Sweden Crunches Cookies 401
dillkvast writes "According to this article (Swedish) at ComputerSweden, Swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves Swedish websites with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for Swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."
mostly not a problem: (Score:5, Interesting)
Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.
Actually, scratch that, most websites will just ignore the law and get on with life.
Bigger security risk (Score:5, Insightful)
Re:Bigger security risk (Score:3, Insightful)
Re:Bigger security risk (Score:5, Insightful)
Wouldn't this present a problem where the user is behind a proxy?
Re:Bigger security risk (Score:5, Informative)
Re:Bigger security risk (Score:3, Informative)
OK - wouldn't that be a problem where the user is behind *multiple* proxies, so the IP address that the website sees could change from hit to hit?
(I'm behind such a set of proxies right now..)
Re:mostly not a problem: (Score:3)
Well, Slashdot "works" when you disable cookies until you try to post a message. Then it seems that you always post as an AC even if you entered your name and login first, and even when the preview page acknowledges your logging in.
I'm not sure if this is a bug or an intended design "feature", but it seems that despite all the hand-wringing her
Re:mostly not a problem: (Score:4, Informative)
In PHP, URL-rewrite slows things down and bloats your script. It also makes your URLs look ugly: sometimes you may want them to stick in the user's mind.
While for a forum this may be OK, for a fairly big user-centric website it is simply ridiculous to have to do away with cookies--they are a convenient way to deal with things "behind the curtain"; they also have the added security of not being immediately visible to the user (he has to want to see them, by looking at his filesystem or other.)
Privacy-wise, all decent modern browsers have some form of modern cookie filtering--the user can choose to block, etc.
The only solution I see is, as suggested below, have a front page which tells the user and gives him the choice to leave.
All in all, I find this law a little silly, although of course I understand the privacy concern.
Re:mostly not a problem: (Score:4, Insightful)
Cookies are often overused anyway. Check your own cookie cache and check the number that are used to track you vs the number for your convenience (like Slashdot remembering your login). For me at least the first category by far outweighs the latter.
Re:mostly not a problem: (Score:4, Interesting)
When you have user log-in to a particular part of the site, you need to store username, password information, and some other session variables in a cookie, so that on subpages within the part that needs to be logged into can check to see if the user is properly logged in. I like to check to see if the user is the actual user I think they are.
I guess you've never used php before.
Especially for a site you need to log into.
Hope this law never passes in the US, if you don't want cookies from a site, don't go there.
Does this law allow you to deny service to a user who doesn't accept the use of cookies?
Re:mostly not a problem: (Score:4, Informative)
do you want to remember my password (uses cookies) (x) yes ( )no
Hardly... Have you *ever* tried to disable cookies altogether? It is difficult to get things done. Most websites will simply refuse navigation without cookies. Microsoft's idea of a "session cookie" that disappears after you leave the site was a good idea but their implementation does not work (it is the same as turning cookies off).
While this isn't a problem for advanced users, I do build and deploy a number of PCs for friends and family. IE is a requirement because many sites are not up to speed on Mozilla yet.
Argh...
Re:mostly not a problem: (Score:2)
..only if they chose "ja", otherwise it's illegal
Re:mostly not a problem: (Score:4, Interesting)
Seems a bit harsh (Score:5, Informative)
It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
Re:Seems a bit harsh (Score:5, Informative)
If you're using ASP scripts, put in at the top of your page. That will disable the default session cookies.
Re:Seems a bit harsh (Score:3, Interesting)
The point is: It is your job and duty to make sure that you are complying with the local law.
The argument is that a law that implicitly makes it illegal to use IIS in its default configuration is an unfair law
Following your argument, no law should be passed if a software already exists that violates it ? That can't be it right? Sof
Re:Seems a bit harsh (Score:2)
Re:Seems a bit harsh (Score:2)
And if you don't know enough about ASP to disable cookies, perhaps your work should have been passed through some kind of expert panel before they let you loose on the internet?
It's always irritating to get a site trying to set a cookie without saying why, and I _always_ block them if they do that. Places like slashdot, w
Re:Seems a bit harsh (Score:3, Funny)
Re:Seems a bit harsh (Score:4, Insightful)
The new Swedish law does not mention cookies as such. The new law is, simply said, a response to the new technologies for collecting/storing/tracking information about private citizens, and the abuse these technologies may be used for. It attempts to give the private citizen some control of what type of information is collected, and what may be done with that information.
In general, it appears the privacy/integrity is more respected/protected in Europe than in USA. While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime [tu-dresden.de]
Re:Seems a bit harsh (Score:4, Insightful)
That is because we have not had our Police State experience yet. After the Untied Police States of America comes into being, and then eventually is overthrown, we will value things like anonymity. If we never have this experience, then we might instead just continue to have a gradual erosion of many rights. Of course, I suppose that eventually this would have to lead to the United Police States. The pendulum will probably have to swing fully one direction and then back.
Re:Seems a bit harsh (Score:4, Informative)
A lot of people here in Sweden are starting to call for dropping the neutrality clause since it was never actually followed anyway.
And as far as police states are concerned, we've had our touch of recording of "dangerous" people (like communists) by police.
PTS has a compliant website running IIS (Score:4, Informative)
Btw, I might add that I know one of the major lawyers responsible for this law.
Re:Seems a bit harsh (Score:3, Interesting)
It annoys me that tech types with insufficient grasp of the law create products or services without realising the consequences.
Most laws in democratic societies do pass through an "expert panel", the problem is who defines "expert". Unfortunately the same cannot be said about products and services, no expert panel required.
Clicking on the link... (Score:4, Funny)
Re:Clicking on the link... (Score:3, Funny)
Du yuoo eccept zee fullooeeng egreement, in vheech yuoo let svedeeshcheff.cum lueds toons und toons ooff cuukeees streeet frum oooor brund noo oofee durectly tu yuoor veb soorffer fur nu epperent coose-a et ell?
Didn't you realise?
Great! microsoft.com..piracy.. howtotell.. (Score:2)
We Know Where You Went Today
-
Christ, what next (Score:5, Interesting)
-josh
Re:Christ, what next (Score:2)
This does not change the fact that the Swedes are dumbasses.
Re:Christ, what next (Score:4, Informative)
Re:Christ, what next (Score:2)
Re:Christ, what next (Score:2)
PHP and cookies .. (Score:2, Interesting)
So you can effectively track the user on the server side like this
Implied Consent (Score:5, Insightful)
Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?
Re:Implied Consent (Score:3, Insightful)
What if your browser came pre-configured?
What if you open Hotmail, and it says you need to enable Cookies to use it?
What if sites used Cookies for purposes other than for the intended browsing experience?
Wake up folks, know how to operate your browser.
More than 60% Slashdotters use IE, use the default settings of Slashdot -
Re:Implied Consent (Score:3, Insightful)
The car had a lock on it? Well, blow me down - I wondered what that little keyhole under the door handle was. Well, I never. Still, you can't expect me to learn how to lock the car just to avoid crooks, can you?
Oh, you can?
Oh.
Re:Implied Consent (Score:2)
The fact is cookies are seldom essential, to improve the browsing experience. Car locks serve only to secure the car, no other useful purpose I can think of.
Would you like if you had to use 6 keys to secure your car, and just 1 to open it? Would you like it if you had to change locks and keys every week to ensure no one 'sampled' your key when you were watching a movie?
Can your car key be compromised, except without an identic
Re:Implied Consent (Score:2)
I can invade the privacy of web clients without using cookies. I can do it with cookies. I can also build legitimate applications using cookies. So, why make using cookies harder? Why not legislate for privacy?
The best way for legislation to protect you from crooks is not to ban their tools,
Re:Implied Consent (Score:2)
Actually with the exception of embedding user state information in the url (which pretty much fscks up the url so the user can't add it to favorites or pass it around) it is the only way for the server to maintain state in multi page surf sessions to the same site. You know, like how Hotmail, Slashdot, etc... remember who you are once you put in your username and password (within the same session, not talking about coming back t
Re:Implied Consent (Score:2)
Re:Implied Consent (Score:2)
Re:Implied Consent (Score:2)
What disturbs me the most is that you people are supporting cookies when you are all privacy freaks.
Not everyone has Konq or whatever other browser lets you block the cookies that you don't want and accept others. Not everyone wants to download a third party application to do that either.
They want to surf the web, safely, without people storing informatio
Re:Implied Consent (Score:2)
I suspect that you don't know what cookies do or how they work, either. If you did, they wouldn't bother you.
Re: (Score:2)
Re:Implied Consent (Score:3, Insightful)
Why do you fear cookies?
A few years ago, the public was against cookies. I had users calling me up all the time, because their web browser "didn't work". Frequently, the problem was that they had turned off cookies, and couldn't access a lot of sites.
When I asked them "why did you turn cookies off?" the answer was always the same - "I don't want them to know my credit card number."
I had to tell them again and again, cookies can only store information that you supply. And the si
Poor Swedish website designers (Score:3, Interesting)
I don't really think this matters that much. Especially, if you use something like Mozilla that can selectively block cookies. I let in cookies only from my netbank and Slashdot. If some other site won't let me in without cookies, they won't get a hit from me then.
Re:Poor Swedish website designers (Score:2)
Also the law text has some loopholes such as (my translation):
All this means is that you can never set a cookie for tracking purposes or to generate banner ads for
Misspelling? (Score:2, Funny)
Shouldn't that be "comes into farce"
dumb but not a big deal (Score:5, Insightful)
There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.
Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.
A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.
As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.
Re:dumb but not a big deal (Score:3, Insightful)
how do I know if I should let it?
I don't know what its tracking or what it will be used for.
there needs to be more information than just its a cookie.
Re:dumb but not a big deal (Score:2)
Just host your site elsewhere. Given the hourly rate for rework, and that the entire damn site is going to be rewritten to come up with a hack that simulates session state cookies
boolean Assert (boolean lotsOfThings)
{
Assert = false;
}
Re:dumb but not a big deal (Score:2)
I believe it looks at the referring URL, gets the GUID, and then inserts the GUID into the response in the format:
http://domain.com/yourfolder//page.aspx
Re:dumb but not a big deal (Score:2)
A special web page (Score:5, Funny)
English version... (Score:5, Informative)
Legislating around IETF standards (Score:5, Insightful)
What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.
This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.
Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.
Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. Legislating to effectively override IETF standards is a dangerous direction to go in.
Re:Legislating around IETF standards (Score:2)
So, what's the essential difference to SMTP and opt-in legislation? Opt-in requires the consent of the recipient before any advertising can be sent. It is possible to configure SMTP server to reject messages just like it'
Re:Legislating around IETF standards (Score:2)
Re:Legislating around IETF standards (Score:2)
The law does not deal with specifics at that level. What will happen is that there is a Government agency interpreting the law and giving regulations/rules when new technologies appear.
Re:Legislating around IETF standards (Score:3, Insightful)
Slightly different; when I make an HTTP request, I'm expecting an HTTP response. No web server sends out unsolicited HTTP responses to clients on the offchance they'll pick them up and set a cookie
HTTP responses are always solicited, including a Set-cookie header in there is not a huge burden on the client. SMTP servers are serv
Re:Legislating around IETF standards (Score:3, Informative)
A compromise solution (Score:4, Interesting)
Just use Java Web Applications ;-) (Score:2, Informative)
Just use Java Web Application with JSPs. They automatically handle the generation of sessionId with cookie or URL rewriting without any modification to the source code.
You really don't --need--- cookies (Score:3, Interesting)
This is a real problem with web based interfaces. (Score:2)
Although the web is where a lot of great open source devel
Stupidest idea ever. (Score:2, Interesting)
I can't exactly see the big problem with cookies (other than that it's an unreliable solution for remembering user-data).
As already mentioned, if PHP is using sessions, it will first try to set a cookie with the session-ID. If that fails, it will pass the session-ID along with the url or automagically add a hidden-field to forms.
Good luck rewriting ALL php-sites that use sessions.
As I see this, cookies do more good than harm, and it's no problem disabling th
Cookies not needed (Score:2)
I once wrote an othello game that played this way. You could take back moves because it was stateless on the server end. The pointer also changed over the legal move squares because they had URLs under them. I may still have C source somewhere.
BTW, first one to patent this please send me a check as thanks.
Re:Cookies not needed (Score:3, Interesting)
All a cookie is is a session ID, the actual data in the session is kept on the server. It's just neater not to have to rewrite every URL, and it's nice to have the option of persistence. For everyone who is pointing out ways of living without cookies, you're missing the point. Cookies don't allow you to do (much) you can't do otherwise, they just let you do it more neatly and more reliably.
Cookie blocking (Score:2)
Now I use Mozilla Firebird and block any cookie that isn't from a site that I'm logged into. Does anyone know what kind of heuristics MSIE used to determine which cookies are good and which are bad?
Re:Cookie blocking (Score:2)
Re:Cookie blocking (Score:4, Informative)
Internet Explorer 6 uses the Compact Privacy policy as specified in the W3C P3P spec [w3.org]. It uses this to determine whether a cookie is unsatisfactory [p3pwriter.com] (different rules based on whether it is a third party cookie or not). MSDN has documentation covering Internet Explorer's decision matrix [microsoft.com] (unfortunately framed).
EU law (Score:5, Informative)
meanwhile... (Score:5, Insightful)
Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.
Only really applies to information gathering (Score:5, Informative)
That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.
However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
Can someone translate this please (Score:5, Insightful)
Specifically:
Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.
Turning the tables? (Score:2)
Browser makers' responsibility? (Score:2)
5-10 programs would be impacted instead of the tens of thousands of sites which will be impacted by this (stupid) law.
If there wer
Wouldn't it be a wonderful world... (Score:5, Informative)
First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.
Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.
I don't see any problem with this law, but I do see a lot of good things coming from it. Less spying from evil banner-ad companies for one.
My 2 cents worth..
Re:Wouldn't it be a wonderful world... (Score:2)
Re:Wouldn't it be a wonderful world... (Score:2, Informative)
The link (IDG.se) contains false information.
My conclusions come from the actual law [riksdagen.se]..
This text is enormously long (and boring), so translating it isn't really an option for me. Sorry..
bill the government (Score:2)
Deep linking (Score:2)
And the Swedish Chef says... (Score:2, Funny)
Bork bork bork!
What about software (Score:2)
Utterly moronic (Score:5, Informative)
Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.
Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
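The leak described in the comment above can be checked for in web server logs. The following is an added example, not part of the original thread: it scans access-log lines for session ids carried in request URLs or Referer headers and redacts them. The Combined Log Format, the parameter-name list, the host `forum.example` and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed list of URL session parameter names: "SID" is the one named in the
# comment, PHPSESSID is PHP's default, jsessionid is added by JSP URL rewriting.
SESSION_PARAMS = {"sid", "phpsessid", "jsessionid"}
PATH_PARAM_RE = re.compile(r";(jsessionid)=[^;/?#]*", re.IGNORECASE)

# Combined Log Format: client ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (not real traffic) from the log of forum.example.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:01 +0000] "GET /forum/view.php?topic=7&SID=12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2000:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "http://shop.example/cart.php?PHPSESSID=abc123def456" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2000:10:01:30 +0000] "GET /cart.jsp;jsessionid=A1B2C3?item=4 HTTP/1.1" 200 900 "http://forum.example/" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2000:10:02:00 +0000] "GET /about.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]


def redact_url(url):
    """Return (url with session ids replaced by REDACTED, names of ids found)."""
    parts = urlsplit(url)
    found, query = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append(name)
            value = "REDACTED"
        query.append((name, value))
    # JSP-style path parameter: /page.jsp;jsessionid=...
    path, hits = PATH_PARAM_RE.subn(
        lambda m: ";" + m.group(1) + "=REDACTED", parts.path)
    if hits:
        found.append("jsessionid")
    clean = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))
    return clean, found


def scan(lines, own_host):
    """Report every session id that ended up in this server's access log."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.match(line)
        if not match:
            continue  # not Combined Log Format; ignored here
        for field in ("target", "referer"):
            clean, found = redact_url(match.group(field))
            if not found:
                continue
            if field == "target":
                kind = "id-in-request-url"          # our own id, now on disk
            elif urlsplit(match.group(field)).hostname == own_host:
                kind = "id-in-own-referer"
            else:
                kind = "id-leaked-from-other-site"  # someone else's id sent to us
            findings.append({"line": number, "kind": kind,
                             "params": found, "redacted": clean})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "forum.example"):
        print(f["line"], f["kind"], f["params"], f["redacted"])
```

A session id sent in a cookie appears in neither logged field, so the same scan over a cookie-based site reports nothing.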
What they gather (Score:2)
My browser is not set up to block cookies. My browser is set to notify me, however, & pops up a privacy notice every time one gets sent, and gives me the option to block them. You know that AOL ad with the screen full of pop-ups? I was astounded, when I tested, to see how many sites such as MSN will send you. Including the ones for ad servers that deliver popups. My
Read the freaking law (Score:5, Informative)
The law explicitly allows using cookies for session management, identity and persistence without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.
The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.
Just ignore the hysterical rhetoric from IDG.
Microsoft solved this already (Score:2, Informative)
Bloody annoying if you are coding a web application, I assume it broke a lot of old stuff
No Cookies? No Problem. (Score:2)
No cookies, and you can still track just how many times the user clicked on the link for dirty pics of smutty grannies.
That said, I don't give a crap about cookies. I turn 'em on and leave 'em for every where I go. It doesn't matter to me what gets stored in a cookie on my machine. After all, it could just as easily be st
Translation of article (Score:3, Insightful)
- M.
This Is Idiocy (Score:4, Insightful)
So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.
P3P (Score:3, Informative)
I can see a lot of businesses moving their site 'off-country' or making them "international" if that doesn't cut it....
Re:Vhet is zee prublem? (Score:2)
Re:What? (Score:3, Insightful)
Yes, they do. But they also know that it is often hard for the user to know for which purposes the cookies are used.
This is not an anti-cookie law. This is a law that requires the website to tell the user what the cookies are used for.
Re:What? (Score:5, Informative)
Uh, false?
You can accept, deny, or have IE prompt you for cookies. You can also differentiate between third-party cookies and cookies from the originating site.
Not only that, but you can override the cookie handling for individual sites - just put your netbank on "Always Allow" and you're set.
People who haven't used IE for years shouldn't go talking about its features or lack thereof.
Re:What? (Score:2)
I rarely use IE and hate Microsoft as much as most people here, but I must correct factual errors. IE allows you to except specific domains from cookie controls.
I am prepared to be convinced otherwise, but this Swedish law seems misguided to me.
Re:What? (Score:2)
Re:What about your trusty DB? (Score:3, Informative)
Re:What about your trusty DB? (Score:3, Insightful)
Oh, and while storing the source IP is a partial solution, it's not 100% (think people behind a common proxy), and the whole point of the session id is that you DON'T re-enter your user/pw at every page. Cookies are the best, cleanest way to maintain state over a session. They're even better if you want to maintain state over multiple sessions (on the other hand, this can be dangerous and I'm not sure that it's useful enough to outweigh the se
Tripe! (Score:2)