
EU May Outlaw Cookies 287

Millennium writes: "According to Yahoo News, The European Commission is considering a privacy directive which, among other things, completely bans the use of cookies. Forgive me for saying so, but considering all the legitimate uses of cookies, isn't banning them outright going just a bit too far?" Update: 10/31 19:21 GMT by M : The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.
  • not banned outright (Score:5, Informative)

    by brlewis ( 214632 ) on Wednesday October 31, 2001 @03:07PM (#2503577) Homepage
    "Banning them outright?" Read the article before you post the article:
    The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users. The use of such devices should therefore be prohibited unless the explicit, well-informed and freely given consent of the users concerned has been obtained.''
  • by Fastolfe ( 1470 ) on Wednesday October 31, 2001 @03:13PM (#2503631)
    It sounds like all they want is a method to have the user explicitly agree to accept a cookie whenever one's proposed. Many (most?) browsers already support that functionality. Maybe browsers just need to ship with that defaulted to "on" for EU countries. I don't really understand why they're making such a fuss.

    To be honest, I think they're going about this thing entirely the wrong way. Don't attack a technology because it has the *ability* to do something you don't like. Attack those that are abusing the technology. In this case, full and proper support for the W3C's P3P initiative looks like it addresses all of the privacy concerns that go with cookies. Maybe they should be looking at this instead.

    One thing Microsoft has done right recently is P3P support in IE6, and setting the browser to default itself to what I would consider a reasonable setting out of the box, which automatically blocks a significant number of 3rd-party cookies. I love seeing this in action.
  • Re:cookies (Score:1, Informative)

    by VA Software ( 533136 ) on Wednesday October 31, 2001 @03:17PM (#2503668) Homepage
    Does passport use cookies too?

    Yes it does.

    See, for example, KB article Q299495 [microsoft.com]
  • by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Wednesday October 31, 2001 @03:22PM (#2503710) Homepage
    Banning cookies might get unexpected support: from the law enforcement camp. After all, if cookies are no longer permitted, those interesting session IDs have to be placed in the requested URIs. And these URIs are logged all over the place: by the web server itself, by proxies along the way, by the browser (in theory, session cookies should expire when the browser is terminated). So banning cookies makes session tracing much easier for everyone but the actual web server developer.

    Cookies, when used in a responsible way, can increase privacy. Of course, that is not true with those practically eternal cookies which expire some day in the year 2037 or so. On the other hand, there are other tracing methods such as exclusively dynamic URIs or even cache timing attacks [princeton.edu] (yet another interesting Felten paper, BTW).

    In my opinion, you should not outlaw the tool, but the intention to gather data. Recently, we've seen so many attempts at restricting tools which have some negative potential, completely neglecting the positive possibilities such tools present. Shall we make the same mistake again?

  • by anticypher ( 48312 ) <anticypher.gmail@com> on Wednesday October 31, 2001 @03:37PM (#2503808) Homepage
    Reading the Yahoo story, it's pretty clear the author took the Internet Advertising Board's press release and printed it almost verbatim.

    The proposed legislation has nothing to do with browser cookies, it focuses on regulating what kinds of private information marketing scum can gather and share without permission. The bill aims to prevent marketing firms from using any data obtained through illicit or deceitful means to be correlated with personal identities. It would also prevent marketing from using personal information to gather other info through other means.

    Web sites could still set cookies on your browser, and even track sessions from one logon to the next. But the web sites would not be allowed to match that information with individual identities. They could still gather statistics, monitor actions, and anything else cookies are useful for, but not for targeting individuals.

    This legislation was proposed before, but was stalled after the IAB and a few other telemarketing firms pooled their money to fight it. It has been delayed for a while, but is back for another round.

    the AC
  • by zmooc ( 33175 ) <zmooc@[ ]oc.net ['zmo' in gap]> on Wednesday October 31, 2001 @03:47PM (#2503848) Homepage
    The amendment, proposed by Dutch Parliament member W.G. van Velzen, likens cookies to ``hidden identifiers'' that track and store information on an Internet users' surfing habits.

    On this dude's homepage [wimvanvelzen.nl] (in Dutch...) his official statement does not say he wants to ban cookies at all. He's only proposing legislation in order to abridge tracking users' browsing habits and then using these to send them advertisements based on their habits without the users' knowledge. This is not a bad thing in my opinion; our normal use of cookies (e.g. no need to login to /. and tracking sessions on useful web-applications) will not be affected at all. Wim van Velzen's official statement can be found here [wimvanvelzen.nl] (Dutch).

    He doesn't sound like he totally understands cookies, though; he says things like "it's still unclear whether cookies can be used to gather information about other sites the user has visited" and he proposes a "maximum validity date for cookies" which has been there since t=0.

    So either I misunderstood all of this, Yahoo got this wrong, or Wim van Velzen's statement is incorrect, but I guess he wrote it himself so that's ok. Nothing to see here people ...move along.

  • by flufffy ( 192294 ) on Wednesday October 31, 2001 @04:38PM (#2504208)
    Cookies are useful. Whether they are good or not depends on what they are used for. I think that the maintaining state idea came before the e-commerce idea, although I would be happy to be corrected on this.

    Anyway, here's [netscape.com] an 'old' Netscape spec on cookies, on why they think cookies are useful.

  • Re:HTTP is stateless (Score:4, Informative)

    by sinster ( 518986 ) <sinster@@@ballistictech...net> on Wednesday October 31, 2001 @04:44PM (#2504251) Homepage
    That's just crap.

    Cookies are needed for only one thing. Every other current use for cookies can be done better without them, or (IMNSHO) shouldn't be done at all. The best example is session tracking. Those of my websites which need to track sessions all use URI mangling to do so.

    For instance, look at my website for AdAce [adace.com]. When you go there, you get immediately redirected to a URI that includes session information, that looks something like this: http://www.adace.com/0123456789abcdef0123456789abcdef/guest,0,1,1/index.html
    The long hex number and the comma-delimited string constitute your session id. No cookie needed. By using relative URIs in all the webpages, there's no problem with the mangled session information being lost: the browser thinks that it's just a directory path. In those few places where we need to use absolute URIs, we use a cgi or an apache content handler to modify the URI in place to include the correct session id. This number is used to look up your session data in a daemon running a simple database for that purpose -- and to verify that the comma delimited string hasn't been tampered with. The database exists purely in RAM. I've even locked the pages in place so there's no danger of them getting swapped. None of your session data ever goes onto a hard disk; only the fact of the session, as it appears in the server logs. My cgis (and a couple special purpose apache modules) all use an API library that I wrote in order to communicate with this daemon. That lets them get data out of your session record, and put data into it. The point of all this is that we hold the burden of maintaining your session information. No need for cookies.

    The only function provided by cookies that can't be done in any other way is what we in the advertising industry call "frequency capping". The idea is that you (the advertiser) have bought a big campaign with a lot of impressions, but you don't want one user to see your campaign more than, say, 3 times. So we need some way to track how often you've seen a particular campaign. If the campaign is all running on a single website, then it's easy enough to use other methods. But when the campaign is running across at least two unrelated websites, the adservers have to create and manipulate a cookie in order to track this.

    If you've ever received a cookie whose name is RMID, and whose value is just a number, then you've received one of these cookies. They're generated by RealMedia's (not to be confused with Real Networks, the makers of realmedia player) ad server for campaigns that have frequency capping turned on.

    These cookies are the only cookies ever generated or inspected by any AdAce machine. I am strongly opposed to the use of cookies in any situation where some other method is possible. And as CSO of AdAce, I've put my foot down on this issue: no cookies where we can do something else, and even if we can't do something else, no cookies if it's possible for it to be exploited by acquisition, mismanagement, or subpoena, to violate someone's privacy.

    (incidentally, this form of session tracking gives WebTrends conniption fits -- that's the main reason that I'm writing my own log analyzer)
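
The URI-mangled session layout described in the comment above, together with the logging concern raised earlier in the thread about session IDs in URIs, as an added example that is not sinster's or AdAce's code. Assumptions: a dict stands in for the RAM-only daemon, the id is generated with `secrets`, and the function names and log key are hypothetical.

```python
import hmac
import re
import secrets

# Path layout from the comment: /<32 hex chars>/<comma-delimited string>/<page>
SESSION_PATH = re.compile(r"^/([0-9a-f]{32})/([^/]*)/(.*)$")
SESSION_ID = re.compile(r"/([0-9a-f]{32})/")

# Assumption: a dict stands in for the RAM-only session daemon.
SESSIONS = {}


def new_session(state):
    """Create a session; return the path prefix that relative links inherit."""
    sid = secrets.token_hex(16)  # assumption: 128-bit id from the OS CSPRNG
    SESSIONS[sid] = {"state": state, "data": {}}
    return f"/{sid}/{state}/"


def resolve(path):
    """Return (record, page), or (None, None) for an unknown id or altered string."""
    m = SESSION_PATH.match(path)
    if not m:
        return None, None
    sid, state, page = m.groups()
    record = SESSIONS.get(sid)
    if record is None:
        return None, None
    # The server-side copy is authoritative; the string in the URI is only checked.
    if not hmac.compare_digest(state.encode(), record["state"].encode()):
        return None, None
    return record, page


def pseudonymize_log_line(line, log_key):
    """Swap the live session id for a keyed hash before the line is stored."""
    def swap(m):
        tag = hmac.new(log_key, m.group(1).encode(), "sha256").hexdigest()[:16]
        return f"/s-{tag}/"
    return SESSION_ID.sub(swap, line)


if __name__ == "__main__":
    prefix = new_session("guest,0,1,1")
    # Constructed access-log line in common log format.
    line = f'192.0.2.7 - - [31/Oct/2001:16:44:00 +0000] "GET {prefix}index.html HTTP/1.0" 200 512'
    print(resolve(prefix + "index.html")[1])
    print(pseudonymize_log_line(line, b"constructed-log-key"))
```

The keyed hash keeps sessions countable in logs the site controls without storing a usable id; proxies and browser history along the way still see the raw URI.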
  • by sinster ( 518986 ) <sinster@@@ballistictech...net> on Wednesday October 31, 2001 @07:01PM (#2504840) Homepage
    Please, Evelyn Wood isn't doing you any favors. Read a little more slowly:

    The session information doesn't get logged, only the fact of the session, in the form of the session id. The session info never gets written to any hard disk. Anywhere. It is completely impossible to reconstruct the contents of the session info by looking at server or proxy logs. Every page you go to that asks a user to enter information that will end up in the session data block is an SSL (v3) page. Not just that page, but the IMG links, post address, etc, so I can protect the referrer URLs, too. Yes, you could reconstruct small portions of the session data block by seeing which pages the user went to, but by no means can you get anything interesting.

    And you might want to try reading some web server configuration instructions some day. Not only can cookies get logged... not only do cookies get logged... but if you use cookies for session tracking and you want to use WebTrends to analyze your logs (as is precisely the case with most websites) then you /must/ log cookies. Netscape, IIS, and Apache all support the logging of cookies.

    Note that not only do I not use cookies, I also don't use WebTrends (any more). But that's untrue of the vast majority of commerce sites out there.
  • Re:Privacy Paranoia (Score:1, Informative)

    by Anonymous Coward on Thursday November 01, 2001 @08:07AM (#2506361)
    hell yeah, I mean, gosh aren't these people lazy, just turn off da checkmark. Don't make a whole technological system illegal, dude!
  • by Anonymous Coward on Thursday November 01, 2001 @12:09PM (#2507182)
    The DPD does not make it illegal to store information about EU-citizens outside of EU. It does however make it illegal to export information to countries that do not have adequate laws to protect the use of personal data. This law also makes it possible to file charges against organisations that refuse to delete your data. Charges shall be sent in to the local data inspection authority.

    Also, the EP is not elected proportionally in all member states. The council could not reach an agreement for an EP election law, and thus local legislation is used. This brings us to the problem. The UK does not have a proportional election system. In the UK there are three large parties (proportionally): there is Labour (social democrats), Torys(sp?) (conservatives) and Liberal Democrats (liberals).
    In the last election to the British parliament the proportional votes turned out to be something like: Lab: 45%, Tor: 25% and LiD: 20%. The places in the parliament turned to something like: Lab: 65% Tor: 25% and LiD: 3% (yes, three percent).
    The same is true in the election to the European Parliament. In the UK, which has around 80 MEPs in the EP, Labour received 45% of the votes and got 50-60 places in the EP. Now, do you believe that Labour or the Torys want to change this system? The Liberal Democrats surely want to change this IMO undemocratic system.

    I am not a British citizen, I am a Swedish citizen. But the UK electoral system (for the EP) does concern all Europeans I believe.

    --
    Mattias Holm
    mattias.NO.holm@SPAM.contra.TO.ME.nu
