EU May Outlaw Cookies

Millennium writes: "According to Yahoo News, The European Commission is considering a privacy directive which, among other things, completely bans the use of cookies. Forgive me for saying so, but considering all the legitimate uses of cookies, isn't banning them outright going just a bit too far?" Update: 10/31 19:21 GMT by M : The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.

the wrong solution for the wrong problem

[fetta]

The EU appears headed toward a classic error - they haven't defined the problem correctly. Instead of asking "how can we protect the privacy of our citizens" they asked "how can we prevent organizations from using this specific technology to invade our citizens privacy."

Whoever proposed this absolute ban on cookies clearly has never done any kind of web development. Sheesh.

They should outlaw pencils and paper, too

[nate.sammons]

I mean, I could write some personal infomation
on that paper and slip it under your mousepad.
Then, later, I could update that piece of paper
with new information.

What's good about this:

- Someone, somewhere is taking privacy
seriously.

What's bad about this:

- It demonstrates a fundamental lack of
understanding about the modern world.

Overall, I say it's good. They are *thinking*
about privacy, which is more than the US
Government is doing (aside from thinking about

how to get rid of privacy).

-nate

Accept/Deny Cookies are good

[barnaclebarnes]

The Accept/Deny/Only this time cookie management idea that is turned on by default in Konquor is great (and an option in Mozilla). Once you have got through the first couple of weeks accepting cookies from the sites you trust/like and rejecting all the doubleclick and other ad site cookies you only have to accept/deny cookies every few days (depending on your surfing habits).

Why is privacy so desirable?

[Gray]

I don't understand the motivations..

If you have something to hide, the problem is not with people fiding out, it is with the reason you desire to hide it.

Privacy solves nothing, it just allows people to ignore problems.

Besides, technology will eventually make all of this moot. Dust sized video camera stuck to everything, only way to avoid that is a really trustworthy police state, and that sounds just *so* much better..

Re:not banned outright

[macdaddy]

"The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users..."

Then again binoculars and small video cameras 'may seriously intrude on the privacy...' of European people too. Are they going after things of that nature as well?

Why ban them?

[SonOfSam]

Wouldn't it make more sense for them to require companies/sites to ask permission before writing or accessing a cookie? I mean, anything can be used the wrong way, and abused.

It may be in the best interest of the Internet though, because many sites require cookies. Maybe that would force said sites to have a cookieless solution, or miss out on all the possible readership. Itll be interesting to see what happens in the future.

Typical Shortsighted Slashdotters

[sessamoid]

"you can already turn off cookies... blah blah blah"

This isn't about slashdotters, it's about end-users, the vast majority of which have no idea what the heck a cookie is, much less where they can be found and what they can do. The average web user only knows that if he "turns off all cookies" much of the stuff he wants to do on the net doesn't work anymore. If he elects to review each and every cookie, he ends up spending more time clicking "Accept" than actually using the web. Actually, let me correct that. The average web user doesn't even know there's a menu with "cookies" mentioned.

I think requiring web sites to expliciting notify and obtain permission to track and store personal information via cookies is not necessarily a bad thing. Not all cookies are about tracking where users go, nor about keeping personal information.

Does anybody have a link to the actual legislation? Rather than assuming what we think is going to be in it and screaming at the top of our lungs, does anybody actually know what they're proposing exactly?

Re:Why!

[Rob Simpson]

Darn right. If you set it to confirm, the #%!# sites just won't take no for an answer... they'll just keep asking. Over and over. Until you say yes. Can you say "harassment"?

And if you turn them off, a lot of things just won't work.

Browsers and Cookies

[vlad_petric]

It is pretty obvious that cookies are used for 2 main purposes: session tracking and navigation tracking. While the first is a legitimate use, the second is one of the worst violations of privacy EVER.

The real problem is that the most popular browsers only allow you to block/unblock cookies globally, therefore if you want privacy, the sites that rely on cookies won't work. Even scarier is the fact that, the more popular a site, the greater the chance that it requires cookies (personal observation). When given a choice (one might argue that it's not really a choice, since cookies are enabled by default) between lack of functionality and lack of privacy, most of the users prefer lack of privacy.

The Raven

Re:cookies

[mcramer]

Everything that's written correctly, session don't have to rely on cookies. The other most commond method is url rewritting.

Ugh. Please. URL rewriting is about as ugly a way to track sessions as I can imagine. Yes, it works. Yes, it works without cookies. But as soon as people start emailing links to other people, it all goes to hell. I've been there, I've done it, and I won't do it again.

How to have your cookies and eat them too

[Anonymous Coward]

Kinda off topic, but the best solution I have found for cookies is to allow them all, but make the cookies file read only. This fools sites into thinking you allow cookies and still allows session cookies, but stops persistent ones. When you want to add a cookie, "unlock" the file, accept the cookie and then lock it again.

Warning: I have only tried this with Netscape and Mozilla on PCs and Macs, otherwise YMMV.

Nonsense

[Anonymous Coward]

This is a rumour that seems to have popped up over the last couple of days which is total nonsense.

The truth is that there is an EU legislative proposal currently in drafting that includes some propositions on how to combat the threat to privacy which we are all starting to face from companies like Doubleclick.net and other advertising agencies which have systems in place which combine large scale website tracking with real world identification systems.

Basically allowing them to know who you are and which websites you are visiting, for how long, what you are doing there etc. all without you knowing.

The sort of stuff that we fear goverments may one day start doing which is already being implemented by various commercial organisations

Thankfully the EU have decided to do something about it. How this has been interpreted into a complete ban on cookies is beyond me.

The closest anything comes to being of the sort is a possible solution included among many that would stop 3rd party advertising cookies from tracking which websites people visit without the users consent.

Things will break

[whjwhj]

I have a number of customers in Europe (particularily in Germany) who express a great deal of trepidation and fear about cookies. Particularily from folks who aren't tech savvy. I once wrote an entire web app that maintained state using GET paramaters and hidden input fields, all because they fear cookies. But since then, I've written many apps that wholeheartedly rely on cookies. If the EU were to ban cookies altogether (which apparently they may not) ... well my customers are going to have to shell some good ol' US dollars my way to make things work! I say bring it on!

Re:How do you deal with bookmarks

[slazlo]

What if in my site there is content that the users may wish to bookmark? Do you use an url rewrite to strip out old session data and create a new one? Plus have you had any feedback from users that like may be turned off by the unappealing url appearance?

Alternative to cookie: URL-rewriting and its flaws

[fractalus]

Ultimately there are too many applications that run over the web that have to have session identifiers. Sometimes it's so that it can identify returning visitors, sometimes it's so it can just track some current information (like your shopping cart). Somewhere, it's going to have to stick that session identifier in there.

You can put it in the cookie, but that means people who disable cookies on general principles can't use your site. Sort of a nuisance.

You can put in on the URL, but if you do that, you have to be aware that people may send URLs containing session identifiers to their friends by e-mail, or they might post them to a newsgroup, or better yet, they might just put up their own web site with a link with that ID in it. I've seen all three in sites I've worked on that use URL-rewriting.

Because we wanted to avoid cookies, we started checking referrers on inbound requests. Yes, of course referrer can be spoofed; that's not the issue. We simply wanted to catch casual sharing of URLs containing session identifiers. Any referrer that doesn't match the site of the actual request, or where the session ID is different than the one in the request, is rejected; a new session is established at that point. If the request was for an interior page that requires logging in first, the user then gets booted back to the site entrance or a login page.

It really depends on whether you want to go ahead and use cookies or not. I prefer not. Cookies certainly are not the only way to manage sessions.