BBC Site Uses Cookies To Inform Visitors of Anti-Cookie Law 98
Andy Smith writes "As of 26 May 2011 web sites in the UK must get a user's permission to set cookies. If you go to the BBC's commercial TV listings site Radio Times you'll see a message telling you about the new law. Go to the site again, though, and you don't see the message. How does the site know you've already seen it? By setting a cookie of course! It doesn't ask for permission."
Lack of tech know how (Score:2)
I guess that's what happens when law makers don't really get what's going on, and the techies tasked to implement this stuff don't really care.
Re: (Score:2)
un
Un
UN
UN!
Un Fucking Enforceable
Re:Lack of tech know how (Score:5, Informative)
No, that's what you get when the person writing the article doesn't understand what's happened - it's absolutely legal to store cookies that are required for the functionality of the site. This will clearly count. What's not legal is storing cookies that are only for tracking you without asking.
Re: (Score:2)
If you code the site to be non-functional without cookies, then every cookie will be required for the functionality of the site.
Re: (Score:2)
Wait . . .
Re: (Score:2)
Why do you think he's called the Cookie MONSTER?
Re: (Score:1)
Track users without asking? What sort of "cookie monster" would do such a thing?
Re: (Score:1)
Of course you can. But that is not the point. The point is that it's perfectly fine to store a cookie with field pair noticeshown=true. That is not information that can identify you. And don't start arguing that they could save it as noticeshown=id2458928 or some bullshit. Obviously they could. I could also try to rob a bank, but those things would be illegal to do.
Re: (Score:2)
Not in this position, but the HTTP_REQUEST does include the language of the user's browser (accept-language)... It is fairly safe to assume that your site visitor wants it in the language that their browser is, and give them the option to change that language with a cookie to save it.
As an added bonus, if the site automatically looks at the accept-language and serves up a German-language storefront without the user having to click on German after being presented with an English default, it may improve your
Re: (Score:2)
The UK's Information Commissioner issued some advice [ico.gov.uk] which isn't really finished but provides a good starting point. The big problem is that we don't have a good enough definition of what "strictly necessary" for the function of the site means. I've seen it interpreted (I think it was by a spokesman for the European Commission, but I didn't make a note at the time) as meaning cookies needed to perform a function requested by the user. The example given was a shopping cart - the user requests you to put an i
Re: (Score:2)
I really hope it doesn't try to guess by working it out from the client's IP address.
Because if it does, I hate you.
session cookies (Score:2)
Are session cookies OK?
I asked the ICO (Information Commissioner Office) exactly that question about a month ago, they have not replied in spite of a reminder. If they cannot answer a simple question like that then I have to assume that they don't know what they are talking about.
love it (Score:1)
shows how stupid the cookie law is
That's genius (Score:1)
Not all cookies are tracking cookies; legislators appear to have overlooked this.
idiot submission (Score:5, Informative)
The new cookie laws are only about tracking cookies, not session cookies or cookies necessary for the functioning of the website.
That cookie is not a tracking cookie, as such it isn't breaking the law. non-news.
Re: (Score:2, Informative)
Er, I don't want to be Captain Obvious here, but doesn't the cookie *track* who has seen or not seen the message about the cookies?
Re:idiot submission (Score:4, Informative)
Probably not, if the cookie only contains "Don't show the message again", it isn't tracking. Tracking is when the information makes you uniquely identifiable, which this clearly isn't.
Re: (Score:2)
Alright, I checked the cookie and all it says is "true". Which is OK.
Of course, they're still setting a couple of cookies at the moment. This cookie is just a cookie to let them know that they've let you know that sometime in the future they're going to do something about your preferences in regard to the setting (or conversely, not setting) cookies on your computer when you access their domain.
Onwards!
Re: (Score:3)
Re:idiot submission (Score:5, Informative)
By tracking cookies I think they mean uniquely identifiable, like an ID number for a specific user that they can then tie advertising preferences to. Tracking stuff like site settings seems like an actual valid use of cookies.
I do agree with you though on the "necessary for the functioning of the website" loophole, as they could just include advertising tracking as "necessary" (for financial reasons of course).
Re: (Score:1)
Your story sounds wonderful, it is just missing out on the small little detail that the server doesn't know the clients mac address...
Re: (Score:2)
How does a web server not on my network get my MAC address?
Re: (Score:2)
Re: (Score:2)
Okay I understand that now, but its not going to work in many places yet.
Re: (Score:1)
Re: (Score:2)
Maybe I'm not interested in them now. Perhaps I read in a magazine that Canon are better, or whatever.
I've used sites like that before. I find it annoying when a dumb machine tries to second-guess me.
Re: (Score:1)
The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?
The wording of the law is "strictly necessary", and is from the point of view of the consumer, not the website owner. Even in the case of affiliate marketing where the referring site doesn't get paid unless a cookie is set, you can't argue that a tracking cookie is strictly necessary because in that instance the consumer's experience is the same whether the cookie is set or not.
Re: (Score:3)
The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?
That's why we have these funny buildings called "courthouses" where we evaluate things critically instead of using the law like an algorithm.
Re: (Score:2)
Yeah, because the courthouses don't have anything important to do anyway and I bet the justice system love obscure laws where the outcome depends on intent and motivation rather than objective evidence............
Re: (Score:1)
Have you actually read the update to the law? I'm betting no.
6 (1) Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal
equipment--
(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Source [ico.gov.uk]
The bit not in bold is the law before 26th May - the bit in Bold is now in effect. It doesn't differentiate between different types of cookie, their functionality or anything else. Consent must be gained for any use.
It leaves open hundreds of questions, but under no interpretation can you say "it only applies to tracking cookies".
Re: (Score:2)
So forgive my ignorance, but what exactly does the law say?
I assume first-party session cookies are ok. Does it only ban third-party cookies? What about third-party session cookies? What about on sites that span multiple domains, where the third party cookie may be necessary for a user to remain logged-in?
There's a lot of debate here on what constitutes "tracking cookie" or "necessary for the site to function", but what does the actual law say?
Re: (Score:2)
Why would you think that it's only about tracking cookies? The legislation is quite clear:
(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal equipment -
(a)is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or
Re: (Score:2)
By which you mean "served via the Akamai caching network, which happens to use Linux". You might want to pick an example which is actually true.
Guess you didn't read their link (Score:4, Informative)
If you follow the link in the pop-up, the BBC website explains that the changes will be phased in gradually over the Summer.
"The government's view is that there should be a phased approach to the implementation of these changes. Over the summer, we will be working on developing the best methods for obtaining your consent.
In the meantime, you can control cookies by setting your device to notify you when a cookie is issued, or not to receive cookies at any time. We will ensure that we continue to provide you with clear and comprehensive information about the cookies we use, so that you can make informed decisions."
On top of that, the law only covers tracking cookies, but the BBC is going to include all cookies in it's policy. No story here.
Olo:Ha (Score:3)
But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.
Re: (Score:1)
But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.
Is there?. If the cookie is persistent (survives browser close) then it just contains a big random number that might uniquely identify you. This big random number is a key to the server side database that stores everything-we-know-about-you, including the bit about you having seen the message. You have no way of knowing if that is all they are tracking.
Re: (Score:2)
Or it might just contain "seen message = true".
Re: (Score:2)
JSESSIONID is not a persistent cookie, it'll be gone upon the restart of the browser.
Re: (Score:2)
Your comment is irrelevant - please read the legislation.
Any cookie (be it tracking/temporary/whatever) is covered.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Technically they're the same. That's true.
In practice the first should only store if the user has seen the the warning message.
No Permission (Score:1)
language (Score:2)
In the UK, cookies are called biscuits.
Don't use this to prove God doesn't exist (Score:3)
nt
Law is dumb (Score:2)
Re: (Score:2)
So it would be okay if there were stores where, when you went inside to shop, the owner pick-pocketed you and made photocopies of your driver's license, all your receipts, and one or two of your credit cards? And then they took everything they found and shared it will all the other businesses in town?
Is that okay, as long as people who don't want to be tracked notice this and tell him "no"? Even if, when you tell him "no", he orders you out of his store? Oh, also every other store in town does the same t
Re: (Score:2)
Re: (Score:2)
Has a store ever secretly slipped a loyalty card into your wallet? Then snuck it out each time you've visited? Even if you don't buy anything or pay cash?
Re: (Score:2)
Here's how it goes: (Score:4, Informative)
Your Browser: Hey BBC, gimme a web page with the URI: http://raidotimes.com/ [raidotimes.com]
BBC Server: Here is the web page you requested, with cookie notification text (since you did not provide any cookie), and also a cookie.
Your Browser: Thanks! Let's see, the user settings say, "Accept Cookie" I'm permitted by the user to store this cookie.
--- Later ---
Your Browse: Hey BBC, gimme a web page [...] and also here's that cookie that you gave me which my user already gave permission for me to save and return to you via their preferences.
BBC Server: Ah, I see you provided me the cookie that if you had not given your browser permission to send me, I wouldn't be seeing right now -- I guess I won't show you that cookie info text this time.
YOU HAVE THE POWER TO DISABLE THE MOTHER FUCKING COOKIES -- USE IT AND STOP FUCKING UP OUR INTERNET WITH YOUR NOOB LAWS!
P.S. If the basic cookie settings aren't enough for you, use an existing plugin like Cookie Monster for Firefox -- More power over your god damn cookies than you could ever want. Honestly, if you don't understand it, leave it the fuck alone, before you hurt someone!
Re: (Score:1)
You're an idiot.
There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.
Sure, cookies can be disabled. By default, they're not. Guess why? The reason is that browser makers realized that things would break if you disable them and that - more importantly - many people lack the expertise to selectively fix the problem.
Of course, enabling cookies has its own problems - e.g. track
Re: (Score:3)
Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it. Surely the better solution is at the browser level. Default it on to ask, give the user a way to turn it off. Or, default it to not ask, but show the user information about cookies and instructions to change the setting the first time they run their browser.
Education is an amazing thing. Web devel
Re: (Score:2)
Firefox has such setting, with the option to ask what to do for every cookie a website tries to set/update (which quiclky gets annoying), plus an option in to remember your choice for all subsequent cookies from that website. It's there in Preferences->Privacy->History->Use custom setting
Re:Here's how it goes: (Score:4, Interesting)
There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.
And sometimes, you actually want cookies. For example, on a news site such as the BBC, you may want to be able to log in and post a comment... and then log out again and not have the site continue tracking you. How do you do that? Short of constantly disabling and re-enabling cookies on a per-site basis, there's no way. Expecting users to do that is idiotic and only shows that a serious disconnect from reality on your part.
Did you know you can still track people you without cookies? You can use a combination of user-agent/IP/browser/language to track you with considerable accuracy.
So your solution for is to ask people that don't know/want to know what are cookies, if they want cookies? How kind of question box you suggest?
Something like this perhaps?
Do you accept cookies? If you press YES this site will work
properlly, and we can track you if we want to.
If you press NO this site won't work properly, but we can't
track you trough cookies. We can still track you by other means
if we want to but not with cookies!
| YES | | NO |
Re: (Score:1)
Thanks for the info. I knew about cookie preferences in browsers (which are a pain in the ass to turn on and use), but I wasn't aware of the Cookie Monster plugin for Firefox. I'll have to play around with that one... thanks.
BTW, I totally agree with your philosophy on "newb laws." If you're not smart enough to protect yourself on the internet, that's your fault.
Re: (Score:1)
The only people who should be against this, are marketing companies looking to exploit peoples privacy for their own commercially gain.
Are you both against the "Do Not Call" phone lists as well? Those are the lists of numbers which telemarketers are not allowed to call and can be fined if they do. You can find out every number registered by x company and block them from your cell phone account. You have the power, so why have a giant list? The answer is simple. Nobody wants to go through hundreds and thousa
Re: (Score:1)
You're wrong. There are measures within your browser to help you prevent this, so imposing it on everyone is stupidity.
Re: (Score:2)
Re: (Score:1)
Mod parent up, submitter / "editors" didn't check their facts as per usual.
I'm glad this is the case since I still haven't had a response from our company's webhost as to whether the session cookies our site sets are needed for the stats package, or just an unneccessary ASP default setting.
Similar to the PC-Mac add? (Score:1)
So I'll be like PC (http://www.adweek.com/adfreak/get-mac-security-94121) all the time, clicking Yes buttons when not needing them (while hating to see them), effectively priming me to approve one when I shouldn't.
Bert
RadioTimes sets Cookies to 2021 (Score:2)
.radiotimes.com LOG_ID 05/28/21
Google only goes up to 2013
.google.com PREF 05/27/13 ID= ******
See also, Radio Times recommends Internet Explorer 8 [imageshack.us]
Re: (Score:2)
Radio Times *advertises* Internet Explorer 8, not exactly the same as recommending it.
Re: (Score:1)
Broswer Detection Instead (Score:1)
I don't understand (Score:1)
Maybe we could require sites to provide milk if the serve any more than a couple of cookies...
yeah right (Score:2)