Slashdot Mirror
Changes Are Coming To the EU's Cookie Directive, But It's Not Going Away (softpedia.com)
An anonymous reader writes: The European Commission is listening to suggestions regarding EU laws on privacy and electronic communications (e-Privacy), among which is also the EU Cookie Directive that has made the lives of EU Internet users a living hell. The EU Commission has started an open consultation on this topic and is inviting users and businesses to provide their opinion. From the consultation's text, which is nothing more than a survey, one could argue that the EU isn't intent on removing the directive at all, but only making small adjustments. In its current implementation, most companies ask users if they're OK with storing cookies on their PCs and then collecting their data. One of the questions the Commission asked and is currently looking for an answer is whether companies should be allowed to deny users access to a website if they don't want to accept using cookies. The EU wants Internet companies to build alternative (usable) websites for people that don't want to use cookies at all, and so respect their decision for privacy.
Waiting for my cheque to implement an entire alternate back-end in 3.. 2.. 1..
Shh.
No, if you don't want to accept the terms of using the website (cookies in this case) you DON'T GET TO USE IT.
WTF is wrong with these people?
No kidding, they do realize that building, maintaining, hosting, and running a website is NOT free?
Governments already require a number of things of companies that wish to operate in their jurisdiction. I'm inclined to think this is a bad idea, but it really isn't any more restrictive than any number of other restrictions; to make such a comparatively minor point a deciding factor in a referendum about broad ranging economic and political union seems like a complete inability to keep a sense of perspective when making decisions.
Without cookies being sent back to the server, the server doesn't know what you were doing a moment ago. The design does not maintain the state of the system between transactions. There are other ways of doing this, but this is how http was designed. Yes, cookies are being used to track things that are not involved in the state of the transaction. But, it is hard to eliminate something that is key to the way that http works.
If the UK leaves the EU, that doesn't automatically mean the UK won't have to comply. Various non EU countries already have to abide by all kinds of EU rules as part of trade agreements with them.
The major difference in leaving would be that the UK no longer has any power in influencing these kinds of rules.
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
None of this is going to make sense as long as the laws continue to be so completely disconnected from the reality. If a user wants or doesn't want to use cookies, then they have already instructed their browser to take the appropriate action, and it will be perfect in a way that the laws cannot even begin to approach.
Anything the governments do related to this, is irrelevant and wasted. The absolute best case that anyone can hope for, is that they'll do no harm. And that, realistically, will never be achieved.
I have not noticed anything more than "mildly annoying". Hyperbole much?
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Choice is obviously the right thing but can or should the law FORCE website to behave like that? What if you don't have the resource to make it working without cookie? What if you need them really? I think the cookie blocking feature is already implemented in the "privacy mode" from all browsers. If you don't want them to track you... use the privacy mode!
There is a really easy, simple way developers can handle this. Don't use cookies by default. When the user logs in or adds something to their basket have the "you accept we use cookies, here's the privacy policy" text, but when the user simply visits the site don't set any cookies.
That would eliminate 90% of the annoyance and not place an undue burden on developers. It might annoy site operators who were hoping to create profiles of visitors, but fuck those guys.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Your browser uses cookies. You have the power to disable cookies in your browser settings. This website may only request that a cookie be stored, it can not force your browser to store the cookie or return the cookie at a later time. This website can not stop your browser from sending it cookies. Only your web browser can disable or delete cookies. You are even sending this website global session cookies that you or some other website asked to be stored, and there is no possible way for the operators of this website to stop you from doing so. By sending cookies to this website you consent to sending cookies to this website.
Only you can prevent cookies, and you have always had the power to do so. The EU legislators are morons, and it is impossible for this website to actually comply with their insane demands.
They already have little or no power to influence these decisions. The EU does whatever it wants without considering if the people will like it or not. And frankly, who can blame them? They are the smartest, best educated people in Europe and they are best-suited to lead. People aren't educated and can't lead themselves out of a paper bag.
I can't even imagine why the EU is soliciting advice on this cookie issue, what can the Great Unwashed tell them that their experts don't know already? My guess is, they're scared and fear their own power decreasing. So, they're going to make a few attempts at showing that they will change their stripes if only people will vote in the EU's interest instead of their own interests. Then they can dispense with these silly polls and referenda and get down to the business of ruling.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
The EU wants privacy to be the default. So when you visit a random web site it initially respects your privacy instead of setting over 9000 random cookies, evercookies, advertising ping-backs, web bugs, browser profiling scripts and other nasties, with a little "btw we just shoved a cactus up your arse, click here to read our anti-privacy policy" notice at the top.
While clearly a lot of sites won't work fully without cookies, as many people who block them will tell you a lot of functionality doesn't need them. I'm okay with logging in or adding stuff to a shopping basket including the cookie notice. The main thing is that I actively opt-in, not get bombarded and then later opt-out by leaving the site and clearing cookies.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
Laws should request the result, not the method of getting there.
Cookies have many important uses; most of them perfectly legitimate with no privacy ramifications. It is only abuse of cookies that pose a risk, and what might be regulated should be the potential result of motivations for abuse, not the means.
They should repeal the cookie directive and replace it with a "Privacy Directive", regarding retaining and linking personally identifiable information to web history gathered from 3rd party websites And only linking, making record of an association, or inferring personal information gathered by the same website when the information is requested and submitted through an interactive form, and all information that will be linked when information was provided is conspiciously disclosed.
I'm not sure that this is even a problem in practice (I've seen sites attempt to deny service when AdBlockers are used, but never when cookies are blocked), but since the EU would do a lot better to just fix the broken wording of the cookie directive to allow more flexibility in achieving compliance this might actually just be a flawed attempt to fix the problems the directive created in the first place. The only reason this is even an issue is because of the cookie directive's requirement that a site asks EU users for permission over cookies and tracking but then has to figure out how to remember that preference without using cookies or tracking URLs when a user declines to be tracked and has cookies disabled. Quite possibly they have to do that without using any JavaScript either, since there's almost certainly a significant overlap between those that disable cookies and those that run tools like NoScript. Given the number of sites that prompt for tracking permission on every page opened in that scenario this is apparently a problem that few website designers have been able to solve - although that's almost certainly a mix of poor coding ability, lack of imagination, limitations of the CMS, and deliberate attempts to frustrate site users into just accepting the cookies.
UNIX? They're not even circumcised! Savages!
If your business model depends on user agents accepting cookies, you are already screwed.
Users already had and have that choice, regardless of whatever laws EU enacts. They were working from a premise where the user is already 100% control of the situation. And that's why the laws look so hilarious (and pointless) to everyone who knows how the web works. Browsers store (or don't store) cookies at user direction, but I guess some lawmakers wanted to look like they exist for a reason, so they made up silly laws.
I've never understood the problem with cookies. Websites don't control cookies, the Web-browser does.
The browser should only maintain cookies associated with the browsing window for as long as that window is open. There's no use in anything else. No timers of any sort, short or long, it gets ignored.
Now scripting, that's another kettle of fish altogether.
This is the central disconnect with most politicians. They simply don't realize that doing things in business costs money, and you can't just get more of it from somewhere.
My Other Computer Is A Data General Nova III.
The problem is that this directive does not achieve that. The only thing you get (also here on Slashdot if you are in EU) is an interstitial asking you to accept the privacy policy/TOS/cookies. And then it is business as usual, with those 9000 random cookies, evercookies, adverts and pingbacks.
This law is addressing the symptom (cookies) and not the cause - companies wanting to hoard, mine and sell their visitors' data.
I think the intent of the EU was to make users aware that their activities were being tracked, unfortunately they focused on an implementation detail of how that could occur. Really they should be telling users precisely how they are being tracked, data retention and why.
The problem is that the legislators did not really understand the problem that they were trying to solve. The law was intended to require consent if you are tracking the user for longer than the current session. That's an entirely reasonable thing to do. The implementation was a complete disaster because it conflated a mechanism that's used for tracking (and more benign uses) with the act of tracking. To give a car analogy, it's like noticing that a lot of the people who drive dangerously drive red cars and then insisting that all red cars warn you of possible danger of accidents whenever they drive near you.
I am TheRaven on Soylent News
Now they want me to put seatbelts in my car?? Fuck that. Fuck that big time. If a customer doesn't like it, they can fuck off and buy some other car.
The cookie directive is about making users aware of surveillance. The EU (that is, the representatives of the member nations of the EU, collectively) have decided that surveillance by websites is potentially not in the consumer's interest, and the consumer should at least be aware of it.
As I understand it, now they're going a step further and saying, if you want to sell to EU customers, you must make your website work to some extent if the user opts out of the surveillance, rather than just telling them to fuck off. Just as, in other contexts (but also websites) you have to comply with regulations about disabled access, you can't just tell disabled people to go fuck themselves.
I understand that cookies are also used for legitimate reasons (session tracking by the website itself), but it's not impossible to write a website that doesn't break without cookies. (You should probably be making sure this is the case anyway, if you build websites.)
It mystifies me why anyone would object to regulation that benefits consumers. Aren't we all consumers? Isn't the power imbalance between us and business such that we should have someone regulating like this? And isn't it a good thing that it's done EU-wide rather than have a nightmarish piecemeal regulartory patchwork?
I hate 'webmasters' and how they think their job is to pull a fast one over the users.
ever look at yahoo's javascript, for example? its done on purpose to stop you from making meaningful global filters for adblock, etc.
the term 'webmaster' has devolved into something not worthy of respect (not sure it ever was, but now that web means 'content management engines' and not just content) and tricky ways to fuck you, the visitor, over, I am all for anything that makes THEIR lives harder and more painful.
see, they have become as slimey as salespeople and marketers. all people that are worthy of scorn and distrust.
they want to cry to me that they 'cant write web code' unless they force cookies and other stateful info on you?
fire them all and start all over again. 'nuke them from orbit' so to speak. the whole web thing is broken at this point and needs a complete redo anyway.
--
"It is now safe to switch off your computer."
It didn't inform me that the site uses cookies, but I checked, and there are 2.
Standard JSESSIONID and one that stores the value of whether the user has JS or not.
As an aside, the consultation is the least accessible piece of lawyer speak I have seen in a long time.
If you actually read the law, you would notice it's much more abstract as they do not even mention cookies. It is exactly as you described.
Furthermore storing data for functional purposes is totally fine on the condition that it's removed at the end of the session. If you go for permanent storage or you want to track your user then you need to ask permission. It doesn't matter if you want to achieve that through cookies, images, flash, localstorage.
I used cookies to keep track of the last message that users read and what files for download had been updated. It was a long time ago but you can use cookies for things other than tracking users for ads.
Frankly I thought I was respecting the user's privacy by storing that info on their system vs keeping it in a database.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
Cookies have many important uses; most of them perfectly legitimate with no privacy ramifications.
care to offer any proof for this asertion?
my experience - and likely that of EVERYONE ELSE - is that most cookes ARE there for tracking. did you ever look at them? ever see the 3rd party sites that store shit on your browser?
webmasters are out of control. they essentially report to the marketing dept, these days (unofficially, but the marketing guys run the show, which is why the web is in the ruined state it is, now).
pops, mouse-overs, model dialogs, all kinds of evil shit by these assholes and their minions. if I go to a popular website (which I rarely do) and see the adblock or noscript list of 'do you want to ok any of these?' the list is huge! more crap than content! this is what we now have. a web full of bullshit and junk for the 'regular people' and only the edge sites that are not mainstream can be viewed by those who have locked down their browsers and don't let them run rogue code from any old website.
so often, I'll go to a site, see a blank page, know that I was just saved a whole shitload of crap being thrown at me, I control-w it and move on to something else. fuck them and their javascript and cookie crap.
the web has, for the most part, turned as bad as television. both are sickening to view, when it comes to the mainstream sites.
again, its all the marketing and advertising pukes that have ruined a good thing. its always the case with those assholes, too. they can't leave good things alone.
--
"It is now safe to switch off your computer."
If a company doesn't want to meet the criteria for doing business in the EU, then the EU should be perfectly within its rights to stop it from operating within the EU. Companies, business and economy exist to serve human needs, not the other way around.
Enjoy your corporate overlords, then.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
If your business model depends on user agents accepting cookies, you are already screwed.
The girl scouts will be horrified to hear that...
Well currently the sites give the choice to accept or reject third party cookies in an annoying popup (this has already been forced by law), and if you say no, then as third party advertising is how they make money, the site will typically have to either present a limited experience, or no experience.
Now they want to force the sites to give an experience even if you reject the cookies. Maybe that would change the relationship between advertisers and sites (who would click yes in that situation!) so it is viable, or the sites will just not get any money and go out of business.
Sometimes I think that I should be able to pay a sub for "the techy website package" and have ad-free access to a range of techy websites, which share the income. Some sites do this themselves (e.g., Phoronix, Ars) already, but that's a PITA.
Oh, AdBlock.
Voters in the EU member countries elect both their national governments and European Parliament directly. So I have to ask: who wields the power of the tyrant within the EU, and how do they bypass democratic control?
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
Your ignorance never ceases to amaze me. Thank you once again for a wonderful insight into what it must be like living in your head. Truly terrifying.
Actually lawmakers seem to understand the technical issues extremely well. Take a look at the EU site on the subject.
They clearly differentiate between different types of cookie (session/persistent, first/third party) and list exemptions for things where cookies are necessary and don't interfere too much with privacy.
The real issue here is that sites haven't bothered to read the rules and just stuck a blanket "we use cookies" banner on everything, even if they don't need one. Reading the rules carefully, most sites could easily be implemented within the exemptions, as the EU is requesting. That includes advertising, as long as the ads don't use cookies.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
There's a simple solution: exempt session cookies, make the law harsher on persistent cookies.
All legitimate navigation needs are served well enough by session cookies. Legitimate uses of persistent cookies, such as "remember me" login or saving preferences require an explicit action of the user, and that can have a short cookie warning included.
By "make the law harsher", I propose requiring disclosing the actual purpose of gathering data, rather than saying just "to enhance your browsing experience".
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
You are respecting the user's privacy, and the EU specifically exempts the kind of cookies you are using: http://ec.europa.eu/ipg/basics...
So you don't need a statement on your site, your use is exempt from the rules.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I finally moved to the EU. I used to laugh at this back when it was first proposed but wholly crap is this annoying. There's almost no website I can visit which doesn't produce some boilerplate warning saying that for the site to work you need cookies. Worst part is it typically loads after the content, so if your computer if slow enough then you're already trying to click a hyperlink when the popup appears and the entire page moves and you click on the wrong link.
Nonsense. The EU parliament is elected directly, and the other two bodies (the Commission and the Council) are appointed by elected officials of each member state. If the electorates of Europe don't old them to account that's their own fault.
The EU tends to act in the interests of its citizens far more than the governments of many member states. To an extent that's because they are somewhat above national politics. For example, employment laws that favour workers, or ratings on vacuum cleaners so consumers can make an informed choice and not get ripped off by ever bigger motors that do little to improve cleaning ability.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
If a customer doesn't want to meet the criteria for using the website, then the website should be perfectly within its rights to refuse service.
N/quote>
It is perfectly reasonable to tell visitors that they are about to be spied on, if they enter a site, just like the law requires CCTV cameras to be accompanied by a warning message on a sign. It is part of being open, transparent and honest - something that is good for consumers and others; in fact, it is one of the many arguments in favour of remaining in EU. And anyway, using a thing like Privacy Badger in Firefox, you can selectively block cookies on any site very easily.
That system has been replaced by Drupal long ago but it didn't matter to me what the EU said. It was a US company and the website was hosted in the US. We respected our users privacy for the simple reason that they were our customers. They bought things from us and the website had 4 functions that justified it's cost.
1. Advertising our product.
2. Customer support and communications.
3. Updates.
4. An online store for customers to buy our products.
Most sales came from our sales force back then so the store was more for accessories and such.
We had no need to sell any advertising but our own.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
I've seen that interstitial when connecting from France, but not from the UK. I think maybe it's down to individual state's implementations.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I run a pretty good sized European news website an we manage to maintain a staff of about 100 without tracking our Users at all. Not Sure what you're doing wrong.
I run a pretty good sized European news website an we manage to maintain a staff of about 100 without tracking our Users at all. Not Sure what you're doing wrong.
You are running a good sized website without any analytics, or any login-functionality, or any Google ads or even the most basic ad targeting/frequency control that most ad buyers require today? It would be very interesting to know which site this is.
But browsers make this difficult. Either you accept ALL cookies (even the 99% that are evil) or you accept almost none. To accept cookies from just your own site most browsers do not give you an easy way to do this. Sometimes "don't accept third party cookies" will work but sometimes it won't because the cookie is coming from something that appears to be a third party site ("bringyourownbeer.com" uses cookies from "xyz.byob.com"). And the cookies have bizarre names with even odder contents, so if you're browsing through the cookies you can't tell if they're actually useful or if they're ad trackers.
I generally accept only first party cookies, but I discard them when the browser closes. With a few exceptions. And with those sites where I did add exceptions they still sometimes fail to remember what I've read; and it's too much of a hassle to track down the problem, and far too dangerous to allow third party cookies, so I don't bother and track it all up to yet another broken web site.
care to offer any proof for this asertion?
For starters..... Cookies are why I can navigate to http://slashdot.org/ every evening and post a comment without having to go through the repetitive task of typing in Yet another username and password every day.
Cookies are why I can go to Youtube and watch a video..... the first time I see one, there will be an Ad shown..... Then I can go back and visit Youtube.com a few minutes later, find a new video, and they will give me a break because i've just seen an Ad ---- they won't force me to sit through another 2 minute pre-roll Advert again for at least a while, because Cookies told them they already made me watch that crap on their website.
Those are just two uses of cookies that benefit me greatly and aren't a privacy issue.
'Webmaster'? Really? Is it 1996 again? You seem woefully out of touch with reality, ascribing all sorts of nefarious motives to people you've never met, without any evidence to support your rash judgements.
is the sole reason why I'm voting for the UK to leave the EU!
(Just joking, probably...)
And its another reason why I'm voting to stay....
A governmental organisation that it not, by default, automatically on the side of the seller instead of the consumer? Great! This, of course is why the most right wing, big money, parasites are keen to get us out so that we can head downhill to what people in the US have to put up with.
I'll see your Constitution and raise you a Queen.
Seriously, do i have to comply when i operate in the u.s?
Only if you want our money. If you have enough traffic, you are at liberty to geofence to your hearts content.
I'll see your Constitution and raise you a Queen.
Enjoy your surveillance state and complete lack of privacy in the UK.
I take it you have disbanded the NSA, FBI abd every other criminal TLA in your country?
People in most of the EU, even in the US/corporate friendly UK, have more privacy than you. They all would appear to have better internet privacy than you.
There is a difference between whining and boasting...
I'll see your Constitution and raise you a Queen.
If a user wants or doesn't want to use cookies, then they have already instructed their browser to take the appropriate action
That is true for people here but you should talk to some users sometimes...
I'll see your Constitution and raise you a Queen.
Thanks, that link was really useful
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
So, rather than denying access for those who don't wish to be tracked, can a company simply make its content pay-walled by default, but rather than paying $2 per month or something allow the users to accept tracking instead?