EU May Outlaw Cookies

Millennium writes: "According to Yahoo News, The European Commission is considering a privacy directive which, among other things, completely bans the use of cookies. Forgive me for saying so, but considering all the legitimate uses of cookies, isn't banning them outright going just a bit too far?" Update: 10/31 19:21 GMT by M : The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.

Privacy Paranoia

[Argyle]

All modern browsers allow users to turn off cookies completely.

People all ready have the choice.

You can't legislate stupidity out of life...

Enforcement Nightmare!(tm)

[hlprmnky]

I like the EU legislating content and practices on the Internet no more than I like the US doing the same. That which I tell you three times is true:

Education is the key, not legislation.
*Education* is the key, *not* legislation.
EDUCATION IS THE KEY, NOT LEGISLATION!

Thank you, and goodnight.

Even session cookies?

[ccarr.com]

I can see banning long-duration cookies, but e commerse would collapse without the session cookie, or something functionally eqivelant. A better rule would be to require browser makers to provide better granularity in cookie preferences, and to make the settings more conspicuous.

Outlawing Cookies

[BoyPlankton]

While I realize their security concerns, in my opinion the problem isn't with the cookies. The bigger security concern, is really with web bugs. The rest of the stuff that the EU seems to be concerned about really is data that could be generated by analyzing web server logs. The problem is with sites that monitor people across multiple domains.

Let's no throw the baby out with the bathwater...

[closedpegasus]

Yes, cookies can be used to track browsing habits of users.

But don't I, as a website administrator, have a right to know the usage patterns of my users? If I set up a lemonade stand on the side of the street, I know exactly who comes to my store, how many times they come back, and if I'm smart enough, I can use this information to my advantage to sell more lemonade (e.g., I know that Tom buys lemonade on his lunch break at 12:15 everyday, so I better be open then). Why should online business be put at a huge disadvantage? Cookies are a great tool for maintaining a state over a stateless protocol, and differentiating one users "session" from another.

And also, a great deal of code to keep people "logged in" to web sites uses cookies to maintain state. Without cookies, web sites are forced to use the IP address as the unique identifier to distinguish between two users. What about proxy servers and firewalls? DHCP and dynamic IPs? Maintaining state over HTTP would be a nightmare without cookies.

The only problem comes up when cookies are used across different sites, or one company sells your browsing habits to another without your consent. But by browsing a site, you are implicitly giving that site the permission to see what you are doing.

Opt-In

[bwt]

They should allow opt-in cookies, but I'd still like every site to be required to state what data it keeps in its cookies and what it does with it as part of its privacy policy.

I'd like to see browsers with more refined cookie control. I should be able to set the cookie policy for each domain.

They aren't going to ban them.

[Todd Knarr]

From what I read, they aren't banning cookies per se. What they're banning is any collection of personal information without explicit informed consent. So you can use cookies all you want, as long as you tell the user what personal information you're storing in them and let them say whether they want to allow it or not. And if you use cookies for things like shopping carts, where there's no personal information in them, then there's no restrictions on them. All perfectly sensible to me.

Alternatives would be more invasive

[gentlewizard]

I was initially caught up in the scare about cookies, especially when I discovered some clueless webmasters were storing my site password in cleartext in them. But over time, I realized that the alternatives for creating a stateful session might be far worse. Can you say Java / ActiveX?

BTW, does Microsoft Passport use cookies, or some other method? If they use cookies, I can just imagine the wheels turning in Microsoft's heads right now at reading this story!

Re:they don't know the user can disable 'em?

[Anonymous Coward]

Right, but you have to worry about that with cookies too. Per-session cookies help, but if the user doesn't close the browser, the next person will have access. Ideally each user would have their own login, with their own history (or without a history file), and log out when they're done.

A "log out" button on your site will prevent this problem if people remember to use it. You should also have a session timeout, but that won't help much in a library (people can get to the computers before they time out). If you use hidden form values, those won't be saved in the history. Make sure to send a header (or use a meta tag) to disable the users cache, and use HTTPS for any sensitive information.

On UNIX systems with Netscape, you can disable persistent cookies by linking ~/.netscape/cookies to /dev/null. Per-session cookies will still be allowed. It's a bit better than rejecting all cookies, since most sites requiring cookies will still work.

Re:cookies

[Anonymous Coward]

Your browser can remember logins for you without opening a hole for websites and adtrackers to collect information about your surfing.

Re:they don't know the user can disable 'em?

[Anonymous Coward]

Yes, but many sites will not let you access without cookies. If this legislation passed, they would have to change their way of doing business.

Re:cookies

[lordvolt2k]

> Session information could and should be keep on the server.

Session information IS kept on the server. All that is placed in the cookie for a session is your session identifier, a random but unique string. If this string is placed at the end of a url, then everything goes all to hell, because if someone logs in, then sends that url to their friend, then that person is also logged in as the first person, and hence a much bigger problem than cookies.

I wish I could find the zealots who proclaim that cookies are so evil. I had to give a whole presentation on what cookies are and what they aren't to this university just to build a PHP app that used sessions!

I guess, we could really inconvienience our users by having them log in each and every time they want to do something....

Again, legislating or litigating away technological progress isn't going to help anything.