Forgot your password?
typodupeerror
Privacy The Internet United Kingdom Your Rights Online

BBC Site Uses Cookies To Inform Visitors of Anti-Cookie Law 98

Posted by timothy
from the only-criminals-will-have-cookies dept.
Andy Smith writes "As of 26 May 2011 web sites in the UK must get a user's permission to set cookies. If you go to the BBC's commercial TV listings site Radio Times you'll see a message telling you about the new law. Go to the site again, though, and you don't see the message. How does the site know you've already seen it? By setting a cookie of course! It doesn't ask for permission."
This discussion has been archived. No new comments can be posted.

BBC Site Uses Cookies To Inform Visitors of Anti-Cookie Law

Comments Filter:
  • I guess that's what happens when law makers don't really get what's going on, and the techies tasked to implement this stuff don't really care.

    • by Larryish (1215510)

      un

      Un

      UN

      UN!

      Un Fucking Enforceable

    • by beelsebob (529313) on Saturday May 28, 2011 @07:19AM (#36272224)

      No, that's what you get when the person writing the article doesn't understand what's happened - it's absolutely legal to store cookies that are required for the functionality of the site. This will clearly count. What's not legal is storing cookies that are only for tracking you without asking.

      • If you code the site to be non-functional without cookies, then every cookie will be required for the functionality of the site.

      • Track users without asking? What sort of "cookie monster" would do such a thing?

  • shows how stupid the cookie law is

  • by Anonymous Coward

    Not all cookies are tracking cookies; legislators appear to have overlooked this.

  • idiot submission (Score:5, Informative)

    by Anonymous Coward on Saturday May 28, 2011 @06:30AM (#36272100)

    The new cookie laws are only about tracking cookies, not session cookies or cookies necessary for the functioning of the website.
    That cookie is not a tracking cookie, as such it isn't breaking the law. non-news.

    • Re: (Score:2, Informative)

      by ColaMan (37550)

      Er, I don't want to be Captain Obvious here, but doesn't the cookie *track* who has seen or not seen the message about the cookies?

      • Re:idiot submission (Score:4, Informative)

        by Anonymous Coward on Saturday May 28, 2011 @07:17AM (#36272218)

        Probably not, if the cookie only contains "Don't show the message again", it isn't tracking. Tracking is when the information makes you uniquely identifiable, which this clearly isn't.

        • by ColaMan (37550)

          Alright, I checked the cookie and all it says is "true". Which is OK.

          Of course, they're still setting a couple of cookies at the moment. This cookie is just a cookie to let them know that they've let you know that sometime in the future they're going to do something about your preferences in regard to the setting (or conversely, not setting) cookies on your computer when you access their domain.

          Onwards!

    • by Co0Ps (1539395)
      Ummm.. it tracks if you have given permission for cookie tracking. Doesn't that make it a "tracking cookie"? Isn't all cookies tracking cookies? The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?
      • Re:idiot submission (Score:5, Informative)

        by SilentChasm (998689) on Saturday May 28, 2011 @07:12AM (#36272208)

        By tracking cookies I think they mean uniquely identifiable, like an ID number for a specific user that they can then tie advertising preferences to. Tracking stuff like site settings seems like an actual valid use of cookies.

        I do agree with you though on the "necessary for the functioning of the website" loophole, as they could just include advertising tracking as "necessary" (for financial reasons of course).

      • by al4 (2208636)

        The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

        The wording of the law is "strictly necessary", and is from the point of view of the consumer, not the website owner. Even in the case of affiliate marketing where the referring site doesn't get paid unless a cookie is set, you can't argue that a tracking cookie is strictly necessary because in that instance the consumer's experience is the same whether the cookie is set or not.

      • by pclminion (145572)

        The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

        That's why we have these funny buildings called "courthouses" where we evaluate things critically instead of using the law like an algorithm.

        • by Co0Ps (1539395)

          Yeah, because the courthouses don't have anything important to do anyway and I bet the justice system love obscure laws where the outcome depends on intent and motivation rather than objective evidence............

    • by Anonymous Coward

      Have you actually read the update to the law? I'm betting no.

      6 (1) Subject to paragraph (4), a person shall not store or gain
      access to information stored, in the terminal equipment of a subscriber
      or user unless the requirements of paragraph (2) are met.
      (2) The requirements are that the subscriber or user of that terminal
      equipment--
      (a) is provided with clear and comprehensive information about the
      purposes of the storage of, or access to, that information; and
      (b) has given his or her consent.

      Source [ico.gov.uk]

      The bit not in bold is the law before 26th May - the bit in Bold is now in effect. It doesn't differentiate between different types of cookie, their functionality or anything else. Consent must be gained for any use.

      It leaves open hundreds of questions, but under no interpretation can you say "it only applies to tracking cookies".

    • by Blakey Rat (99501)

      So forgive my ignorance, but what exactly does the law say?

      I assume first-party session cookies are ok. Does it only ban third-party cookies? What about third-party session cookies? What about on sites that span multiple domains, where the third party cookie may be necessary for a user to remain logged-in?

      There's a lot of debate here on what constitutes "tracking cookie" or "necessary for the site to function", but what does the actual law say?

    • by quarkoid (26884)

      Why would you think that it's only about tracking cookies? The legislation is quite clear:

      (1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

      (2) The requirements are that the subscriber or user of that terminal equipment -
      (a)is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
      (b) has given his or

  • by Blahah (1444607) on Saturday May 28, 2011 @06:42AM (#36272128)

    If you follow the link in the pop-up, the BBC website explains that the changes will be phased in gradually over the Summer.

    "The government's view is that there should be a phased approach to the implementation of these changes. Over the summer, we will be working on developing the best methods for obtaining your consent.

    In the meantime, you can control cookies by setting your device to notify you when a cookie is issued, or not to receive cookies at any time. We will ensure that we continue to provide you with clear and comprehensive information about the cookies we use, so that you can make informed decisions."

    On top of that, the law only covers tracking cookies, but the BBC is going to include all cookies in it's policy. No story here.

  • by Fuzzums (250400) on Saturday May 28, 2011 @06:44AM (#36272136) Homepage

    But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.

    • But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.

      Is there?. If the cookie is persistent (survives browser close) then it just contains a big random number that might uniquely identify you. This big random number is a key to the server side database that stores everything-we-know-about-you, including the bit about you having seen the message. You have no way of knowing if that is all they are tracking.

      • by Fuzzums (250400)

        Or it might just contain "seen message = true".

      • There is a fairly simple way - does every user with the same settings get the same cookie? You can verify that DuckDuckGo is not tracking you via cookies, for example, because each setting you change sets or clears a specific flag in the cookie. You can set the same settings on two computers, with different browsers on different IPs, and get exactly the same cookie. In contrast, you can tell that Google is tracking you because they give you a cookie with a unique key that references an entry in their dat
    • If you're good at it, really there isn't.
      • by Fuzzums (250400)

        Technically they're the same. That's true.
        In practice the first should only store if the user has seen the the warning message.

  • CHUCK NORRIS doesn't need permission to set cookies in your system.
  • In the UK, cookies are called biscuits.

  • This law is an example of what happens when overly zealous do-gooders try to protect people from themselves. If you don't want cookies, turn them off.
    • So it would be okay if there were stores where, when you went inside to shop, the owner pick-pocketed you and made photocopies of your driver's license, all your receipts, and one or two of your credit cards? And then they took everything they found and shared it will all the other businesses in town?

      Is that okay, as long as people who don't want to be tracked notice this and tell him "no"? Even if, when you tell him "no", he orders you out of his store? Oh, also every other store in town does the same t

      • by mjwalshe (1680392)
        isn't that what store loyalty cards do? track your purchases?
        • Has a store ever secretly slipped a loyalty card into your wallet? Then snuck it out each time you've visited? Even if you don't buy anything or pay cash?

          • by mjwalshe (1680392)
            they plug the dam things hard enough in supermarkets - and another similar case newpapers break down their subscribes by analysing where they live and use that to monetize adverts and also sell targeted inserts.
  • Here's how it goes: (Score:4, Informative)

    by VortexCortex (1117377) <`VortexCortex' ` ... -retrograde.com'> on Saturday May 28, 2011 @08:07AM (#36272392) Homepage

    Your Browser: Hey BBC, gimme a web page with the URI: http://raidotimes.com/ [raidotimes.com]

    BBC Server: Here is the web page you requested, with cookie notification text (since you did not provide any cookie), and also a cookie.

    Your Browser: Thanks! Let's see, the user settings say, "Accept Cookie" I'm permitted by the user to store this cookie.

    --- Later ---

    Your Browse: Hey BBC, gimme a web page [...] and also here's that cookie that you gave me which my user already gave permission for me to save and return to you via their preferences.

    BBC Server: Ah, I see you provided me the cookie that if you had not given your browser permission to send me, I wouldn't be seeing right now -- I guess I won't show you that cookie info text this time.

    YOU HAVE THE POWER TO DISABLE THE MOTHER FUCKING COOKIES -- USE IT AND STOP FUCKING UP OUR INTERNET WITH YOUR NOOB LAWS!

    P.S. If the basic cookie settings aren't enough for you, use an existing plugin like Cookie Monster for Firefox -- More power over your god damn cookies than you could ever want. Honestly, if you don't understand it, leave it the fuck alone, before you hurt someone!

    • by Anonymous Coward

      You're an idiot.

      There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.

      Sure, cookies can be disabled. By default, they're not. Guess why? The reason is that browser makers realized that things would break if you disable them and that - more importantly - many people lack the expertise to selectively fix the problem.

      Of course, enabling cookies has its own problems - e.g. track

      • by Cogneato (600584)

        Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it. Surely the better solution is at the browser level. Default it on to ask, give the user a way to turn it off. Or, default it to not ask, but show the user information about cookies and instructions to change the setting the first time they run their browser.

        Education is an amazing thing. Web devel

        • by ianezz (31449)

          Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it

          Firefox has such setting, with the option to ask what to do for every cookie a website tries to set/update (which quiclky gets annoying), plus an option in to remember your choice for all subsequent cookies from that website. It's there in Preferences->Privacy->History->Use custom setting

      • by ammorais (1585589) on Saturday May 28, 2011 @11:25AM (#36273464)

        There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.

        And sometimes, you actually want cookies. For example, on a news site such as the BBC, you may want to be able to log in and post a comment... and then log out again and not have the site continue tracking you. How do you do that? Short of constantly disabling and re-enabling cookies on a per-site basis, there's no way. Expecting users to do that is idiotic and only shows that a serious disconnect from reality on your part.

        Did you know you can still track people you without cookies? You can use a combination of user-agent/IP/browser/language to track you with considerable accuracy.
        So your solution for is to ask people that don't know/want to know what are cookies, if they want cookies? How kind of question box you suggest?
        Something like this perhaps?


        Do you accept cookies? If you press YES this site will work
        properlly, and we can track you if we want to.
        If you press NO this site won't work properly, but we can't
        track you trough cookies. We can still track you by other means
        if we want to but not with cookies!

        | YES | | NO |

    • by ozone702 (1243146)

      Thanks for the info. I knew about cookie preferences in browsers (which are a pain in the ass to turn on and use), but I wasn't aware of the Cookie Monster plugin for Firefox. I'll have to play around with that one... thanks.

      BTW, I totally agree with your philosophy on "newb laws." If you're not smart enough to protect yourself on the internet, that's your fault.

      • by Anonymous Coward

        The only people who should be against this, are marketing companies looking to exploit peoples privacy for their own commercially gain.

        Are you both against the "Do Not Call" phone lists as well? Those are the lists of numbers which telemarketers are not allowed to call and can be fined if they do. You can find out every number registered by x company and block them from your cell phone account. You have the power, so why have a giant list? The answer is simple. Nobody wants to go through hundreds and thousa

        • by ozone702 (1243146)

          You're wrong. There are measures within your browser to help you prevent this, so imposing it on everyone is stupidity.

    • So how does that work if you never actually changed your web browser settings to accept cookies, but it accepts them anyway by default? Almost everybody's browser accepts cookies and almost nobody knows what they are. And the only browser settings anybody ever change are their homepage and bookmarks.
  • So I'll be like PC (http://www.adweek.com/adfreak/get-mac-security-94121) all the time, clicking Yes buttons when not needing them (while hating to see them), effectively priming me to approve one when I shouldn't.

    Bert

  • .radiotimes.com LOG_ID 05/28/21

    Google only goes up to 2013
     
    .google.com PREF 05/27/13 ID= ******

    See also, Radio Times recommends Internet Explorer 8 [imageshack.us]

    • by Spad (470073)

      Radio Times *advertises* Internet Explorer 8, not exactly the same as recommending it.

  • My personal opinion would be that the html standards needs to be changed. One change would be to create a session header, that does not write, and is cryptographically modified after each page access. This would prevent the websites from accidently storing session data, such as the recent linkedin session problem. Also I would change this so that only one session may be stored unlike cookies.
    Cookies then can be used for what they were intended, the storage of information relating to the site, such as p
  • How come I can't set my browser to detect what type of cookie it is and prompt me if a site wants to set a tracking cookie? Get that accomplished and... problem solved.
  • It's just cookies, who ever complained about cookies?

    Maybe we could require sites to provide milk if the serve any more than a couple of cookies...
  • I guess this comes from the Department of Redundancy Department.

Byte your tongue.

Working...