
New EU Net Rules Set To Make Cookies Crumble

Posted by samzenpus
from the covering-your-tracks dept.
NickstaDB writes "From the BBC article: 'From 25 May, European laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies." These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"

  • by Anonymous Coward on Thursday March 10, 2011 @01:13AM (#35439486)

    They will just bury such "consent" in the EULA, privacy policy, terms and conditions, legal notices, and other such crud that no one reads.

    • by Anonymous Coward on Thursday March 10, 2011 @02:55AM (#35439898)

      Data protection legislation in the EU requires that explicit consent is given. That means clear, unambiguous, and upfront consent. You can't hide it in a blizzard of tick boxes or EULAs. Defaulting options to give consent won't work either.

      Big business might try to rely on a "permissive environment" of weak national regulators but the EU commission takes these things seriously. After stunts like data loss and Phorm they're wise to the tricks. Any wiseguy is just going to get their ass handed to them.

    • by Dunbal (464142) *
      Explicit. That means exactly that you can NOT bury it anywhere, it has to be right there with a Yes/No BEFORE the cookie is installed.
      • Do you have to click yes to all 12 trackers to "authorize the page to load"?

        "Sorry, you didn't agree to all 12 trackers, so therefore we can't afford to give you the page."

        • Sounds fine to me. If your content is really that valuable to me, I'll agree. If not, then I'll go to your competitor.
        • Fabulous. At least I now:

          a) know you are wanting to load 12 trackers
          b) can decide whether your site is soooo critical to me I'm willing to load them.

          The answer to b is "unlikely" - great thing about the web, if you're doing it someone else probably is as well. I'll go there.

      • Surely the "remember me" tickbox next to a login form just needs to be changed to "remember me with a cookie" and most sensible uses for cookies are covered (considering that the regulation has an exception for shopping cart contents).

        • by Joce640k (829181)

          Will the single checkbox apply to all twelve tracking sites which are attached to the page?

      • by andrea.sartori (1603543) on Thursday March 10, 2011 @06:15AM (#35440874) Journal
        Yeah, sure, because a Yes/No guarantees the user has a) read the message, b) understood what this cookie stuff was, c) consciously clicked the "right" button.
        Real world situation: "It asked me something." "What did ask what?" "Dunno, I just clicked OK."
        Come on. 80% of the malware in the world is installed exactly after "gathering explicit consent from Web users".
    • by Niedi (1335165)

      They will just bury such "consent" in the EULA, privacy policy, terms and conditions, legal notices, and other such crud that no one reads.

      Actually that's not even that important, because right now pretty much no member state cares for the fact that it should put this into local legislature.

      Britain is the first state to actually implement the directive, all others are lagging hopelessly behind and still want further discussion with the EU about the details. With the ad-lobbyists' heads firmly stuck to their backsides they will probably delay it until IP6 comes along or some other loophole (flashcookies...) is left in the directive/laws...

  • Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent. Time will tell how this all plays out, but it's safe to say that people get bored of clicking "allow" really quickly.

    Do browsers even ask if you want to allow cookies these days? I guess not? 10 years ago you did have to explicitly allow them (either globally or on a per-site basis) but I guess they are allowed by default these days? Can't remember seeing a cookie prompt in a long time.

    • by wvmarle (1070040)

      Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

      That sounds to me like implicit consent, while the EU requires explicit consent. Though I suppose asking permission once per site is enough - not every single visit. And after receiving such explicit permission the site may store a cookie on your computer indicating that they have that permission already.

      • Re: (Score:3, Insightful)

        by VortexCortex (1117377)

        Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

        That sounds to me like implicit consent, while the EU requires explicit consent. Though I suppose asking permission once per site is enough - not every single visit. And after receiving such explicit permission the site may store a cookie on your computer indicating that they have that permission already.

        Well, earlier today, I pasted this in my address bar:

        javascript:void(document.cookie = "reminder=Don't forget:\n\tCover page for TPS report.");

        Just now I pasted this in my address bar:

        javascript: alert( document.cookie );

        (Not a moment too soon -- I almost sent that report with the old cover sheet.)

        That message was sent to every website I visited today. I know damn well they don't have my explicit permission to read the cookie headers that my browser sends them -- Especially not when they contain

    • by Cimexus (1355033)

      I go with a whitelist approach. My browser is set to deny all cookies except those specifically allowed.

      The way I identified which ones to allow is by turning cookies on to 'accept all except third party', using the web as normal for a few days, then observing which cookies had been written. After filtering out the obvious ones that I didn't need, I added the rest to the whitelist. These are all from sites that I have to log into obviously, so I have [*.]slashdot.org, mail.google.com, etc.

      Only downside is i

      • by AmiMoJo (196126)

        I prefer to have cookies on but cleared when the browser is closed, with a whitelist of ones I want to keep. That way all sites work normally but their tracking cookies get deleted every time I close the browser, and I can stay logged in to sites I whitelist. It is a nice trade-off between privacy protection and ease of use, and as an added bonus it probably screws up a lot of tracking systems because they see me as a "new victim" every day.

    • You can set Mozilla to always ask, always accept, always reject, do one of those except for exceptions, accept for session only, remember your choices or not remember them, etc. At this point I don't know what the default is :-)

  • by mclearn (86140) on Thursday March 10, 2011 @01:30AM (#35439576) Homepage
    Cookies have legitimate uses that have nothing to do with "tracking". Perhaps the issue comes with trying to interpret the specific language used rather than knee-jerk "everyone must opt-in". If your cookies are not used to track -- if you do not use, for example, Google analytics -- then you are not in violation. The article basically states this.
    • by hedwards (940851)

      The problem is that a lot of sites include cookies for third parties without permission or any explanation. I regularly get requests for facebook to set a cookie for me. I'm not sure why most of those sites would do such a thing.

      But in general I've found very little help on sites explaining to me why various javascript or cookies are requesting to be loaded by my browser. And really it makes it tough for me to figure out what ones are really necessary and which ones might not be.

    • by Terrasque (796014)

      The Norwegian wording of it does not make any exceptions. Translated back to English, it's:

      Storage of information in the user's communication equipment or gaining access to such information data is not allowed.

      Such storage or access can still happen if the user has been informed by the data controller under the Norwegian Data Protection Act and has given his consent.

      There has been some screaming about it in the technical press, but the rest of the country doesn't understand what the fuss is about (as usual)

  • by amirulbahr (1216502) on Thursday March 10, 2011 @01:32AM (#35439584)

    The web browser, whichever one it is, that the user has decided to use should make the decision about whether or not to ask the user's permission to set a cookie. Websites are not doing anything malicious by setting cookies, they are simply asking the client browser to keep a bit of information and return it on subsequent visits. The web browser can ignore the request, ask the user for permission first, or silently accept it.

    Many browsers can be configured to operate in either of those three modes. Effort would be better spent educating users... or better yet... just let it go already it isn't a big deal.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Some cookies are used to remember login details, others are used to track your behaviour. You can't tell your browser to allow one type and block the other because your browser can't tell which one is which. That's what this law is about.

    • by wvmarle (1070040)

      The old Mozilla suite made it very easy to set cookies acceptance to "visited site only". No third-party cookies. So if I visit say slashdot.org I only accept cookies from slashdot.org and not from say adnetwork.com who happens to put an ad on that page. I like that option. Cookies have their use, keeping you logged in for example - often needed even within a single session - or storing certain personal preferences, yet ad networks have no business in tracking me.

      Later Firefox only had an all-or-nothing opt

      • Re:Wrong Solution (Score:4, Informative)

        by Nursie (632944) on Thursday March 10, 2011 @04:15AM (#35440306)

        Find a FF extension called "Cookie Monster" and then revel in the granular control you have once again :)

      • Later Firefox only had an all-or-nothing option when it came to cookies: accept all, or block all (with option for exceptions).

        Firefox may still have it but it's buried; now in FF 3.6.15 I can not even find a cookies setting in the preferences at all! The only way I can find to get to the cookies configuration is via about:config. I may miss something but it certainly is not very obvious.

        Not true. Firefox 3.6.15 speaking here: Edit/Preferences/Privacy: Unset the checkbox on "accept third party cookies", and set "Keep Until" to "I close Firefox". No harder than it was before. Also it is not a setting I frequently change so from the UI point of view I do not want a button or two-click access to it.
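
The browser-side policies described in the comments above (deny everything except a whitelist; accept cookies but clear them at close while keeping a whitelist; refuse third-party cookies) can be compared side by side. This is an added example, not code from any commenter or browser: the `[*.]slashdot.org` pattern syntax and the hosts slashdot.org, mail.google.com and adnetwork.com come from the thread, while the function names, policy fields and the browsing session are constructed, and "site" is approximated as the last two labels of the host name.

```javascript
// Added example (not from the thread). Only the "[*.]slashdot.org" pattern
// syntax and the host names slashdot.org, mail.google.com and adnetwork.com
// come from the comments; all function and field names are hypothetical.

// "[*.]example.org" matches the domain and every subdomain; a bare host
// name matches only that exact host.
function matchesPattern(host, pattern) {
  const h = host.toLowerCase();
  const p = pattern.toLowerCase();
  if (p.startsWith("[*.]")) {
    const base = p.slice(4);
    return h === base || h.endsWith("." + base);
  }
  return h === p;
}

// Assumption: a "site" is the last two labels of the host name. Browsers use
// the Public Suffix List instead, so this is wrong for suffixes like co.uk.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Returns "reject", "session" (dropped at browser close) or "keep".
function decide(policy, pageHost, cookieHost) {
  if (policy.blockThirdParty && siteOf(pageHost) !== siteOf(cookieHost)) {
    return "reject";
  }
  const listed = policy.whitelist.some((p) => matchesPattern(cookieHost, p));
  if (policy.mode === "deny-unless-listed") return listed ? "keep" : "reject";
  if (policy.mode === "session-unless-listed") return listed ? "keep" : "session";
  throw new Error("unknown mode: " + policy.mode);
}

// Replay a browsing session and report which hosts hold a cookie while the
// browser is open and which still hold one after it has been closed.
function simulate(policy, events) {
  const open = new Set();
  const kept = new Set();
  for (const { page, cookie } of events) {
    const d = decide(policy, page, cookie);
    if (d !== "reject") open.add(cookie);
    if (d === "keep") kept.add(cookie);
  }
  return { whileOpen: [...open].sort(), afterClose: [...kept].sort() };
}

const WHITELIST = ["[*.]slashdot.org", "mail.google.com"];
// Deny everything except the whitelist.
const denyUnlessListed = { mode: "deny-unless-listed", blockThirdParty: false, whitelist: WHITELIST };
// Accept first-party cookies, clear them at close, keep the whitelist.
const clearOnClose = { mode: "session-unless-listed", blockThirdParty: true, whitelist: WHITELIST };

// Constructed browsing session: { page being viewed, host setting a cookie }.
const SESSION = [
  { page: "slashdot.org", cookie: "slashdot.org" },
  { page: "slashdot.org", cookie: "adnetwork.com" },
  { page: "shop.example.com", cookie: "shop.example.com" },
  { page: "mail.google.com", cookie: "mail.google.com" },
];

console.log(simulate(denyUnlessListed, SESSION));
console.log(simulate(clearOnClose, SESSION));
```

Under the first policy the unlisted shop never gets a cookie at all; under the second it gets one for the session only, and in both cases the ad network's cookie is refused or never stored.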

  • The first time someone visits your website, you redirect them to a consent form and then if they opt out of being tracked, you just set a cookie showing that they've opted out so that you won't have to ask them again. See, problem solved.

    (I say that tongue-in-cheek, but it would actually probably work if you set a "don't track" cookie which wasn't personal to them. Most grocery stores also offer non-tracking versions of their loyalty cards. My dad has one for Harris Teeter and his card number is all zero

  • Have they costed how much it will be to make their own sites compliant?
    • Re:Clue stick (Score:5, Insightful)

      by Malc (1751) on Thursday March 10, 2011 @02:12AM (#35439738)

      I couldn't give a rat's arse how much it costs sites to comply. I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself. Cookies have been a fundamental feature of the web for a long time as a way to make the web a better experience for users, but I certainly didn't ask advertisers et al to abuse this functionality for things that aren't in my interest.

      • by agendi (684385)
        I don't mean corporates, I mean the Govt. agencies themselves that are currently using cookies, I bet they are one of the first ones that work around it AND bill the tax payer for the effort of outsourcing the work to a foreign multinational. Yay! In the end it won't change squat.
      • I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself.

        I'm going to assume you use Internet Explorer.

        1) Tools --> Internet Options --> Privacy
        2) Move the slider to "Block all cookies"
        3) Click apply. You're done! Cookies can never threaten your freedom again!

        And that option has only been there for what....10 years now? I remember learning about that back in 2001 when people were getting all freaked out about cookies, when I was just a teenager with no technical skill. And I know that Firefox and Chrome and Opera and Lynx and Links (having used them on go

  • Do not set any cookies if person is not registered (here is your consent). Problem solved. Actually, that would be pretty nice.

  • Sure, cookies can be used for shady purposes but for heaven's sake - every useful website I can think of uses the hell out of cookies. It's the only practical way to maintain UI state. Browsers already have the ability to warn per cookies. They used to come with this turned on by default, but most have stopped that now. Ever tried turning those warnings on in the past ten years? You can't possibly browse the web like that. Even a once-off per site setup is absurd. This is the result of passionate but ignora

    • by Nursie (632944)

      "Ever tried turning those warnings on in the past ten years? You can't possibly browse the web like that."

      Yup, it's crazy the number of cookies now being set/read when you visit modern sites. This is a very strong positive for the legislation though.

      Me, I use "Cookie Monster" in Firefox. It allows me to deny all third party cookies outright, and default-deny the rest. It has a neat little menu to allow cookies from a specific site on a temporary basis (Let it set cookies until the browser is restarted), allow

    • by KiloByte (825081)

      Browsers already have the ability to warn per cookies. You can't possibly browse the web like that. Even a once-off per site setup is absurd.

      For you. For me, it's a vital functionality, and one of the reasons I don't touch Chrome with a ten foot pole.

      Of course, I use once-off, with Cookie Monster to be able to alter the decision later as the built-in UI takes a couple minutes (!) to alter it.

      Most third-party bastards get onto my DNS-do-not-resolve list, too. Just blocking their cookie does hardly anything, they can use your IP and headers to get almost as much info. To the contrary, being warned about a new cookie is good since I know there's scu

  • How about a browser option of 'accept all cookies - but delete them once the session is over'?
    The tracking companies get their cookies accepted and privacy is maintained. Everyone is happy. Kind of.

    • by Nursie (632944)

      They should build the "Cookie Monster" addon into FF by default, with a sensible set of defaults (like auto-deny third party cookies).

      That would cover it.

      • by KiloByte (825081)

        Cookie Monster is damn nice, it just lacks one thing: the ability to let permanent cookies stay if you allow the site to do so. Currently, you need to go to that site again and login/set up/etc once more.

        I guess it's a problem in Firefox core -- if set to session cookies by default, it probably overwrites the cookie's expiration so Cookie Monster can't restore it

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Already exists in Firefox ! Accept cookies from sites ... Keep until: I close Firefox

    • by wvmarle (1070040)

      You mean like Firefox's Private Browsing mode?

    • How about a browser option of 'accept all cookies - but delete them once the session is over'? The tracking companies get their cookies accepted and privacy is maintained. Everyone is happy. Kind of.

      Done: Open Firefox > Tools > Start Private Browsing.

      This is the "mode" which you seek.

      The bullshit legislation won't matter. There are hundreds of hacks to store user state without cookies. All of the data can be stored server side, and if just one identifying piece of information correlates two user profiles (say, usage pattern, or time of day + IP address) then your data is being mined.

      Stop private browsing, go to a different website, the ads on that website link the current time of day

  • Ghostery for FF (Score:3, Interesting)

    by b4nd0ler0 (1597801) on Thursday March 10, 2011 @02:59AM (#35439924)
    As for third party cookies: I use Ghostery on Firefox and it works pretty well and it's pretty unobtrusive once configured. It's amazing to see how many of these cookies are used and abused. Some sites have literally dozens of them. (./ has two: Google analytics and Addthis). FB and Twitter are major culprits, they have no business tracking me when I'm visiting some other site, I'm not one of their users and I don't give a sh`t about what they do. I support this legislation, we just don't know how much user data these companies are gathering and for what use so it's basically saying that you cannot track people that don't want to be tracked.
  • This comes from anti-virus and anti-malware programs labeling cookies as threats in order to make themselves appear more useful than they really are: "oh look boss, this cookie was going to kill your cat!". So the layman uses his computer and sees his Norton fuck-ur-comp2201 report that www.target.com is trying to H4X0R their computer. Knowing the insidious nature of the evil corporate entity known as target said layman writes his representative informing him of the ticking time bomb Norton shit-tron-11
    • by zmollusc (763634)

      Could you explain why cookies are 'absolutely needed'? Or provide a link? I can see how cookies are useful, but I don't see how they are vital.

      • I mentioned it in my post:

        The only reason web sites use cookies is because they have no other way to distinctly identify which computer is hitting their web site from the other side of a NAT (your firewall).

        It's so they can tell it's the computer in the living room and not the computer in the bedroom. Or if you like an office analogy, it's so Sue in accounting doesn't get the same Facebook page as Ted in IT.

        Technically speaking, the only information visible to the servers on the internet is the IP/MAC

    • Coolhand2120, you've hit the nail precisely on the head.

      I remember back when anti-virus apps first started to whine about cookies, I was like, "what? do these guys have ANY CLUE how the web works?". I eventually came to the conclusion that they did, but that they were benefiting from the appearance that they were stopping all this "evil" stuff.

      Cookies are an absolutely essential way to maintain state across multiple visits from a given user on a web site. As always, XKCD is on-the-ball ... http://www.xkcd. [xkcd.com]

    • by wvmarle (1070040) on Thursday March 10, 2011 @03:54AM (#35440198)

      Well I agree with you that a cookie may not physically harm you; and that they are very useful tools for web site programming.

      Yet the primary problem with cookies is the third-party cookies that ad networks place on your computer. So this ad network can track which web sites you visit. This has no use for you as end user; it only serves to give the ad network more information about you. They can see you visit slashdot, they can see you visit certain lolcat related sites, they see you visit amazon, they follow you whenever you hit a web site where their ads (and cookies) are served. And that is the problem they most likely want to tackle as that is where privacy is an issue.

      • Not only is the cookie essential for web programming (session handling), but people trying to track you don't even need a cookie. They have a whole slew of other methods of tracking you, the cookie is only the tip of the iceberg. These companies are sharing information to bolster their own databases. If you go to any site that uses google analytics for instance, any other site running the same or similar tracking software can piece together your entire visit by your IP address alone. And that's before t
  • NickstaDB writes

    "From the CNN article: 'From 25 May, US laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies". These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"

    And then consider how different the reactions and comments would be.

  • I have a perfect solution! Rather than continuing to use magical cookies which can follow you around and tell everyone where you've been, I'm going to re-implement a cookie-like thing which cannot possibly do anything you don't want!

    Here's how it will work: When you go to my website, I will send your browser a "brownie". The "brownie" will just be a short text string.
    Then, if you want me to track you, simply inform your browser that you would like to send back the "brownie". whenever you connect to my serve
