have to do this again for each new tab you open.

Forcing people to login as part of the shopping process is a very good way to put prospective customers off, so I don't really want to do this. It's particularly a problem in this scenario because unless I force people to login, the shoppin

Re:Cookies suck

fair enough... cookies can be convenient, but you still haven't proven that they are essential, and security in online shopping is pretty important, so logging in isn't THAT bad, and if you deliberately open up a new window from anywhere other than the active session, it would make sense that it should be treated as a different session. opening windows from the active session can be performed using post fields (or get fields in the case of secured images)

interruptions to a secure session can happen, but if you present a login prompt, the user can be returned to the exact same screen as they were before the interruptions, without losing any oftheir cart selections or other preferences... you can also use IP address and a mixture of other parameters (yeah I know IP address can be spoofed, but cookies can be hijacked too)

one thing i like about post fields (doesn't make them better than cookies though) is the ability to have a rolling session ID, where the session ID changes every page transition. makes working in two windows impossible, but it has some security benefits (session hijacking is more difficult)

if you want convenience, then cookies are convenient, and please note that i'm not saying that cookies can't be useful in that situation (i use them myself), but there is usually a way of getting around any such perceived need for them

Re:Cookies suck

You say "cookies aren't needed" and then start enumerating ways to (poorly) emulate them. Kinda like saying knives aren't needed, because you can tear food apart with your hands and teeth - true, but not worth considering as you're doing the same thing in an ineffective way.

Is cookies some kind of a monster? Because "you can also use IP address and a mixture of other parameters" for tracking people across different sites as well, and it seems to be the biggest gripe with cookies for privacy advocates.

Re:Cookies suck

[Blakey+Rat]

I think it's hilarious that you think the solution to browsing the web without cookies is basically ASP.net WebForms.

Re:Cookies suck

[Richy_T]

Hey, I'm a Windows user*. Can I use Access or Excel instead of MySQL?

*Just kidding.

Re:Cookies suck

[Richy_T]

WTF is so special about MySQL?

Re:Cookies suck

[Richy_T]

You can roll cookie IDs with every page transition too.

Re:Cookies suck

[Richy_T]

The IP address is actually a bigger issue too. I can use private browsing or clear my cookies if I'm paranoid enough with little effort. Masking IP address is a whole other issue. It doesn't expire at the end of the session, typically bears some kind of relation to geographic location, in some cases can be used to see if a person is home/online or not, can remain the same for years at a time and is identical across all websites and services accessed.

Re:Cookies suck

[Richy_T]

So your solution to the "Cookie" fiasco is to require all users to enable Javascripts? Your subtle sense of humor is sublime.

Re:Cookies suck

[Richy_T]

+1

The stateless web was a design flaw based on assumptions about the content and the way things would be organized (the web is far different from what TBL envisioned). It was fixed (though maybe not in the best possible way). People need to get over it.

You're right about the header too. All this post gobblediegook basically translates to "server sends some stuff with a unique identifier, client sends back some stuff with same unique identifier, repeat until done". That's exactly what a cookie is but you don't have to tie your code in knots to accomplish it and management tools can be built into the browser because you're not dealing with some ad-hoc buggy code some backroom developer knocked together. As a bonus, if legislation were ever written properly, it could be targeted correctly. Can you imaging what would happen if they started trying to legislate POSTs and GETs?

Re:Cookies suck

[crutchy]

i didn't say cookies are needed, in fact i said that they aren't... learn to read, and misquoting is bad

cookies can be used, but all i'm trying to explain to those that are complaining about the law in tfa and their perceived need to flout it because they can't live without tracking cookies (the law doesn't prohibit all cookies), is that there are alternatives

i've never said that i don't personally like cookies. i use them too. i just also know how to use other technologies too.

i also never said that cookies were the only way to track users, or that the methods i mentioned were free of privacy concerns

are you people lacking sleep or something? you seem to be unable to read and comprehend simple things

Punctuation... FTW

[c0lo]

Let's have some fun, otherwise this is a so "Not news" item it should be posted on Idle (the lest redundundundant title should have been: Watchdog "Not Ready"). So...

Watchdog "Not Ready" to probe cookie! Complaints.

Watchdog "Not Ready" to probe! Cookie complaints.

Watchdog "Not Ready" to?! Probe cookie complaints!

Re:Punctuation... FTW

[Jade_Wayfarer]

Even better, space opera version:
Watchdog "Not Ready"! To probe! Cookie, complaints!

I can even picture some space marines storming important height, when their commander hears on the radio that other team codenamed "Watchdog" is not ready, so they have to retreat to some probe. "Cookie" is current team's engineer, who is commanded to deploy some "complaints" - proximity mines, maybe?

Hm, actually, I think I'd watch that movie...

Dumb laws are dumb.

[VortexCortex]

When you go to a web site that "stores cookies" in your browser, what happens is that a HTTP "Set-Cookie" header is sent to your browser. YOU HAVE THE POWER TO DISABLE COOKIES in your browser. It's not like the remote site can make your browser save the cookie.

The user already has every capability to prevent the remote sites from storing any cookies. Simply DISABLE ALL COOKIES. Then, if you run across a site that has a feature requiring cookies (stateful sessions, like logging in), then and ONLY THEN DO YOU ENABLE COOKIES for that site alone. White list it. Oh your browser doesn't have a white list? YES IT DOES. IE does. FF has the Cookie Monster plugin among other ways, Chrome has -- Fuck Chrome! Chromium Exists. Chrome is closed source and has Google's secret advertising sauce added if you don't like cookies why would you use Chrome?! Google Sells Ads.

Now, being a primordial deep one from time immemorial, I remember an age before cookies existed. I used caller ID, bitrate and handshake timings to log and verify my visitors' identity in the BBS era. Then came the Internet. I used a hash of the user agent, IP address, and other header strings along with URL munging (crazy crap you see after the ? in your address bar) to identify and verify users. Cookies allowed us to stop crapping up every URL on the page, and causing massive link rot... So, you want to make laws about cookies, eh? Well there are levels of tracking we are willing to accept, and we don't even need the damn cookies to do so. Enjoy server side storage of your IP address, browser signatures, and Query Strings cocking up your bullshit European URLs....

Get bent morons. Cookies are good for you, at least YOU can control them. You can't very well control whether or not servers use URL munging....

Re:Dumb laws are dumb.

[purpledinoz]

The problem is that most people have no idea about anything. I agree though, making laws to ask sites to comply to some regulation is stupid. Browsers should have better and easier to use cookie whitelisting by default. This way, if a website detects its not on the whitelist, it will have to ask the user to add them to the whitelist.

Also, people use Chrome because it's faster. It's just way faster than Firefox, at least on Windows on my slow PC.

Re:Dumb laws are dumb.

[epp_b]

I've been wanting to say exactly this every time I see another retarded story about cookies. Thanks for giving me a hand.

Just in case it was missed: COOKIES ARE HELPFUL TO YOU, YOU MORONS.

Want online shopping? Cookies.
Automatic login to 9000 different sites? Cookies.
Remembered configurations and searches? Cookies.
Convenient URLs that you can remember? Cookies.

As the parent explained, YOU hold the control in deciding what, how and when sites can store cookies on your machine. If you can't be arsed to spend a half hour learning to protect your privacy, you don't deserve it.

Dim-witted, pandering, posturing politicians passing some idiotic "cookie legislation" is going to cause you to have *less* privacy, security and convenience.

Re:Dumb laws are dumb.

[Smauler]

As much as I am in favour of the intent of this law (restricting access to people you don't to access your browsing habits), it's not working in the slightest, and it was _never_ going to work.

Firstly, people don't want it (popups asking if they want cookies enabled are annoying and counterproductive)

Secondly, no one is actually complying with the law, including governmental bodies.

Thirdly, the internet is global now (wait, when did that happen?)

All that, and like parent said, cookies are a good thing in lots of cases.

Re:Dumb laws are dumb.

Lots of sites are complying the the law. Uk based ones that is. I have had to make my companies web site compliant - with implied consent (ie you don't have to click a button to be considered to agree) as we are using 3rd party cookies.

It is still a pain in the arse and I am purposely ignoring the various requests from many sites because the law is stupid. Well intentioned, but stupid.

Re:Dumb laws are dumb.

[Post-O-Matron]

It's not as simple as that. You are missing the usual "but we are geeks" syndrome. For a /.er disabling all cookies and then inspecting incoming ones individually to decide which to enable might be something they can do and willing to invest the time in. For normal people doing that for every website they use isn't really a viable option.

Hence a law that forces website owners to breakdown cookies to roles and present Mr. Normal Person a simple explanation of what they do and allow them to enable them or not.

Think about it like Firebug's cookies tab for non-techies.

Re:Dumb laws are dumb.

[crutchy]

Cookies allowed us to stop crapping up every URL on the page, and causing massive link rot

so do hidden post fields and mysql

cookies are for sneaky single pixel iframes. anyone who thinks they "need" them for anything else is doing it wrong

Re:Dumb laws are dumb.

[crutchy]

and you're probably one of those morons who would complain about receiving too much spam

if you don't want to drive away users with useless prompts, don't use cookies

if you provide a cookie mechanism for user convenience, don't enable it by default and let the user click a link/button to proactively enable/disable it

having said that, most browsers have an option to disable third party cookies, and any site that requires them to work isn't worth visiting

Re:Dumb laws are dumb.

[MrL0G1C]

Want online shopping? Cookies.

Agreed and it should be read as implied when you visit such a site that you would want the shopping cart to work.

Automatic login to 9000 different sites? Cookies.

Ugh, no thanks, trackers wet-dream this one. Firefox and password-safe remember my passwords and that's the way I like it.

Remembered configurations and searches? Cookies.

With cookies this is for tracking, the browser can do this without cookies. If you like a site enough then fine, but 99% of sites I visit don't need 'configuring'.

Convenient URLs that you can remember? Cookies.

Eh, I don't even get this one, I don't need to remember any more than slashdot.org etc, and I use bookmarks, how does cookies even enter the equation?

Dim-witted, pandering, posturing politicians passing some idiotic "cookie legislation"

Yeah, pretty much, it's still a stupid law that hits at the wrong target, cookies are useful and I don't need the BBC asking me to use cookies every day, and how do they remember when I say no anyway? store a fucking cookie, doh.

Re:Dumb laws are dumb.

[pe1chl]

Of course whitelisting cookies by site is useless. Many sites send different cookies, you want to block some of them but not all.
Blocking by name is difficult because there is no name convention.
When every session cookie would start with SESS and every tracking cookie with TRK, it would be easy.
Now that there is no such naming convention, and no tools in place to do anything with cookie names, it is probably best to add
another field to cookies, to convey cookie intent. Then users can allow or block cookies based on intent. They can allow
cookies used to keep a login session, and refuse cookies used to track users.

Re:Dumb laws are dumb.

Cookies are very bad for pedophiles...

Re:Dumb laws are dumb.

[Richy_T]

I stopped receiving spam completely. It's really simple, I'm surprised more people don't do it.

Just bring up one of those command line thingies and type

# apt-get install mysql

My Athlete's foot went away also.

Re:Dumb laws are dumb.

whatever douche

Re:Dumb laws are dumb.

[Richy_T]

AC? Really? I guess if I emitted an insult that lame I wouldn't want my name associated with it either.

They could have been a positive thing

[Grayhand]

I still remember back in the late 90s when we all blocked cookies. Now if you do it cripples a lot of the internet sites. Sad how badly abused our privacy is these days. Cookies could have been handled in an non evil manner but is wouldn't have helped the corporations invade our privacy.

Re:They could have been a positive thing

[LMariachi]

How do non-third-party cookies invade your privacy?

Re:They could have been a positive thing

[Tom]

1st party cookies are exempt from this regulation in many cases.

Read, comprehend, think, comment - preferrably in that order.

Why is the burden on millions...

[LMariachi]

This is stupid. Why is the burden on millions of websites instead of a handful of browsers? Mandate that any web browser distributed in the U.K. default to "Ask me before allowing cookies." It should be the default anyway.

Re:Why is the burden on millions...

and how do you mandate that to a company that isn't in the UK?

Re:Why is the burden on millions...

[mwvdlee]

You politely ask Mozilla, Google, Microsoft, Apple, Opera and a few others. They put a developer on it for a few hours. Problem solved.

Re:Why is the burden on millions...

[irwiss]

No it should't be default.

You may want to deal with every single session cookie on every single site you visit, I don't.

If anything NoScript should be default browser functionality.

Re:Why is the burden on millions...

[SurfaceMount]

You may want to deal with every single session cookie on every single site you visit

Thats basically what the EU wants isnt it?
They want every website to give you a popup asking if they can set a cookie on your browser.
Of course if you say No the website cant store your choice in a cookie, so your going to have to say No every time you visit.
Sure browsers could be modified to always say Yes/No.....oh right thats exactly what they already do now.

Browser cookie blocking is superior, so why not just keep useing that instead of misguided server side permissions?

Re:Why is the burden on millions...

..."Ask me before allowing cookies." It should be the default anyway.

No, it shouldn't. I'd take seppuku to cookie prompts every time.

The default should be that cookies are manually downloaded by the user ("save my shopping cart", "log me in next time", etc.), and optionally inspected before being stored. Reading a cookie should consist of the user clicking a load button ("load my shopping cart", etc.) and selecting which (if any) cookie to send. They shouldn't be any different from an application-specific saved file, since that's what they are.

Re:Why is the burden on millions...

[mvdwege]

Because the burden is on the one infringing on my right to privacy to prove necessity, not on me.

Given the loud whines of Facebook-wannabe's and their shills, one wonders what they have to hide about why they collect all that browsing information?

Re:Why is the burden on millions...

[JDG1980]

If anything NoScript should be default browser functionality.

Running NoScript means essentially every web site is broken by default, and you have to whitelist whatever domains they use for scripting to make it work. Invariably, people will just choose "allow all" to get things going. What's the point?

Re:Why is the burden on millions...

[LMariachi]

If a browser is allowing your privacy to be invaded via tracking cookies, that's a problem with the browser. Not that the shady sites are free of responsibility, but you the user don't have to prove anything in any case.

An absurdly exaggerated analogy: If an OS shipped with all ports open by default and replied to any request with the contents of your address book, would it make more sense to make the manufacturer fix the faulty OS, or to try to prosecute everyone everywhere who took advantage of it?

Re:Why is the burden on millions...

[pe1chl]

The way it is implemented here in the Netherlands is that cookies required for technical operation,
like login sessions, store baskets, user preferences are allowed but cookies used for other purposes,
like tracking site visits and controlling ad placement, are not. (unless allowed explicitly by the user)

What is required now is an extra field in the cookies that conveys cookie intent, and a setting screen
in the browser to allow/deny cookies with given intent (as a default).
So users can opt-out of tracking and still be able to login and shop without having to confirm their
cookie acceptance for every site.

Re:Why is the burden on millions...

[mvdwege]

Fuck you and the false dichotomy you rode in on.

Why not do both?

And again, it's the websites that want my personal info (yes, my browsing habits are personal info), they should have to justify themselves, not me.

Mart

Re:Why is the burden on millions...

[bky1701]

"and how do you mandate that to a company that isn't in the UK?"

How do you mandate what sites do if they aren't in the UK?

The answer in both cases is: you do not, and that is by design.

Re:Why is the burden on millions...

[bky1701]

"Because the burden is on the one infringing on my right to privacy to prove necessity, not on me."

Or, you could, you know, block their cookies. Or disable cookies entirely. Or get the fuck off the internet if you are THAT worried about privacy, because, let me tell you, cookies are the absolute least of most people's privacy woes here.

Check the link in my signature. It's relevant.

Re:Why is the burden on millions...

The major problem with the EU law is that you are liable for the cookies that 3rd parties are setting (*even if* the cookie domain doesn't match your domain). To comply, you have to navigate to your site, extract all the hundreds of cookies that other companies might be setting and then try to explain what they are. In addition, you have to include a way to set a further cookie to prevent non-essential cookies from being set (i.e. horrible if-statements everywhere checking for the no-track cookie before including any 3rd party resources).

Here's a typical tracking cookie:
id=2245effe1e0100ba||t=1344946332|et=730|cs=002213fd48b559cebe69360659; expires=Thu, 14-Aug-2014 12:12:12 GMT; path=/; domain=.doubleclick.net

A better solution to the problem would be to add an 'intent' field to cookies (similar to 'path' and 'domain' fields) and then require by law that you specify the intent of the cookie when you set it. Example intents could be 'essential', 'authentication', 'session', 'analytics'. Browsers could then be updated to filter based on the intent. In the EU, you could automatically spider sites and if the intent is not set you could flag it for investigation.

The vast majority of malicious cookies would be 3rd party cookies with no intent. They could be filtered by default.

If you want to be sure that everyone continues to set your essential cookies, you ensure that you set the intent. If it's found that you've lied about the intent of the cookie (just like you could lie in your 'About cookies' section on your site) then you're liable to prosecution. Major players such as Google would only have to update their central codebases to include the intent field and the majority of the tracking around the world could be filtered.

Re:Why is the burden on millions...

[mvdwege]

Sure, and women could be safer by not walking down certain streets in too sexy clothing.

I reiterate, it's up to you to prove to me why I should give something of mine up to you. All other public transactions work that way, and yet you want a blanket reversal for the personal info merchants. It is you who owes the public an explanation.

And behaving like a spotty twerp with a bully complex is not helping your case.

Re:Why is the burden on millions...

[LMariachi]

Again, who is asking you to justify yourself?

First-party cookies do not track your “browsing habits” anywhere but on the particular site that you are visiting, and they already know you’re there.

Re:Why is the burden on millions...

[Richy_T]

Although I have ridiculed the use of POST and GET to replace cookies above, the truth is that once you have the user logged in with a cookie, it is then trivial to use POST or GET for the actual tracking. Unless the legislation is crafted carefully (haha), it's trivial to get around.

Re:Why is the burden on millions...

[mvdwege]

Goal-post shift noted. The law discussed has huge exemptions for first-class cookies, and you mentioned nowhere in your original post that you were merely discussing first-class cookies. I, however, have mentioned elsewhere that I have no problem with first-class cookies.

So, explain to me what justification websites have for using cookies to track my browsing habits without permission? A straight answer this time, no equivocation.

Mart

Re:Why is the burden on millions...

[LMariachi]

No argument here. The differentiation between cookie types has been frequently elided by people railing against them — they say “argh cookies” when they mean “argh third-party cookies;” the same thing I did s/third/first.

 

Fool's endevour

I can see this organisation getting slammed with complaints about sites that aren't even located in the UK. How do they expect to police that? (Yeah, I know we Yanks think we can police the world, but I thought you Brits would have more sense)

My complaint

Oreos are really terrible. So dry and grainy, you have to dip them in milk just to swallow them.

Get on that, watchdogs.

SO what your saying is

[Nihn]

They have been accepting money but not producing anything...politics as usual.

It's a damn stupid law

[maroberts]

Am I the only one who thinks that these popups which state "we're using cookies" is highly annoying?

Almost everyone apart from your aged grannie knows that you are tracked on sites by use of cookies, so what is the point of this bureaucratic nonsense? It's almost like a secret plot; a small step to making the net unusable.

  If you really want to ban something, block sites from opening 3rd party poker/porn sessions in windows behind your current window, not that such things happen to me of course.....

[/rant]

Re:It's a damn stupid law

[gagol]

My solution: AdBlock+ let you flag any DIV as bad evil advertising... just point to the anniying part and you are off the hook!.

Re:It's a damn stupid law

[bky1701]

It's just another group of governments trying to flex their muscle to prove how bravado they are over the internet. It'll fail, they'll destroy their own IT industry in the process while the companies move to some less problematic country (in this case, the US), and no one will ever call the governments on it. It happens often.

Europeans especially seem to be unusually prone to this. At least us Americans tend to bitch about everything before, during, and after; that's arguably why we're still freer in a lot of important ways, despite having a much larger number of right-wing loons. It's also why nothing passes on a federal level other than "we dislike Hitler" bills. I'd still rather that than the alternative, though.

Re:It's a damn stupid law

[coofercat]

I actually agree with you - it's a futile law. However, what it has done is made website owners think about what they're doing. Granted, most just say "we use cookies, if you use our site you agree to get them from us", but some sites are dropping the 3rd party cookies they don't need because they don't want to have to argue the toss for something they don't use.

This hasn't revolutionised anything, it hasn't even made an incremental change, but it's started a conversation. In that sense it's good. In most others it's an expensive waste of time.

Personally, Ghostery does all I need to stop this sort of thing. I pretty much recommend absolutely everyone uses it. The only places I've found it needs any manual intervention is on sites like Thingiverse that use a third party comment system. However, you can tell Ghostery just to block cookies and not all the other shenanigans that sites use to track you, and then you'll have slightly less privacy, but 100% functionality.

Re:It's a damn stupid law

[Flarston+Marston]

Totally agree. It is totally irritating - as if anyone would read 10 lines of extra boring bullshit for every web page they visit. Unbelievable.

Learn proper grammar!

According to who?

The word is whom, asshat.

Duh.

1984 was not about business

[Impy+the+Impiuos+Imp]

Meme: Business evil, stop them from minor thing.

So sayeth an organzation that demands backdoors so they can easily spy on you, "Trust us."

I suppose this is a small improvement, but business per se is by far the lesser problem compared to overbearing government, or overbearing government at the behest of well-connected business.

A Solution ...

[epp_b]

Have a website? Disable and redirect EU visitors to a message explaining that they cannot use your website until they pester the morons in government who implemented this crap until it's reversed.

I'd love to see something like this gain traction. All it would take is a big player like Amazon to make this happen.

Re:A Solution ...

[OliWarner]

That's certainly an idea but consider it from the website owner's point of view. They're already making their website less competitive (globally) with annoying pop-over nonsense. Some websites actually don't work until you've explicitly agreed to have cookies (a poor interpretation of the law, IMO).

What do you think a user is going to do if they have to sit through a five minute, hell, even a 30 second political complaint before they can even use the site? Well, if that site, like many sites, has a billion competitors - the user can go back and click the next site on the Google listings. That's what I do when a site isn't doing what I explicitly asked for, or doesn't load fast enough.

No, most websites in the EU are doing as little as possible to draw clients attention away from the product; inferring "implied consent" with a cookies link somewhere on the page is a common design metaphor, maybe a position:fixed link-image in a corner. Otherwise it's business as usual, thankyouverymuch.

What surprises me most about this story is that there are actually complaints in the first place for the ICO to investigate. Why don't people have better things to do with their time?

Re:A Solution ...

UK is not Europe.

Re:A Solution ...

[bky1701]

Or just hold no physical presence in those countries, and still sell to them. More or less the same thing done with sales tax in the US. All this sort of thing does is make EU countries less likely to compete in the internet market. I guess I should be happy about it: it means the US will be able to pick up a lot of the space left by them.

Re:A Solution ...

Sorry, "no physical presence in EU countries" is no magical escape. The relevant criterium is "doing business in EU countries". Break the rules, and you can be barred from legally doing business. Sure, in practice that means that you can smuggle goods. But good luck with taxes (say bye-bye to those Irish shell companies) or lawsuits (say bye-bye to your patents).

Your idea certainly was considered by Microsoft after their fine, but even they realized that they couldn't pull off such a boycott.

... just for 3rd party cookies

[martijnd]

The law in the Netherlands is that you have to inform users that you are going to put a cookie on their computer.

EXCEPT if the cookie is required for the core functionality of your website. So your shopping cart can put its 1st party cookie, and you are not in hot water.

Most websites use Google Analytics. That is where you have to start putting up the "Smoking Cookies Kills" banners that will likely hurt your websites traffic significantly. The best thing is to avoid the banner altogether and stay still within the law.

Sot its time to drop Google Analytics; its cool, its nice and now a drag on business.

I have already found one alternative that looks half decent and doesn't require me to put up any cookies at all: PiWik (http://piwik.org/)

Re:... just for 3rd party cookies

[gl4ss]

does this law make any comment about localstorage?

Some can't see the forest for the trees.

[el_flynn]

I think a lot of comments here are focused on the wrong thing.

TFA says "the ICO has yet to investigate a single website... because its investigative team isn't ready to start work - more than a year after the new laws came into force". So TFA is more about a culture of "shoot first ask questions later" that is prevalent in government agencies - NOT about the validity/ethics of having the rules in the first place. It's already in place, people - arguments about whether cookies are good or bad should have already taken place ages ago when vetting the rule.

So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

Re:Some can't see the forest for the trees.

[Dark$ide]

So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

The UK Gov't is only implementing what the stupid folks in the EU Gov't told them to. The real problem is that the EU Gov't allowed this crap to go through in the first place. We need to get some (members of parlaiment) MPs and (members of the European parliament) MEPs who have a clue about IT, who have a clue about how the Internet works. That's the underlying problem - we've got clueless career politicians with a supporting organisation made from clueless lawyers and MBAs.

Re:Some can't see the forest for the trees.

[Hatta]

So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

The real question is, why isn't there any recourse against an enforcement agency that refuses to enforce the law?

You can't run without cookies

[Dark$ide]

If I choose the option to opt out of storing cookies, the website stores a cookie to remember that decision. This law was drafted by silly people who don't understand how a stateless protocol needs to store status information to work.

If you want your web browsing to be a useless and painful experience try running with cookies disabled. I hope you enjoy re-entering your password on every secure page.

The fact that the UK Gov't QUANGO can't afford, can't be bothered and doesn't have the time to enforce this crap law is a good thing, they can spend my taxes on doing something more useful.

Another meaningless law

[hcs_$reboot]

So we gonna have at the same level an annoying warning from sites that just need a session cookie to ease our users lives, and on the other hand the same warning from Facebook-like sites that require a once warning/cookie to track you the hard way through tons of other unsuspected sites having the Facebook "Like" button. Ridiculous.

facts

[Tom]

I hate to burst everyone's babble with facts, but here you are:

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

important key points:

• Implicit consent is valid in many cases
• some cookie uses are exempt, especially session ids, shopping carts, etc.

Sorry for brutally slaughtering half the comments posted so far.

As I read it, what this basically asks me to do is put an information that my site uses cookies somewhere with a link to a page that explains what I use the cookies for. If you're doing the usual stuff (session ids), you're probably done with two sentences.