Watchdog "Not Ready" To Probe Cookie Complaints

nk497 writes "The UK data watchdog has admitted it doesn't have any staff investigating cookie consent complaints, more than a year after the law came in via an EU directive. The regulation requires websites to ask before dropping cookies and other tracking devices onto users' computers, and came into law in May 2011. The Information Commissioner's Office gave websites a year's grace period to update their websites, but failed to use that time to get its team together, meaning the 320 reports of sites not in compliance it's already received haven't been investigated at all."

Dumb laws are dumb.

[VortexCortex]

When you go to a web site that "stores cookies" in your browser, what happens is that a HTTP "Set-Cookie" header is sent to your browser. YOU HAVE THE POWER TO DISABLE COOKIES in your browser. It's not like the remote site can make your browser save the cookie.

The user already has every capability to prevent the remote sites from storing any cookies. Simply DISABLE ALL COOKIES. Then, if you run across a site that has a feature requiring cookies (stateful sessions, like logging in), then and ONLY THEN DO YOU ENABLE COOKIES for that site alone. White list it. Oh your browser doesn't have a white list? YES IT DOES. IE does. FF has the Cookie Monster plugin among other ways, Chrome has -- Fuck Chrome! Chromium Exists. Chrome is closed source and has Google's secret advertising sauce added if you don't like cookies why would you use Chrome?! Google Sells Ads.

Now, being a primordial deep one from time immemorial, I remember an age before cookies existed. I used caller ID, bitrate and handshake timings to log and verify my visitors' identity in the BBS era. Then came the Internet. I used a hash of the user agent, IP address, and other header strings along with URL munging (crazy crap you see after the ? in your address bar) to identify and verify users. Cookies allowed us to stop crapping up every URL on the page, and causing massive link rot... So, you want to make laws about cookies, eh? Well there are levels of tracking we are willing to accept, and we don't even need the damn cookies to do so. Enjoy server side storage of your IP address, browser signatures, and Query Strings cocking up your bullshit European URLs....

Get bent morons. Cookies are good for you, at least YOU can control them. You can't very well control whether or not servers use URL munging....

Re:Cookies suck

[dmomo]

No. HTTP is supposed to be stateless. WWW just makes liberal use of HTTP. Every HTTP request should be made in isolation. WWW can still be stateful while sticking to this convention.

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

What actual technical purposes for cookies are there?

Some obvious ones are:

1. Maintaining an authenticated user session (logging in and out securely)

2. Storing the current state of the user's session (shopping carts and the like)

3. Remembering user preferences from one visit to the next

4. Analytics within your own site

I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

That simply isn't true. There are plenty of valid concerns regarding using cookies, particularly third party ones, but if they were only meant for tracking then why bother inventing things like session cookies?

Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

And that specific exemption is so tightly worded that it doesn't even cover all of the examples above, which is why we then wound up with the formal opinion of the EU data protection authorities a couple of months ago covering things like first party analytics cookies.

I'm a strong advocate of privacy, but I don't see any serious privacy problem with any of the usages mentioned above, there are obvious potential benefits to the user in each case. Regardless, how are all these "This web site uses cookies, and we know that no-one is enforcing the rules so we've put this token irritating box up even though we're relying on implied consent and we already set them all anyway" boxes doing anything useful whatsoever?

Re:Some can't see the forest for the trees.

[Dark$ide]

So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

The UK Gov't is only implementing what the stupid folks in the EU Gov't told them to. The real problem is that the EU Gov't allowed this crap to go through in the first place. We need to get some (members of parlaiment) MPs and (members of the European parliament) MEPs who have a clue about IT, who have a clue about how the Internet works. That's the underlying problem - we've got clueless career politicians with a supporting organisation made from clueless lawyers and MBAs.

Re:Like anyone is going to follow this

"I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for."

I am a C++ programmer, who has programmed numerous websites (several languages), currently in the third year of a Chemical Engineering degree, who uses (Arch) Linux as his main OS, and generally can handle just about any technical matter required of me. Why do I suspect you have never so much as executed a batch file? Oh, right. Because you're an idiot ranting about something you obviously do not understand.

"What actual technical purposes for cookies are there?"

If you actually knew what you were talking about - or maybe read the fucking post you replied to - you would be able to answer this question, rather than only pose it rhetorically as a vague insult.

"Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption."

Considering how little this will realistically accomplish (again, had you read my post, you would have been educated on a real privacy threat this does nothing to address), please do not expect me to have faith in their ability to make proper exclusions. According to others, they have not - it is not worth my time to read the actual directive in order to address a fool like yourself.

"In other words: shut up, you fucking shill for the tracking industry."

It is amazing the kind of dumbshits that come out on Slashdot sometimes. Let's see: 1. Ignore all facts, especially those stated in the post you are replying to, 2. Act as if no one knows the facts you just ignored, 3. Make unfounded claims, 4. Close with an ad hominem accusing someone of being a shill (because 'the tracking industry' would spend their PR money on making semi-anonymous posts on Slashdot. Pull your head out of your ass). What's more amazing is that it seems you were modded up once. Guess I need to go to metamod more. Standards are slacking.

I suppose I am partly to blame, as had I posted this under my account, you wouldn't have had the balls to post that nonsense. Unfortunately, I do not log in from insecure locations.

--BKY1701

facts

[Tom]

I hate to burst everyone's babble with facts, but here you are:

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

important key points:

• Implicit consent is valid in many cases
• some cookie uses are exempt, especially session ids, shopping carts, etc.

Sorry for brutally slaughtering half the comments posted so far.

As I read it, what this basically asks me to do is put an information that my site uses cookies somewhere with a link to a page that explains what I use the cookies for. If you're doing the usual stuff (session ids), you're probably done with two sentences.

Re:Like anyone is going to follow this

[Anonymous+Brave+Guy]

You are acting as if the WWW will collapse if you have to ask users for consent to track them.

You're still using that word "track" in a way that no-one else in the world does. You aren't going to win any debating points like that.

Also, the WWW wouldn't collapse, but it would become significantly harder for those running web sites -- which you apparently value enough to visit them if any of this is a problem for you in the first place. It would be more difficult to optimise sites according to what users were actually looking for and how they were really using them. That would inevitably mean site operators couldn't convert as many visitors either, which in turn would inevitably mean that some good sites that were only borderline financially viable in the early days would fail unnecessarily, leaving no site to benefit anyone.

Have you no decency, or are you trying to hide what you want to do with my info?

What info do you think I am magically getting? It's not as if these things are giving up your name, DoB and home phone number. Your average analytics cookie is just a random number, and is completely anonymous. And even if I did collect personal information from you, which for example you might volunteer when signing up for an account, I would be constrained by exactly the same data protection laws as anyone else handling any other kind of personal data in my country, including filing (at my own cost) details of what I'm collecting and how it is used with my government's data protection officials, who will then make it available to the public so that anyone, including you, can read it.