"Breathtakingly Stupid" EU Cookie Law Passes 447
Reader whencanistop writes with some details on an upcoming EU law that slipped under the radar as it was part of the package containing the "three strikes" provision, which attracted all the attention and criticism. "A couple of weeks ago we discussed the EU cookie proposal, which has now been passed into law. While the original story broke on the Out-law blog from a law perspective ('so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point'), there has now been followup from a couple of industry insiders. Aurelie Pols of the Web Analytics Association has blogged on how this will affect websites that want to monitor what people are looking at on their sites, while eConsultancy has blogged on how this will impact the affiliate industry. In all of this the general public is being ignored — the people who, if the law is actually implemented, will have to proceed through ridiculous screens of text every time they access a website. I know most of you guys hate cookies in general, but they are vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."
"Necessary cookies" (Score:1, Informative)
If I tell a site to store some setting for me, it may set a cookie. If I click on some "automatically authenticate", it may set a cookie.
If I only change a setting of the current session or log in or things like that, that's no reason for a cookie.
Doing sessions via cookies is a blank check for the most trivial cross-site attacks, so do not do it.
If I'm happy to go with the default settings or if I have to authenticate anyway (so you know my name) there is no reason to make my browser send you stuff.
Thanks in advance.
Indeed, this isn't the '90s anymore (Score:5, Informative)
Indeed, this isn't the '90s anymore. We have technology that allows us to better target advertising and better track our business. Why legislate ourselves back to the days of broadcast advertising and a stateless web? And to those who say to use log files for analytics, you have to be kidding me. You obviously don't run a website.
Re:Do We Really Need Cookies? (Score:2, Informative)
Yes, it can be done server-side, using IP tracking, login and so on.
One word: NAT.
Re:I don't see the stupidity here (Score:3, Informative)
I agree, but it will make the ads just a little less valuable.
Yes, I know there are other ways to store the data... ;)
1. Every link becomes a javascript POST.
2. All data moved between pages via querystring.
3. Require a login to use the site so the data can be stored server-side.
4. FLASH COOKIES
Re:I RTFA and don't find it to be all that bad at (Score:3, Informative)
it's about annoying people... (Score:1, Informative)
I think here's a lot of misunderstanding about what this "\"Breathtakingly Stupid\" EU Cookie Law" is all about.
It does not BAN anything. It requires Website operators to prompt the user on first visit to agree to their cookies. So basically _it is_ damn stupid: nothing is done about cookies, another nuisance is created. Set your Firefox to prompt you every time a site wants to set a cookie and see if you will enjoy it.
The EU completely ignores that most browsers already have prompting/blocking mechanisms for cookies and it's just up to the user to turn it on, and instead they reinvent the wheel and force the Website-owner to bug everyone in the world visiting EU located sites.
Re:All cookies are always used with consent. (Score:3, Informative)
My browsers ask me. Maybe you don't use IE or Firefox?
Re:All cookies are always used with consent. (Score:3, Informative)
Horrible summary (Score:3, Informative)
Submitter apparently is counting on /. readers to not follow links but merely form opniions from TFS. This is presented as though it were a list of blogs bashing the new law from all angles... but in reality:
- The first link is to an old /. entry. TFS from that entry has an update acknowledging that the summary write-up is wrong and encouraging readers to RTFA, but its article link is broken.
- The 2nd link is to a blog hostile to the law. Its writing style clearly shows bias. It is light on facts or citations to authoritative references, and heavy on assumptions about how to interpret the law.
- The 3rd link is to another blog disagreeing with the interpretation from the blog in the 2nd link, and saying that the law doesn't really look that bad. ...and at that point I gave up. This information just isn't important enough to me personally to justify continuing to navigate a dishonest compilation.
Here's an idea for future attempts: how about a link to the damned law?
Read the actual text, not the FUD blog posts (Score:5, Informative)
You can, could, and still will be able to block cookies in your browser, so whatever web site operators are doing with them, it isn't going to affect your privacy or "trackability".
Unfortunately, that isn't really what happens.
For example, many sites now use local shared objects ("Flash cookies") to store data, rather than regular cookies. No mainstream browser controls these by default, so even if you have disabled all cookies in your browser's privacy settings or asked to clear all your private data, LSOs will still work. Moreover, use of LSOs is often not even mentioned in a site's privacy policy; even big-name sites like YouTube have been offenders in this respect. Moremoreover, the way to disable these little buggers in Flash is hidden in a settings dialog that most users wouldn't even know to exist.
Maybe I'm crazy, but I don't see how failing to disable something that is being used to do something you never asked for, which you don't know is happening, via an obscure dialog you don't know exists, can constitute implied consent, particularly if you've explicitly disabled all similar functionality that is presented in your browser's UI.
I can't decide whether this is Brazil-style bureaucracy galore, or Eastern Standard Tribe-style anti-productivity warfare.
Neither, it's basic privacy protection, and as far as I can see it's long overdue and a good thing. Why should we support out-opt monitoring rather than opt-in, just to make life easier for those who want to produce targeted advertising and affiliate blogspam?
If you have a legitimate need to use cookies, for example to help a user with a shopping cart or remember they've logged into your forum, then there will be no problem stating clearly at the point that they start to use these facilities that a cookie will be set for that purpose. If you manage to wade through all the FUD blog posts and find the actual wording [europa.eu] we're talking about here (you'll want article 2, clause 5, on page 76), you'll notice that this does not require UAC-style dialogs or 'screen after screen of "permissions" to continue'. In fact, there is even wording saying that the new rule doesn't apply in cases where the user has explicitly requested a service that needs to store cookie-like information to function properly.
Re:Vital under what conditions? (Score:3, Informative)
I mentioned the referrer point merely because it completely debunks the specific argument you made in your previous post: "Most sites have 60%+ visits coming from Google in the middle of the site, to do any usability testing they need to know where they arrived to focus that usability."
You seem to have ignored the fact that I also mentioned using JavaScript for more detailed analysis.
If you need to follow specific users around your site, you can do this without cookies by adding a suitable GET/POST field on your links/form submissions.
The only thing you've mentioned that can't be done without cookies is tracking users across visits, where they leave your site and then return again later. I'll concede that this might be useful, but to me it seems a small price to pay for saying that as a user, it means no-one else can track my movements between sites either.
Re:All cookies are always used with consent. (Score:5, Informative)
What browser do you use? IE, Firefox, and Opera all have a very simple user setting that you can turn on. It's off by default, but is really easy to turn on.
The instant you do, you'll be asked every time a site wants to set or use a cookie. With most of them you can even differentiate between first- and third-party cookies (so cookies that originate from the site you are visiting can be tracked differently from cookies that originate from other sites). Once a site has been asked about, most browsers allow you to choose between four functional options (they are presented differently in each browser):
1. Yes, and always allow cookies from this site or domain without asking.
2. Yes, just this once.
3. No, just this once. Ask me again next time.
4. No, and never allow cookies from this site or domain again, and never ask me again.
Actually, you owe it to yourself to turn this feature on, if only for a short time before the popup warnings drive you insane. It's a real eye-opener as to how much cookies are used on the Web today.
Ideally, all browsers would come with this set on in the beginning, with a large prominent button that said "never ask me this again - by pressing this I give my browser permission to gobble down all the delicious delicacies it wants". EU happy, users happy, trackers happy. And for those who really, REALLY care about tracking cookies, well, don't push the button.
The only breathtakingly stupid thing (Score:3, Informative)
I think the only breathtakingly stupid things here are Kdawson and Timothy, who both seem to have never read Slashdot before, despite being editors.
Re:All cookies are always used with consent. (Score:3, Informative)
A better, and more useful, solution is to use CookieSafe in Firefox, or the other extensions that do the same thing.
It bans all cookies, without prompting, but you can turn them on per site.
After a few times, you learn to automatically think 'I wish to register for an account at this website, I will enable cookies for it first' and click the icon and Allow the site.
Also you can override websites only set per-session ones for websites that 'need' them but really shouldn't, like sites that keep track of what 'page' you're on via them.
Re:Vital under what conditions? (Score:3, Informative)
ways wondered why they couldn't store transaction data on the server when doing this sort of this sort of thing.
They do, they're called "Sessions". The problem is, you still need cookies to store the session tokens.
Re:Vital under what conditions? (Score:3, Informative)
Well, only if you care even remotely about having some level of security. Surely you've run into a website (typically a forum) that has a ?sessid=2387498798ad87c2eea92 querystring. It's hideous and stupid, but technically you CAN use cookie-less sessions (see: php: session.use-cookies [php.net]).