Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy The Internet Your Rights Online

Sweden Crunches Cookies 401

dillkvast writes "According to this article (swedish) at ComputerSweden swedish websites must now have the user's consent to use cookies. The law also states that the user is to be informed of what the information stored in the cookie is, and its intended use. This leaves swedish website with two options: No cookies at all, or a special page where the user is informed of the cookie use and can choose to either accept or reject the cookies. This represents a huge problem for swedish sites which use .asp and .php session variables, the article states, which will have to rewrite their sites to present the user with a chance to confirm that cookie use is ok. The law comes into force today."
This discussion has been archived. No new comments can be posted.

Sweden Crunches Cookies

Comments Filter:
  • by Neophytus ( 642863 ) on Friday July 25, 2003 @07:44AM (#6530869)
    mostly not a problem:
    do you want to remember my password (uses cookies) (x) yes ( )no
    Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.

    Actually, scratch that, most websites will just ignore the law and get on with life.

    • by mgkimsal2 ( 200677 ) on Friday July 25, 2003 @07:53AM (#6530935) Homepage
      There's a greater chance that your session would be hijacked accidentally if you fwd a URL that has your session ID in it to someone else.
      • Only if you use a brain damaged session ID system, where the secret part is the id. A far better way is to tie the id to a specific ip.
        • by maharg ( 182366 ) on Friday July 25, 2003 @08:11AM (#6531064) Homepage Journal
          A far better way is to tie the id to a specific ip.

          Wouldn't this present a problem where the user is behind a proxy ?
          • by Isofarro ( 193427 ) on Friday July 25, 2003 @08:19AM (#6531146) Homepage
            [tieing a session id to an IP address]
            Wouldn't this present a problem where the user is behind a proxy ?
            Indeed it does. AOL for example uses a number of caching servers, and one user uses a number of different caching servers during his visit. So by tieing a session id to an IP address effectively prevents users of AOL and other large ISPs from using a website.
    • Most forum software has the option to use/not use cookies (and as such sessions are passed through urls) so that shouldn't be a problem either for non-lazy coders.

      Well, Slashdot "works" when you disable cookies until you try to post a message. Then it seems that you always post as an AC even if you entered your name and login first, and even when the preview page acknowledges your logging in.

      I'm not sure if this is a bug or an intended design "feature", but it seems that despite all the hand-wringing her
    • by fiiz ( 263633 ) on Friday July 25, 2003 @08:10AM (#6531057) Homepage
      I beg to disagree--a few posts below also re-iterate your point.

      In PHP, URL-rewrite slows things down and bloats your script. It also makes your URLs look ugly: sometimes you may want them to stick in the user's mind.
      While for a forum this may be OK, for a fairly big user-centric website it is simply ridiculous to have to do away with cookies--they are a convenient way to deal with things "behind the curtain"; they also have the added security of not being immediatly visible to the user (he has to want to see them, by looking at his filesystem or other.)

      Privacy -wise, all decent modern browsers have some form of modern cookie filtering--the user can choose to block, etc.

      The only solution I see is, as suggested below, have a front page which tells the user and gives him the choice to leave.

      All in all, I find this law a little silly, although of course I understand the privacy concern.
      • by SmallFurryCreature ( 593017 ) on Friday July 25, 2003 @09:08AM (#6531547) Journal
        The reason is that if a problem is left unsolved for to long, the extremer the rememedy must become. It has been tried time and time again to get websites to obey the same privacy rules as the normal world. (remember this story is in sweden, not america)

        Cookies are often over used anyway. Check youre own cookie cache and check the number that are used to track you vs the number for youre convenience. (like slashdot remembering youre login). For me at least the first category by far outweighs the latter.

    • by JRSiebz ( 691639 ) on Friday July 25, 2003 @08:19AM (#6531142)
      You're wrong.

      When you have user log-in to a particular part of the site, you need to store username, password information, and some other session variables in a cookie, so that on subpages within the part that needs to be logged into can check to see is the user is properly logged in. I like to check to see if the user is the actual user I think they are.

      I guess you've never used php before.
      Especically a for site you need to log into.
      Hope this law never passes in the US, if you dont want cookies from a site, don't go there.

      Does this low allow you to deny service to a user who doesn't accept the use of cookies?
    • by swordboy ( 472941 ) on Friday July 25, 2003 @08:27AM (#6531219) Journal
      mostly not a problem:

      do you want to remember my password (uses cookies) (x) yes ( )no


      Hardly... Have you *ever* tried to disable cookies altogether? It is difficult to get things done. Most websites will simply refuse navigation without cookies. Microsoft's idea of a "session cookie" that disappears after you leave the site was a good idea but their implentation does not work (it is the same as turning cookies off).

      While this isn't a problem for advanced users, I do build and deploy a number of PCs for friends and family. IE is a requirement because many sites are not up to speed on Mozilla yet.

      Argh...
  • Seems a bit harsh (Score:5, Informative)

    by Mwongozi ( 176765 ) <slashthree AT davidglover DOT org> on Friday July 25, 2003 @07:45AM (#6530874) Homepage
    IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off. I'm sure other web servers on other OSs must do similar things too.

    It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.
    • Re:Seems a bit harsh (Score:5, Informative)

      by thesolo ( 131008 ) <slap@fighttheriaa.org> on Friday July 25, 2003 @07:58AM (#6530976) Homepage
      IIS for Windows assigns all clients an ASP session cookie by default. I'm not even sure how you turn that off.

      If you're using ASP scripts, put in
      @EnableSessionState = False
      at the top of your page. That will disable the default session cookies.
    • What annoys me even more is the fact that ASP doesn't have the features of PHP! There's no alternative to cookies. It certainly won't rewrite all the URLs in a page to include the session ID, which seems to be one of the more practical ways of working without cookies.
    • It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

      And if you don't know enough about ASP to disable cookies, perhaps your work should have been passed through some kind of expert panel before they let you lose on the internet?

      It's always irritating to get a site trying to set a cookie without saying why, and I _always_ block them if they do that. Places like slashdot, w
    • IIS for Windows...
      As opposed to, say, IIS for Linux? ;)
    • by Homology ( 639438 ) on Friday July 25, 2003 @08:23AM (#6531172)
      It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

      The new Swedish law does not mention cookies as such. The new law is, simply said, a response to the new technologies for collecting/storing/tracking information about private citizens, and the abuse these technologies may be used for. It attempts to give the private citizen some control of what type of information is collected, and what may be done with that information.

      In general, it appears the privacy/integrity is more respected/protected in Europe than in USA. While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime [tu-dresden.de]

      • by ReelOddeeo ( 115880 ) on Friday July 25, 2003 @08:42AM (#6531354)
        While US funds the Total Information Awareness Agency, the German State funds Anonymity is not a crime

        That is because we have not had our Police State experience yet. After the Untied Police States of America comes into being, and then eventually is overthrown, we will value things like anonymity. If we never have this experience, then we might instead just continue to have a gradual erosion of many rights. Of course, I suppose that eventually this would have to lead to the Unites Police States. The pendulum will probably have to swing fully one direction and then back.
    • by BoxedFlame ( 231097 ) on Friday July 25, 2003 @08:41AM (#6531346) Homepage
      PTS (the department responsible for this law) has a website at www.pts.se and they comply with this law and are using ASP. The reason for this law is simple: organizations are trampling all over peoples privacy rights because it's too damn easy to do so. The swedish law is designed to put the legal advantage at the side of the common man again.

      Btw, I might add that I know one of the major lawyers responsible for this law.
    • Re:Seems a bit harsh (Score:3, Interesting)

      by MeNeXT ( 200840 )
      It annoys me when legal types with an insufficient grasp of technology create laws without realising the consequences. Laws should have to pass through some kind of expert panel first.

      It annoys me that tech types with insufficent grasp of the law create products or services without realising the consequences.

      Most laws in democratic societies do pass through an "expert panel", the problem is who defines "expert". Unfortunately the same cannot be said about products and services, no expert panel required.

  • by Art_Vandelai ( 596101 ) on Friday July 25, 2003 @07:45AM (#6530876)
    results in 62 cookies being blocked by my browser. Seems these guys have a lot of work to do to comply with the new law :)
    • Well then you must have answerd "yeeh" to the following:

      Du yuoo eccept zee fullooeeng egreement, in vheech yuoo let svedeeshcheff.cum lueds toons und toons ooff cuukeees streeet frum oooor brund noo oofee durectly tu yuoor veb soorffer fur nu epperent coose-a et ell?

      Didn't you realise?
  • Will now compel Microsoft to tell users exactly what information it is extracting.. Great!

    We Know Where You Went Today
    -
  • Christ, what next (Score:5, Interesting)

    by joshv ( 13017 ) on Friday July 25, 2003 @07:45AM (#6530879)
    How is this any different than session IDs stored in URLs - i.e. URL re-writing. Sure, the person can see the info in the URL, but do they understand it any more than they would the contents of a cookie?

    -josh
  • PHP and cookies .. (Score:2, Interesting)

    by MadX ( 99132 )
    Well at least PHP will offer the option of allowing you to use the session ID as a variable in the request/post string .. ie : page.php?PHPSESSID=xxxxxxxxxx
    So you can effectively track the user on the server side like this ..
  • Implied Consent (Score:5, Insightful)

    by Gothmolly ( 148874 ) on Friday July 25, 2003 @07:45AM (#6530887)
    If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies? Seems to me that this is an attempt to legislate a human problem - people want 'privacy' but are too bothered to keep clicking the button to acknowledge the "this site wants to set another cookie - you already have 12345 cookies from this site. Continue?" button. So the State 'makes' things 'secure' and 'private' by passing a law that says that only 'bad' people will use hidden cookies.
    Wake up folks, know how to operate your browser. You can work an answering machine, a VCR, and an automobile, why not a web browser?
    • Re:Implied Consent (Score:3, Insightful)

      by jkrise ( 535370 )
      If you configure your browser to accept no cookies, some cookies, or all cookies, isn't that consent for websites to SET the cookies?

      What if your browser came pre-configured?
      What if you open Hotmail, and it says you need to enale Cookies to use it?
      What if sites used Cookies for purposes other than for the intended browsing experience?

      Wake up folks, know how to operate your browser.

      More than 60% Slashdotters use IE, use the default settings of Slashdot - /. can simply make the default threshold as -1
      • Re:Implied Consent (Score:3, Insightful)

        by aziraphale ( 96251 )
        > why should I learn to use my browser to avoid crooks?

        The car had a lock on it? Well, blow me down - I wondered what that little keyhole under the door handle was. Well, I never. Still, you can't expect me to learn how to lock the car just to avoid crooks, can you?

        Oh, you can?

        Oh.
        • you can't expect me to learn how to lock the car just to avoid crooks, can you?

          The fact is cookies are seldom essential, to improve the browsing experience. Car locks serve only to secure the car, no other useful purpose I can think of.
          Would you like if you had to use 6 keys to secure your car, and just 1 to open it? Would you like it if you had to change locks and keys every week to ensure no one 'sampled' your key when you were watching a movie?
          Can your car key be compromised, except without an identic
          • you said you wanted to avoid crooks, but didn't see why you ahould have to learn anything to do so. I was merely suggesting that ignorance in any field is a great way to become the victim of someone's malicious intent.

            I can invade the privacy of web clients without using cookies. I can do it with cookies. I can also build legitimate applications using cookies. So, why make using cookies harder? Why not legislate for privacy?

            The best way for legislation to protect you from crooks is not to ban their tools,
          • -The fact is cookies are seldom essential, to improve the browsing experience.

            Actually with the exception of embedding user state information in the url (which pretty much fscks up the url so the user can't add it to favorites or pass it around) it is the only way for the server to maintain state in multi page surf sessions to the same site. You know, like how Hotmail, Slashdot, etc... remember who you are once you put in your username and password (within the same session, not talking about coming back t
        • The point is that it's still illegal to steal the car even if you don't lock it. Note that I don't actually agree with the law, but your anology is poor. The govenment is making it illegal to steal the car; you should know that you're supposed to lock it.
      • Does the law require websites to work without cookies? Simply ask for permission and if the user declines, say "fuck off, go surf some other website". Kinda like those click-through EULAs work on software.
    • Most people don't know what a this type of cookie is, could care what this type of cookie is, and don't want to know how to disable this type of cookie.

      What disturbs me the most is that you people are supporting cookies when you are all privacy freaks.

      Not everyone has Konq or whatever other browser lets you block the cookies that you don't want and accept others. Not eveyone wants to download a third party application to do that either.

      They want to surf the web, safely, without people storing informatio
      • There's not a damn thing a cookie can "store" that the server can't do better. A cookie can't store anything you don't give it. A website can store whatever the hell it wants that you give it, including things like your CC number, without ever giving you a cookie. Cookies are a smokescreen that people use to bitch about when they don't have anything better to do.

        I suspect that you don't know what cookies do or how they work, either. If you did, they wouldn't bother you.

      • Comment removed based on user account deletion
  • by Eric Ass Raymond ( 662593 ) on Friday July 25, 2003 @07:46AM (#6530890) Journal
    Awww... poor Swedish website designers.

    I don't really think this matters that much. Especially, if you use something like Mozilla that can selectively block cookies. I let in cookies only from my netbank and Slashdot. If some other site won't let me in without cookies, they won't get a hit from me then.

    • So do I and I rarely have any problem visiting any site. That must mean that most of the cookies out there has no real meaning.
      Also the law text has some loop holes such as (my translation):
      ....this must not prevent any storage for technical reasons that is necessary to carry out or help a communication or something that is absolutely necessary to deliver a service that the user has explicitly requested.

      All this means is that you can never set a cookie for tracking purposes or to generate banner ads for
  • by upside ( 574799 )
    "The law comes into force today"

    Shouldn't that be "comes into farce"

    ?
  • by truffle ( 37924 ) on Friday July 25, 2003 @07:48AM (#6530904) Homepage

    There's no need to rewrite your site, just direct any visitor to this splash page. If they don't choose to use the cookies, they don't get to use your site.

    Sounds a bit harsh, but speaking as a Web developer, if you're working with a non static site it's simply too much of a pain to produce a good site. It's not impossible, it's just a huge pain. Almost all users will accept the restriction of cookies.

    A few years ago I wouldn't have said this, but browsers today who refuse to use cookies are just cutting themselves off from a large part of the Internet. Let them cut themselves off. When they're ready to join the rest of us, they're welcome to.

    As for privacy concerns, Mozilla has a nice warn-me-before-storing-a-cookie mode. Here's a clue for the Swedes, it should be the browser manufacturers providing consumers with options to protect their privacy.
    • ok lets say I am using Mozilla and I get this warning that some website, wants to store a cookie on my machine.

      how do I know if I should let it?
      I don't know what its tracking or what it will be used for.

      there needs to be more information than just its a cookie.
    • Actually it is even easier than that.

      Just host your site elsewhere. Given the hourly rate for rework, and that the entire damn site is going to be rewritten to come up with a hack that simulates session state cookies ... be easier, faster, and less prone to errors simply to have it hosted in some other country. No brainer. // Assert(girl && geek && bi && cute && humble)

      boolean Assert (boolean lotsOfThings)
      {
      Assert = false; // if you gonna dream, dream big.
      }
    • Try ASP.NET. It has a non-cookie mode where it inserts a guid into the URL automatically. You can switch from using cookies to not using cookies (but still preserving state) in seconds - literally - no recoding required at all.

      I believe it looks at the referring URL, gets the GUID, and then insert the guid into the response in the format:
      http://domain.com/yourfolder//page.aspx
  • by A55M0NKEY ( 554964 ) on Friday July 25, 2003 @07:48AM (#6530905) Homepage Journal
    A special web page where the user can choose whether or not to recieve cookies. What a good idea! All a web site needs to do is save the 'don't give me cookies' preference in a cookie and... wait.... Um.....
  • English version... (Score:5, Informative)

    by jmo_jon ( 253460 ) on Friday July 25, 2003 @07:50AM (#6530916) Journal
    Post och Telestyrelsen [www.pts.se] (the authority enforcing the law) has an english version of the "info text" needed for using cookies
  • by aziraphale ( 96251 ) on Friday July 25, 2003 @07:51AM (#6530925)
    I've said it before and I'll say it again - the terminology employed in internet law as it relates to internet standards is seriously screwed up.

    What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.

    This is ridiculous - there's no law saying a client must obey set-cookie headers, there's no reason for Set-Cookie headers to have any more legal status than Cache-Control headers. Set-Cookie is just a suggestion from the server to the user agent that it would help the server if the user agent remembered the attached cookie data, and sent it back in a cookie header with any subsequent requests.

    Set-Cookie is a request, not an order. If the client chooses to accept the cookie, that's the client's business. If the client chooses to ignore the cookie, so be it.

    Legislation doesn't belong in this field. The protocol provides for the situation where the client has privacy concerns about the server. legislating to effectively override IETF standards is a dangerous direction to go in.
    • What they're legislating here is that before a server transmits an HTTP response featuring a Set-Cookie header, they must send a prior (human readable) HTTP response to the client saying that they'll be sending a response with a Set-Cookie header along next if the client doesn't mind.

      So, what's the essential difference to SMTP and opt-in legislation? Opt-in requires the consent of the recipient before any advertising can be sent. It is possible to configure SMTP server to reject messages just like it'

      • This is where laws like the UK Data Protection Act come in. Legislation dealing with specifics, like 'consent for cookies', miss the bigger picture, and make using cookies for little, non-privacy-infringing tasks harder. The goal of the legislation should be to prevent privacy infringements - not cookies.
        • Legislation dealing with specifics, like 'consent for cookies', miss the bigger picture,

          The law does not deal with specifics at that level. What will happen is that there is a Goverment agency interpreting the law and give regulations/rules when new technologies appear.

      • > Following your logic, it would be dangerous to regulate any SMTP traffic (whether opt-in, opt-out or whatever) because people can choose whether to receive messages or not.

        Slightly different; when I make an HTTP request, I'm expecting an HTTP response. No web server sends out unsolicited HTTP responses to clients on the offchance they'll pick them up and set a cookie :)

        HTTP responses are always solicited, including a Set-cookie header in there is not a huge burden on the client. SMTP servers are serv
  • by mikech@rbsgi ( 120719 ) * on Friday July 25, 2003 @07:51AM (#6530926)
    A compromise solution would have been to disallow cookies that live longer that the user's session. Session cookies are very useful for JSP, PHP, etc. Long-lived (persistent) cookies are the real concern of the privacy folk. I'm surprised that no one presented this.
  • This represents a huge problem for swedish sites which use .asp and .php session variables.

    Just use Java Web Application with JSPs. They automatically handle the generation of sessionId with cookie or URL rewritting without any modification to the source code. :-)
  • if you store state in an encrypted hash on an input hidden tag.
  • The assumption that you can and should be able to provide all kinds of programming through a web interface ignores the fact that many applications involve personal data and the web is fundamentally public even if you add SSL or whatever gizmos to try and avoid the fact. There are many services that should not be provided through a browser. That doesn't mean applications can't be network enabled, but perhaps they shouldn't operate within a browser.
    Although the web is where a lot of great open souce devel
  • Stupidest idea ever. (Score:2, Interesting)

    by Kjeks ( 259643 )
    Why can't just the paranoid people block cookies?
    I can't exactly see the big problem with cookies (other than that it's a unreliable solution for remembering user-data).

    As already mentioned, if PHP is using sessions, it will first try to set a cookie with the session-ID. If that fails, it will pass the session-ID along with the url or automagicaly add a hidden-field to forms.
    Good luck rewriting ALL php-sites that uses sessions.

    As I see this, cookies do more good then harm, and it's no problem disabling th
  • Just assign a session ID to each visitor who doesn't have one. When a page is served, take the session ID out of the URL and insert it into the link URLs of the pages served.

    I once wrote an othello game that played this way. You could take back moves because it was stateless on the server end. The pointer also changed over the legal move squares because they had URLs under them. I may still have C source somewhere.

    BTW, first one to patent this please send me a check as thanks.

    • by radish ( 98371 )
      Wow, genius.

      All a cookie is is a session ID, the actual data in the session is kept on the server. It's just neater not to have to rewrite every URL, and it's nice to have the option of persistance. For everyone who is pointing out ways of living without cookies, you're missing the point. Cookies don't allow you to do (much) you can't do otherwise, they just let you do it more neatly and more reliably.
  • Internet Explorer said it would block cookies that invalidated your privacy.

    Now I use Mozilla Firebird and block any cookie that isn't from a site that I'm logged into. Does anyone know what kind of heuristics MSIE used to determine which cookies are good and which are bad?
  • EU law (Score:5, Informative)

    by DaBj ( 168491 ) <dabj.dabj@net> on Friday July 25, 2003 @07:56AM (#6530962) Homepage Journal
    Actually it's "just" an implementation of an EU law according to a directive from the EU (2002/58/EG) not that it makes it any better though since all of EU has to have this law sooner or later (but before Oct 31st 2003 according to the directive).
  • meanwhile... (Score:5, Insightful)

    by Gavin Rogers ( 301715 ) <grogers@vk6hgr.echidna.id.au> on Friday July 25, 2003 @07:57AM (#6530967) Homepage
    Meanwhile back in real life millions of scam artists, spammers and paedophiles remain confident that legal loopholes exist that allow them to do what they do without fear of prosecution.

    Cookies security problems? That's so 1996... Get with the real problems the Internet needs laws to prevent.

  • by BELG ( 4429 ) on Friday July 25, 2003 @07:59AM (#6530986)
    The law doesn't apply to cookies used to supply the user with a service she asked for.

    That is certainly open to interpretation, but at the very least it means that sites that really need cookies can relax. Shopping online, logging in to a news site, or any form of web-based mail are all services the user explicitly asks for, after all.

    However, silent information gathering becomes illegal. Is that a bad thing? Hell no.
  • by Rogerborg ( 306625 ) on Friday July 25, 2003 @08:02AM (#6531009) Homepage

    Specifically:

    • How explicit does the acceptance have to be?
    • Does it apply to all content served, or just to that served to clients that can (reasonably) be identified as being in Sweden?
    • Does it mandate a mechanism?
    • Is the mandated mechanism pure HTTP/HTML (how do I click on a popup in lynx, for example?).
    • How do they distinguish between a human browser, and a robot?
    • Do sites have to implement blocking of deep linking to redirect browsers to a cookie acceptance page? Does that screw indexing engines?

    Seems to me like there's a metric buttload of questions to be answered before we can have anything like a reasoned debate on this.

  • Will we now see websites where any user running IE is banned, because all the other web browser users can be assumed to have made a choice about accepting cookies or not?
  • Why can't they legislate that browser makers (far fewer of them) make it stupidly easy to manage cookies and include some helpfile about what cookies are? The Mozilla and Konqueror tools are good first steps, but a big 'cookie' icon (with a bite taken out of it or something) that brought up a simple but detailed view of the state of cookies in the browser would help immensely.

    5-10 programs would be impacted instead of the tens of thousands of sites which will be impacted by this (stupid) law.

    If there wer
  • by SlowCoder ( 99587 ) on Friday July 25, 2003 @08:07AM (#6531047) Homepage
    ..if people actually read and understood the text before making headlines out of it..

    First, the law says that if you _requested_ the service, go ahead and use your cookies all you want. But only for the site you wanted to access.
    This effectively stops banner-ad companies from tracking your movement between sites using persistent cookies, since you never _requested_ to look at their banners.

    Second, it only outlaws _storing_ of the information, which in my mind comes to _persistent_ cookie, ergo PHP / ASP session-cookies should be allowed without problems.

    I don't see any problem with this law, but I do see alot of good things coming from it. Less spying from evil banner-ad companies for one.

    My 2 cents worth..
    • I would read and try to understand the text, but I don't understand Swedish. I'm waiting for a translation... ;) Anyway, this is /., haven't learnt from your observations of everybody else that RTFA is a fool's errand?
  • So redesign all Swedish web sites to adhere to the cookie legislation, and then send the bill to the government. If everybody does it then that may force them to reconsider the legislation. Did they even have any technologists or experts available when making this law?
  • How will they handle someone linking to a page well inside the site? I could see the cookie warning being a no-brainer to set up when people type in an url like www.swedishurl.com (or whatever) and get a page like on a porn site, warning you of the content (or in this case, the cookie usage) and giving you the option to bail out. But how can this be handled from users coming via links?
  • I thuooght iferyune-a knoo PHP fells beck tu useeng URL-incudeeng iff zee user's brooser dues nut sooppurt cuukeees oor iff cuukeees hefe-a beee deesebled. Bork bork bork! Hoo deefffficoolt vuoold it be-a tu roon $_SERVER['REMOTE_HOST'] thruoogh a regex und use-a URL-incudeeng fur /\.se$/ ??

    Bork bork bork!

  • Say I have an app that talks HTTP back to a server (in this case, located in the US). Now say that app uses embedded IE, and uses cookies. Is that covered by this?
  • Utterly moronic (Score:5, Informative)

    by Fweeky ( 41046 ) on Friday July 25, 2003 @08:19AM (#6531133) Homepage
    Cookies keep client-specific data outside URL's and in a well specified, preditable and easy to manage system. You can set your browser to accept or reject them at will quite easily; even IE's really quite good at handling this automatically.

    Compare this with storing the same data in the URL; instead of setting a SID=12345 cookie to track your session id, it gets tacked onto the end of every link, Referer header, etc; now you have no automated method to accept or reject the "cookie", nor much control over having it leaking into access logs all over the place by way of referer headers.

    Congratulations, by not using cookies you just reduced the user's control over their own privacy! Well done!
  • The most important- to my mind- part of this is that they have to tell you what info they're collecting. This tells a lot about a company.

    My browser is not set up to block cookies. My browser is set to notify me, however, & pops up a privacy notice everytime one gets sent, and gives me the option to block them. You know that AOL ad with the screen full of pop-ups? I was astounded, when i tested, to see how many sites such as MSN will send you. Including the ones for ad servers that deliver popups. My

  • by JanneM ( 7445 ) on Friday July 25, 2003 @08:28AM (#6531224) Homepage
    I don't mind when slashdot posters comment on things without actually checking the facts, but I get prtetty annoyed when a news site does the same thing. IDG has had a long campaign against any kind of privacy regulation or other things that may hamper their ability to do whatever they want. The article is factually bunk, in other words. These are the same people lobbying for a sales tax exemption to advertising in very shrill overtones.

    The law explicitly allows using cookies for session management, identity and presistance without consent by the surfer when it is needed for the functionality the surfer came to the site to use. Slashdot would be in the clear, no problem. So would shopping sites using cookies for keeping track of a shopping cart, for example. Most asp and php sites would have no problem either.

    The law _only_ regulates cookies that are not relevant to the site functionality. Specifically, ad tracking stuff, web bugs and other stuff that track you independently of the site functionality can not store cookies without your informed consent. That's it.

    Just ignore the hysterical rhethoric from IDG.

  • If you use IE6 then it only accepts cookies when you have a privacy statement.(default setting) It means that when you want to read/set a cookie you have to provide the browser with a privacystatement. This is actually 3 documents consisting of 2 xml files and a html file explaining what the cookie is trying to do.

    Bloody annoying if you are coding a webapplication, I assume it broke a lot of old stuff :)
  • Just generate a session id, store everything in a database. If they have to login to use the site, even better, just retrieve the data for their user ID and generate a new session ID.

    No cookies, and you can still track just how many times the user clicked on the link for dirty pics of smutty grannies. ;-)

    That said, I don't give a crap about cookies. I turn 'em on and leave 'em for every where I go. It doesn't matter to me what gets stored in a cookie on my machine. After all, it could just as easily be st
  • by McDutchie ( 151611 ) on Friday July 25, 2003 @08:36AM (#6531296) Homepage
    Since the Fish knows no Swedish, here is a quick translation... any errors are mine. NoT = Note of Translator.

    - M.

    Here is what the law says

    SFS 2003:389, chapter 6. Integrity protection

    18. Electronic communication networks may be used to store or gain access to information stored in a subscriber's or user's terminal equipment only if the subscriber or user of the personuppgiftsansvarige (NoT: "entity responsible for handling the personal data", i.e. the website) receives information about the operation's purpose and is given the opportunity to decline such operation. This shall not hinder such storage or access as is necessary to execute or facilitate to transfer an electronic message via an electronic communications network or as is necessary to provide a service that the user or subscriber has expressly requested.

    Hard to comply with new law on electronic communication

    (07/24/2003 4:24pm)

    Today, many sites are becoming illegal, as the new law on electronic communication takes effect. It says that sites must communicate what the cookies' contents is used for. The users must also be given the option to refuse.

    Starting today, Swedish websites may not utilise so-called cookies without explaining the purpose of the treatment of the data that's in them. I addition, users must be given the chance to stop the use of cookies.

    This is one of the consequences of the new law on electronic communication, SDS 200:389, which is taking effect.

    It is apparently not sufficient to set the web browser to automatically accept cookies. The website one visit must explain what the information will be used for and also give the user the option to refuse the use of cookies.

    Hard for sites

    This gives Swedish websites two options.

    "One alternative is to stop using cookies, making the website's functionality suffer", says Jonas Eriksson at Webkonsulterna in Östersund.

    The other option is one Jonas Eriksson doesn't even want to think about.

    It means that the majority of Swedish sites that use scripting languages with session variables such as asp and php become illegal insofar as they don't rebuild the websites so that the users can approve of cookie use before they enter the site.

    But it doesn't stop there.

    "It isn't enough that people get a load of banner and popup ads every day. Now even all ad networks must first start a Javascript to ask people if they want to set a cookie before viewing the ad", he says.

    PTS complies with the law

    The (supervision authority? watchdog?) for the electronic communications law is Post- och Telestyrelsen, PTS, and on their website it says the following:

    "Cookies are therefore used for purely technical reason and they are used today by most websites. According to the new electronic communications law, which takes effect starting July 25, 2003, all who visit websites shall be informed about cookie use and be given the option to refuse such use."
    Fine threat

    According to Charlotte Ingvar-Nilsson, biträdande rättschef (NoT: some high-up function that I don't know how to translate) at PTS, PTS will monitor how the market will act on the new law.

    "If websites don't comply with the law, we have to start with educating about the changes", she says.

    And if that doesn't work?

    "If we suspect someone of not comlying with the law, that website will get at least a month to fix that. After that we have the option to issue an order which could be accompanied with a fine", says Charlotte Ingvar-Nilsson.

    PTS also has the option to decide that people who neglect a debt entirely or partially shall cease operations if the infraction is not insignificant.

    "It remains to be seen whether it can become applicable in this case", says Charlotte Ingvar-Nilsson.

  • This Is Idiocy (Score:4, Insightful)

    by KrispyKringle ( 672903 ) on Friday July 25, 2003 @08:41AM (#6531341)
    I'm all in favor of privacy, but this is pure lunacy. It is entirely up to the end-user to accept cookies. The only reasons end users may feel they do not have a choice are that their browsers are configured by default to accept them and a few (not many) pages require cookies to work.

    So, if they really wanted to mix it up, they'd order the browsers to have them off by default (or ask the user on their first run) and make sure websites don't need them to function. But requiring them to get consent is silly. Cookies are an essential part of web design, misused, for sure, but I can misuse images or session headers or the REFERER field in HTTP/1.1 to track someone as well. Government should not be legislating technology, when possible, be it for corporate gain or perceived consumer safety.

  • P3P (Score:3, Informative)

    by Sebby ( 238625 ) on Friday July 25, 2003 @08:59AM (#6531486)
    Wouldn't it just have been easier to force them to issue P3P policies for their site?

    I can see a lot of businesses moving their site 'off-country' or making them "international" if that doesn't cut it....

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...