Watchdog "Not Ready" To Probe Cookie Complaints 166
nk497 writes "The UK data watchdog has admitted it doesn't have any staff investigating cookie consent complaints, more than a year after the law came in via an EU directive. The regulation requires websites to ask before dropping cookies and other tracking devices onto users' computers, and came into law in May 2011. The Information Commissioner's Office gave websites a year's grace period to update their websites, but failed to use that time to get its team together, meaning the 320 reports of sites not in compliance it's already received haven't been investigated at all."
Re:Cookies suck (Score:3, Insightful)
Says the guy logged into /. via cookies
They could have been a positive thing (Score:3, Insightful)
Why is the burden on millions... (Score:5, Insightful)
Re:Like anyone is going to follow this (Score:3, Insightful)
What actual technical purposes for cookies are there?
I wish you apologists for the privacy-violators had a better grasp of the technology; the whole point of cookies is to track the user, that's what they were invented for.
Now, some kind of tracking, like session tracking, may be necessary for the functionality of your site, but if you'd done your homework, you know that the makers of the directive considered that, and gave a specific exemption.
In other words: shut up, you fucking shill for the tracking industry.
Mart
Re:Dumb laws are dumb. (Score:5, Insightful)
I've been wanting to say exactly this every time I see another retarded story about cookies. Thanks for giving me a hand.
Just in case it was missed: COOKIES ARE HELPFUL TO YOU, YOU MORONS.
Want online shopping? Cookies.
Automatic login to 9000 different sites? Cookies.
Remembered configurations and searches? Cookies.
Convenient URLs that you can remember? Cookies.
As the parent explained, YOU hold the control in deciding what, how and when sites can store cookies on your machine. If you can't be arsed to spend a half hour learning to protect your privacy, you don't deserve it.
Dim-witted, pandering, posturing politicians passing some idiotic "cookie legislation" is going to cause you to have *less* privacy, security and convenience.
Some can't see the forest for the trees. (Score:4, Insightful)
I think a lot of comments here are focused on the wrong thing.
TFA says "the ICO has yet to investigate a single website... because its investigative team isn't ready to start work - more than a year after the new laws came into force". So TFA is more about a culture of "shoot first ask questions later" that is prevalent in government agencies - NOT about the validity/ethics of having the rules in the first place. It's already in place, people - arguments about whether cookies are good or bad should have already taken place ages ago when vetting the rule.
So the real question is, why pass a law when there's no clear indication on the lawmaker's capability to enforce it?
Re:Like anyone is going to follow this (Score:0, Insightful)
"All four of your examples are examples of user tracking."
No, they are examples of storing information. A shopping cart is as much tracking as the CRC handbook is a vast spy network focusing on chemists.
"And you know what? Numbers 1 and 2 are covered."
Do you mean technically? Or legally? Or magically? It's hard to tell with you, because facts do not seem to be required for you to yell something.
"You want to track me? You need my permission, and you don't get it by default."
You know, if you feel so strongly about this, why not take a trip to your fucking browser settings, you dumbshit. You can never be "tracked" again just by disabling them completely. Hell, most browsers either have the built in or plugin-supported functionality to ask you every time a site tries to save a password.
I guess that would be too hard for you. The world has to adapt to you and what you consider to be good and bad. You're not sure how they will, but they'll have to, because the great mvdwege decrees it.
--BKY1701
Re:Like anyone is going to follow this (Score:2, Insightful)
1. Maintaining an authenticated user session (logging in and out securely)
cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an additional requirement.
if the user is more interested in convenience than security that they would prefer a cookie, then a URL session ID probably isn't out of the question. at the end of the day, nothing is 100% secure, as cookies can be hijacked
2. Storing the current state of the user's session (shopping carts and the like)
mysql
3. Remembering user preferences from one visit to the next
mysql
4. Analytics within your own site
mysql
even notwithstanding all this, if you're not decent enough to seek the user's permission before dropping a cookie, then you're not dropping cookies for anything other than secretly tracking them. if you need to drop a cookie for any legit reason, then the user is more likely to grant permission to retain functionality than deny for the sake of some misguided privacy paranoia. in any case, for my sites i offer the option of using a cookie or (by default) keeping track of a session using a hidden post parameter for the session ID in each form. they don't need to know the details, just that if they want to be able to revisit without logging on then a cookie is recommended, and even when they elect to use the cookie, there is a button to delete the cookie and revert to the post parameter
Re:Like anyone is going to follow this (Score:3, Insightful)
"cookies aren't required for that. they do offer the user the ability to automatically login (using a cookie) next time they visit, but you can do that without cookies too by either including a session identifier as a url get parameter (not recommended) or have a timeout set when you login that allows you to revisit without logging in again for a set period of time, authenticated by combination of IP address and username; IP address can be spoofed, so you might add a get parameter with a session ID as an additional requirement.
if the user is more interested in convenience than security that they would prefer a cookie, then a URL session ID probably isn't out of the question. at the end of the day, nothing is 100% secure, as cookies can be hijacked"
So opening a second browser window to the same site fails to be logged in (because it lacks the session). Or someone on your network is logged in as you, because lo and behold, they have the same IP.
More interested in convenience than security? For fuck's sake, get a clue about website design and security. Cookies, possibly with the ADDITION of the other two systems, are the industry standard for security. Cookies effectively allow re-authentication for every page view by sending a hash of identifying information to the server which can then be checked against the stored hash. IDs have usability issues enough to make them unsuited to general use, which is why they have not been used since the 90s. IPs alone are so insecure they are effectively not authentication. Cookies are the answer decided upon. Indeed, they are the onyl practical answer. I am sorry if you dislike that. Do not use the internet.
"3. Remembering user preferences from one visit to the next" - "'mysql'"
Sure... but what if you do not have user accounts? Are you going to store settings by IP? Yeah, we'll see how that goes. Obviously not by GET variable. So what, exactly, is your answer? Right. You have none. You're just a ranting idiot like the other one.
--BKY1701
Re:Like anyone is going to follow this (Score:5, Insightful)
Number 3 is covered once you asked for permission, which you can do using number 1.
Only if you force users to create an account just to keep your site's media player size the same or some other trivial but convenient detail.
That leaves 'analytics', which is usually PR-speak for 'tracking user browsing and selling it to the highest bidder'.
Nonsense. Every business I've worked with in recent years has used analytics to see how visitors are using their own site and ultimately provide a better experience for those visitors. Every single one. And for the record, exactly none of them sold any of that analytics data to anyone.
You want to track me? You need my permission, and you don't get it by default.
Then turn off cookies in your browser. It's not hard, and if you don't know how, a quick Google search will surely tell you.
However, I'm afraid I'm not going to compromise on the experience I can offer the other 99.997% of visitors to my sites because you want to make a fuss. No-one's forcing you to visit those sites, our policies are clearly stated and always have been, we're not doing anything even remotely shady in the eyes of just about everyone (except you, apparently) and just about everyone including us and many other visitors benefits if we pay attention to our analytics reports.
You might like to consider that if you really feel strongly about Internet privacy, you aren't doing anyone any favours either by scaremongering or by attempting to redefine commonly understood terms like "tracking" to mean something convenient for your argument but different to what everyone else means by them. When those of us who want to improve the privacy situation without throwing the baby out with the bathwater come to write to our politicians or send money to privacy groups, all it takes to counteract our reasoned arguments is one PR guy for a commercial ad network and someone hysterical like you, and the politicians who aren't experts are convinced that the advertisers are the only ones being calm and sensible, and therefore nothing needs to be done at all.