"Breathtakingly Stupid" EU Cookie Law Passes
Reader whencanistop writes with some details on an upcoming EU law that slipped under the radar as it was part of the package containing the "three strikes" provision, which attracted all the attention and criticism. "A couple of weeks ago we discussed the EU cookie proposal, which has now been passed into law. While the original story broke on the Out-law blog from a law perspective ('so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point'), there has now been followup from a couple of industry insiders. Aurelie Pols of the Web Analytics Association has blogged on how this will affect websites that want to monitor what people are looking at on their sites, while eConsultancy has blogged on how this will impact the affiliate industry. In all of this the general public is being ignored — the people who, if the law is actually implemented, will have to proceed through ridiculous screens of text every time they access a website. I know most of you guys hate cookies in general, but they are vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."
Vital under what conditions? (Score:5, Insightful)
also vital to know people's sexual fantasies? (Score:1, Insightful)
It's also vital for TV advertisers to know people's sexual fantasies so they can work out how to improve the TV-watching experience for the viewer.
It's also vital for the RIAA/MPAA to know the contents of people's hard drives so they can deliver more-interesting music and movies for the consumer.
You have no right to stuff shit on my computer, period, and even less right to do so when the aim is to make you more money. There are these things called "server logs" that do an adequate job of letting a site owner know what parts of their site are found interesting and they do not require bugging my computer to do it.
In sum, you are every bit as much of an asshole as those RIAA lawyers who sue people for "contributory infringement".
Cookies? They is not necessairy, no. (Score:4, Insightful)
Since we're talking statistics, the largest problem is understanding. Most people don't. Maybe that's why people prefer to use external tracking services instead of using the information already on their own website: The access logs. Otherwise I really don't see why you'd use them. No, it won't get everything, but it _will_ give you general trends. And with a large enough sample those trends will be obvious enough.
Plus, all this focus on ``user experience'' gave us dancing rodents and several big fat stacks of proprietary, closed, and platform-dependent stupidity of the likes of flash. The most prevalent user experience therefore has to be ``confused boredom''. And in a score or two years, bitrot has ensured all that crap stays lost forever. That's a definite boon, but not good for general archiving, and therefore a problem.
My core concern with websites is what content they have to offer, and if I can't find it, I'm gone. Flash? bye-bye. Confusing layout? Two more clicks and I'm gone again. A sitemap? Click on it and search for a couple keywords. Nothing? Ciao! And so on, and so forth.
``User experience'' is overrated. Focus on the message; write it for me and not at me, make it easy to find, easy to flip through, easy to search, easily available. And for that, you really don't need cookies, and you especially don't need and therefore shall not require javascript, java, or some other proprietary plugin.
If you want to track your users, all you need is a small shell script to connect requests, referrers, and timestamps together and you'll have more info than you could possibly need already.
The time has come...end them. (Score:4, Insightful)
Oh please, pull the other one....we all know what cookies are ultimately used for.
Don't even try to feed us that line that this is needed for "proper feedback"
This isn't the 90's anymore....
Why exactly is an issue? (Score:3, Insightful)
Here's what's coming. The now-finalised text says that a cookie can be stored on a user's computer, or accessed from that computer, only if the user "has given his or her consent, having been provided with clear and comprehensive information".
An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.
~The Out Law Blog
So- some websites will have an EULA page. Big deal. Actually, that's not at all a bad idea now is it? So why all the hoopla?
(Note: The originally linked slashdot post linked a Yahoo News article that's no longer valid).
Do We Really Need Cookies? (Score:5, Insightful)
There are in fact still people who refuse to allow cookies, and there are still browsers like lynx that require explicit confirmation from the user before they accept them (In fact, the directive does not ban cookies. It simply mandates the default behavior of lynx.). Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms. Try thinking outside the box you've been in for the last 15 years.
Let us be frank. Cookies have been abused. Horrendously abused. Private companies have tagged, tracked, and stalked billions of people. We have allowed terabytes of data on the lives of everyday people to fall into the hands of completely unscrupulous entities. The information held by even smaller marketing outfits would 20 years ago have seemed like a treasure trove to organizations like the Stasi and the KGB. Does the fact that such information is akin to that desired by secret services mean that the collection and indexing of this information is inherently wrong? No; but it is a big hint that it probably is.
The EU may have blundered here, throwing the baby out with the bathwater. But I think their basic motivations were very admirable. As our lives move more and more onto the net, we cannot accept the current status quo of companies like Google, Yahoo, Microsoft and the rest being allowed to do as they please with data on other people. Despite the unworkable nature of the law, the EU is moving in the right direction on this.
Cookies to store user variables (Score:3, Insightful)
Cookies are often used to store user variables when they go from one page to another - patching holes the stateless web protocol forces on the user experience. Session or server-side variables may also be used for this, but that's more work for the web designer, who usually is up to his neck trying to support different versions of IE misbehavior.
Sites I've worked on have never used cookies to send back personal information, but they have used them to improve the user experience.
reasonable (Score:5, Insightful)
This doesn't sound "breathtakingly stupid" to me. It's debatable. Maybe it's "breathtakingly stupid" that it slipped through without notice, but if we are talking about what's right and what's wrong, it can be argued (and often is, I'm sure) that one should expect to have privacy in regards to their browsing habits*. The fact that it negatively impacts businesses should be irrelevant, if we are talking about protections for the individual.
* Yes, you can turn off cookies from the user end, but laws are sometimes there to protect people who don't know any better, and there are a *lot* of them in this case.
Re:I RTFA and don't find it to be all that bad at (Score:3, Insightful)
They are also used by most PHP based web sites using the session feature.
What's the point to ask:
sessionID=zaFgGG13sddf.34ciuoy
Do you agree [Yes] [No]
Re:Why exactly is an issue? (Score:4, Insightful)
The site may have an EULA, but you still can't present cookies to the user until he has had a chance to read it and decide to either agree to the terms or go elsewhere. At the moment, you get a cookie when you first visit the site before you get a chance to read anything.
Re:I RTFA and don't find it to be all that bad at (Score:4, Insightful)
The problem is you need to show the user the text before they can view your website. Just imagine you are using google to search for something and once you click a link, you end up not on the content you expected but on a
"We use cookies to track users in the following ways, blah blah blah. Is this okay with you"
That would suck so much.
Re:I don't see the stupidity here (Score:5, Insightful)
I know this isn't going to be looked on well here, but here are my pro cookie, pro marketing comments...
1. Someone above complained about companies selling the data that they collect. As though it's the most terrible thing in the world to do. Guess what, every company that collects demographics about customers (grocery stores by example, the only way to not get tracked is to pay by cash. You don't need one of their store cards because they'll match your banking account numbers and STILL build a profile) and then sells them. How many useful websites on the internet are driven by 1. Selling demographics, 2.) Ad revenue. Making cookies opt-in kills both of those things. How much is /. charging you guys? Ask them what'll happen to their ad revenue if cookies are suddenly opt-in. Yeah, they can still technically serve the ads, but they will no longer be as accurate to the viewer, nor will they be tracked as well... meaning less profitable for the ad agency and the publisher.
2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.
So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny 90% of the time, and STILL kill many sites because their revenue has dried up.
I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.
AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.
Re:Vital under what conditions? (Score:2, Insightful)
I've seen examples where third parties require cookies to analyze the usage patterns of users on client sites but I don't require logs to understand usage trends on sites where I have easy access to log files. In fact, I think usability testing would reveal more than analysis of usage data.
No way.
Usage data is a direct measure, while user tests are a very rough estimate.
Tracking usage is key if you want to have a website that is good for its users.
Re:I RTFA and don't find it to be all that bad at (Score:5, Insightful)
Yeah, total agreement, here. This stupidly transparent, self-serving quote says it all:
"...but they is vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."
User experience? WTF? Sorry, but the only reason you need invisible-to-the-user cookies is so you can monetize them without them realizing just how much privacy/anonymity they're giving up. Because that might give users pause before they accept your cookies, if they had an informed choice.
And everybody here knows that. The quoted jackass in TFS is just trying to make his industry look like a victim, to drum up support from civil-liberties sympathizers on Slashdot. Too bad we're not that dumb...
As an employee of the advertising industry, I have zero problems with monetizing Internet traffic, or with using cookies to track user behavior, etc., etc. But I hate liars, and I hate people who try to manipulate me.
All cookies are always used with consent. (Score:5, Insightful)
This is an irrelevant and distracting question, because cookies are always used with consent.
A web server replies, in response to a request initiated by the user, with a header that says, "Here's a little piece of information and I hope you pass this back to me on subsequent requests."
The user's agent -- software chosen by the user to do whatever it is that they're trying to do -- sees this completely advisory information and decides, perhaps even with a confirmation dialog with the user (or not, if the user has decided that they usually want the same behavior every time without getting bothered), to store this information. And then it decides to pass this information with the next request.
The entity the user is communicating with, ultimately has no choice about whether or not the user really does this. It's all up to the person who is using the browser. Or, in very old browsers that don't have dialog preferences for cookies, it's all up to the browser's author, to whom the user decided to defer to when they install the software.
Cookies don't do things. Users do things with cookies. Servers reward users for deciding to send the cookie.
If you have chosen to transmit cookies, take responsibility for your decision, instead of crying to the government and demanding that cookies never be offered to you.
Re:I don't see the stupidity here (Score:5, Insightful)
The stupidity is this:
You can, could, and still will be able to block cookies in your browser, so whatever web site operators are doing with them, it isn't going to affect your privacy or "trackability".
But, it sounds as if this new law requires the web site operators to show you screen after screen of "permissions" to continue. These permission requests are stupid as EULA dialogs, Vista-like "admin authorisation" dialogs, etc, because they (a) don't offer a meaningful change in values (be it trackability or privacy), and (b) annoy the hell out of users. I won't go into how (c) these crap warnings numb users to real warnings, which they will also mindlessly click through.
I can't decide whether this is Brazil [imdb.com]-style bureaucracy galore, or Eastern Standard Tribe [craphound.com]-style anti-productivity warfare.
Re:Cookies? They is not necessairy, no. (Score:5, Insightful)
If you don't understand why third party tracking is used, then you don't understand running a website with any appreciable advertising revenue. We don't use third party tracking to fix our web servers or for internal trending, we use those numbers to sell ad space. Advertisers are not going to believe you when you say that you get X amount of hits based on your web logs.
User experience can also be tracked in that way, of course, and certainly if the third party tools are well built, our user experience groups can use that data, but that is not why we spend the money on third party tracking.
Re:I RTFA and don't find it to be all that bad at (Score:4, Insightful)
Re:Cookies? They is not necessairy, no. (Score:3, Insightful)
make it easy to find, easy to flip through, easy to search, easily available
...so...provide a good user experience?
Re:Michael (Score:3, Insightful)
Re:Do We Really Need Cookies? (Score:4, Insightful)
Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms.
Semi-permanently modifying the page to the user's desires without server-side intervention.
Yes, it can be done server-side, using IP tracking, login and so on. But they require actual CGI to run and generate content, instead of the HTTP layer spitting out "Cache HIT" on page content and static Javascript.
Users hate registration, and IP tracking is useless with dynamic IP (there are ISPs that change it once an hour). But even then, you just have to do server-side work that would be better done client-side simply because servers cost. I've been working with a big IT/Portal/News company that had a big farm of servers that was at 80-90% of its load at all times. If not for cookies combined with tons of static content kept client-side in browser caches and in a squid layer protecting the farm, refreshing the content of each page maybe once in 15 minutes vs ~1000 hits/second, we'd have to maintain about 2-3 times as many servers. And that would move us from "quite profitable" to "generating losses".
Re:Cookies to store user variables (Score:3, Insightful)
You forget, /. is overrun with out of work idealists that just want to 'hate the man'. They have no interest in the problems of a working developer.
Re:Cookies to store user variables (Score:3, Insightful)
Server-side variables are primarily more work for the server, which has to re-run the script instead of informing the content didn't change and can be retrieved from the browser cache (and modified client-side according to the cookie).
Are there any paranoids in the audience tonight? (Score:4, Insightful)
To quote Roger Waters: "Are there any paranoids in the audience tonight? Is there anybody who worries about things? Pathetic."
Seriously. Not "most of us" hate cookies. A paranoid few do.
If it weren't for cookies, this site wouldn't remember my login. Google apps wouldn't work well. The browser would not retain my per-site preferences.
I rarely ever clear cookies.
Re:Vital under what conditions? (Score:5, Insightful)
So do you actually have any evidence to back up your doomsaying, or is it just your personal view that you'd like to shove down everyone else's throat?
We don't use cookies on the sites I run, yet I still have a pretty good idea of what our users do, because we have these things called server logs. They include something called a referrer field, which tells you where the visitor came from before they reached their current page, for example. Moreover, for more detailed analysis, it is far more valuable for site improvement to have a little JavaScript that can also identify things like screen resolutions and browser versions, which give us information that is directly useful to checking that our pages will look good on the systems our visitors are actually using. Cookies won't tell you any of that.
We are contemplating using cookies for a new system on one of our sites, because it will allow users to create an account and then filter data shown on various pages according to their personal preferences. All the cookie will do is remember whether the user has logged in, and if so, who they are, for the duration of their visit. And we're only doing that because the site will work fine without an account, so we don't want to throw up HTTP Authentication screens for every visitor. We would have no problem disclosing this fully to any visitor to our site at the time they create an account.
Re:Kudos for refuting your own argument (Score:4, Insightful)
BTW, we give discounts to customers using affiliate links. We WANT our affiliates to be profitable, if they aren't, we aren't. So we prefer that a customer goes through an affiliate. No cookie? No discount.
I guess you'd prefer we stored it all in the query string and pass it from page to page? Guess what, that's where we're headed. That, or every link becomes a POST.
Re:I don't see the stupidity here (Score:5, Insightful)
Lack of cookies does NOT prevent ads. Lack of cookies does not prevent ads from being linked to an alternate site. Lack of cookies does not prevent your userid from being included in the URL that takes you to the other site if you click on the cookie. Lack of cookies does not prevent your userid from being included in the URL that fetches the ad image from the other site. So ads are not really hindered. What is hindered is weak minded developers that only learned one way to do things.
Load Balancing (Score:3, Insightful)
Cookies are used to keep track of a user's session, especially when it crosses a load balancer and gets sprayed to any number of identical servers. Without the cookies, there is no way to keep your session on a consistent web server throughout a session. Remember things like "www3.netscape.com"? Cookie-based load balancers are what fixed that situation.
Yes, cookies are abused by advertisers, but quite frankly, I don't give a damn if a site wants to use them to follow me on their site. They DO use them to see which products are popular, what items are considered together - valid data that lets them make business decisions. I know from working with web design firms that they can be used to track flows through a site and tell what parts of navigation are difficult, and if users are missing the "intended" way of using a site.
There are lots of valid technical uses for cookies. I've never understood why they're vilified. It's a tiny chunk of usually random/hash data that's put on your computer by the remote site. Why should you care if they then retrieve it? The only objectionable use is cross-site cookies used by advertisers, and most decent browsers let you disable that class of usage, but not the rest.
Re:Are there any paranoids in the audience tonight (Score:4, Insightful)
If it weren't for cookies, this site wouldn't remember my login.
But then again, having a site "remember you" between sessions is a security risk. I mean ok, who cares if your brother starts trolling people with your slashdot account if he comes over for the weekend... but just the concept. You know, you CAN provide unique service to someone using a login, session ID's and designing your website with the appropriate GET/POST commands. Admittedly it is a LOT more work for the web designer, but far more secure than cookies. However you guarantee that the session "expires" the minute you close the web browser.
This is pointless (Score:3, Insightful)
Ok, no cookies. Poor me. You're just making it more difficult, but there are ways around it.
1. The malware and other scrupulous sites you hate so much... They won't obey your rules.
2. I hope you enjoy long query strings, because everything is going to be passed from page to page.
3. If you don't, expect every link to become a javascript POST.
4. You'll be required to create an account a lot more often so we can store everything server side and restore to SESSION variables when you return.
5. And expect a lot of free content sites to go belly up. No cookie, no revenue.
6. What percentage of sites these EU customers visit are hosted outside the jurisdiction?
Re:Do We Really Need Cookies? (Score:4, Insightful)
How do I implement sessions without mangling all the local URLs in the output (which is seriously non-trivial and poses its own problems, also with security and privacy), yet without the use of cookies?
Hey Government: LAWS ARE NOT FOR FIXING TECH (Score:5, Insightful)
Why do government people think that passing laws like this can fix a problem that is fundamentally a technology problem? The problem is that when lawmakers focus on tech, they often focus on regulating the tool instead of regulating behavior. So you get a situation like this:
Trigger: People are killed with a hammer.
Response: Ban Hammers.
Unintended consequence: Entire construction industry out of business, everything falls to disrepair, screw industry explodes, scarcity of hammers leads murderers to switch to using rolling pins.
In this case, the issue is user privacy. Regulating cookies does little other than break the web which is in many ways cookie dependent for many different dynamic interactions between applications on servers and browsers. So, you break the internet, reduce security, and move advertisers to using something that's not a cookie to tag visitors with (lots of ways to accomplish this).
It's that old guns don't kill people, people kill people thing.
Transparency is the name of the game (Score:3, Insightful)
Re:Do We Really Need Cookies? (Score:4, Insightful)
Regulating tools doesn't work. Regulating behaviors does. When governments try to regulate technologies, they usually focus on the tool instead of behavior with asinine results. It would be much easier to simply:
Outlaw the practice of collecting marketing information without the express permission of the person being collected, at the time the data is collected. Make it clear there is no "blanket" opt-in possible under the law.
Make it a civil tort with a big statutory fine (say something around $10,000) to skirt this so lawyers would go after abuse on contingency.
It's not that hard, but we have to help lawmakers better understand the difference between tools and behaviors.
Re:Do We Really Need Cookies? (Score:2, Insightful)
Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms.
Let's use URL rewriting. My friend shares a photo from their private album with me, I post a link to it on Twitter and the next thing I know half the world has my session id.
Re:Kudos for refuting your own argument (Score:4, Insightful)
The affiliate part can be argued to be necessary for user experience, and as such exempted. The cookie is a necessity to carry on the information that the user is expecting you to carry on in his/her behalf to/from affiliate sites.
E.g. I read a book review on your site, you say "it's available on Amazon, to order click here", then when clicking said link I would not expect any less than to go to Amazon to the page where that book can be ordered. And to get that promised affiliates discount Amazon has to know where I come from.
So nothing much to worry about for you under the proposal afaict.
Re:I don't see the stupidity here (Score:3, Insightful)
But if you don't like cookies, you can already disable them in your browser. I fail to see how this should be mandated on the server side.
Re:I RTFA and don't find it to be all that bad at (Score:5, Insightful)
Passing a session ID around in the querystring has more severe security implications than storing the session ID in a cookie. You can't link your friend to your cookie.
Re:I RTFA and don't find it to be all that bad at (Score:3, Insightful)
The approach is completely backwards. They're hampering all uses of a given technology, when what they want to control is bad behavior. It's like banning/limiting hammers because a fair amount of people tend to buy hammers and then hit people over the head with them.
The legitimate hammer users get hampered. The head bashers buy mallets.
The correct solution to the absurd hammer example here is to make hitting people over the head illegal.
The correct approach to information collection abuse would be to make collecting information subject to regulation. As numerous people have already pointed out, you don't need cookies to track people and collect information-- the well-financed information industry can get around this dumb rule trivially.
Re:I don't see the stupidity here (Score:5, Insightful)
There are ads on the Internets?
I totally agree with the EU legislation. (Score:4, Insightful)
Firstly, it's not all cookies, just those that are not directly related to the operation of the site the user went to.
That means this regulation is mostly attacking tracking cookies.
When I went to my favorite site, I never gave anyone called "fastclick" (or whoever) permission to store their stuff on my PC. Nor would I ever give them or anyone else permission to track my surfing habits, yet they are doing it without ever having asked or even informed me. This is a privacy issue.
I totally agree with the EU legislation.
Re:Why exactly is an issue? (Score:3, Insightful)
The web server says "hey, here's a cookie you can store for me, if you like, and send it back later to assist me. Do with it as you please." The user's browser either ignores it, or later sends a copy. If this isn't consent, I don't know what the hell is. So the HTTP protocol itself already ensures that all websites are compliant.
Re:I don't see the stupidity here (Score:3, Insightful)
Except you can already block all that with your web browser, if you don't like it.
Why put undue burden on site owners when cookie blocking features *already exist* in every browser out there? That's why this law is retarded-- not because of the intention (which I also kind of agree with, to an extent).
If the EU is really concerned, they could pass a law against third-party cookies. This would remove most of their concern, without unduly affecting site owners. (Most, if not all, ad networks and analytics packages already allow for this usage.) Or they could pass a law saying that cookies must contain *only* references to a secured database, and no personal information in plain-text. That would also make sense.
What they have here? Makes no sense.
Re:I don't see the stupidity here (Score:3, Insightful)
If I assume that watching ads is the payment for content
Why would you assume something so obviously wrong? As is so often quoted here, in advertising viewers are the product being sold. The payment comes from the advertiser.
I assume this is tongue in cheek and I don't have to go into the problems with the premise?
Yes, it is tongue-in-cheek, but it *does* have a subtle point behind it - either web advertising is undervalued, or print/TV advertising is overvalued. If print/TV advertising is overvalued, don't you think someone might have noticed by now? That leaves... web advertising being undervalued, which leads you to ask "why"? It's pretty obvious that it would be because the focus is on user tracking.. as that's the metric that receives the most focus.
Think about it: How many TV or magazine advertisements are valued on how many people immediately stop what they're doing and buy the product? How much is TV advertising worth? Magazine advertising? Web advertising is the only one that does this large-scale. It's also perceived as the one with the least value. You believe this is mere co-incidence?
Re:Kudos for refuting your own argument (Score:1, Insightful)
Re:Vital under what conditions? (Score:3, Insightful)
To get back on topic, if you have no cookies, how do you link your http queries to your cart (you know, so that the user can buy some stuff) ?
And please, no url rewriting nonsense that blows caches away and exposes your session tokens to every external website you link to with the referer field.
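Added example, not part of any comment in this thread: several posts above note that a session ID carried in the URL ends up in shared links and in the Referer header. The Python sketch below audits a site's own access log for exactly that. The parameter names, the Combined Log Format layout, and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumption: parameter names commonly used when sessions are carried in URLs.
SESSION_PARAMS = {"sessionid", "session_id", "sid", "phpsessid", "jsessionid"}

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation address ranges, made-up tokens).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2009:10:00:01 +0000] "GET /album?sessionid=A1B2C3&photo=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Nov/2009:10:05:42 +0000] "GET /album?sessionid=A1B2C3&photo=7 HTTP/1.1" 200 5120 "http://social.example/status/1" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Nov/2009:10:06:00 +0000] "GET /static/site.css HTTP/1.1" 200 900 "http://shop.example/album?sessionid=A1B2C3&photo=7" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2009:10:07:12 +0000] "GET /cart;jsessionid=Z9Y8X7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Nov/2009:10:07:30 +0000] "GET /checkout HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line',
]


def session_tokens(url):
    """Return session-token values found in a URL's query string or path parameters."""
    parts = urlsplit(url)
    values = [v for k, v in parse_qsl(parts.query) if k.lower() in SESSION_PARAMS]
    # Servlet-style rewriting uses a path parameter: /cart;jsessionid=abc
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            if name.lower() in SESSION_PARAMS and value:
                values.append(value)
    return values


def fingerprint(token):
    """Short hash so the audit report does not repeat the live token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def audit(lines):
    """Summarise URL-borne session tokens seen in access-log lines."""
    clients = defaultdict(set)   # token fingerprint -> client addresses that sent it
    in_referer = set()           # fingerprints that arrived inside a Referer header
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        for token in session_tokens(m["target"]):
            clients[fingerprint(token)].add(m["host"])
        if m["referer"] not in ("", "-"):
            for token in session_tokens(m["referer"]):
                in_referer.add(fingerprint(token))
    return {
        "tokens_in_urls": sorted(clients),
        # One token used from several addresses suggests a shared or leaked link.
        "shared": {fp: sorted(ips) for fp, ips in clients.items() if len(ips) > 1},
        # Browsers send the full previous URL as Referer, token included.
        "sent_in_referer": sorted(in_referer),
        "unparsed_lines": skipped,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A token appearing under `sent_in_referer` in your own log means the same header, token included, is also delivered to any external site the page links to or loads resources from.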
Re:I don't see the stupidity here (Score:3, Insightful)
Why is it that important to not see the same quote again?
Why is it so important to you that the government be involved in this decision?