Sweden Crunches Cookies

dillkvast writes "According to this article (swedish) at ComputerSweden swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves swedish website with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."

mostly not a problem:

mostly not a problem:

do you want to remember my password (uses cookies) (x) yes ( )no

Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.

Actually, scratch that, most websites will just ignore the law and get on with life.

Bigger security risk

There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.

Re:Bigger security risk

A far better way is to tie the id to a specific ip.

Wouldn't this present a problem where the user is behind a proxy ?

Re:Bigger security risk

[tieing a session id to an IP address]

Wouldn't this present a problem where the user is behind a proxy ?

Indeed it does. AOL for example uses a number of caching servers, and one user uses a number of different caching servers during his visit. So by tieing a session id to an IP address effectively prevents users of AOL and other large ISPs from using a website.

Re:mostly not a problem:

I beg to disagree--a few posts below also re-iterate your point.

In PHP, URL-rewrite slows things down and bloats your script. It also makes your URLs look ugly: sometimes you may want them to stick in the user's mind.
While for a forum this may be OK, for a fairly big user-centric website it is simply ridiculous to have to do away with cookies--they are a convenient way to deal with things "behind the curtain"; they also have the added security of not being immediatly visible to the user (he has to want to see them, by looking at his filesystem or other.)

Privacy -wise, all decent modern browsers have some form of modern cookie filtering--the user can choose to block, etc.

The only solution I see is, as suggested below, have a front page which tells the user and gives him the choice to leave.

All in all, I find this law a little silly, although of course I understand the privacy concern.

Re:mostly not a problem:

The reason is that if a problem is left unsolved for to long, the extremer the rememedy must become. It has been tried time and time again to get websites to obey the same privacy rules as the normal world. (remember this story is in sweden, not america)

Cookies are often over used anyway. Check youre own cookie cache and check the number that are used to track you vs the number for youre convenience. (like slashdot remembering youre login). For me at least the first category by far outweighs the latter.

Re:mostly not a problem:

You're wrong.

When you have user log-in to a particular part of the site, you need to store username, password information, and some other session variables in a cookie, so that on subpages within the part that needs to be logged into can check to see is the user is properly logged in. I like to check to see if the user is the actual user I think they are.

I guess you've never used php before.
Especically a for site you need to log into.
Hope this law never passes in the US, if you dont want cookies from a site, don't go there.

Does this low allow you to deny service to a user who doesn't accept the use of cookies?

Re:mostly not a problem:

mostly not a problem:

do you want to remember my password (uses cookies) (x) yes ( )no

Hardly... Have you *ever* tried to disable cookies altogether? It is difficult to get things done. Most websites will simply refuse navigation without cookies. Microsoft's idea of a "session cookie" that disappears after you leave the site was a good idea but their implentation does not work (it is the same as turning cookies off).

While this isn't a problem for advanced users, I do build and deploy a number of PCs for friends and family. IE is a requirement because many sites are not up to speed on Mozilla yet.

Argh...

Re:mostly not a problem:

Seems like this law is all about outlawing cookies that often come with banner ads.

Seems a bit harsh

IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.

It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

Re:Seems a bit harsh

IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off.

If you're using ASP scripts, put in

@EnableSessionState = False

at the top of your page. That will disable the default session cookies.

Re:Seems a bit harsh

It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

The new Swedish law does not mention cookies as such. The new law is, simply said, a response to the new technologies for collecting/storing/tracking information about private citizens, and the abuse these technologies may be used for. It attempts to give the private citizen some control of what type of information is collected, and what may be done with that information.

In general, it appears the privacy/integrity is more respected/protected in Europe than in USA. While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime [tu-dresden.de]

Re:Seems a bit harsh

While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime

That is because we have not had our Police State experience yet. After the Untied Police States of America comes into being, and then eventually is overthrown, we will value things like anonymity. If we never have this experience, then we might instead just continue to have a gradual erosion of many rights. Of course, I suppose that eventually this would have to lead to the Unites Police States. The pendulum will probably have to swing fully one direction and then back.

Re:Seems a bit harsh

They'd like you to think so, yes. Except, it was more of a "Let's call ourself neutral in order to not get our ass kicked" kind of situation, which progressed into a "sure, your nazi soliders can take the train straight across our country but call us neutral" kind of situation.

Alot of people here in Sweden are starting to call for dropping the neutrality clause since it was never actually followed anyway.

And as far as police states are concerned, we've had our touch of recording of "dangerous" people (like communists) by police.

PTS has a compliant website running IIS

PTS (the department responsible for this law) has a website at www.pts.se and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over peoples privacy rights because it's too damn easy to do so. The swedish law is designed to put the legal advantage at the side of the common man again.

Btw, I might add that I know one of the major lawyers responsible for this law.

Clicking on the link...

results in 62 cookies being blocked by my browser. Seems these guys have a lot of work to do to comply with the new law :)

Christ, what next

How is this any different than session IDs stored in URLs - i.e. URL re-writing. Sure, the person can see the info in the URL, but do they understand it any more than they would the contents of a cookie?

-josh

Re:Christ, what next

A session ID can be used to track a user within a single session only. Cookies can be used to track users over multiple sessions. From multiple sessions one can build a profile. I think that's the difference.

Re:What?

Do you use IE like most people do? You can only block all cookies (and lose the use of your netbank, for instance) or allow all cookies.

Uh, false?

You can accept, deny, or have IE prompt you for cookies. You can also diferentiate between third-party cookies and cookies from the originating site.

Not only that, but you can override the cookie handling for individual sites - just put your netbank on "Always Allow" and you're set.

People who haven't used IE for years shouldn't go talking about it's features or lack thereof. :-p That said, everyone should use Moz Firebird.

Implied Consent

If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?

Poor Swedish website designers

Awww... poor Swedish website designers.

I don't really think this matters that much. Especially, if you use something like Mozilla that can selectively block cookies. I let in cookies only from my netbank and Slashdot. If some other site won't let me in without cookies, they won't get a hit from me then.

dumb but not a big deal

There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.

Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.

A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.

As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.

A special web page

A special web page where the user can choose whether or not to recieve cookies. What a good idea! All a web site needs to do is save the 'don't give me cookies' preference in a cookie and... wait.... Um.....

English version...

Post och Telestyrelsen [www.pts.se] (the authority enforcing the law) has an english version of the "info text" needed for using cookies

Legislating around IETF standards

I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.

What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.

This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.

Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.

Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. legislating to effectively override IETF standards is a dangerous direction to go in.

A compromise solution

A compromise solution would have been to disallow cookies that live longer that the user's session. Session cookies are very useful for JSP, PHP, etc. Long-lived (persistent) cookies are the real concern of the privacy folk. I'm surprised that no one presented this.

You really don't --need--- cookies

if you store state in an encrypted hash on an input hidden tag.

Re:Cookie blocking

Does anyone know what kind of heuristics MSIE used to determine which cookies are good and which are bad?

Internet Explorer 6 uses the Compact Privacy policy as specified in the W3C P3P spec [w3.org]. It uses this to determine whether a cookie is unsatsifactory [p3pwriter.com] (different rules based on whether it is a third party cookie or not). MSDN has documentation covering Internet Explorer's decision matrix [microsoft.com] (unfortunately framed).

EU law

Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG) not that it makes it any better though since all of EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).

meanwhile...

Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.

Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.

Only really applies to information gathering

The law doesn't apply to cookies used to supply the user with a service she asked for.

That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.

However, silent information gathering becomes illegal. Is that a bad thing? Hell no.

Can someone translate this please

Specifically:

• How explicit does the acceptance have to be?
• Does it apply to all content served, or just to that served to clients that can (reasonably) be identified as being in Sweden?
• Does it mandate a mechanism?
• Is the mandated mechanism pure HTTP/HTML (how do I click on a popup in lynx, for example?).
• How do they distinguish between a human browser, and a robot?
• Do sites have to implement blocking of deep linking to redirect browsers to a cookie acceptance page? Does that screw indexing engines?

Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.

Wouldn't it be a wonderful world...

..if people actually read and understood the text before making headlines out of it..

First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.

Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.

I don't see any problem with this law, but I do see alot of good things coming from it. Less spying from evil banner-ad companies for one.

My 2 cents worth..

Utterly moronic

Cookies keep client-specific data outside URL's and in a well specified, preditable and easy to manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.

Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.

Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!

Read the freaking law

I don't mind when slashdot posters comment on things without actually checking the facts, but I get prtetty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption to advertising in very shrill overtones.

The law explicitly allows using cookies for session management, identity and presistance without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.

The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.

Just ignore the hysterical rhethoric from IDG.

Translation of article

Since the Fish knows no Swedish, here is a quick translation... any errors are mine. NoT = Note of Translator.

- M.

Here is what the law says

SFS 2003:389, chapter 6. Integrity protection

18. Electronic communication networks may be used to store or gain access to information stored in a subscriber's or user's terminal equipment only if the subscriber or user of the personuppgiftsansvarige (NoT: "entity responsible for handling the personal data", i.e. the website) receives information about the operation's purpose and is given the opportunity to decline such operation. This shall not hinder such storage or access as is necessary to execute or facilitate to transfer an electronic message via an electronic communications network or as is necessary to provide a service that the user or subscriber has expressly requested.

Hard to comply with new law on electronic communication

(07/24/2003 4:24pm)

Today, many sites are becoming illegal, as the new law on electronic communication takes effect. It says that sites must communicate what the cookies' contents is used for. The users must also be given the option to refuse.

Starting today, Swedish websites may not utilise so-called cookies without explaining the purpose of the treatment of the data that's in them. I addition, users must be given the chance to stop the use of cookies.

This is one of the consequences of the new law on electronic communication, SDS 200:389, which is taking effect.

It is apparently not sufficient to set the web browser to automatically accept cookies. The website one visit must explain what the information will be used for and also give the user the option to refuse the use of cookies.

Hard for sites

This gives Swedish websites two options.

"One alternative is to stop using cookies, making the website's functionality suffer", says Jonas Eriksson at Webkonsulterna in Östersund.

The other option is one Jonas Eriksson doesn't even want to think about.

It means that the majority of Swedish sites that use scripting languages with session variables such as asp and php become illegal insofar as they don't rebuild the websites so that the users can approve of cookie use before they enter the site.

But it doesn't stop there.

"It isn't enough that people get a load of banner and popup ads every day. Now even all ad networks must first start a Javascript to ask people if they want to set a cookie before viewing the ad", he says.

PTS complies with the law

The (supervision authority? watchdog?) for the electronic communications law is Post- och Telestyrelsen, PTS, and on their website it says the following:

"Cookies are therefore used for purely technical reason and they are used today by most websites. According to the new electronic communications law, which takes effect starting July 25, 2003, all who visit websites shall be informed about cookie use and be given the option to refuse such use."

Fine threat

According to Charlotte Ingvar-Nilsson, biträdande rättschef (NoT: some high-up function that I don't know how to translate) at PTS, PTS will monitor how the market will act on the new law.

"If websites don't comply with the law, we have to start with educating about the changes", she says.

And if that doesn't work?

"If we suspect someone of not comlying with the law, that website will get at least a month to fix that. After that we have the option to issue an order which could be accompanied with a fine", says Charlotte Ingvar-Nilsson.

PTS also has the option to decide that people who neglect a debt entirely or partially shall cease operations if the infraction is not insignificant.

"It remains to be seen whether it can become applicable in this case", says Charlotte Ingvar-Nilsson.

This Is Idiocy

I'm all in favor of privacy, but this is pure lunacy. It is entirely up to the end-user to accept cookies. The only reasons end users may feel they do not have a choice are that their browsers are configured by default to accept them and a few (not many) pages require cookies to work.

So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.

P3P

Wouldn't it just have been easier to force them to issue P3P policies for their site?

I can see a lot of businesses moving their site 'off-country' or making them "international" if that doesn't cut it....