Sweden May Mandate Opt-in For Cookie Transfer
Vitdom writes "The present government in Sweden has published a proposition regarding 'Better rules for electronic communication.' Amongst other proposed amendments, it suggests that websites must inform the user of the 'purpose' regarding each individual cookie transferred to the user's browser upon connection. Secondly, it is suggested that the user must give his consent before the transfer of the cookie in question. The proposition is to be voted on by the Swedish parliament on 18 May this year. If accepted, the law will be in effect in June."
Yay (Score:1)
Yay for another obscure, legalese clause in the Terms and Conditions section of pretty much every web page that pretty much nobody ever reads.
Re:It goes beyond that. (Score:4, Informative)
From what I understand this proposition only covers tracking cookies, not the use of cookies in general.
Re: (Score:3)
But cookies in general do track users. This is by far the most common use these days. Even when they are used to carry preferences it is often implemented with a tracking cookie that can then map user-id to preferences server-side.
Re:It goes beyond that. (Score:4, Informative)
AFAIU "tracking cookie" means a cookie set from a third-party site in order to track you across several sites. The cookies Slashdot uses to keep track of you when logged in are not tracking cookies, because they are only set or read if you are going to Slashdot (at least I hope so). The cookies advertisers set are tracking cookies, because you get them and send them back whenever you go to a page where the advertiser advertises. You can get a cookie at Slashdot, and send it back when visiting the New York Times, or vice versa.
A simple (but not completely accurate) rule of thumb is: If the cookie comes from a server other than that found in the URL of the site and contains identifying information, then it's a tracking cookie.
Re: (Score:2)
Ah - good, then I don't need to mess with the cookie handling of Drupal.
For what it's worth - then that's a good thing since I hate all those cookies that are on my computer for "tradedoubler" and stuff like that - I don't get any doubled trade for that. Cookies are meant to be eaten, not had.
I'm just waiting for opt-in law for telemarketers and other kind of junk too.
Re:It goes beyond that. (Score:5, Interesting)
And if you say no you won't get a cookie remembering that you've said no, so on the next page you get a pop-up asking if you want the cookie, right up until people give up and just accept the cookie.
Re: (Score:3)
Re: (Score:2, Interesting)
I use nginx and drupal in the USA.
my nginx has it turned off cause I didn't add the module ngx_http_userid_module.
drupal does use a PHPSESSION cookie though.
In an effort to be nice to Sweden (where my favorite death metal music comes from) and to help fellow nginx+drupalers in Sweden
I am wondering...
What exactly do I say to satisfy Sweden's new law?
I am thinking right now it would be, this site uses cookies, I think because of drupal, but I don't really know the fuck why. It certainly isn't for profit, or
Re: (Score:2)
Also this can not be fixed by adding it to the EULA since the typical Eula is not considered binding according to Swedish law unless it's a multistep process(ther
Re:Yay (Score:4, Informative)
I'll be happy if Sweden just fines Apple a few tens of millions because Safari's cookie management feature simply doesn't work. "Accept cookies : Only from sites I visit" has basically never worked. And cookies you delete using "Show Cookies" aren't actually deleted either.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
That is no use if it deposits a cookie on your computer before you get a chance to read the T&C.
Re: (Score:1)
And it's totally enforceable! Go Sweden!
C is for cookie, (Score:1)
That's good enough for me.
Re: (Score:1)
http://www.youtube.com/watch?v=BovQyphS8kA [youtube.com]
Re: (Score:1)
Great move, Sweden. (Score:2, Insightful)
EU directive (Score:3, Informative)
This is of course based on an EU directive [europa.eu]. Not sure why Sweden was singled out.
Doesn't make it less stupid, but you know... maybe tone down the hyperbole a bit.
Re:EU directive (Score:5, Insightful)
This is of course based on an EU directive [europa.eu]. Not sure why Sweden was singled out.
Because we plan to kidnap Julian Assange and lose him on a small island in the Baltic sea where the only female inhabitants are sheep?
Seriously, it might be because we have decent media coverage of these things. This is just one in a series of daft technological decisions coming from the EU, and journalists in .se are used to covering them. (And Slashdot readers in .se are used to submitting the results here.)
Re: (Score:2)
Seriously, it might be because we have decent media coverage of these things. This is just one in a series of daft technological decisions coming from the EU, and journalists in .se are used to covering them. (And Slashdot readers in .se are used to submitting the results here.)
What? .se coverage of EU matters is horrendous. Sure, once the laws decided there start showing up in country, coverage may start happening, but covering the EU parliament and the doings of the commission? Perish the thought!
If you say so -- I can't pretend that I'm following it closely. Although my argument still holds if coverage is even worse in other countries.
Re: (Score:2)
Let's make it harder for websites to use cookies for legitimate purposes such as persistent logins,
You only need one cookie for all features if your site is competently designed: the one for tracking the user's session. Everything else should be stored on the server side anyway because you should never trust the client, didn't you learn anything from Sony? Trust in the client is the only reason you would ever need multiple cookies. And all you need is one nice little notice saying "we will use this cookie to manage your login" and BOOM you're done.
And while we're on the subject, it takes only fractionall
Re:Great move, Sweden. (Score:5, Insightful)
You only need one cookie for all features if your site is competently designed: the one for tracking the user's session. Everything else should be stored on the server side anyway because you should never trust the client
There are perfectly valid reasons (not involving cross-site tracking) to use more than one cookie. If a session identifying cookie is used to identify a user account and grant privileges, it's usually a good idea to make that cookie disappear when the user closes his browser (i.e. a 'session' cookie). However, the user may have additional preferences on the site which are not personally identifiable, but for which it makes sense to store and use the setting even when the user is not logged in, for example, language selection on multilingual sites. Trusting the client is also a non-issue for things that are mapped to a single item from a set of possible choices (as long as the code implementing the parsing is reasonably sane).
(And for the Accept-Language header, try explaining to a client how they can change it. Or how to install a browser where they actually can change it.)
And while we're on the subject, it takes only fractionally longer for most users to make a POST request than to just do an HTTP GET, so unless your site is stupid and slow or your users are then you don't need ANY cookies. A quality CMS will degrade. If yours doesn't then it isn't.
Clicking on a link in a browser will cause an HTTP GET. Maintaining a session with URL parameters makes the URLs much less user friendly, and opens up a possibility for trivial social engineering exploits (e.g. lol paste your url here I'll have a look!).
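The split described in the comment above (a login cookie that disappears with the browser, plus a non-identifying language cookie mapped onto a fixed set of choices), as an added example that is not part of the thread. The cookie names `sid` and `lang`, the language set and the in-memory session store are assumptions made for illustration.

```python
import secrets

SUPPORTED_LANGS = ("en", "sv", "de")  # assumption: the site's fixed set of choices
DEFAULT_LANG = "en"
ONE_YEAR = 365 * 24 * 3600            # lifetime of the preference cookie, in seconds


def parse_cookie_header(header):
    """Split a Cookie request header into a dict; the first occurrence of a name wins."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies.setdefault(name, value)
    return cookies


def session_cookie(token):
    """Set-Cookie value for the login cookie.

    No Expires/Max-Age attribute, so the browser treats it as a 'session'
    cookie and discards it on close. HttpOnly keeps it away from page scripts.
    """
    return f"sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def lang_cookie(lang):
    """Set-Cookie value for the language preference; persistent, not identifying."""
    if lang not in SUPPORTED_LANGS:
        raise ValueError(f"unsupported language: {lang!r}")
    return f"lang={lang}; Path=/; Max-Age={ONE_YEAR}; Secure; SameSite=Lax"


def start_session(sessions, user):
    """Create an unguessable token, record it server-side, return the Set-Cookie value."""
    token = secrets.token_urlsafe(32)
    sessions[token] = user
    return session_cookie(token)


def resolve_request(cookie_header, sessions):
    """Return (user, lang) for a request.

    The session cookie is only an opaque lookup key into server-side state.
    The language cookie is client-controlled, so it is accepted only if it is
    exactly one of the known choices; anything else falls back to the default.
    """
    cookies = parse_cookie_header(cookie_header)
    user = sessions.get(cookies.get("sid", ""))
    lang = cookies.get("lang")
    if lang not in SUPPORTED_LANGS:
        lang = DEFAULT_LANG
    return user, lang


if __name__ == "__main__":
    store = {}
    header = start_session(store, "alice")
    print(header)
    print(lang_cookie("sv"))
    token = header.split(";")[0].split("=", 1)[1]
    print(resolve_request(f"sid={token}; lang=sv", store))
    # Constructed hostile value: never used as a path or key, just rejected.
    print(resolve_request("lang=../../etc/passwd", store))
```
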
Re: (Score:2)
Clicking on a link in a browser will cause an HTTP GET.
Uh no. You need to look at HTML some more. This isn't a true statement. Clicking a link MIGHT cause an HTTP GET. Thanks for playing, though.
Re: (Score:1)
If you read Swedish you can read the bill here http://www.riksdagen.se/webbnav/?nid=37&dok_id=GY03115 [riksdagen.se]
Spyware vs cookies (Score:4, Informative)
I just read the proposal [google.com] and its purpose, as far as cookies go, is to make spyware illegal to comply with an EU directive. The discussion centers around how to do this without requiring an opt-in for every cookie because cookies are also used to spy on you.
Third party cookies should be illegal but I very much doubt that this proposal wants to go there.
Re:Spyware vs cookies (Score:5, Informative)
Here's the change we are discussing (google translate).
Old text:
Electronic communications may be used to store or access information that is stored in a subscriber or user-dares terminal equipment only if the subscriber or user of the controller is informed about the purpose of treatment and opportunity to prevent such treatment. This does not prevent such storage or access needed to perform or facilitate the transfer of electronic messages via an electronic communications network or which is necessary to provide a service that the subscriber or user has requested.
will be changed to:
Data may be stored in or retrieved from a subscriber or user equipment only if the subscriber or user will have access to information about the purpose of treatment and agree to it. This does not prevent such storage or access needed to transmit an electronic message via an electronic communications network or which is necessary to provide a service the subscriber or user has explicitly requested.
Not sure I've ever seen such an ambiguous law text.
Somebody is trying to break the Internet (Score:2)
Seriously.
Re: (Score:2)
Re: (Score:2)
Only local low end sites without legal experts would have to use "permission to save a cookie" pop ups.
Technology issues (Score:1)
Assuming this is even real, it is absurd.
Cookies are only transferred and saved on the user's computer because the web browser allows them to be. Every web browser I have seen has the ability to both black list and white list cookie requests. In other words, the final decision if cookies are saved on the user's computer is determined by the browser, not the web site.
Next there are issues with its implementations. Let's assume the user rejects you sending a cookie. How do you know on the next page they
Re: (Score:2)
You are talking about a lever that only few know about. The majority of users happily continue to use their browsers which in fact come preset with a very liberal (for the issuing end) policy of not only accepting cookies from pretty much ANYWHERE but also store them on disk as part of their browsing cache. In short, 9 out of 10 users are fed so much cookie, their teeth should grind to the roots. That's the reality. It's not about you and me who know how to fire up Preferences and set up our own policies.
Re: (Score:2)
That's not an issue.
You embed a javascript that checks the local storage on the browser if cookie question has been answered and use that javascript to do the cookie management.
Users with js disabled will of course have to be presented with a page saying for legal reasons they can't browse the website.
Re: (Score:1)
I was going to reply something along these lines.
And feasibility aside, the EU directive is indeed mind-bogglingly stupid. How do you even enforce that? It's not meant only for EU websites, but also, and primarily, for any user browsing from the EU. How do you check that? Ridiculously inaccurate IP geolocation? What about Tor, proxies, etc?
Re: (Score:2)
I'm not aware of a setting to prevent the cookies from being read by other domains, but the settings to blacklist and whitelist cookies are typically not very good. I was doing that for a while with Firefox, and it was a huge pain. For some reason they decided to make it so that you end up having to either block everything or end up responding to hundreds of requests. And they won't let you edit a setting, no that would be too easy, if you change your mind about a setting you have to remove it then go back
Re: (Score:1)
Konqueror has an "always ask" option for cookies. And when Konqueror asks, you can allow or block the cookie, either:
-for the single cookie
-for every cookie from the same domain
-for all cookies
Nice sentiment (Score:2)
Re: (Score:1)
Have you even RTFS? It's right in there, and otherwise it's in RTFA, according to the EU directive that this law is based on, you do not have to confirm each and every cookie.
Mart
Re: (Score:3)
"Not sure how enforceable or practical it would be. Considering how central cookies are to today's web usage"
You know what, I've had cookies turned off for several months now, except for a few sites that I actually want the functionality they provide. My internet experience hasn't changed much on the whole, a few sites don't work so well. Most are just fine.
This tells me that the vast majority of the thousands of cookies that reside in the average browser are (at best) totally unnecessary, and are mostly un
Implementation issues (Score:4, Funny)
How is a website supposed to remember whether a visitor opted out of cookies?
Re: (Score:3)
It can't. But it can remember people who opted in for cookies with a cookie.
In fact, they really thought it through.
Re: (Score:2)
Firefox Menu | Options | Advanced | General | Browsing | [x] Tell websites I do not want to be tracked
Browsers do this already... (Score:2)
How does this compare to an option in my browser that says "confirm by popup every cookie requested"?
Mandating that websites continue to function properly when the browser refuses to register cookies would at least be slightly smarter.
Consent is Implied: Dumbasses (Score:4, Interesting)
Consent is implied by each individual user's web browser. Cookie Censorship need not apply, we already have the tools to manage our own cookie states (visitor discretion is not just advised, it's mandatory).
Much like the way no one can force you to visit their website, websites can not force your browser to accept a cookie -- And, last time I checked both IE & Firefox by default alerted me that a website was requesting to set a cookie, and the default action was to "[x] remember my decision" -- I opted to not have to answer yes each time, and instead opted to set my cookies to be cleared on each exit...
I am in no way prevented from disallowing all cookies... I remember writing web login systems before cookies were widespread -- URL MUNGING -- UHG! Hell, we even used the HTTP-REFERER (sic) header to transfer logins across domains (it contains your last visited URL -- the one before the current page request).
While I do like to know what the little opaque tokens are being used for, there is no reason to mandate their purposes be posted somewhere. Cookies are DESIGNED to track some user specific state information. Cookies track users. End Of Discussion. We know what they are for! Guess what else tracks users? Their IP ADDRESS; This, combined with URL munging == cookies. Netscape just wanted a formalized and more flexible way to do things...
I can imagine requiring a user to click yet another security dialog each time I add a bit of info or change the way a cookie operates -- To get around this one or both of the following WILL occur:
1. URL Munging, CSS style color hacks, and other tricks (like decoding a cached .PNG with client side JS) will be used instead of cookies for more user state preservation purposes.
2. The users will be given a "[x] Remember my decision" option, and we're right back to where we are now!
Ignorant fools -- When will we mandate that you must pass a technology test before voting for or against said technology related laws? EG: Score a 100% on the "Web Cookie" tech test, and you're fully qualified to vote -- score a 25% and your vote would be worth 25% of a vote since you don't know shit about what you're voting for or against....
Until then we'll keep having people who don't know shit pass ignorant laws based on "feelings" instead of "facts".
Consent cannot be implied (Score:1)
The problem is that most people don't know that they can disable cookies, let alone selectively. Furthermore, they don't understand what it's all about, and since it's a complicated technical topic (if you disagree you need to meet some users) they probably cannot be made to understand. The only thing they know is "if I disable cookies some websites don't work". That they could allow these specific cookies wouldn't occur to them, and neither that they could delete them later. And even if the browser asked w
Re: (Score:2)
I disagree, until the cookie management settings are fixed and made to be functional there really is no basis for consent being implied. What I mean is that yes, you do have settings that work, but they're cumbersome, lacking in granularity and typically don't really give you much control. Plus, they're complicated and unless you're a power user, you don't necessarily know what you're doing, or even what cookies ought to be allowed.
Same goes for random javascript, sites rarely if ever tell you what javascri
Re: (Score:2)
Every hyperlink in HTML can potentially force you to a different website than the one serving the current page.
Re: (Score:2)
But your browser does automatically download a lot (images, icons, style sheets, scripts, video, etc.) any and all of which could involve some cookie processing. To say that a user should have to have detailed technical knowledge of which to permit and which not, that's just wholly unreasonable.
There are ways to work around this, and part of the solution must be legal. There can even be cases where cookies are deemed to be acceptable, requiring no notification to the user to use (e.g., if the information co
Links to the EU directive and the Swedish proposal (Score:2, Informative)
Always get your information straight from the horse's mouth. The IDG article is pretty clear for people that know the context and understand Swedish, but seems to totally confuse less informed slashdot readers and the really bad slashdot summary makes the confusion even worse.
The proposal is based on an EU directive. Countries that are part of EU must implement all EU directives, or leave EU. Sweden doesn't have much choice in the matter. (Many other country parliaments implement undesired EU directives the sam
Re: (Score:1)
Hmm... I've heard both Brits and Dutch complaining that they implement all the directives but everyone else ignores them. So apparently at least three states implement all the directives and everyone else (including the other two states that implement them), refuse to implement directives.
Logical? Hardly... but neither is any other myth about the Union.
Of course, directives should be implemented! The main problem now is the lack of reporting of Union centric news, it would be good if normal newspapers would
Age of consent (Score:5, Interesting)
Next comes the meme:
Hmmmm ....
Re: (Score:2)
Not really. For it to be seen as that it's required that the agreement is returned to the issuer so that it also knows that it has entered the agreement. It would be kind of scary if two parties could enter an agreement that only one part knew they had entered.
I don't know what the age of consent has to do with that, it's 15 and has an exception for even younger if the age difference is small. It has nothing to do with legal agreements or surfing the web, well, maybe about surfing the web if you need to fin
Re: (Score:2)
Re: (Score:2)
It would be kind of scary if two parties could enter an agreement that only one part knew they had entered.
It's possible in limited circumstances in English law (I believe it's where one party makes a public statement that "if anyone does X, then I promise to do Y" and someone else then does X, knowing about that general promise). Those wouldn't apply (AIUI) here as the parties are in proper communication (mediated by HTTP).
Can cookies be used to cache/accelerate torrents? (Score:2, Interesting)
A few minutes ago I was wondering if it would be possible to chop a file into lots of tiny snippets and distribute them across millions of PCs as browser cookies ... ? I think it would be a great way to make the web rethink the cookie policy.
You already gave permission (Score:1)
Here in the Netherlands we have the same kind of law, but after protests from the technical crowd it appears that simply enabling cookies in your browser is a valid opt-in for placing cookies. Nothing to worry about, the law is just finally adapted to what already happens technologically...
Re: (Score:1)
Of course it's only an opt-in if the browser is default-configured to not accept cookies without asking.
Re: (Score:2)
It's also opt-in if the user decided to install a browser which opts to both store and send back cookies. It's also opt-in if such a browser is already installed and the user decides to run it.
The reason this proposal (and others like it in the news lately) is so bad, is that it's based on a fundamental confusion. Someone seems to think cookies have something to do with web sites when really they're a web browser thing. The users' problem is that they are running software which isn't necessarily working
Re: (Score:1)
You have a very unusual interpretation of "opt-in". See below why it is utterly wrong.
I do
Re: (Score:2)
The web browser isn't responsible for the content, but certainly is responsible for what ends up being done with the content and how it is rendered. Likewise, the browser is responsible for 1) the cookie getting stored 2) the stored cookie being sent back.
The key word
so what is a cookie? (Score:1)
I've read the bill and it seems possible that the consent can be given by setting the browser to allow cookies. So this will do nothing. Do not track headers are much better!
And for websites that issue up to 20 cookies? (Score:5, Insightful)
I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.
Re: (Score:2)
The proposed law is ambiguous as hell and makes explicit exceptions for cookies that are necessary to perform a service the user has requested. Thus session cookies should still be fine, as should the "remember me" checkbox you see on most web forums.
Re: (Score:2)
I pity the folks who, upon visiting a major website, have to wade through 10 dialogs where each more or less thoroughly tries to explain them the particular meaning of their "SC=" cookie and why they feel it is paramount for them to send it. It's suicide for both the user and the website.
That's certainly the reason no one ever turned on cookie checking, but it's fine to tentatively accept a cookie and then delete it later. After all, it's not like I care that a site knows that I just visited it, after all, that's in their server logs anyway.
If you did that, and the cookies were displayed all at once for the page, it wouldn't be so bad. All you need then is a summary of where elements (cookies, images, flash, scripts) came from on the page, ideally with categories or descriptions looked
UK Government Ahead Of The Game Then? (Score:1)
This EU directive must be implemented by May 25th but Sweden is a bit late to the party - it was covered by the UK government a few weeks ago:
http://techlogon.com/2011/04/17/new-european-website-law-is-a-gift-to-america/
Although the UK Government are committed to it they have said "We do not expect to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies". When a government advises its citizens that a law can be broken with
It'll make the Internet unusable (Score:1)
... especially on mobile phones...
Here's a little exercise. Go into your browser config and turn this feature on, and see how long you can tolerate using the web.
I imagine you won't last long.
Re: (Score:1)
I don't know about mobile phones, but I know from experience that disabling cookies by default works quite well on desktop browsers. I of course enable cookies for services where I log in (it would be pointless to deny cookies when I give them even more identifying data anyway). There are very few web sites which require cookies that I consider worthwhile enough to allow them cookies (and then, I mostly allow them only as session cookies).
Re: (Score:1)
Well, probably it would be a single sentence "this site needs cookies to work properly [link: site's cookie policy]. enable cookies for this site? [Yes] [No]"
Of course the cookie policy page should be readable without cookies enabled.
HTML5 (Score:1)
Re: (Score:1)
If you read Swedish you can read the bill here http://www.riksdagen.se/webbnav/?nid=37&dok_id=GY03115 [riksdagen.se]
Re: (Score:1)
9.4 Storage and retrieval of information, cookies etc.
9.4 Storage and retrieval of information, cookies etc. The Government's proposal: Data may be stored in or retrieved from a subscriber's or user's terminal equipment only if the subscriber or user is given access to information about the purpose of the
Re: (Score:1)
Ridiculous (Score:1)
Will they forbid the interpretation of TCP sequence numbers without explicit user permission too?
Couldn't the browser take care of this? (Score:1)
Re: (Score:2)
More stupid laws that are impossible to enforce (Score:1)
Unless there's a 'leak', you will never, ever know what is being gleaned from your computer.
Re: (Score:1)
Re: (Score:2, Offtopic)
~1630 wants its "Swedish Drink" back.