Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
The Courts Government News

EU May Outlaw Cookies 287

Millennium writes: "According to Yahoo News, The European Commission is considering a privacy directive which, among other things, completely bans the use of cookies. Forgive me for saying so, but considering all the legitimate uses of cookies, isn't banning them outright going just a bit too far?" Update: 10/31 19:21 GMT by M : The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.
This discussion has been archived. No new comments can be posted.

EU May Outlaw Cookies

Comments Filter:
  • at least some places are taking a serious interest in privacy.
  • Well then that would break my Yahell Mail sign in, Slashdot signin, hotmail sign in. What would work without session cookies?

    Sure, block illegitimate use of cookies. What other mechanisms do we have? Passport?Does passport use cookies too?
  • Browser... (Score:1, Redundant)

    by arson1 ( 527855 )
    Since just about every major browser allows you to accept/deny/view/modify/delete coolies... what's the big deal? Banning X10 ads... now that's something worth considering.
    • Unfortunately, when you set netscape (4) to ban all cookies, it removes the cookie file so when you get to a site where you want to use cookies, you have nothing to send.

      On the other hand, if you have cookie notification set, then some sites have so many cookies that you spend 15 minutes clicking on cancel before you can get around to seeing the page (or even hitting the 'stop' button.)

      I think that it may be appropriate to make it illegal to use cookies other than associated with a user making an explicit choice/setting (like cliking on a purchace, or chosing to save password settings, etc.). That's what cookies were originally designed for.

      This would, at least, get rid of all those cookies associated with images, etc. that get sent by various add sites. That, I think, is what they are really trying to ban.

  • not banned outright (Score:5, Informative)

    by brlewis ( 214632 ) on Wednesday October 31, 2001 @03:07PM (#2503577) Homepage
    "Banning them outright?" Read the article before you post the article:
    The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users. The use of such devices should therefore be prohibited unless the explicit, well-informed and freely given consent of the users concerned has been obtained.''
    • by macdaddy ( 38372 )
      "The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users..."

      Then again binoculars and small video cameras 'may seriously intrude on the privacy...' of European people too. Are they going after things of that nature as well?

      • It is a fact that here (Italy, EU) in front of banks and other buildings where video surveillance is used, signs stating the fact are appearing more and more often.
        Never mind that those cameras are usually plainly visible :)
      • Then again binoculars and small video cameras 'may seriously intrude on the privacy...' of European people too. Are they going after things of that nature as well?

        Just go right ahead and ignore the most important part of the amendment:

        'The use of such devices should therefore be prohibited unless the explicit, well-informed and freely given consent of the users concerned has been obtained.'

        So, video cameras or binoculars used for _surveillance_ could be illegal unless those watched give their consent.

        This privacy directive is supposed to make sure that personal information is not collected and (ab)used without the knowledge and/or consent of the people being tracked. This amendment only covers things like cookies - 'covert' digital tracking of use.

        This directive doesn't mean that the tourist standing on top of the Eiffel tower has to ask each and every pedestrian below for consent before he is allowed to take a picture. It does however mean that you have to ask for consent before you collect and use personal information.What's so terrible about that?
  • But I like cookies... especially the chocolate chip ones! :-)

    Seriously though, if you really don't like cookies, you can disable them through almost any (if not every) browser. The only problem is that some sites require them in order to use the site. Can you log in to Slashdot without cookies? I haven't tried, but I'm pretty sure you can't. And if you could, you would have to log in again every time you start your browser.
  • Banning cookies would be lame. Instead, they should make websites now with two methods of data tracking. Something like cookies, and something else. Now-a-days, if you don't have cookies turned on, you can't do many things. This is just wrong. Its like telling people if they don't allow a camera crew to follow them around, they can't shop/use cars/live normally.

  • How about revisiting the issue of cookies and listing the various ways they can be properly used as well as abused? I'm personally not really up on cookies; I know that's ignorant, but it's true. I can't be the only cookie dummy on slashdot. :)

    • There is nothing inherently evil in cookies.

      The evil is in intentional misuse or ignorance of proper use.

      Storing personal data (unencrypted password, email) in a cookie is stupid evil.

      Forcing users to accept cookies for a non-originating domain (like excite, so you login to one of their other domains) is questionably stupid or intentional. Since this then makes the problem of double-click type privacy issues more extreme.

      NOTE: Non-originating server cookies are not required to get into hairy tracking issues,
      all they have to do is fetch a document (usually
      image) from another server that will include a cookie in the headers. This is a prime reason next generation browsers allow you to deny
      images from non-originating servers (that and
      as a minimal means of preventing ads) not to
      prevent sucking bandwidth from servers because
      newbies are using images etc. off of someone elses server ;-)
    • Cookies are useful. Whether they are good or not depends on what they are used for. I think that the maintaining state idea came before the e-commerce idea, although I would be happy to be corrected on this.

      Anyway, here's [] an 'old' Nestscape Spec for on cookies, on why they think cookies are useful.

  • Privacy Paranoia (Score:3, Insightful)

    by Argyle ( 25623 ) on Wednesday October 31, 2001 @03:09PM (#2503589) Homepage Journal
    All modern browsers allow users to turn off cookies completely.

    People all ready have the choice.

    You can't legislate stupidity out of life...
    • All modern browsers allow users to turn off cookies completely.

      People all ready have the choice.

      No, we don't. The /. cookie is used only to save you some time logging in.

      However, do you know how all the cookies on all the other websites you surf are used, exactly what they track and how they use the information they collect?

      To comply with this directive is quite simple:

      Tell the user that you are using cookies, how you use them, and how you use the information gathered by the cookies/session tracking. Then we have a choice.
  • I like the EU legislating content and practices on the Internet no more than I like the US doing the same. That which I tell you three times is true:

    Education is the key, not legislation.
    *Education* is the key, *not* legislation.

    Thank you, and goodnight.
    • Education is not enough. Education is less effective, and more expensive, than legislation, for things like this.

      Note that the legislation being drafted (and in the EU, the bodies that draft the legislation are not the ones that pass it: there's a sense that politicians aren't really smart enough to write laws, so they prefer to leave that task to experts) bans the use of cookies without explicit permission from the user. That is perfectly acceptable, and is as much a protection of the user's property (restricting the ability to write to his hard drive without his permission or a request on his part) as his privacy.

      But if education and boycotts were enough to change corporate behaviour, more than 2% of the world would be using linux. Legislation is effective because you only have to enforce it occassionally: most EU businesses will cooperate willingly. It sets a bar - corporations that violate privacy won't have an unfair advantage over those who do not: that is what happens with a lot of unilateral modification of commercial behavior.

      The headline for this article was poorly written and provocative, because it omits the fact that the user can, in fact, opt in - but he has to do so explicitly, obviously.

    • What education are you talking about? I really don't understand what sort of education would address these issues.
  • Cookies (Score:3, Funny)

    by utdpenguin ( 413984 ) <john@kendric[ ]om ['k.c' in gap]> on Wednesday October 31, 2001 @03:09PM (#2503592) Homepage
    Cookie monster will be SO disapointed!!!

    And I hate to disapoint a monster. It's dangerous

    You tell him . .. .

  • by fetta ( 141344 ) on Wednesday October 31, 2001 @03:09PM (#2503594)
    The EU appears headed toward a classic error - they haven't defined the problem correctly. Instead of asking "how can we protect the privacy of our citizens" they asked "how can we prevent organizations from using this specific technology to invade our citizens privacy."

    Whoever proposed this absolute ban on cookies clearly has never done any kind of web development. Sheesh.
    • Clearly?

      I'm not so sure. Given that those organizations prone to using cookies are prone to keeping track of your personal information (msft,banks,insurance,advertisers,etc) to profitable ends, perhaps the EU really does understand the problem, and will force corporations to find an alternative solution.

      Mind you, with luck, that solution will be free certificates (as opposed to verisign et al. certs), so that cookies are no longer necessary to identify a user. Mind you, certificates will provide another point of failure in the identification schema. What we need is an certified anonymous user with the browser, but I doubt corporations sponsoring certification will go for that.

      The inherent problem with certificate idenfification is that most browsers now just send it implicitly, without asking you if you actually want to be identified to this system. (This is similar to NT/lanman hacks that give you the NT password of everyone who connects to your web in a nice, easilly decryptable form.)

      The problem of privacy is that it fights against personalization of the internet. Corporations will fight for personalization since personalization provides avenues of revenue and control. Cookies are a method of personalization. Banning them may not be the wosrt thing in the world; certificates could be worse (or much better, if done properly :/ ), or the alternative.

      Mind you, banning cookies somewhat stifles all existing infrastructure on the internet and attacks what should be a harmless technology of properties.
      • What on earth are you talking about? How do certificates come into this? Have you ever really looked into web application development?

        Point one, cookies are anonymous, unless you supply personal data to the site setting the cookie, so that they can put it in the cookie. They are not some magic trick that can scan your name and address straight from your brain!

        Certificates are good for proving you're a specific person, which if you're looking for anonymity, is a bit counter-intuitive.

        Web sites have no state maintenance method inherent to them. Unless cookies are available, the only way of keeping track of trivial details like your login, shopping basket etc. is by encoding every single URL the site sends you to, to include that data. This is horrifically inefficient, and tricky to ensure works correctly.

        This law would mean that almost every e-commerce site in the EU would have to be rewritten. Those sites would also increase significantly in complexity, as every page would have to become dynamic so they can ensure your data is in every single URL the sites gives you.

        I wish people would actually research technologies, rather than assuming everything they've ever heard about it is true!

        • let me clarify, because I'm bitchy due to a fried athlon, I'll be brief.

          cookies provide state. certificates provide state. (hidden form elements also provide state). cookies are not anonymous; useful cookies from banks, microsoft, et al., online stores require you to enter personal data. at one point, a good deal of that personal information was stored in cookes; that is no longer the case since the ns4.x and ie3.x cookie exploits permitting you to access all cookies regardless of their domains. that is no longer the case and cookies now reflect an identity for (1) sessions and (2) identification.

          anyway, ranting. the point is that the clear alternative to cookie-session states is certificate based session states (by enabling a random key passed over the asymetric cypher); since certificates are verified against a 3rd person, no MiM or hijacking is possible, if done properly and mathematically sound.

          there is a great deal of depth to the cert vs cookie debacle; for one on iis the change from cookie sessions to cert sessions is a single click (as is nt auth, with the lanman2/3 password problem noted), therein requiring virtually no code work.

          it's pretty clear that either I didn't write what I wanted to say very well or you didn't understand the gist. perhaps a combination. doesn't matter. it's slashdot.
        • The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users. The use of such devices should therefore be prohibited unless the explicit, well-informed and freely given consent of the users concerned has been obtained.''

          I don't see anything wrong with that stipulation. It sounds rather like the minimum decent requirement. Perhaps a bit less. Session cookies wouldn't be significantly challenged. For longer time use ... I'd rather have them ask my permission. (Actually, I periodically clean out my cookies, but ...)

          Side note: I wish Mozilla, Konqueror, et al. would let one set the expiration date on a cookie instead of just saying yes/no. With a user specifiable default (which could include "whatever they want").
  • They don't really call them cookies, I think the call them biscuits :)
  • by ( 262540 ) <[moc.rracc.todhsals] [ta] [rrac_sirhc]> on Wednesday October 31, 2001 @03:10PM (#2503601) Homepage
    I can see banning long-duration cookies, but e commerse would collapse without the session cookie, or something functionally eqivelant. A better rule would be to require browser makers to provide better granularity in cookie preferences, and to make the settings more conspicuous.

  • Outlawing Cookies (Score:5, Insightful)

    by BoyPlankton ( 93817 ) on Wednesday October 31, 2001 @03:11PM (#2503604) Homepage
    While I realize their security concerns, in my opinion the problem isn't with the cookies. The bigger security concern, is really with web bugs. The rest of the stuff that the EU seems to be concerned about really is data that could be generated by analyzing web server logs. The problem is with sites that monitor people across multiple domains.
  • But the sticky point about cookies is that they often store data without a users' explicit approval. The Commission has been debating whether individuals should have the last word (lawmakers call this the ``opt in'' method) on what bits of personal information are collected on them while online.

    Jeez. We already have that. Almost every browser in the world offers the ability to decline all cookies. It may make using any dynamic website an impossible task, but the Commission's inability to realize that this option is already there speaks to their poor understanding of the technology.
    • I think I know 2 or 3 people who routinely use the webs with cookies off, because the vast majority of commercial sites have been designed to be effectively unuseable without them. If there are restrictions placed on the ability to use cookies without permission, commercial sites (at least those targetting the EU market) will be redesigned to make opt-in explicit. The Commission seems to understand this, which is why the actual legislation calls for explicit opt-in.
  • by nate.sammons ( 22484 ) on Wednesday October 31, 2001 @03:11PM (#2503607) Homepage
    I mean, I could write some personal infomation
    on that paper and slip it under your mousepad.
    Then, later, I could update that piece of paper
    with new information.

    What's good about this:

    - Someone, somewhere is taking privacy

    What's bad about this:

    - It demonstrates a fundamental lack of
    understanding about the modern world.

    Overall, I say it's good. They are *thinking*
    about privacy, which is more than the US
    Government is doing (aside from thinking about

    how to get rid of privacy).

  • by mfarah ( 231411 ) <miguel @ f a r a> on Wednesday October 31, 2001 @03:11PM (#2503611) Homepage
    ... and, while we're at it, ban the cakes, too. And the spanish cocas. And all kinds of biscuits. And pretzels, too, just in case. It's easier to forbid the food that's Bad For You than to pass a directive requiring all european citizens to go on a diet.

    I just can't help buy wonder what will Cookie Monster say about this: "When cookies are outlawed, only outlaws will have delicious meals", or something like that.

    Oh, you mean software cookies? Oh...
  • by loraksus ( 171574 ) on Wednesday October 31, 2001 @03:11PM (#2503612) Homepage
    What will we do when cookie monster is removed from the cast of Sesamee Street?
  • Ut-oh (Score:2, Funny)

    by MentlFlos ( 7345 )
    The girlscouts are gunna be pissed!

    (yes, it was a joke)

  • What is really needed is a reasonable use policy or such that limits cookies in how they are used.
    The initial/original idea of using cookies was pretty much for productive things. But the use of cookies in ways it was not intended have evoloved.

    Perhaps this news item can be a good place to argure what is acceptable and what is not. And that these responces may then be forwarded to the EU.

  • I run [] which is basicly a gaming site quite similar to slashdot. I have something called message forums. These "message forums" use cookies to keep a user "logged on." Does that mean I'm going to get sued? Is keeping a user "logged on" a violation of privacy? Also, what can they do about it since I'm in an other country?

    Please check the time/date of this post before marking as redundant
  • The Accept/Deny/Only this time cookie management idea that is turned on by default in Konquor is great (and an option in Mozilla). Once you have got through the first couple of weeks accepting cookies from the sites you trust/like and rejecting all the doubleclick and other ad site cookies you only have to accept/deny cookies every few days (depending on your surfing habits).
  • Its not clear whether they wish to outlaw servers' giving a cookie to a client, or client's acceptance of them. Perhaps both.

    Dont they have enough on their minds with the Euro coming out in 2 months?

  • by Fastolfe ( 1470 ) on Wednesday October 31, 2001 @03:13PM (#2503631)
    It sounds like all they want is a method to have the user explicitely agree to accept a cookie whenever one's proposed. Many (most?) browsers already support that functionality. Maybe browsers just need to ship with that defaulted to "on" for EU countries. I don't really understand why they're making such a fuss.

    To be honest, I think they're going about this thing entirely the wrong way. Don't attack a technology because it has the *ability* to do something you don't like. Attack those that are abusing the technology. In this case, full and proper support for the W3C's P3P initiative looks like it addresses all of the privacy concerns that go with cookies. Maybe they should be looking at this instead.

    One thing Microsoft has done right recently is P3P support in IE6, and setting the browser to default itself to what I would consider a reasonable setting out of the box, which automatically blocks a significant number of 3rd-party cookies. I love seeing this in action.
    • The simple accept/deny facilities for cookies do not go far enough. From this the user cannot tell whether it is being used anonymously just to be able to count unique visitors, or whether it is being used to track visitors around/across sites and can also be cross-referenced against registration data they may have entered earlier.
      Your implication that they are attacking a technology is wrong, there are merely pushing companies into responsible use. For many sites this will take the form of the registration page having an extra (by default unticked) box on their registration page which asks the user whether they can track their viewing habits ("to help us deliver more targetted content" of course), and the backend software tweaked to filter those that do not opt-in. Other than that cookie use is unrestricted by the legislation as long as you cannot tie the information directly to an individual.

  • How would the EU block them? at the ISP level?

  • On Tuesday the EC voted to make the value of Pi equal to 3.

    This will simplify the design of capstans for cash registers in Belgian butter stores, while causing a tolerable 400% increase in the paperwork required to calculate the orbits of communications satellites when requesting permission to use public-owned gravity generated by EC member states.
  • I don't understand the motivations..

    If you have something to hide, the problem is not with people fiding out, it is with the reason you desire to hide it.

    Privacy solves nothing, it just allows people to ignore problems.

    Besides, technology will eventually make all of this moot. Dust sized video camera stuck to everything, only way to avoid that is a really trustworthy police state, and that sounds just *so* much better..
    • Why is privacy desirable? Because not everything society disagrees with is illegal. For example, if I was a nudist, but didn't want to be treated like a fruit cake hippy by society, I might be a nudist in my home and want it to remain private information in my home. Do I have something to hide? Yes, my personal, 100% legal practices that I don't want people to know.

      The same could be said for masturbation. Or the type of pornography I like to read in the privacy of my own home. The websites I read about health care (if I had genitle deformity, I sure as hell wouldn't want anyone to know that). If I'm politically against a war in Afghanistan, but I don't want to make that known for fear of being beaten up, I should have the right to keep that private from the world.

      Just because I want to keep something private doesn't mean I'm doing something wrong. You need to understand that. Hell, if I recall, when Ashcroft went before the House Committee, the House was upset over the violations of Martin Luther King's privacy in an effort to defame him and make him out to be a bad guy.

      THAT is why privacy is desirable.

    • If you have something to hide, the problem is not with people fiding out, it is with the reason you desire to hide it

      This is a strange statement. You've just plucked it out of the air and stated it without any kind of corroboration. To me and most other people it seems completely bogus. How have you arrived at it?
    • I have something to hide from white supremicists: my girlfriend is black. I have something to hide from spammers: my email address is g_pelcakATyahooDOTcom. I have something to hide from foreign governments, the mafia, and Rush Limbaugh. People who smoke marijuana have something to hide from the US Government; do you really think that smoking dope is morally wrong? It might be stupid, and it might be irresponsible or bad for your health or whatever, but are you really hurting someone? The problem is *often* with the people you are hiding it from, not necessarily with you, the hider.

      The theory that privacy will completely disappear as technology progresses is an interesting one. Personally, I doubt it will happen. There is always some way to stop from being seen or recorded or whatever. If you think your office is bugged you can bring jammers to work with you. If you think you are being videotaped it is more difficult, but not impossible to stop. Where technology provides a way to surveil it often provides a way to stop that surveillance.
  • its quite amazing how poor a rap that cookies have gotten, there are tons of usefull ways to uses them, we use them all the time to store variables that can be passed from page to page, we also use them to allow access to certain areas as determined by data contained within.

    my only real gripe with them is they just seem to take up room after a while...
  • by closedpegasus ( 212610 ) on Wednesday October 31, 2001 @03:15PM (#2503643)
    Yes, cookies can be used to track browsing habits of users.

    But don't I, as a website administrator, have a right to know the usage patterns of my users? If I set up a lemonade stand on the side of the street, I know exactly who comes to my store, how many times they come back, and if I'm smart enough, I can use this information to my advantage to sell more lemonade (e.g., I know that Tom buys lemonade on his lunch break at 12:15 everyday, so I better be open then). Why should online business be put at a huge disadvantage? Cookies are a great tool for maintaining a state over a stateless protocol, and differentiating one users "session" from another.

    And also, a great deal of code to keep people "logged in" to web sites uses cookies to maintain state. Without cookies, web sites are forced to use the IP address as the unique identifier to distinguish between two users. What about proxy servers and firewalls? DHCP and dynamic IPs? Maintaining state over HTTP would be a nightmare without cookies.

    The only problem comes up when cookies are used across different sites, or one company sells your browsing habits to another without your consent. But by browsing a site, you are implicitly giving that site the permission to see what you are doing.

  • Did you know everytime you dunk an Oreo into a glass of milk, it sends information back to Nabisco via an embedded 802.11 interface? Here's just some of the private details being sent without your knowledge:

    * Type of milk (skim, 1%, 2%, etc.)
    * Brand of milk
    * Length of dunk
    * Whether you double-dunk or not
    * When you dunk (watching TV, in bed, etc.)
    * Any health problems it finds as it works its way down your body

    I praise the EU for finally doing something about this.
  • The Data Protection directive (which is law in all EU states, AFAIAA) already makes it illegal to store any identifying information about any citizen of a country of the EU outside the EU's borders, as well as requiring all companies to surrender all information they hold, with catagorisation, proper sourcing, and defense of ownership, about a person within a short time period for minimal charge; see The Register []'s coverage here [] and here [] for more info.

    As an aside, unlike the US, the rest of the world has a-political civil servants; the European Commision is the civil service of the EU, as it were, and they form laws, not pass them (that is done by the proportional-representation-wise-elected European Parliment).


  • It's like banning alcohol, drugs, or guns, really. :)

    Seriously, this is a tough issue. How do you specify "acceptable" use of cookies?

  • Next thing you know the British government is going to ban dental work. Ooops, "The Big Book of British Smiles" provides evidence they already have...
  • Why ban them? (Score:2, Interesting)

    by SonOfSam ( 15164 )
    Wouldn't it make more sense for them to require companies/sites to ask permission before writing or accessing a cookie? I mean, anything can be used the wrong way, and abused.

    It may be in the best interest of the Internet though, because many sites require cookies. Maybe that would force said sites to have a cookieless solution, or miss out on all the possible readership. Itll be interesting to see what happens in the future.

  • by Florian Weimer ( 88405 ) <> on Wednesday October 31, 2001 @03:22PM (#2503710) Homepage
    Banning cookies might get unexpected support: from the law enforcement camp. After all, if cookies are no longer permitted, those interesting session IDs have to be placed in the requested URIs. And these URIs are logged all over the place: by the web server itself, by proxies along the way, by the browser (in theory, session cookies should expire when then browser is terminated). So banning cookies makes session tracing much easier for everyone but the actual web server developer.

    Cookies, when used in a responsible way, can increase privacy. Of course, that is not true with those practically eternal cookies which expire some day in the year 2037 or so. On the other hand, there are other tracing methods such as exclusively dynamic URIs or even cache timing attacks [] (yet another interesting Felten paper, BTW).

    In my opinion, you should not outlaw the tool, but the intention to gather data. Recently, we've seen so many attempts at restricting tools which have some negative potential, competely neglecting the positive possibilities such tools present. Shall we make the same mistake again?

  • Opt-In (Score:3, Insightful)

    by bwt ( 68845 ) on Wednesday October 31, 2001 @03:24PM (#2503736) Homepage
    They should allow opt-in cookies, but I'd still like every site to be required to state what data it keeps in its cookies and what it does with it as part of its privacy policy.

    I'd like to see browsers with more refined cookie control. I should be able to set the cookie policy for each domain.
    • They should allow opt-in cookies, but I'd still like every site to be required to state what data it keeps in its cookies and what it does with it as part of its privacy policy.

      "They" don't store any data in "their" cookies. They're on your machine in plain-text format and ready for your inspection at any time you wish to look at them. Always have been, probably always will be. Some places have tried encrypting the data within the cookies but it's not usually done very securely. Invariable somebody cracks whatever bunk some web monkey came up with.

      I'd like to see browsers with more refined cookie control. I should be able to set the cookie policy for each domain.

      As far as I know every major browser does this, or at least you can be asked each time if you want them. If you're using IE I have no idea where it'd be though. NS 6 and Mozilla can do it. Another poster mentioned that Konquerer can also.
      • "They" don't store any data in "their" cookies. They're on your machine in plain-text format and ready for your inspection at any time you wish to look at them.

        Thank you for stating the obvious. Nothing you said has much bearing on my feeling that every site to be required to state what data it keeps in its cookies and what it does with it as part of its privacy policy.

        Me: I'd like to see browsers with more refined cookie control. I should be able to set the cookie policy for each domain.

        You: As far as I know every major browser does this, or at least you can be asked each time if you want them.

        I don't know of any browser that does this other than by asking "each time". As I said, I want more refined cookie control, with firewall type rule sets: deny, *.edu accept site, default * accept, *.com deny
  • ... something's wrong...

    The existence of such a technology, the amendment states, ''may seriously intrude on the privacy of these users. The use of such devices should therefore be prohibited unless the explicit, well-informed and freely given consent of the users concerned has been obtained.''

    Now, aside from porno sites, when is the last time you've ever been asked for your "explicit, well-informed and freely given consent?" Explicit... ok, yes or no, pretty simple. Well-informed... ha! right! Not if it might contain proprietary information. Definitely no well-informing going on if we're talking about Microsoft. Freely given... another ha! right! "Either you agree, or you can't use any of our service." That seems to be the uniform quote. When's the last time you had a third option on a license agreement. Heck, with MSN, you don't even have a choice, if you don't have the right browser, they won't even let you attempt to view the site.
  • by Todd Knarr ( 15451 ) on Wednesday October 31, 2001 @03:24PM (#2503740) Homepage

    From what I read, they aren't banning cookies per se. What they're banning is any collection of personal information without explicit informed consent. So you can use cookies all you want, as long as you tell the user what personal information you're storing in them and let them say whether they want to allow it or not. And if you use cookies for things like shopping carts, where there's no personal information in them, then there's no restrictions on them. All perfectly sensible to me.

  • I was initially caught up in the scare about cookies, especially when I discovered some clueless webmasters were storing my site password in cleartext in them. But over time, I realized that the alternatives for creating a stateful session might be far worse. Can you say Java / ActiveX?

    BTW, does Microsoft Passport use cookies, or some other method? If they use cookies, I can just imagine the wheels turning in Microsoft's heads right now at reading this story!
  • "you can already turn off cookies... blah blah blah"

    This isn't about slashdotters, it's about end-users, the vast majority of which have no idea what the heck a cookie is, much less where they can be found and what they can do. The average web user only knows that if he "turns off all cookies" much of the stuff he wants to do on the net doesn't work anymore. If he elects to review each and every cookie, he ends up spending more time clicking "Accept" than actually using the web. Actually, let me correct that. The average web user doesn't even know there's a menu with "cookies" mentioned.

    I think requiring web sites to expliciting notify and obtain permission to track and store personal information via cookies is not necessarily a bad thing. Not all cookies are about tracking where users go, nor about keeping personal information.

    Does anybody have a link to the actual legislation? Rather than assuming what we think is going to be in it and screaming at the top of our lungs, does anybody actually know what they're proposing exactly?
  • by Znork ( 31774 )
    As long as cookies are allowed if consented to I dont see any problem at all. What it will force is the browser vendors adding a specific 'allow cookies from this site' or 'dump all cookies from this site into /dev/null' option.

    Some cookies are useful and should be allowed, but personally I dont give a rats ass if DoubleClicks buisness model requires them to be able to track people all over the web. It should be up to the user to allow or deny any corporate entity the right to gather data on their habits. The current method of allow/deny could be improved a lot to allow more finely grained control.
  • All right, I know I am being blinded by flashes of the obvious non-pun, but let me expound:

    Conspiracy theorists, reeling from the news of an attempted ban on cookies, blame the secretive Adeno-Triphosphate-Lateral Commission for attempting to strange the world's supply of nutritious sugars. Danish and croissant manufacturer's associations, as well as independent bakeries throughout western Europe, have barraged Brussels with calls to reconsider what they see as unwarranted government intrusion in the pastry sector. Echoing these calls is French PM Mitterand, who stated yesterday, "The right to freely make pastries of whatever type a French citizen chooses is integral to our society. Liberty, equality and delicious treats, that is our national motto."

    In a typical move, late night comedians on the Continent mocked innocent Ukraine, which is attempting to join the EU. "Hello my name is Zyrgz Yakobinksky and I am our President, of the Ukraine. What are these cukeis of which you speak? We of the Ukraine only eat rocks, raw fish, and discarded Communist literature. If you ban the cukeis in the West we would be happy to take them." A nutritional scientist with some university pointed out that neither rocks nor the works of Engels and Marx are considered edible in virtually all cultures, excepting tribesmen on the far reaches of the Indonesian archipelago.

  • Sometimes I think slashdot does away with cookies since I get randomly logged out and can't even login again. YAY!
    • I've had the same problem. think there's some kind of timeout problem or some sloppy code.

      One question would be, from the viewpoint of industry coders, as opposed to the marketing viewpoint: how difficult have you found it to write opt-in cookies instead of opt-out cookies?

      Is the user-identifiable tracking nature of the information that valuable? Or is it more that there is a lot of demand to fine-tune the ads and promos to individual consumer slices?

      I guess what I'm getting at is this - let's say the US wakes up and gets a cluestick and requires opt-in cookie technology. How difficult, in the experience of someone who has had to switch from opt-out to opt-in cookies, is it to convert?

      Or is it mostly just the marketing and information resale portions of the business that are driving the opt-out-is-our-god approach?

  • by anticypher ( 48312 ) <> on Wednesday October 31, 2001 @03:37PM (#2503808) Homepage
    Reading the Yahoo story, its pretty clear the author took the Internet Advertising Board's press release and printed it almost verbatim.

    The proposed legislation has nothing to do with browser cookies, it focuses on regulating what kinds of private information marketing scum can gather and share without permission. The bill aims to prevent marketing firms from using any data obtained through illicit or decietful means to be correlated with personal identities. It would also prevent marketing from using personal information to gather other info through other means.

    Web sites could still set cookies on your browser, and even track sessions from one logon to the next. But the web sites would not be allowed to match that information with individual identities. They could still gather statistics, monitor actions, and anything else cookies are useful for, but not for targetting individuals.

    This legislation was proposed before, but was stalled after the IAB and a few other telemarketing firms pooled their money to fight it. It has been delayed for a while, but is back for another round.

    the AC
  • About time! (Score:3, Funny)

    by nowt ( 230214 ) on Wednesday October 31, 2001 @03:43PM (#2503829)
    Those hockey pucks my english mother-in-law makes should be outlawed!

  • by zmooc ( 33175 ) <(zmooc) (at) (> on Wednesday October 31, 2001 @03:47PM (#2503848) Homepage
    The amendment, proposed by Dutch Parliament member W.G. van Velzen, likens cookies to ``hidden identifiers'' that track and store information on an Internet users' surfing habits.

    On this dudes homepage [] (in dutch...) his official statement does not say he wants to ban cookies at all. He's only proposing legislation in order to abridge tracking users' browsing habits and then using these to send them advertisements based on their habits without the users knowledge. This is not a bad thing in my opinion; our normal use of cookies (e.g. no need to login to /. and tracking sessions on usefull web-applications) will not be affected at all. Wim van Velzen's official statement can be found here [] (dutch).

    He doesn't sound like he totally understands cookies, though; he says things like "it's still unclear wether cookies can be used to gather information about other sites the user has visited" and he proposes a "maximum validity date for cookies" which has been there since t=0.

    So either I misunderstood all of this, Yahoo got this wrong, or Wim van Velzen's statement is incorrect, but I guess he wrote it himself so that's ok. Nothing to see here people ...move along.

    • > and he proposes a "maximum validity date for cookies" which has been there since t=0.

      Yes, he merely wants to legislate a mandatory expiration interval for cookies.

      I'm so damn glad governments are here to protect us from all these insidious uses of HTTP, since we have after all eliminated all problems of violence and corruption, giving them nothing better to do...
  • So how does the EU figure that a site can maintain session data without the use of cookies? Most people come from behind proxies or firewalls, making it necessary to store data on their own computers in order to maintain state. There's really no other way to do it.

    I guess they don't want people actually doing useful things like online banking and such with the web, huh? You really can't do any type of semi-complex form-driven web database without using cookies.
    • of course u can write a semi-complex form-driven web database without using cookies .. just use ur imagination about the other toolsets. i.e. use an HTTP AUTH to identify user/session, then store the cookie data server side (keyed with the AUTH login)

    • Re:HTTP is stateless (Score:4, Informative)

      by sinster ( 518986 ) <> on Wednesday October 31, 2001 @04:44PM (#2504251) Homepage
      That's just crap.

      Cookies are needed for only one thing. Every other current use for cookies can be done better without them, or (IMNSHO) shouldn't be done at all. The best example is session tracking. Those of my websites which need to track sessions all use URI mangling to do so.

      For instance, look at my website for AdAce []. When you go there, you get immediately redirected to a URI that includes session information, that looks something like this: def/guest,0,1,1/index.html
      The long hex number and the comma-delimited string constitute your session id. No cookie needed. By using relative URIs in all the webpages, there's no problem with the mangled session information being lost: the browser thinks that its just a directory path. In those few places where we need to use absolute URIs, we use a cgi or an apache content handler to modify the URI in place to include the correct session id. This number is used to look up your session data in a daemon running a simple database for that purpose -- and to verify that the comma delimited string hasn't been tampered with. The database exists purely in RAM. I've even locked the pages in place so there's no danger of them getting swapped. None of your session data ever goes onto a hard disk; only the fact of the session, as it appears in the server logs. My cgis (and a couple special purpose apache modules) all use an API library that I wrote in order to communicate with this daemon. That lets them get data out of your session record, and put data into it. The point of all this is that we hold the burden of maintaining your session information. No need for cookies.

      The only function provided by cookies that can't be done in any other way is what we in the advertising industry call "frequency capping". The idea is that you (the advertiser) have bought a big campaign with a lot of impressions, but you don't want one user to see your campaign more than, say, 3 times. So we need some way to track how often you've seen a particular campaign. If the campaign is all running on a single website, then it's easy enough to use other methods. But when the campaign is running across at least two unrelated websites, the adservers have to create and manipulate a cookie in order to track this.

      If you've ever received a cookie whose name is RMID, and whose value is just a number, then you've received one of these cookies. They're generated by RealMedia's (not to be confused with Real Networks, the makers of realmedia player) ad server for campaigns that have frequency capping turned on.

      These cookies are the only cookies ever generated or inspected by any AdAce machine. I am strongly opposed to the use of cookies in any situation where some other method is possible. And as CSO of AdAce, I've put my foot down on this issue: no cookies where we can do something else, and even if we can't do something else, no cookies if its possible for it to be exploited by acquisition, mismanagement, or subpeona, to violate someone's privacy.

      (incidentally, this form of session tracking gives WebTrends conniption fits -- that's the main reason that I'm writing my own log analyzer)
      • What if in my site there is content that the users may wish to bookmark? Do you use an url rewrite to strip out old session data and create a new one? Plus have you had any feedback from users that like may be turned off by the unappealing url appearance?
  • The submitter's write-up is wrong. Read the story. Keep in mind, as usual, that a "news" story whose sole source is an executive with an agenda to push is unlikely to portray the situation accurately.

    So why the hell do you publish stuff like this? Maybe I'm missing something, I thought the job of an "editor" is to filter crap like this out?
  • It is pretty obvious that cookies are used for 2 main purposes: session tracking and navigation tracking. While the first is a legitimate use, the second is one of the worst violations of privacy EVER.

    The real problem is that the most popular browsers only allow you to block/unblock cookies globally, therefore if you want privacy, the sites that rely on cookies won't work. Even scarier is the fact that, the more popular a site, the greater the chance that it requires cookies (personal observation). When given a choice (one might argue that it's not really a choice, since cookies are enabled by default) between lack of functionality and lack of privacy, most of the users prefer lack of privacy.

    The Raven
    • there is a third (whicjh I use quite a bit), data storage...
    • Actually there's a legitimate use for navigation tracking: to tell where people go on your site and how they get there. That lets you spot confusing navigation points, for example, or lets you see how people find content so you can eliminate confusing or awkward paths in favor of obvious-to-the-user ones based on actual user patterns instead of vague theories. What's bad is tying navigation tracking to personal information. Knowing that N visitors followed path X is quite different from knowing which visitors followed path X.

  • The real discussion re the new EU law is that it would require opt-in instead of opt-out, and most of the industry's cookies are opt-out.

    It's a simple matter of proper cookie creation and management.

    Their objection is not truly about the cookies, it's that they want to do opt-out, and the wise EU wishes to maintain their citizen privacy rights by insisting on opt-in.

    So, it is a red herring.

    The sad thing is that the EU is about ten years ahead of where the US should be in regards to requiring opt-in instead of opt-out.

    Opt-out sounds great until you see it in practice. I get about 20 spam a day that are opt-out - more than my standard message traffic. And on visiting a web site, I don't want to have opt-out sub me to lists for all their business partners, affinity lists, and everything that I never even knew they would start sending me spam on or tracking without my consent.

    The amusing thing is that Europe is actually discussing an issue that is never discussed by US legislators. They assume that you should have privacy as a consumer; we in the US do not.

  • I can't think of many. Shopping cart type uses can be done through URLs, and saving login passwords can be done through HTTP-AUTH. I guess the only usefulness for cookies which can't be replicated would be storing preferences client-side and tracking people. As for storing preferences client-side, I can't think of a single major site which uses cookies for that purpose.
  • We have websites that link multiple companies content and authorization into 1 site. So if you travel between them, the session cookie identifies you. Using the old 1 pixel image trick.
    We also use 64 bit hashed urls that include information in a non-readable format. Its pretty good if your not doing ecommerce, since the key doesnt change. We also use an xml auth service, so content procviders can authenticate users onto our service.

    There are zillion ways to do session authentication, but the session cookie seems to be the easiest to implement.

    Speaking of "User privacy" did you know that IE's "Userdata Persistence" isnt turned off if you disable cookies. You have to go into security and turn them off. Not sure if anyone is using this xml data (think cookies on steriods).

    The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' (I found it!) but 'That's funny ...' - Isaac Asimov (1920 - 1992)
  • If you go to a site that mandates cookies, but don't want them what do you do? You turn off write permissions to your cookie directory.
    Alls the site know is wheather or not you accept, not that they really got written.
    Cookies are just a way for companies to off load data to there customers.
    There is no reason why they can't store a user info on their machines.
  • Things will break (Score:3, Interesting)

    by whjwhj ( 243426 ) on Wednesday October 31, 2001 @05:33PM (#2504511)
    I have a number of customers in Europe (particularily in Germany) who express a great deal of trepidation and fear about cookies. Particularily from folks who aren't tech savvy. I once wrote an entire web app that maintained state using GET paramaters and hidden input fields, all because they fear cookies. But since then, I've written many apps that wholeheartedly rely on cookies. If the EU were to ban cookies altogether (which apparently they may not) ... well my customers are going to have to shell some good ol' US dollars my way to make things work! I say bring it on!

Research is what I'm doing when I don't know what I'm doing. -- Wernher von Braun