
Sweden May Mandate Opt-in For Cookie Transfer

Posted by timothy
from the cookie-monster-swedish-chef dept.
Vitdom writes "The present government in Sweden has published a proposition regarding 'Better rules for electronic communication.' Amongst other proposed amendments, it suggests that websites must inform the user of the 'purpose' regarding each individual cookie transferred to the user's browser upon connection. Secondly, it is suggested that the user must give his consent before the transfer of the cookie in question. The proposition is to be voted on by the Swedish parliament on the 18 May this year. If accepted, the law will be in effect in June."
  • by Anonymous Coward

    Yay for another obscure, legalese clause in the Terms and Conditions section of pretty much every web page that pretty much nobody ever reads.

    • Re:Yay (Score:4, Informative)

      by Weezul (52464) on Sunday May 01, 2011 @02:49AM (#35989052)

      I'll be happy if Sweden just fines Apple a few tens of millions because Safari's cookie management feature simply doesn't work. "Accept cookies : Only from sites I visit" has basically never worked. And cookies you delete using "Show Cookies" aren't actually deleted either.

    • by jonbryce (703250)

      That is no use if it deposits a cookie on your computer before you get a chance to read the T&C.

    • And it's totally enforceable! Go Sweden!

  • That's good enough for me.

  • by tetromino (807969)
    Let's make it harder for websites to use cookies for legitimate purposes such as persistent logins, habituate Swedish computer users to clicking on the "yes, allow" button, and make foreign companies face trial in Swedish courts for using standard web technologies, while doing nothing about advertisers' ability to track users without permission [eff.org]!
    • EU directive (Score:3, Informative)

      by Anonymous Coward

      This is of course based on an EU directive [europa.eu]. Not sure why Sweden was singled out.

      Doesn't make it less stupid, but you know... maybe tone down the hyperbole a bit.

      • Re:EU directive (Score:5, Insightful)

        by jgrahn (181062) on Sunday May 01, 2011 @04:38AM (#35989386)

        This is of course based on an EU directive [europa.eu]. Not sure why Sweden was singled out.

        Because we plan to kidnap Julian Assange and lose him on a small island in the Baltic sea where the only female inhabitants are sheep?

        Seriously, it might be because we have decent media coverage of these things. This is just one in a series of daft technological decisions coming from the EU, and journalists in .se are used to covering them. (And Slashdot readers in .se are used to submitting the results here.)

    • by drinkypoo (153816)

      Let's make it harder for websites to use cookies for legitimate purposes such as persistent logins,

      You only need one cookie for all features if your site is competently designed: the one for tracking the user's session. Everything else should be stored on the server side anyway because you should never trust the client, didn't you learn anything from Sony? Trust in the client is the only reason you would ever need multiple cookies. And all you need is one nice little notice saying "we will use this cookie to manage your login" and BOOM you're done.

      And while we're on the subject, it takes only fractionall

      • by indeterminator (1829904) on Sunday May 01, 2011 @10:32AM (#35990526)

        You only need one cookie for all features if your site is competently designed: the one for tracking the user's session. Everything else should be stored on the server side anyway because you should never trust the client

        There are perfectly valid reasons (not involving cross-site tracking) to use more than one cookie. If a session identifying cookie is used to identify a user account and grant privileges, it's usually a good idea to make that cookie disappear when the user closes his browser (i.e. a 'session' cookie). However, the user may have additional preferences on the site which are not personally identifiable, but for which it makes sense to store and use the setting even when the user is not logged in, for example, language selection on multilingual sites. Trusting the client is also a non-issue for things that are mapped to a single item from a set of possible choices (as long as the code implementing the parsing is reasonably sane).

        (And for the Accept-Language header, try explaining to a client how they can change it. Or how to install a browser where they actually can change it.)

        And while we're on the subject, it takes only fractionally longer for most users to make a POST request than to just do an HTTP GET, so unless your site is stupid and slow or your users are then you don't need ANY cookies. A quality CMS will degrade. If yours doesn't then it isn't.

        Clicking on a link in a browser will cause a HTTP GET. Maintaining a session with URL parameters makes the URLs much less user friendly, and opens up a possibility for trivial social engineering exploits (e.g. lol paste your url here I'll have a look!).
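The two-cookie split indeterminator describes, sketched as an added example that is not part of the original thread: a browser-session login cookie next to a persistent language cookie whose value is only ever matched against a fixed set. The cookie names `sid` and `lang`, the language list and the session-id format are assumptions.

```javascript
// Added example, not code from the thread. Names and values are assumptions.
const SUPPORTED_LANGS = new Set(["en", "sv", "de", "fi"]);
const DEFAULT_LANG = "en";
const SESSION_ID_RE = /^[A-Za-z0-9_-]{16,128}$/;

// Parse a Cookie request header into a Map. Malformed pairs are skipped and
// the first occurrence of a name wins.
function parseCookieHeader(header) {
  const jar = new Map();
  if (typeof header !== "string") return jar;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;                       // no name or no "=" at all
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);               // strip optional quoting
    }
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// The preference cookie is untrusted input. It only selects one member of a
// fixed set; the raw string is never used for anything else.
function resolveLanguage(jar) {
  const raw = jar.get("lang");
  return typeof raw === "string" && SUPPORTED_LANGS.has(raw) ? raw : DEFAULT_LANG;
}

// Login cookie: no Expires or Max-Age, so the browser discards it on exit.
// The id format is checked so the value cannot inject header content.
function sessionCookie(sessionId) {
  if (typeof sessionId !== "string" || !SESSION_ID_RE.test(sessionId)) {
    throw new TypeError("invalid session id");
  }
  return `sid=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Language cookie: persistent for one year, carries no identity, and is
// re-validated before being written back.
function languageCookie(lang) {
  if (!SUPPORTED_LANGS.has(lang)) throw new RangeError("unsupported language");
  return `lang=${lang}; Path=/; Max-Age=31536000; Secure; SameSite=Lax`;
}

// Constructed sample request header: a valid preference, then an invalid one.
const sampleJar = parseCookieHeader("sid=QUJDREVGR0hJSktMTU5PUA; lang=sv");
const tamperedJar = parseCookieHeader("lang=../../etc/passwd");
console.log(resolveLanguage(sampleJar), resolveLanguage(tamperedJar));
```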

        • by drinkypoo (153816)

          Clicking on a link in a browser will cause a HTTP GET.

          Uh no. You need to look at HTML some more. This isn't a true statement. Clicking a link MIGHT cause an HTTP GET. Thanks for playing, though.

    • by boldie (1016145)
      I've read the bill and it is supposed to be enough to set the browser to allow cookies. The bill actually does not mention cookies at all. It is more generic to be technology independent.

      If you read Swedish you can read the bill here http://www.riksdagen.se/webbnav/?nid=37&dok_id=GY03115 [riksdagen.se]
  • Spyware vs cookies (Score:4, Informative)

    by Adayse (1983650) on Sunday May 01, 2011 @03:14AM (#35989138) Journal

    I just read the proposal [google.com] and its purpose, as far as cookies go, is to make spyware illegal to comply with an EU directive. The discussion centers around how to do this without requiring an opt-in for every cookie because cookies are also used to spy on you.

    Third party cookies should be illegal but I very much doubt that this proposal wants to go there.

    • by Morth (322218) on Sunday May 01, 2011 @04:48AM (#35989406)

      Here's the change we are discussing (google translate).

      Old text:

      Electronic communications may be used to store or access information that is stored in a subscriber or user-dares terminal equipment only if the subscriber or user of the controller is informed about the purpose of treatment and opportunity to prevent such treatment. This does not prevent such storage or access needed to perform or facilitate the transfer of electronic messages via an electronic communications network or which is necessary to provide a service that the subscriber or user has requested.

      will be changed to:

      Data may be stored in or retrieved from a subscriber or user equipment only if the subscriber or user will have access to information about the purpose of treatment and agree to it. This does not prevent such storage or access needed to transmit an electronic message via an electronic communications network or which is necessary to provide a service the subscriber or user has explicitly requested.

      Not sure I've ever seen such an ambiguous law text.

    • by AHuxley (892839)
      Just the free ad supported version. The paywall and social networking sites will be fine.
  • by Anonymous Coward

    Assuming this is even real, it is absurd.

    Cookies are only transferred and saved on the user's computer because the web browser allows them to be. Every web browser I have seen has the ability to both black list and white list cookie requests. In other words, the final decision if cookies are saved on the user's computer is determined by the browser, not the web site.

    Next there are issues with its implementations. Let's assume the user rejects you sending a cookie. How do you know on the next page they

    • by amn108 (1231606)

      You are talking about a lever that only few know about. The majority of users happily continue to use their browsers which in fact come preset with a very liberal (for the issuing end) policy of not only accepting cookies from pretty much ANYWHERE but also store them on disk as part of their browsing cache. In short, 9 out of 10 users are fed so much cookie, their teeth should grind to the roots. That's the reality. It's not about you and me who know how to fire up Preferences and set up our own policies.

    • by Splab (574204)

      That's not an issue.

      You embed a javascript that checks the local storage on the browser if cookie question has been answered and use that javascript to do the cookie management.

      Users with js disabled will of course have to be presented with a page saying for legal reasons they can't browse the website.
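A minimal version of the localStorage check Splab describes, added here as an illustration and not code from the thread: nothing is written to `document.cookie` until a stored answer grants the cookie's purpose, and a missing, blocked or corrupted answer counts as no answer. The storage key, the purpose names and the in-memory stand-in for `localStorage` are assumptions.

```javascript
// Added example, not code from the thread. In a browser, pass
// window.localStorage as `storage` and document as `doc`.
const CONSENT_KEY = "cookie-consent-v1";             // assumed key name
const KNOWN_PURPOSES = ["preferences", "analytics"]; // assumed purposes

// Read the stored answer. Returns null when the question has not been
// answered or the stored value cannot be trusted, so the gate fails closed.
function readConsent(storage) {
  let raw;
  try {
    raw = storage.getItem(CONSENT_KEY);
  } catch (e) {
    return null;                                     // storage blocked
  }
  if (raw === null || raw === undefined) return null;
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    return null;                                     // corrupted value
  }
  if (!parsed || !Array.isArray(parsed.granted)) return null;
  return new Set(parsed.granted.filter((p) => KNOWN_PURPOSES.includes(p)));
}

// Store the user's answer. An empty list is a valid answer ("none") and
// stops the prompt from reappearing.
function recordConsent(storage, granted) {
  const asked = Array.isArray(granted) ? granted : [];
  const clean = KNOWN_PURPOSES.filter((p) => asked.includes(p));
  storage.setItem(CONSENT_KEY, JSON.stringify({ granted: clean, at: Date.now() }));
  return clean;
}

function needsPrompt(storage) {
  return readConsent(storage) === null;
}

// Write a cookie only if its declared purpose was granted.
// Returns true when the cookie was written.
function setCookieIfAllowed(storage, doc, purpose, name, value, maxAgeSeconds) {
  const consent = readConsent(storage);
  if (consent === null || !consent.has(purpose)) return false;
  const maxAge = Math.max(0, Math.floor(Number(maxAgeSeconds)) || 0);
  doc.cookie =
    `${encodeURIComponent(name)}=${encodeURIComponent(value)}; ` +
    `Path=/; Max-Age=${maxAge}; SameSite=Lax`;
  return true;
}

// Constructed stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
  };
}

// Constructed walk-through: refused before the answer, allowed after it.
const demoStorage = memoryStorage();
const demoDoc = { cookie: "" };
const before = setCookieIfAllowed(demoStorage, demoDoc, "preferences", "lang", "sv", 3600);
recordConsent(demoStorage, ["preferences"]);
const after = setCookieIfAllowed(demoStorage, demoDoc, "preferences", "lang", "sv", 3600);
console.log(before, after, demoDoc.cookie);
```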

      • I was going to reply something along these lines.

        And feasibility aside, the EU directive is indeed mind-bogglingly stupid. How do you even enforce that? It's not meant only for EU websites, but also, and primarily, for any user browsing from the EU. How do you check that? Ridiculously inaccurate IP geolocation? What about Tor, proxies, etc?

    • by hedwards (940851)

      I'm not aware of a setting to prevent the cookies from being read by other domains, but the settings to blacklist and whitelist cookies are typically not very good. I was doing that for a while with Firefox, and it was a huge pain. For some reason they decided to make it so that you end up having to either block everything or end up responding to hundreds of requests. And they won't let you edit a setting, no that would be too easy, if you change your mind about a setting you have to remove it then go back

      • by Anonymous Coward

        Konqueror has an "always ask" option for cookies. And when Konqueror asks, you can allow or block the cookie, either :
        -for the single cookie
        -for every cookie from the same domain
        -for all cookies

  • Not sure how enforceable or practical it would be. Considering how central cookies are to today's web usage, I think it would be simply annoying to have to confirm each and every cookie before you get it. I like the way Cookie Monster [mozilla.org] for firefox does it myself. Although, if the Swedish government wants to pay someone to write plugins/extensions for all the other browsers that work the same way, I'd be smiling.
    • by mvdwege (243851)

      Have you even RTFS? It's right in there, and otherwise it's in RTFA, according to the EU directive that this law is based on, you do not have to confirm each and every cookie.

      Mart

    • by Nursie (632944)

      "Not sure how enforceable or practical it would be. Considering how central cookies are to today's web usage"

      You know what, I've had cookies turned off for several months now, except for a few sites that I actually want the functionality they provide. My internet experience hasn't changed much on the whole, a few sites don't work so well. Most are just fine.

      This tells me that the vast majority of the thousands of cookies that reside in the average browser are (at best) totally unnecessary, and are mostly un

  • by mwvdlee (775178) on Sunday May 01, 2011 @03:51AM (#35989266) Homepage

    How is a website supposed to remember whether a visitor opted out of cookies?

    • by Cigaes (714444)

      It can't. But it can remember people who opted in for cookies with a cookie.

      In fact, they really thought it through.

    • by jonbryce (703250)

      Firefox Menu | Options | Advanced | General | Browsing | [x] Tell websites I do not want to be tracked

  • How does this compare to an option in my browser that says "confirm by popup every cookie requested"?

    Mandating that websites continue to function properly when the browser refuses to register cookies would at least be slightly smarter.

  • Consent is implied by each individual user's web browser. Cookie Censorship need not apply, we already have the tools to manage our own cookie states (visitor discretion is not just advised, it's mandatory).

    Much like the way no one can force you to visit their website, websites can not force your browser to accept a cookie -- And, last time I checked both IE & Firefox by default alerted me that a website was requesting to set a cookie, and the default action was to "[x] remember my decision" -- I opted to not have to answer yes each time, and instead opted to set my cookies to be cleared on each exit...

    I am in no way prevented from disallowing all cookies... I remember writing web login systems before cookies were widespread -- URL MUNGING -- UHG! Hell, we even used the HTTP-REFERER (sic) header to transfer logins across domains (it contains your last visited URL -- the one before the current page request).

    While I do like to know what the little opaque tokens are being used for, there is no reason to mandate their purposes be posted somewhere. Cookies are DESIGNED to track some user specific state information. Cookies track users. End Of Discussion. We know what they are for! Guess what else tracks users? Their IP ADDRESS; This, combined with URL munging == cookies. Netscape just wanted a formalized and more flexible way to do things...

    I can imagine requiring a user to click yet another security dialog each time I add a bit of info or change the way a cookie operates -- To get around this one or both of the following WILL occur:

    1. URL Munging, CSS style color hacks, and other tricks (like decoding a cached .PNG with client side JS) will be used instead of cookies for more user state preservation purposes.

    2. The users will be given a "[x] Remember my decision" option, and we're right back to where we are now!

    Ignorant fools -- When will we mandate that you must pass a technology test before voting for or against said technology related laws? EG: Score a 100% on the "Web Cookie" tech test, and you're fully qualified to vote -- score a 25% and your vote would be worth 25% of a vote since you don't know shit about what you're voting for or against....

    Until then we'll keep having people who don't know shit pass ignorant laws based on "feelings" instead of "facts".

    • by Anonymous Coward

      The problem is that most people don't know that they can disable cookies, let alone selectively. Furthermore, they don't understand what it's all about, and since it's a complicated technical topic (if you disagree you need to meet some users) they probably cannot be made to understand. The only thing they know is "if I disable cookies some websites don't work". That they could allow these specific cookies wouldn't occur to them, and neither that they could delete them later. And even if the browser asked w

    • by hedwards (940851)

      I disagree, until the cookie management settings are fixed and made to be functional there really is no basis for consent being implied. What I mean is that yes, you do have settings that work, but they're cumbersome, lacking in granularity and typically don't really give you much control. Plus, they're complicated and unless you're a power user, you don't necessarily know what you're doing, or even what cookies ought to be allowed.

      Same goes for random javascript, sites rarely if ever tell you what javascri

    • "Much like the way no one can force you to visit their website"

      Every hyperlink in HTML can potentially force you to a different website than the one serving the current page.
  • by Anonymous Coward

    Always get your information straight from the horse's mouth. The IDG article is pretty clear for people that know the context and understand Swedish, but seems to totally confuse less informed slashdot readers and the really bad slashdot summary makes the confusion even worse.

    The proposal is based on an EU directive. Countries that are part of EU must implement all EU directives, or leave EU. Sweden doesn't have much choice in the matter. (Many other country parliaments implement undesired EU directives the sam

    • by lordholm (649770)

      Hmm... I've heard both Brits and Dutch complaining that they implement all the directives but everyone else ignores them. So apparently at least three states implement all the directives and everyone else (including the other two states that implement them), refuse to implement directives.

      Logical? Hardly... but neither is any other myth about the Union.

      Of course, directives should be implemented! The main problem now is the lack of reporting of Union centric news, it would be good if normal newspapers would

  • Age of consent (Score:5, Interesting)

    by Alain Williams (2972) <addw@phcomp.co.uk> on Sunday May 01, 2011 @04:09AM (#35989304) Homepage

    Next comes the meme:

    1. Agreeing to accept a cookie is a legal agreement
    2. You can't enter a legal agreement until you are 18
    3. Ergo: you can't surf the web until you are 18

    Hmmmm ....

    • by kthreadd (1558445)

      Not really. For it to be seen as that it's required that the agreement is returned to the issuer so that it also knows that it has entered the agreement. It would be kind of scary if two parties could enter an agreement that only one part knew they had entered.

      I don't know what the age of consent has to do with that, it's 15 and has an exception for even younger if the age difference is small. It has nothing to do with legal agreements or surfing the web, well, maybe about surfing the web if you need to fin

      • Pretty sure he means age of majority - the age at which you can legally enter into contracts, join the armed forces and generally control your own legal, financial, living and life arrangements. In the US, this is generally 18, though there are exceptions (e.g. alcohol age is 21). Nothing to do with age of consent, which is about sexual relations (and this age varies widely from US state to US state).
      • by dkf (304284)

        It would be kind of scary if two parties could enter an agreement that only one part knew they had entered.

        It's possible in limited circumstances in English law (I believe it's where one party makes a public statement that "if anyone does X, then I promise to do Y" and someone else then does X, knowing about that general promise). Those wouldn't apply (AIUI) here as the parties are in proper communication (mediated by HTTP).

  • by Anonymous Coward

    A few minutes ago I was wondering if it would be possible to chop a file into lots of tiny snippets and distribute them across millions of PCs as browser cookies ... ? I think it would be a great way to make the web rethink the cookie policy.

  • by Anonymous Coward

    Here in the Netherlands we have the same kind of law, but after protests from the technical crowd it appears that simply enabling cookies in your browser is a valid opt-in for placing cookies. Nothing to worry about, the law is just finally adapted to what already happens technologically...

    • Of course it's only an opt-in if the browser is default-configured to not accept cookies without asking.

      • by Sloppy (14984)

        It's also opt-in if the user decided to install a browser which opts to both store and send back cookies. It's also opt-in if such a browser is already installed and the user decides to run it.

        The reason this proposal (and others like it in the news lately) is so bad, is that it's based on a fundamental confusion. Someone seems to think cookies have something to do with web sites when really they're a web browser thing. The users' problem is that they are running software which isn't necessarily working

        • It's also opt-in if the user decided to install a browser which opts to both store and send back cookies. It's also opt-in if such a browser is already installed and the user decides to run it.

          You have a very unusual interpretation of "opt-in". See below why it is utterly wrong.

          The reason this proposal (and others like it in the news lately) is so bad, is that it's based on a fundamental confusion. Someone seems to think cookies have something to do with web sites when really they're a web browser thing.

          I do

          • by Sloppy (14984)

            With your argument, I could as well say the web site isn't responsible for the site's content, because after all, it's the web browser which renders that content.

            The web browser isn't responsible for the content, but certainly is responsible for what ends up being done with the content and how it is rendered. Likewise, the browser is responsible for 1) the cookie getting stored 2) the stored cookie being sent back.

            I don't know a web browser which sets cookies without the web site requesting it

            The key word

  • Is it just the traditional HTTP cookie? HTML-5 will let all kinds of data to be stored on clients and then you can use one of the techniques behind Evercookie [wikipedia.org]!
    I've read the bill and it seems possible that the consent can be given by setting the browser to allow cookies. So this will do nothing. Do not track headers is much better!
  • by amn108 (1231606) on Sunday May 01, 2011 @05:35AM (#35989510)

    I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.

    • The proposed law is ambiguous as hell and makes explicit exceptions for cookies that are necessary to perform a service the user has requested. Thus session cookies should still be fine, as should the "remember me" checkbox you see on most web forums.

    • by sco08y (615665)

      I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.

      That's certainly the reason no one ever turned on cookie checking, but it's fine to tentatively accept a cookie and then delete it later. After all, it's not like I care that a site knows that I just visited it, after all, that's in their server logs anyway.

      If you did that, and the cookies were displayed all at once for the page, it wouldn't be so bad. All you need then is a summary of where elements (cookies, images, flash, scripts) came from on the page, ideally with categories or descriptions looked

  • by Anonymous Coward

    This EU directive must be implemented by May 25th but Sweden is a bit late to the party - it was covered by the UK government a few weeks ago:

    http://techlogon.com/2011/04/17/new-european-website-law-is-a-gift-to-america/

    Although the UK Government are committed to it they have said "We do not expect to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies". When a government advises its citizens that a law can be broken with

  • ... especially on mobile phones...

    Here's a little exercise. Go into your browser config and turn this feature on, and see how long you can tolerate using the web.

    I imagine you won't last long.

    • I don't know about mobile phones, but I know from experience that disabling cookies by default works quite well on desktop browsers. I of course enable cookies for services where I log in (it would be pointless to deny cookies when I give them even more identifying data anyway). There are very few web sites which require cookies that I consider worthwhile enough to allow them cookies (and then, I mostly allow them only as session cookies).

  • What about local storage? http://en.wikipedia.org/wiki/Web_Storage [wikipedia.org]
    • by boldie (1016145)
      The bill does not mention cookies at all. It is more generic to be technology independent.

      If you read Swedish you can read the bill here http://www.riksdagen.se/webbnav/?nid=37&dok_id=GY03115 [riksdagen.se]
      • Actually it does read your own links. Unfortunately I cannot read Swedish and the Google translation is a big fail but here is an excerpt:
        9.4 Storage and retrieval of information, cookies etc. .... 133
        9.4 Lagring och hämtning av information, cookies mm Regeringens förslag: Uppgifter får lagras i eller hämtas från en abonnents eller användares terminalutrustning endast om abonnenten eller användaren får tillgång till information om ändamålet med be
        • 9.4 Storage and collection of information, cookies, etc., Government's proposal: Data may be stored in, or be derived from a subscriber or user's terminal equipment only if the subscriber or user should be access to information concerning the purpose of the processing and agrees to it. This does not prevent such storage or access for needed to transfer an electronic communication via an electronic communications network or which is necessary in order to provide a service which the user or expressly requeste
  • Will they forbid the interpretation of TCP sequence numbers without explicit user permission too?

  • What if browsers had an option to prompt the user for each cookie received, and what if the web standards allowed for a "purpose" field when setting a cookie?
    • They do. The option to prompt for each cookie received is an OLD option (had it back in Netscape). It makes browsing bloody near impossible. The "purpose" field is a nice idea though.
  • Unless there's a 'leak', you will never, ever know what is being gleaned from your computer.

  • So, how will they store the fact that the user denied opt-in for a cookie if they can't store it in a cookie? localStorage?
