Slashdot Mirror


Watchdog "Not Ready" To Probe Cookie Complaints

nk497 writes "The UK data watchdog has admitted it doesn't have any staff investigating cookie consent complaints, more than a year after the law came in via an EU directive. The regulation requires websites to ask before dropping cookies and other tracking devices onto users' computers, and came into law in May 2011. The Information Commissioner's Office gave websites a year's grace period to update their websites, but failed to use that time to get its team together, meaning the 320 reports of sites not in compliance it's already received haven't been investigated at all."

37 of 166 comments

  1. Like anyone is going to follow this by Anonymous Coward · · Score: 4, Interesting

    I have to wonder if the people who wrote this law even considered the complaints they likely received at the time to the effect that it would make the internet practically unusable. Yes, it's a good sentiment to not want to "track" people, but with the increasing use of cookies for actual technical purposes - not to mention logins and the like - this would quickly become unfeasible and irritating. Anyway, what of serverside tracking - you know, like Facebook almost certainly does using its extensive "Like this" and Facebook integration APIs? I am more worried about that than cookies.

    No other country's developers are going to give a crap what the EU/British government says. All this will do is hamper European businesses' internet presence and probably cause a few notable companies (Google, etc) to sever ties with the specific countries actually enforcing it. There are certainly plenty of other reasons to do so these days.

    It's kind of sad when the US is one of the less technically inept governments in the world, and it only is because of general failure to do anything.

    --BKY1701

    1. Re:Like anyone is going to follow this by mvdwege · · Score: 3, Insightful

      What actual technical purposes for cookies are there?

      I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

      Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

      In other words: shut up, you fucking shill for the tracking industry.

      Mart

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    2. Re:Like anyone is going to follow this by Anonymous+Brave+Guy · · Score: 4, Informative

      What actual technical purposes for cookies are there?

      Some obvious ones are:

      1. Maintaining an authenticated user session (logging in and out securely)

      2. Storing the current state of the user's session (shopping carts and the like)

      3. Remembering user preferences from one visit to the next

      4. Analytics within your own site

      I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

      That simply isn't true. There are plenty of valid concerns regarding using cookies, particularly third party ones, but if they were only meant for tracking then why bother inventing things like session cookies?

      Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

      And that specific exemption is so tightly worded that it doesn't even cover all of the examples above, which is why we then wound up with the formal opinion of the EU data protection authorities a couple of months ago covering things like first party analytics cookies.

      I'm a strong advocate of privacy, but I don't see any serious privacy problem with any of the usages mentioned above, there are obvious potential benefits to the user in each case. Regardless, how are all these "This web site uses cookies, and we know that no-one is enforcing the rules so we've put this token irritating box up even though we're relying on implied consent and we already set them all anyway" boxes doing anything useful whatsoever?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    3. Re:Like anyone is going to follow this by mvdwege · · Score: 4, Interesting

      All four of your examples are examples of user tracking.

      Face it, cookies are a workaround for the stateless nature of HTTP. Cookies are meant for tracking by definition.

      And you know what? Numbers 1 and 2 are covered. Number 3 is covered once you asked for permission, which you can do using number 1. That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.

      So of your three examples, 2 of them are covered, one of them is covered by extension, and one of them can be done without. I'd say, no great loss.

      You want to track me? You need my permission, and you don't get it by default.

      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    4. Re:Like anyone is going to follow this by crutchy · · Score: 2, Insightful

      1. Maintaining an authenticated user session (logging in and out securely)

      cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an additional requirement.
      if the user is more interested in convenience than security that they would prefer a cookie, then a URL session ID probably isn't out of the question. at the end of the day, nothing is 100% secure, as cookies can be hijacked

      2. Storing the current state of the user's session (shopping carts and the like)

      mysql

      3. Remembering user preferences from one visit to the next

      mysql

      4. Analytics within your own site

      mysql

      even notwithstanding all this, if you're not decent enough to seek the user's permission before dropping a cookie, then you're not dropping cookies for anything other than secretly tracking them. if you need to drop a cookie for any legit reason, then the user is more likely to grant permission to retain functionality than deny for the sake of some misguided privacy paranoia. in any case, for my sites i offer the option of using a cookie or (by default) keeping track of a session using a hidden post parameter for the session ID in each form. they don't need to know the details, just that if they want to be able to revisit without logging on then a cookie is recommended, and even when they elect to use the cookie, there is a button to delete the cookie and revert to the post parameter

    5. Re:Like anyone is going to follow this by Anonymous Coward · · Score: 3, Insightful

      "cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an additional requirement.
      if the user is more interested in convenience than security that they would prefer a cookie, then a URL session ID probably isn't out of the question. at the end of the day, nothing is 100% secure, as cookies can be hijacked"

      So opening a second browser window to the same site fails to be logged in (because it lacks the session). Or someone on your network is logged in as you, because lo and behold, they have the same IP.

      More interested in convenience than security? For fuck's sake, get a clue about website design and security. Cookies, possibly with the ADDITION of the other two systems, are the industry standard for security. Cookies effectively allow re-authentication for every page view by sending a hash of identifying information to the server which can then be checked against the stored hash. IDs have usability issues enough to make them unsuited to general use, which is why they have not been used since the 90s. IPs alone are so insecure they are effectively not authentication. Cookies are the answer decided upon. Indeed, they are the only practical answer. I am sorry if you dislike that. Do not use the internet.

      "3. Remembering user preferences from one visit to the next" - "'mysql'"

      Sure... but what if you do not have user accounts? Are you going to store settings by IP? Yeah, we'll see how that goes. Obviously not by GET variable. So what, exactly, is your answer? Right. You have none. You're just a ranting idiot like the other one.

      --BKY1701

    6. Re:Like anyone is going to follow this by crutchy · · Score: 2

      currently in the third year of a Chemical Engineering degree... and generally can handle just about any technical matter required of me

      i'm qualified in aerospace engineering, experienced in aeronautical engineering, and now developing structural engineering compliance software, with over ten years of programming experience in a few languages (delphi, php, c, js), but it doesn't mean i know what i'm talking about all the time. even if a matter is within your field of expertise, it's very doubtful that you know every aspect of that field inside and out.

      from one engineer to another... your qualification will never be proof that you have any idea what you're talking about, and when you do know what you're talking about you won't need your qualification as proof

    7. Re:Like anyone is going to follow this by Anonymous+Brave+Guy · · Score: 4, Insightful

      Number 3 is covered once you asked for permission, which you can do using number 1.

      Only if you force users to create an account just to keep your site's media player size the same or some other trivial but convenient detail.

      That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.

      Nonsense. Every business I've worked with in recent years has used analytics to see how visitors are using their own site and ultimately provide a better experience for those visitors. Every single one. And for the record, exactly none of them sold any of that analytics data to anyone.

      You want to track me? You need my permission, and you don't get it by default.

      Then turn off cookies in your browser. It's not hard, and if you don't know how, a quick Google search will surely tell you.

      However, I'm afraid I'm not going to compromise on the experience I can offer the other 99.997% of visitors to my sites because you want to make a fuss. No-one's forcing you to visit those sites, our policies are clearly stated and always have been, we're not doing anything even remotely shady in the eyes of just about everyone (except you, apparently) and just about everyone including us and many other visitors benefits if we pay attention to our analytics reports.

      You might like to consider that if you really feel strongly about Internet privacy, you aren't doing anyone any favours either by scaremongering or by attempting to redefine commonly understood terms like "tracking" to mean something convenient for your argument but different to what everyone else means by them. When those of us who want to improve the privacy situation without throwing the baby out with the bathwater come to write to our politicians or send money to privacy groups, all it takes to counteract our reasoned arguments is one PR guy for a commercial ad network and someone hysterical like you, and the politicians who aren't experts are convinced that the advertisers are the only ones being calm and sensible, and therefore nothing needs to be done at all.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    8. Re:Like anyone is going to follow this by Anonymous+Brave+Guy · · Score: 2

      So just to be clear, your proposed alternatives to cookies are:

      1. sending exactly the same kind of state information (session ID etc.) but in places like hidden POST fields instead of cookies

      2. using covert browser fingerprinting on the server side.

      Exactly how is either of those approaches not at least as capable of covert tracking of your visitors? Not to mention being more than a little creepy, particularly in the latter case since even a user who has explicitly chosen to disable cookies and send Do Not Track is still probably going to wind up in your system. And of course being far more work to implement and test, because instead of using the tool designed for the job you insist on trying to force another tool designed for a different job to do the work instead.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    9. Re:Like anyone is going to follow this by Anonymous+Brave+Guy · · Score: 3, Informative

      You are acting as if the WWW will collapse if you have to ask users for consent to track them.

      You're still using that word "track" in a way that no-one else in the world does. You aren't going to win any debating points like that.

      Also, the WWW wouldn't collapse, but it would become significantly harder for those running web sites -- which you apparently value enough to visit them if any of this is a problem for you in the first place. It would be more difficult to optimise sites according to what users were actually looking for and how they were really using them. That would inevitably mean site operators couldn't convert as many visitors either, which in turn would inevitably mean that some good sites that were only borderline financially viable in the early days would fail unnecessarily, leaving no site to benefit anyone.

      Have you no decency, or are you trying to hide what you want to do with my info?

      What info do you think I am magically getting? It's not as if these things are giving up your name, DoB and home phone number. Your average analytics cookie is just a random number, and is completely anonymous. And even if I did collect personal information from you, which for example you might volunteer when signing up for an account, I would be constrained by exactly the same data protection laws as anyone else handling any other kind of personal data in my country, including filing (at my own cost) details of what I'm collecting and how it is used with my government's data protection officials, who will then make it available to the public so that anyone, including you, can read it.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    10. Re:Like anyone is going to follow this by crutchy · · Score: 2

      i didn't realise there were goalposts

    11. Re:Like anyone is going to follow this by Anonymous+Brave+Guy · · Score: 2

      You've just attempted to quietly redirect the entire discussion from cookies in general (which have many valid uses) onto third party cookies (which have rather fewer valid uses and some obviously sinister ones).

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. Cookies suck by symbolset · · Score: 2, Interesting

    The WWW is supposed to be stateless for a reason. I'm going to come right out and say that the cookie is the dumbest invention since Token Ring.

    --
    Help stamp out iliturcy.
    1. Re:Cookies suck by Anonymous Coward · · Score: 3, Insightful

      Says the guy logged into /. via cookies

    2. Re:Cookies suck by mark_elf · · Score: 2

      Prefers flamethrower (ibid.).

    3. Re:Cookies suck by mwvdlee · · Score: 3

      The WWW is supposed to be stateless

      According to who?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Cookies suck by symbolset · · Score: 4, Interesting

      Tim Berners-Lee. The guy who invented the thing.

      --
      Help stamp out iliturcy.
    5. Re:Cookies suck by Blakey+Rat · · Score: 3, Interesting

      And God-forbid someone copies their URL and pastes it to a buddy on IM or Twitter.

      Oh wait, let me guess, you combine your URL session with an IP address, right?

      In which case: God-forbid someone switch wifi networks expecting their session to still be valid. Ride mass-transit? Do they provide wifi with a constantly shifting IP as the train moves? Good luck getting on to my super-awesome no-cookies site! Cellphone? Idiot! Cellphones can no longer browse the web!
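The failure cases argued over in this sub-thread and in the earlier replies about IP-based logins, as an added example that is not part of any comment: a simplified model of the "IP address plus username" scheme next to a random-token session cookie, run through the shared-NAT and changing-network scenarios. The store names, addresses and cookie name are constructed, and the expiry timer is left out.

```python
import hashlib
import secrets

IP_LOGINS = {}       # scheme A: client IP -> username (expiry timer omitted)
TOKEN_SESSIONS = {}  # scheme B: sha256(token) -> username


def login_by_ip(ip, username):
    """Scheme A: remember that this address logged in as this user."""
    IP_LOGINS[ip] = username


def who_by_ip(ip):
    """Scheme A: whoever arrives from a remembered address is that user."""
    return IP_LOGINS.get(ip)


def login_with_cookie(username):
    """Scheme B: issue a random token; only its hash is kept server-side."""
    token = secrets.token_urlsafe(32)
    TOKEN_SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = username
    # HttpOnly keeps page scripts away from the token; Secure keeps it off plain HTTP.
    return f"sessionid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def who_by_cookie(cookie_header):
    """Scheme B: look the presented token up by its hash; no token, no user."""
    pairs = (item.split("=", 1) for item in (cookie_header or "").split(";") if "=" in item)
    cookies = {name.strip(): value.strip() for name, value in pairs}
    token = cookies.get("sessionid")
    if not token:
        return None
    return TOKEN_SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())


def run_scenarios():
    """Replay the thread's scenarios against both schemes."""
    IP_LOGINS.clear()
    TOKEN_SESSIONS.clear()
    nat_ip, train_ip = "203.0.113.7", "198.51.100.23"   # documentation address ranges

    login_by_ip(nat_ip, "alice")
    set_cookie = login_with_cookie("alice")
    alice_cookie = set_cookie.split(";", 1)[0]   # "sessionid=<token>", as her browser returns it

    return {
        "ip: other person behind the same NAT": who_by_ip(nat_ip),
        "ip: alice after changing network": who_by_ip(train_ip),
        "cookie: other person behind the same NAT": who_by_cookie(""),
        "cookie: alice after changing network": who_by_cookie(alice_cookie),
        "cookie: guessed token": who_by_cookie("sessionid=guess"),
    }


if __name__ == "__main__":
    for scenario, user in run_scenarios().items():
        print(f"{scenario:45} -> {user}")
```

Because the token travels in a header rather than in the URL, a link pasted into IM or Twitter carries no session with it.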

    6. Re:Cookies suck by dmomo · · Score: 3, Informative

      No. HTTP is supposed to be stateless. WWW just makes liberal use of HTTP. Every HTTP request should be made in isolation. WWW can still be stateful while sticking to this convention.

  3. Dumb laws are dumb. by VortexCortex · · Score: 5, Informative

    When you go to a web site that "stores cookies" in your browser, what happens is that an HTTP "Set-Cookie" header is sent to your browser. YOU HAVE THE POWER TO DISABLE COOKIES in your browser. It's not like the remote site can make your browser save the cookie.

    The user already has every capability to prevent the remote sites from storing any cookies. Simply DISABLE ALL COOKIES. Then, if you run across a site that has a feature requiring cookies (stateful sessions, like logging in), then and ONLY THEN DO YOU ENABLE COOKIES for that site alone. White list it. Oh your browser doesn't have a white list? YES IT DOES. IE does. FF has the Cookie Monster plugin among other ways, Chrome has -- Fuck Chrome! Chromium Exists. Chrome is closed source and has Google's secret advertising sauce added if you don't like cookies why would you use Chrome?! Google Sells Ads.

    Now, being a primordial deep one from time immemorial, I remember an age before cookies existed. I used caller ID, bitrate and handshake timings to log and verify my visitors' identity in the BBS era. Then came the Internet. I used a hash of the user agent, IP address, and other header strings along with URL munging (crazy crap you see after the ? in your address bar) to identify and verify users. Cookies allowed us to stop crapping up every URL on the page, and causing massive link rot... So, you want to make laws about cookies, eh? Well there are levels of tracking we are willing to accept, and we don't even need the damn cookies to do so. Enjoy server side storage of your IP address, browser signatures, and Query Strings cocking up your bullshit European URLs....

    Get bent morons. Cookies are good for you, at least YOU can control them. You can't very well control whether or not servers use URL munging....

    1. Re:Dumb laws are dumb. by epp_b · · Score: 4, Insightful

      I've been wanting to say exactly this every time I see another retarded story about cookies. Thanks for giving me a hand.

      Just in case it was missed: COOKIES ARE HELPFUL TO YOU, YOU MORONS.

      Want online shopping? Cookies.
      Automatic login to 9000 different sites? Cookies.
      Remembered configurations and searches? Cookies.
      Convenient URLs that you can remember? Cookies.

      As the parent explained, YOU hold the control in deciding what, how and when sites can store cookies on your machine. If you can't be arsed to spend a half hour learning to protect your privacy, you don't deserve it.

      Dim-witted, pandering, posturing politicians passing some idiotic "cookie legislation" is going to cause you to have *less* privacy, security and convenience.

    2. Re:Dumb laws are dumb. by Post-O-Matron · · Score: 2

      It's not as simple as that. You are missing the usual "but we are geeks" syndrome. For a /.er disabling all cookies and then inspecting incoming ones individually to decide which to enable might be something they can do and are willing to invest the time in. For normal people doing that for every website they use isn't really a viable option.

      Hence a law that forces website owners to break down cookies to roles and present Mr. Normal Person a simple explanation of what they do and allow them to enable them or not.

      Think about it like Firebug's cookies tab for non-techies.

  4. They could have been a positive thing by Grayhand · · Score: 2, Insightful

    I still remember back in the late 90s when we all blocked cookies. Now if you do it cripples a lot of the internet sites. Sad how badly abused our privacy is these days. Cookies could have been handled in a non-evil manner but it wouldn't have helped the corporations invade our privacy.

    1. Re:They could have been a positive thing by LMariachi · · Score: 3

      How do non-third-party cookies invade your privacy?

    2. Re:They could have been a positive thing by Tom · · Score: 2

      1st party cookies are exempt from this regulation in many cases.

      Read, comprehend, think, comment - preferably in that order.

      --
      Assorted stuff I do sometimes: Lemuria.org
  5. Why is the burden on millions... by LMariachi · · Score: 4, Insightful

    This is stupid. Why is the burden on millions of websites instead of a handful of browsers? Mandate that any web browser distributed in the U.K. default to "Ask me before allowing cookies." It should be the default anyway.

    1. Re:Why is the burden on millions... by SurfaceMount · · Score: 2

      You may want to deal with every single session cookie on every single site you visit

      That's basically what the EU wants isn't it?
      They want every website to give you a popup asking if they can set a cookie on your browser.
      Of course if you say No the website can't store your choice in a cookie, so you're going to have to say No every time you visit.
      Sure browsers could be modified to always say Yes/No.....oh right that's exactly what they already do now.

      Browser cookie blocking is superior, so why not just keep using that instead of misguided server side permissions?

    2. Re:Why is the burden on millions... by JDG1980 · · Score: 2

      If anything NoScript should be default browser functionality.

      Running NoScript means essentially every web site is broken by default, and you have to whitelist whatever domains they use for scripting to make it work. Invariably, people will just choose "allow all" to get things going. What's the point?

    3. Re:Why is the burden on millions... by pe1chl · · Score: 2

      The way it is implemented here in the Netherlands is that cookies required for technical operation,
      like login sessions, store baskets, user preferences are allowed but cookies used for other purposes,
      like tracking site visits and controlling ad placement, are not. (unless allowed explicitly by the user)

      What is required now is an extra field in the cookies that conveys cookie intent, and a setting screen
      in the browser to allow/deny cookies with given intent (as a default).
      So users can opt-out of tracking and still be able to login and shop without having to confirm their
      cookie acceptance for every site.

  6. So what you're saying is by Nihn · · Score: 4, Funny

    They have been accepting money but not producing anything...politics as usual.

  7. It's a damn stupid law by maroberts · · Score: 5, Interesting

    Am I the only one who thinks that these popups which state "we're using cookies" are highly annoying?

    Almost everyone apart from your aged grannie knows that you are tracked on sites by use of cookies, so what is the point of this bureaucratic nonsense? It's almost like a secret plot; a small step to making the net unusable.

    If you really want to ban something, block sites from opening 3rd party poker/porn sessions in windows behind your current window, not that such things happen to me of course.....

    [/rant]

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

    1. Re:It's a damn stupid law by coofercat · · Score: 2

      I actually agree with you - it's a futile law. However, what it has done is made website owners think about what they're doing. Granted, most just say "we use cookies, if you use our site you agree to get them from us", but some sites are dropping the 3rd party cookies they don't need because they don't want to have to argue the toss for something they don't use.

      This hasn't revolutionised anything, it hasn't even made an incremental change, but it's started a conversation. In that sense it's good. In most others it's an expensive waste of time.

      Personally, Ghostery does all I need to stop this sort of thing. I pretty much recommend absolutely everyone uses it. The only places I've found it needs any manual intervention is on sites like Thingiverse that use a third party comment system. However, you can tell Ghostery just to block cookies and not all the other shenanigans that sites use to track you, and then you'll have slightly less privacy, but 100% functionality.

  8. A Solution ... by epp_b · · Score: 2

    Have a website? Disable and redirect EU visitors to a message explaining that they cannot use your website until they pester the morons in government who implemented this crap until it's reversed.

    I'd love to see something like this gain traction. All it would take is a big player like Amazon to make this happen.

  9. ... just for 3rd party cookies by martijnd · · Score: 2

    The law in the Netherlands is that you have to inform users that you are going to put a cookie on their computer.

    EXCEPT if the cookie is required for the core functionality of your website. So your shopping cart can put its 1st party cookie, and you are not in hot water.

    Most websites use Google Analytics. That is where you have to start putting up the "Smoking Cookies Kills" banners that will likely hurt your website's traffic significantly. The best thing is to avoid the banner altogether and stay still within the law.

    So it's time to drop Google Analytics; it's cool, it's nice and now a drag on business.

    I have already found one alternative that looks half decent and doesn't require me to put up any cookies at all: PiWik (http://piwik.org/)

  10. Some can't see the forest for the trees. by el_flynn · · Score: 3, Insightful

    I think a lot of comments here are focused on the wrong thing.

    TFA says "the ICO has yet to investigate a single website... because its investigative team isn't ready to start work - more than a year after the new laws came into force". So TFA is more about a culture of "shoot first ask questions later" that is prevalent in government agencies - NOT about the validity/ethics of having the rules in the first place. It's already in place, people - arguments about whether cookies are good or bad should have already taken place ages ago when vetting the rule.

    So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

    --
    The Wknd Sessions - Malaysian and South East Asia independent music
    1. Re:Some can't see the forest for the trees. by Dark$ide · · Score: 2, Informative

      So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

      The UK Gov't is only implementing what the stupid folks in the EU Gov't told them to. The real problem is that the EU Gov't allowed this crap to go through in the first place. We need to get some (members of parliament) MPs and (members of the European parliament) MEPs who have a clue about IT, who have a clue about how the Internet works. That's the underlying problem - we've got clueless career politicians with a supporting organisation made from clueless lawyers and MBAs.

      --

      Sigs. We don't need no steenking sigs.

  11. facts by Tom · · Score: 4, Informative

    I hate to burst everyone's babble with facts, but here you are:

    http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

    important key points:

    • Implicit consent is valid in many cases
    • some cookie uses are exempt, especially session ids, shopping carts, etc.

    Sorry for brutally slaughtering half the comments posted so far.

    As I read it, what this basically asks me to do is put information that my site uses cookies somewhere with a link to a page that explains what I use the cookies for. If you're doing the usual stuff (session ids), you're probably done with two sentences.

    --
    Assorted stuff I do sometimes: Lemuria.org
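The exemption for session and shopping-cart cookies described in this comment, and the per-intent allow/deny idea from the earlier Netherlands comment, as an added example that is not part of the thread: a server-side gate that lets exempt cookies through and withholds every other `Set-Cookie` header until the visitor has opted in to its purpose. The cookie names, the purpose labels and the `cookie_consent` format are all assumptions made for illustration.

```python
# Added example: consent gate for outgoing Set-Cookie headers.
# Cookie names, purposes and the consent-cookie format are all constructed.

# Register of every cookie the site sets and why it sets it.
COOKIE_PURPOSES = {
    "sessionid": "strictly_necessary",   # login session
    "cart": "strictly_necessary",        # shopping basket
    "player_size": "preferences",
    "_analytics_id": "analytics",
    "ad_partner_uid": "advertising",
}
EXEMPT = {"strictly_necessary"}          # purposes set without asking
CONSENT_COOKIE = "cookie_consent"        # hypothetical; value like "preferences.analytics"


def parse_cookie_header(value):
    """Turn a request Cookie header into a {name: value} dict."""
    pairs = (item.split("=", 1) for item in (value or "").split(";") if "=" in item)
    return {name.strip(): val.strip() for name, val in pairs}


def granted_purposes(cookie_header):
    """Purposes the visitor has opted in to; unknown labels are ignored."""
    raw = parse_cookie_header(cookie_header).get(CONSENT_COOKIE, "")
    askable = set(COOKIE_PURPOSES.values()) - EXEMPT
    return {p for p in raw.split(".") if p in askable}


def filter_set_cookie(set_cookie_headers, cookie_header):
    """Split a response's Set-Cookie values into (allowed, withheld)."""
    granted = granted_purposes(cookie_header)
    allowed, withheld = [], []
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        purpose = COOKIE_PURPOSES.get(name)      # None means nobody registered it
        # Assumption of this example: the cookie recording the choice may always be set.
        if name == CONSENT_COOKIE or purpose in EXEMPT or purpose in granted:
            allowed.append(header)
        else:
            # Fail closed: unregistered cookies are withheld and reported.
            withheld.append((name, purpose or "unregistered"))
    return allowed, withheld


# Constructed response headers, as an application and its third-party tags might emit them.
SAMPLE_SET_COOKIES = [
    "sessionid=c29tZS1yYW5kb20; Path=/; HttpOnly; Secure",
    "cart=sku1234x2; Path=/",
    "player_size=large; Max-Age=31536000",
    "_analytics_id=8841672093; Max-Age=63072000",
    "ad_partner_uid=77f0; Domain=.ads.example; Max-Age=63072000",
    "legacy_widget=1",
]

if __name__ == "__main__":
    for label, request_cookies in [
        ("first visit, nothing granted", ""),
        ("analytics + preferences granted",
         "sessionid=c29tZS1yYW5kb20; cookie_consent=preferences.analytics"),
    ]:
        allowed, withheld = filter_set_cookie(SAMPLE_SET_COOKIES, request_cookies)
        print(label)
        print("  set:     ", [h.split("=", 1)[0] for h in allowed])
        print("  withheld:", withheld)
```

The withheld list doubles as an audit trail: an "unregistered" entry is a cookie somebody added without recording what it is for.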