
Watchdog "Not Ready" To Probe Cookie Complaints

Posted by Unknown Lamer
from the cookie-monster's-reign-of-terror-continues dept.
nk497 writes "The UK data watchdog has admitted it doesn't have any staff investigating cookie consent complaints, more than a year after the law came in via an EU directive. The regulation requires websites to ask before dropping cookies and other tracking devices onto users' computers, and came into law in May 2011. The Information Commissioner's Office gave websites a year's grace period to update their websites, but failed to use that time to get its team together, meaning the 320 reports of sites not in compliance it's already received haven't been investigated at all."

  • by Anonymous Coward on Tuesday August 14, 2012 @12:21AM (#40981065)

    I have to wonder if the people who wrote this law even considered the complaints they likely received at the time to the effect that it would make the internet practically unusable. Yes, it's a good sentiment to not want to "track" people, but with the increasing use of cookies for actual technical purposes - not to mention logins and the like - this would quickly become unfeasible and irritating. Anyway, what of serverside tracking - you know, like Facebook almost certainly does using its extensive "Like this" and Facebook integration APIs? I am more worried about that than cookies.

    No other country's developers are going to give a crap what the EU/British government says. All this will do is hamper European businesses' internet presence and probably cause a few notable companies (Google, etc) to sever ties with the specific countries actually enforcing it. There are certainly plenty of other reasons to do so these days.

    It's kind of sad when the US is one of the less technically inept governments in the world, and it only is because of general failure to do anything.

    --BKY1701

    • Re: (Score:3, Insightful)

      by mvdwege (243851)

      What actual technical purposes for cookies are there?

      I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

      Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

      In other words: shut up, you fucking shill for the tracking ind

      • by Anonymous Brave Guy (457657) on Tuesday August 14, 2012 @03:05AM (#40981695)

        What actual technical purposes for cookies are there?

        Some obvious ones are:

        1. Maintaining an authenticated user session (logging in and out securely)

        2. Storing the current state of the user's session (shopping carts and the like)

        3. Remembering user preferences from one visit to the next

        4. Analytics within your own site

        I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.

        That simply isn't true. There are plenty of valid concerns regarding using cookies, particularly third party ones, but if they were only meant for tracking then why bother inventing things like session cookies?

        Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.

        And that specific exemption is so tightly worded that it doesn't even cover all of the examples above, which is why we then wound up with the formal opinion of the EU data protection authorities a couple of months ago covering things like first party analytics cookies.

        I'm a strong advocate of privacy, but I don't see any serious privacy problem with any of the usages mentioned above, there are obvious potential benefits to the user in each case. Regardless, how are all these "This web site uses cookies, and we know that no-one is enforcing the rules so we've put this token irritating box up even though we're relying on implied consent and we already set them all anyway" boxes doing anything useful whatsoever?

        • by mvdwege (243851) <mvdwege@mail.com> on Tuesday August 14, 2012 @03:35AM (#40981845) Homepage Journal

          All four of your examples are examples of user tracking.

          Face it, cookies are a workaround for the stateless nature of HTTP. Cookies are meant for tracking by definition.

          And you know what? Numbers 1 and 2 are covered. Number 3 is covered once you asked for permission, which you can do using number 1. That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.

          So of your three examples, 2 of them are covered, one of them is covered by extension, and one of them can be done without. I'd say, no great loss.

          You want to track me? You need my permission, and you don't get it by default.

          • by Anonymous Brave Guy (457657) on Tuesday August 14, 2012 @05:27AM (#40982197)

            Number 3 is covered once you asked for permission, which you can do using number 1.

            Only if you force users to create an account just to keep your site's media player size the same or some other trivial but convenient detail.

            That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.

            Nonsense. Every business I've worked with in recent years has used analytics to see how visitors are using their own site and ultimately provide a better experience for those visitors. Every single one. And for the record, exactly none of them sold any of that analytics data to anyone.

            You want to track me? You need my permission, and you don't get it by default.

            Then turn off cookies in your browser. It's not hard, and if you don't know how, a quick Google search will surely tell you.

            However, I'm afraid I'm not going to compromise on the experience I can offer the other 99.997% of visitors to my sites because you want to make a fuss. No-one's forcing you to visit those sites, our policies are clearly stated and always have been, we're not doing anything even remotely shady in the eyes of just about everyone (except you, apparently) and just about everyone including us and many other visitors benefits if we pay attention to our analytics reports.

            You might like to consider that if you really feel strongly about Internet privacy, you aren't doing anyone any favours either by scaremongering or by attempting to redefine commonly understood terms like "tracking" to mean something convenient for your argument but different to what everyone else means by them. When those of us who want to improve the privacy situation without throwing the baby out with the bathwater come to write to our politicians or send money to privacy groups, all it takes to counteract our reasoned arguments is one PR guy for a commercial ad network and someone hysterical like you, and the politicians who aren't experts are convinced that the advertisers are the only ones being calm and sensible, and therefore nothing needs to be done at all.

            • by mvdwege (243851)

              I'm not the one scare-mongering. You are acting as if the WWW will collapse if you have to ask users for consent to track them.

              Why are you so dead set on just being able to track me without asking me first? Have you no decency, or are you trying to hide what you want to do with my info?

              • by Anonymous Brave Guy (457657) on Tuesday August 14, 2012 @05:47AM (#40982267)

                You are acting as if the WWW will collapse if you have to ask users for consent to track them.

                You're still using that word "track" in a way that no-one else in the world does. You aren't going to win any debating points like that.

                Also, the WWW wouldn't collapse, but it would become significantly harder for those running web sites -- which you apparently value enough to visit them if any of this is a problem for you in the first place. It would be more difficult to optimise sites according to what users were actually looking for and how they were really using them. That would inevitably mean site operators couldn't convert as many visitors either, which in turn would inevitably mean that some good sites that were only borderline financially viable in the early days would fail unnecessarily, leaving no site to benefit anyone.

                Have you no decency, or are you trying to hide what you want to do with my info?

                What info do you think I am magically getting? It's not as if these things are giving up your name, DoB and home phone number. Your average analytics cookie is just a random number, and is completely anonymous. And even if I did collect personal information from you, which for example you might volunteer when signing up for an account, I would be constrained by exactly the same data protection laws as anyone else handling any other kind of personal data in my country, including filing (at my own cost) details of what I'm collecting and how it is used with my government's data protection officials, who will then make it available to the public so that anyone, including you, can read it.

          • 'analytics' also covers collecting data which allows you to see what your users are actually using on your page and even what form elements are the wrong shape or size (are users missing them when going to click on them)

            Unless you think a map like below isn't useful to web developers:

            http://csscreme.com/images/heatmaps/detail/ishrs.jpg [csscreme.com]

          • You want to track me? You need my permission, and you don't get it by default.

            That is the single stupidest thing I've ever read.
            Your browser stores cookie information and sends it to web servers because YOU CONFIGURED IT TO DO THAT.
            If you don't want to send or store cookies, don't.

        • Re: (Score:2, Insightful)

          by crutchy (1949900)

          1. Maintaining an authenticated user session (logging in and out securely)

          cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an ad

          • Re: (Score:3, Insightful)

            by Anonymous Coward

            "cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an ad

  • Cookies suck (Score:3, Interesting)

    by symbolset (646467) * on Tuesday August 14, 2012 @12:22AM (#40981071) Journal
    The WWW is supposed to be stateless for a reason. I'm going to come right out and say that the cookie is the dumbest invention since Token Ring.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Says the guy logged into /. via cookies

    • by mwvdlee (775178) on Tuesday August 14, 2012 @01:17AM (#40981331) Homepage

      The WWW is supposed to be stateless

      According to who?

    • Re:Cookies suck (Score:4, Informative)

      by dmomo (256005) on Tuesday August 14, 2012 @02:29AM (#40981599) Homepage

      No. HTTP is supposed to be stateless. WWW just makes liberal use of HTTP. Every HTTP request should be made in isolation. WWW can still be stateful while sticking to this convention.

    • by bky1701 (979071)
      It was also arguably made to be transferred over telephone lines and used by 16 bit computers.
  • Let's have some fun, otherwise this is a so "Not news" item it should be posted on Idle (the least redundundundant title should have been: Watchdog "Not Ready"). So...

    Watchdog "Not Ready" to probe cookie! Complaints.

    Watchdog "Not Ready" to probe! Cookie complaints.

    Watchdog "Not Ready" to?! Probe cookie complaints!

  • Dumb laws are dumb. (Score:5, Informative)

    by VortexCortex (1117377) <(VortexCortex) ( ... -retrograde.com)> on Tuesday August 14, 2012 @12:43AM (#40981173)

    When you go to a web site that "stores cookies" in your browser, what happens is that a HTTP "Set-Cookie" header is sent to your browser. YOU HAVE THE POWER TO DISABLE COOKIES in your browser. It's not like the remote site can make your browser save the cookie.

    The user already has every capability to prevent the remote sites from storing any cookies. Simply DISABLE ALL COOKIES. Then, if you run across a site that has a feature requiring cookies (stateful sessions, like logging in), then and ONLY THEN DO YOU ENABLE COOKIES for that site alone. White list it. Oh your browser doesn't have a white list? YES IT DOES. IE does. FF has the Cookie Monster plugin among other ways, Chrome has -- Fuck Chrome! Chromium Exists. Chrome is closed source and has Google's secret advertising sauce added if you don't like cookies why would you use Chrome?! Google Sells Ads.

    Now, being a primordial deep one from time immemorial, I remember an age before cookies existed. I used caller ID, bitrate and handshake timings to log and verify my visitors' identity in the BBS era. Then came the Internet. I used a hash of the user agent, IP address, and other header strings along with URL munging (crazy crap you see after the ? in your address bar) to identify and verify users. Cookies allowed us to stop crapping up every URL on the page, and causing massive link rot... So, you want to make laws about cookies, eh? Well there are levels of tracking we are willing to accept, and we don't even need the damn cookies to do so. Enjoy server side storage of your IP address, browser signatures, and Query Strings cocking up your bullshit European URLs....

    Get bent morons. Cookies are good for you, at least YOU can control them. You can't very well control whether or not servers use URL munging....

    • The problem is that most people have no idea about anything. I agree though, making laws to ask sites to comply to some regulation is stupid. Browsers should have better and easier to use cookie whitelisting by default. This way, if a website detects it's not on the whitelist, it will have to ask the user to add them to the whitelist.

      Also, people use Chrome because it's faster. It's just way faster than Firefox, at least on Windows on my slow PC.

    • by epp_b (944299) on Tuesday August 14, 2012 @02:21AM (#40981579)

      I've been wanting to say exactly this every time I see another retarded story about cookies. Thanks for giving me a hand.

      Just in case it was missed: COOKIES ARE HELPFUL TO YOU, YOU MORONS.

      Want online shopping? Cookies.
      Automatic login to 9000 different sites? Cookies.
      Remembered configurations and searches? Cookies.
      Convenient URLs that you can remember? Cookies.

      As the parent explained, YOU hold the control in deciding what, how and when sites can store cookies on your machine. If you can't be arsed to spend a half hour learning to protect your privacy, you don't deserve it.

      Dim-witted, pandering, posturing politicians passing some idiotic "cookie legislation" is going to cause you to have *less* privacy, security and convenience.

      • by Smauler (915644)

        As much as I am in favour of the intent of this law (restricting access to people you don't want to access your browsing habits), it's not working in the slightest, and it was _never_ going to work.

        Firstly, people don't want it (popups asking if they want cookies enabled are annoying and counterproductive)

        Secondly, no one is actually complying with the law, including governmental bodies.

        Thirdly, the internet is global now (wait, when did that happen?)

        All that, and like parent said, cookies are a good thing in lo

      • by MrL0G1C (867445)

        Want online shopping? Cookies.

        Agreed and it should be read as implied when you visit such a site that you would want the shopping cart to work.

        Automatic login to 9000 different sites? Cookies.

        Ugh, no thanks, trackers wet-dream this one. Firefox and password-safe remember my passwords and that's the way I like it.

        Remembered configurations and searches? Cookies.

        With cookies this is for tracking, the browser can do this without cookies. If you like a site enough then fine, but 99% of sites I visit don't need 'configuring'.

        Convenient URLs that you can remember? Cookies.

        Eh, I don't even get this one, I don't need to remember any more than slashdot.org etc, and I use bookmarks, how d

    • It's not as simple as that. You are missing the usual "but we are geeks" syndrome. For a /.er disabling all cookies and then inspecting incoming ones individually to decide which to enable might be something they can do and willing to invest the time in. For normal people doing that for every website they use isn't really a viable option.

      Hence a law that forces website owners to break down cookies to roles and present Mr. Normal Person a simple explanation of what they do and allow them to enable them or not

    • by pe1chl (90186)

      Of course whitelisting cookies by site is useless. Many sites send different cookies, you want to block some of them but not all.
      Blocking by name is difficult because there is no name convention.
      When every session cookie would start with SESS and every tracking cookie with TRK, it would be easy.
      Now that there is no such naming convention, and no tools in place to do anything with cookie names, it is probably best to add
      another field to cookies, to convey cookie intent. Then users can allow or block cook
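The per-site white list VortexCortex describes, combined with the per-cookie decisions pe1chl asks for, as an added example that is not part of any comment in this thread: a client-side policy that inspects each `Set-Cookie` header and decides whether to store it. Host names, cookie names and the whitelist layout are constructed, and the first-party test is a simplified suffix match rather than a browser's registrable-domain check.

```python
# Added example with constructed data: decide per Set-Cookie header whether
# the client stores the cookie. Nothing here is a real browser's API.
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lower-cased attribute name -> value ("" for bare flags)

    @property
    def persistent(self) -> bool:
        # Without Expires or Max-Age the cookie is a session cookie and is
        # discarded when the browser session ends.
        return "expires" in self.attrs or "max-age" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse the value of one Set-Cookie header."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, sep, value = first.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a cookie pair: {first!r}")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def same_site(response_host: str, page_host: str) -> bool:
    # Assumption: the responding host is first party if it is the page host
    # or one of its subdomains.
    r, p = response_host.lower(), page_host.lower()
    return r == p or r.endswith("." + p)


def decide(page_host: str, response_host: str, header: str, whitelist: dict):
    """Return (store, reason) for one Set-Cookie header.

    whitelist maps a whitelisted site to the names of the persistent
    cookies the user accepts from it; session cookies from a whitelisted
    site are always accepted.
    """
    cookie = parse_set_cookie(header)
    if not same_site(response_host, page_host):
        return False, "third-party response"
    if page_host not in whitelist:
        return False, "site not whitelisted"
    if not cookie.persistent:
        return True, "session cookie from whitelisted site"
    if cookie.name in whitelist[page_host]:
        return True, "persistent cookie allowed by name"
    return False, "persistent cookie not allowed by name"


# Constructed traffic: (page host, responding host, Set-Cookie value)
SAMPLE = [
    ("shop.example", "shop.example", "sid=abc123; Path=/; HttpOnly"),
    ("shop.example", "shop.example", "visitor=9f2c; Max-Age=63072000; Path=/"),
    ("shop.example", "shop.example", "playersize=large; Max-Age=2592000"),
    ("shop.example", "ads.tracker.example",
     "uid=77aa; Max-Age=31536000; Domain=tracker.example"),
    ("news.example", "news.example", "sid=zzz; Path=/"),
]

# The user whitelisted one site and one persistent cookie name on it.
WHITELIST = {"shop.example": {"playersize"}}


def run(sample, whitelist):
    """Apply the policy to every sample response; return (name, store, reason)."""
    results = []
    for page_host, response_host, header in sample:
        store, reason = decide(page_host, response_host, header, whitelist)
        results.append((parse_set_cookie(header).name, store, reason))
    return results


if __name__ == "__main__":
    for name, store, reason in run(SAMPLE, WHITELIST):
        print(f"{name:<11} {'store' if store else 'drop':<5} {reason}")
```

The two-year `visitor` cookie and the session `sid` come from the same whitelisted site and get different verdicts, which is the distinction a per-site list alone cannot make; the name rule still has to be maintained by hand because the header carries no statement of purpose.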

  • by Grayhand (2610049) on Tuesday August 14, 2012 @12:58AM (#40981239)
    I still remember back in the late 90s when we all blocked cookies. Now if you do it cripples a lot of the internet sites. Sad how badly abused our privacy is these days. Cookies could have been handled in a non-evil manner but it wouldn't have helped the corporations invade our privacy.
  • by _Ludwig (86077) on Tuesday August 14, 2012 @01:03AM (#40981263) Journal
    This is stupid. Why is the burden on millions of websites instead of a handful of browsers? Mandate that any web browser distributed in the U.K. default to "Ask me before allowing cookies." It should be the default anyway.
    • by mvdwege (243851)

      Because the burden is on the one infringing on my right to privacy to prove necessity, not on me.

      Given the loud whines of Facebook-wannabe's and their shills, one wonders what they have to hide about why they collect all that browsing information?

      • by _Ludwig (86077)

        If a browser is allowing your privacy to be invaded via tracking cookies, that's a problem with the browser. Not that the shady sites are free of responsibility, but you the user don't have to prove anything in any case.

        An absurdly exaggerated analogy: If an OS shipped with all ports open by default and replied to any request with the contents of your address book, would it make more sense to make the manufacturer fix the faulty OS, or to try to prosecute everyone everywhere who took advantage of it?

        • by mvdwege (243851)

          Fuck you and the false dichotomy you rode in on.

          Why not do both?

          And again, it's the websites that want my personal info (yes, my browsing habits are personal info), they should have to justify themselves, not me.

          Mart

          • by _Ludwig (86077)

            Again, who is asking you to justify yourself?

            First-party cookies do not track your “browsing habits” anywhere but on the particular site that you are visiting, and they already know you’re there.

      • by bky1701 (979071)
        "Because the burden is on the one infringing on my right to privacy to prove necessity, not on me."

        Or, you could, you know, block their cookies. Or disable cookies entirely. Or get the fuck off the internet if you are THAT worried about privacy, because, let me tell you, cookies are the absolute least of most people's privacy woes here.

        Check the link in my signature. It's relevant.
        • by mvdwege (243851)

          Sure, and women could be safer by not walking down certain streets in too sexy clothing.

          I reiterate, it's up to you to prove to me why I should give something of mine up to you. All other public transactions work that way, and yet you want a blanket reversal for the personal info merchants. It is you who owes the public an explanation.

          And behaving like a spotty twerp with a bully complex is not helping your case.

  • by Nihn (1863500) on Tuesday August 14, 2012 @01:11AM (#40981293)
    They have been accepting money but not producing anything...politics as usual.
  • by maroberts (15852) on Tuesday August 14, 2012 @01:26AM (#40981377) Homepage Journal

    Am I the only one who thinks that these popups which state "we're using cookies" are highly annoying?

    Almost everyone apart from your aged grannie knows that you are tracked on sites by use of cookies, so what is the point of this bureaucratic nonsense? It's almost like a secret plot; a small step to making the net unusable.

    If you really want to ban something, block sites from opening 3rd party poker/porn sessions in windows behind your current window, not that such things happen to me of course.....

    [/rant]

    • by gagol (583737)
      My solution: AdBlock+ lets you flag any DIV as bad evil advertising... just point to the annoying part and you are off the hook!
    • by bky1701 (979071)
      It's just another group of governments trying to flex their muscle to prove how bravado they are over the internet. It'll fail, they'll destroy their own IT industry in the process while the companies move to some less problematic country (in this case, the US), and no one will ever call the governments on it. It happens often.

      Europeans especially seem to be unusually prone to this. At least us Americans tend to bitch about everything before, during, and after; that's arguably why we're still freer in a
    • by coofercat (719737)

      I actually agree with you - it's a futile law. However, what it has done is made website owners think about what they're doing. Granted, most just say "we use cookies, if you use our site you agree to get them from us", but some sites are dropping the 3rd party cookies they don't need because they don't want to have to argue the toss for something they don't use.

      This hasn't revolutionised anything, it hasn't even made an incremental change, but it's started a conversation. In that sense it's good. In most o

  • by epp_b (944299) on Tuesday August 14, 2012 @02:31AM (#40981601)

    Have a website? Disable and redirect EU visitors to a message explaining that they cannot use your website until they pester the morons in government who implemented this crap until it's reversed.

    I'd love to see something like this gain traction. All it would take is a big player like Amazon to make this happen.

    • That's certainly an idea but consider it from the website owner's point of view. They're already making their website less competitive (globally) with annoying pop-over nonsense. Some websites actually don't work until you've explicitly agreed to have cookies (a poor interpretation of the law, IMO).

      What do you think a user is going to do if they have to sit through a five minute, hell, even a 30 second political complaint before they can even use the site? Well, if that site, like many sites, has a billion

    • by bky1701 (979071)
      Or just hold no physical presence in those countries, and still sell to them. More or less the same thing done with sales tax in the US. All this sort of thing does is make EU countries less likely to compete in the internet market. I guess I should be happy about it: it means the US will be able to pick up a lot of the space left by them.
  • by martijnd (148684) on Tuesday August 14, 2012 @02:43AM (#40981635)

    The law in the Netherlands is that you have to inform users that you are going to put a cookie on their computer.

    EXCEPT if the cookie is required for the core functionality of your website. So your shopping cart can put its 1st party cookie, and you are not in hot water.

    Most websites use Google Analytics. That is where you have to start putting up the "Smoking Cookies Kills" banners that will likely hurt your website's traffic significantly. The best thing is to avoid the banner altogether and stay still within the law.

    So it's time to drop Google Analytics; it's cool, it's nice and now a drag on business.

    I have already found one alternative that looks half decent and doesn't require me to put up any cookies at all: PiWik (http://piwik.org/ [piwik.org])

  • by el_flynn (1279) on Tuesday August 14, 2012 @02:51AM (#40981653) Homepage

    I think a lot of comments here are focused on the wrong thing.

    TFA says "the ICO has yet to investigate a single website... because its investigative team isn't ready to start work - more than a year after the new laws came into force". So TFA is more about a culture of "shoot first ask questions later" that is prevalent in government agencies - NOT about the validity/ethics of having the rules in the first place. It's already in place, people - arguments about whether cookies are good or bad should have already taken place ages ago when vetting the rule.

    So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

    • Re: (Score:3, Informative)

      by Dark$ide (732508)

      So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

      The UK Gov't is only implementing what the stupid folks in the EU Gov't told them to. The real problem is that the EU Gov't allowed this crap to go through in the first place. We need to get some (members of parliament) MPs and (members of the European parliament) MEPs who have a clue about IT, who have a clue about how the Internet works. That's the underlying problem - we've got clueless career politicians with a supporting organisation made from clueless lawyers and MBAs.

    • by Hatta (162192)

      So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?

      The real question is, why isn't there any recourse against an enforcement agency that refuses to enforce the law?

  • So we gonna have at the same level an annoying warning from sites that just need a session cookie to ease our users lives, and on the other hand the same warning from Facebook-like sites that require a once warning/cookie to track you the hard way through tons of other unsuspected sites having the Facebook "Like" button. Ridiculous.
  • facts (Score:5, Informative)

    by Tom (822) on Tuesday August 14, 2012 @04:23AM (#40982025) Homepage Journal

    I hate to burst everyone's babble with facts, but here you are:

    http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx [ico.gov.uk]

    important key points:

    • Implicit consent is valid in many cases
    • some cookie uses are exempt, especially session ids, shopping carts, etc.

    Sorry for brutally slaughtering half the comments posted so far.

    As I read it, what this basically asks me to do is put an information that my site uses cookies somewhere with a link to a page that explains what I use the cookies for. If you're doing the usual stuff (session ids), you're probably done with two sentences.
