Privacy Security United Kingdom Your Rights Online

Confusion Surrounds UK Cookie Guidelines

pbahra writes "The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — its current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."


  • There should be... (Score:5, Insightful)

    by myurr ( 468709 ) on Tuesday May 10, 2011 @01:25AM (#36079758)

    ...a law stopping people from making laws about things they simply do not understand.

    • by Nursie ( 632944 )

      What makes you think they don't understand?

      It's probably true, but in this case I don't think they're necessarily wrong.

      Cookies are horrifically overused, and outside of ~20 sites that both need them to function properly and I care about functioning properly, I've been getting on fine without them for months now.

      This tells me that an awful lot of them, especially third party cookies (of which I allow none) are totally unnecessary even without privacy concerns. Having users participate in their own tracking

      • by myurr ( 468709 )

        Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used. How else would slashdot know you were logged in, for example.

        This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this.

        • by Nursie ( 632944 ) on Tuesday May 10, 2011 @02:08AM (#36079932)

          "Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used."

          Not when you're using the Cookie Monster Firefox plugin set up the way I have it set up, no. You can enable session cookies or all cookies on a per-site basis.

          Slashdot is one of the few sites that I do care about having working though, so I allow them to set what they like.

          "This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this."

          Sure, and that's a valid use (IMHO). It could easily work this way though -
          User goes to front page
          Check for cookie
          If no cookie allow user to browse site
          When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

          If the cookie's there from the beginning then do the usual auto-login stuff.

          A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

          I realise all this makes things more complicated for end users as well, which is less than ideal.

          • A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

            That is not an answer to that technical problem.

            The only answer I can think of right now to track that someone has opted out of cookies is to append something to the URL &optou

            • by Nursie ( 632944 ) on Tuesday May 10, 2011 @02:59AM (#36080112)

              What's not an answer to the technical problem?

              Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

              I don't get why there's more of a problem than this.

              maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

              • What's not an answer to the technical problem?

                Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

                I don't get why there's more of a problem than this.

                maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

                It's easier than that... Use No-Script or the current version of Firefox4 (or a future version of IE9), and enable the "DNT: 1" (Do Not Track: [enabled] ) HTTP Header. This header will be sent with every HTTP request informing the websites that you have pre-opted out, you do not wish to be tracked.

                Obviously if you need to log-in you must agree to let them store some data about you (your login credentials & profile). The information they collect should be clearly stated on their privacy policy, and

                • by Nursie ( 632944 )

                  Can you tell me - does anyone in the advertising business care about DNT headers? They'd be pretty damn easy to ignore if there's no legislative backing.

                  Hell I can stick "yes I'd like fries with that" in a header, but I don't expect anyone will pay any attention.

                • by Pieroxy ( 222434 )

                  Except Google (Chrome does not support DNT: 1 -- I hacked together a patch for Chromium...)

                  Google has a built-in setting "Ignore exceptions and block third-party cookies from being set". This is enough for me so far. Sites can set any cookie they want. Third parties go to hell.

                  • The second everyone defaults that option to enabled, advertisers will simply create arrangements whereby all tracking is first party and the details are passed to them by a server side service. Same effect, slightly increased cost and complexity, less visibility.
                    • by Pieroxy ( 222434 )

                      It doesn't have the same effect at all!!! Let's take an example:

                      Actual situation for most people: all cookies accepted.
                      I go to amazon.com, some random JS drops a cookie from the website www.trackme.org. Then I go to best buy where such a JS is also included in all pages. My browser sends the same cookie to www.trackme.org, hence identifying me to them. The next day, www.trackme.org knows I've been to both sites and know which products I've had a look at.

                      My situation: Accept cookie only from the page's domai
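The scenario Pieroxy lays out above, as an added example that is not code from this thread: a toy cookie jar with a "block third-party cookies" switch, a tracker embedded on two shops, and a look at what the tracker can join together in each mode. The hosts are the ones named in the comment (www.trackme.org is the comment's placeholder tracker), the ids are generated at random, and nothing touches the network.

```python
"""Simulation of the cross-site tracking scenario described above.

Added example, not code from the thread. The hosts are the ones in the
comment (www.trackme.org is its placeholder tracker); ids are generated
at random and no real network traffic is involved.
"""
import secrets
from typing import Dict, List, Set, Tuple


def same_site(host_a: str, host_b: str) -> bool:
    """Simplified registrable-domain check: compare the last two labels.
    Real browsers use the Public Suffix List; this shortcut misclassifies
    suffixes such as co.uk, so do not copy it into production code."""
    return host_a.lower().split(".")[-2:] == host_b.lower().split(".")[-2:]


class Browser:
    """Cookie jar keyed by the host that set the cookie, with an optional
    'block third-party cookies' switch like the Chrome setting mentioned."""

    def __init__(self, block_third_party: bool) -> None:
        self.block_third_party = block_third_party
        self.jar: Dict[str, Dict[str, str]] = {}

    def _third_party(self, top_level_site: str, host: str) -> bool:
        # third-party = the host talking to us is not the site in the address bar
        return not same_site(top_level_site, host)

    def store(self, top_level_site: str, host: str, name: str, value: str) -> bool:
        if self.block_third_party and self._third_party(top_level_site, host):
            return False  # refused: the cookie never lands on disk
        self.jar.setdefault(host, {})[name] = value
        return True

    def cookies_for(self, top_level_site: str, host: str) -> Dict[str, str]:
        if self.block_third_party and self._third_party(top_level_site, host):
            return {}  # refused: stored cookies are not sent in a third-party context
        return dict(self.jar.get(host, {}))


class Tracker:
    """www.trackme.org: hands out an id cookie on first sight and logs
    every (id, embedding site) pair it sees."""

    HOST = "www.trackme.org"

    def __init__(self) -> None:
        self.log: List[Tuple[str, str]] = []

    def serve_beacon(self, browser: Browser, top_level_site: str) -> str:
        """The tracker's script runs inside top_level_site and calls home."""
        sent = browser.cookies_for(top_level_site, self.HOST)
        tid = sent.get("tid")
        if tid is None:
            tid = secrets.token_hex(8)
            browser.store(top_level_site, self.HOST, "tid", tid)  # may be refused
        self.log.append((tid, top_level_site))
        return tid

    def profiles(self) -> Dict[str, Set[str]]:
        """id -> sites seen with that id; a set with more than one site is a
        cross-site profile joined through the cookie."""
        out: Dict[str, Set[str]] = {}
        for tid, site in self.log:
            out.setdefault(tid, set()).add(site)
        return out


def simulate(block_third_party: bool) -> Dict[str, Set[str]]:
    """One user visits Amazon, then Best Buy, then Amazon again, with the
    tracker's script embedded on every page."""
    browser = Browser(block_third_party)
    tracker = Tracker()
    for site in ("www.amazon.com", "www.bestbuy.com", "www.amazon.com"):
        tracker.serve_beacon(browser, site)
    return tracker.profiles()


if __name__ == "__main__":
    print("third-party cookies allowed:", simulate(False))
    print("third-party cookies blocked:", simulate(True))
```

With third-party cookies allowed the tracker ends up with one id covering both shops; with them blocked it sees three unrelated ids, one per page load. The simulation deliberately leaves out two things raised elsewhere in the thread: fingerprinting on IP address and request headers, and the first-party relay arrangement described in the comment this replies to, where each shop sets its own cookie and forwards the data server-side.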

              • ...and I don't want to be bothered with every website I go to telling me that I need to add another cookie. I'm a developer and when I have a problem, I search the internet for answers. Those answers could be on some guy's blog, or it could be an answer on a forum and is usually different every time. Having a box or click through page pop up over and over and over again is annoying as hell. You may want to know what sites are setting cookies, but I don't care, and neither does most of the non-technical

                • Exactly.

                  Look, I'm a big advocate for more privacy and believe we are currently giving away way too much private information and are tracked way too much, but this is something that should be addressed in browsers, not websites. Hell, make legislation that makes it mandatory to have a dedicated cookie-information page with a new tag that links to it if you must (so the browser can link to it, for instance with the infamous yellow bar), but the practical effect of legislation like this is that business is mov

            • Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing. That removes the entire issue of keeping track of who opted out - you simply assume everyone who doesn't already have a cookie doesn't want one until they ask for it.

              • Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing.

                Which can already be handled entirely by the browser. There is nothing a site can do to stop your browser from asking for permission before accepting a cookie.

                • Entirely correct, except that they can fuck up the site if you don't accept them. They can also do that when they have to ask you themselves, but from the ignorant user's point of view it is then the site that doesn't work properly, instead of the browser.

                  The difference is minor, I'll agree, and I'm not convinced that it is worth legislating over, but on the other hand it's not as if the industry is regulating itself. Time will tell.

          • by Jaruzel ( 804522 )

            When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

            Way to go - that's brilliant way to scare off potential customers...

            Most web users don't even know what a cookie is. All they care about is that the site they are shopping on remembers who they are, and makes adding things to their baskets and checking out as simple and easy as possible. No matter HOW you word the opt-in dialog, people will still get confused and click back to Google to find a less scary site.

            The anti-virus people have done such a good job (sarcasm btw) telling people not to trust any non r

            • by Nursie ( 632944 )

              "Way to go - that's brilliant way to scare off potential customers..."

              Eh, sorry, in my worldview privacy comes before commercial concerns.

              On the rest - why does it have to be a popup? Popups are evil anyway, in pretty much any situation I can think of. Just take them to a page saying - "As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

              I mean, it's not like people actually purchase anything through any internet shop without agreeing to a huge set of terms

              • by Arlet ( 29997 )

                "As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

                What about 3rd party cookies attached to ads ? There may be several different ones on a single page.

                • by Nursie ( 632944 )

                  As far as I'm concerned they're a non issue - i.e. they ought to be scrapped, effective immediately.

                  I can't find it in me to even start to care about a solution for these poor, poor advertisers that will allow them to keep tracking people.

                  • by Arlet ( 29997 )

                    If they can't have the cookies, the advertisers will just track you based on browser headers and/or IP address.

                    • by Nursie ( 632944 )

                      Which is their prerogative, recording what happens at their end.

                      Personally I see a line between people unwittingly participating in feeding their information to advertisers and server-admins recording who accesses what to analyse later.

                    • by Arlet ( 29997 )

                      There's little difference in providing browser headers/IP, and providing a cookie, when you visit a web site. With the right tools, they can be used in exactly the same way.

                      The only difference is that I can delete a cookie, but I have no influence over what the server does with my browser headers, or IP address.

                    • by Nursie ( 632944 )

                      An IP address is a fundamental part of the communication going on. Browser headers not so much. I have mixed feelings about browser headers anyway, especially given how often they are abused for "this site is only compatible with" reasons.

                      Yeah, don't know. It's less in the way of actively participating in your own tracking without your knowledge. And both browser versions and IP addresses change from time to time. Perhaps the "Do Not Track" legislation proposed in California is a better option.

                    • You're free to spoof your agent string or connect through a proxy.

                    • by Arlet ( 29997 )

                      A proxy ? And let them see all my traffic ? That's worse than what I've got now.

                    • Because right now, nobody sees your traffic? And if that really bothers you, you're unable to set one up yourself? Here's a hint: SOCKS proxying is built-in to openssh.

                    • by Arlet ( 29997 )

                      Only my ISP sees all my traffic, not some random 3rd party site I know nothing of. Given the choice, I'd stick with my ISP.

                      And no, it doesn't really bother me. But then again, cookies don't bother me either. I was just pointing out that banning cookies doesn't really improve anything regarding your on-line privacy.

                      Also, I have no idea how setting up a proxy improves anything regarding my traceability. They'll just use the proxy's IP address instead. The only solution would be to have a large pool of proxy

                • Those ad networks simply can't set them.

              • If you need a basket type session before this point then can you not use session id's in the url?

                I haven't read the new rules, but wouldn't this be the same thing as tracking through a session cookie? I'm curious if this is still covered in the rules. It would be a trivial thing to use the url based tracking string and pass it to the third party from the server. Would that be allowed?

          • by AmiMoJo ( 196126 )

            User goes to front page
            Check for cookie
            If no cookie allow user to browse site

            If only... I have Firefox clear most cookies between sessions, and it is surprising how many sites jump on you the moment you visit with a survey about your visit or a content-covering advert. All this will do is add "we need to set cookies, click YES to continue" messages to every site.

        • You might be fully right, but how does the browser differentiate ?

      • What makes you think they don't understand?

        It's probably true, but in this case I don't think they're necessarily wrong.

        Legislating that which is easily solved with technology is a dead giveaway.

        There is no reason your browser can't be configured to ASK you first before storing cookies if you care so much.

        The technical solution works globally on all systems throughout the world.

        The legislative solution is limited to the handful of sites in the UK that comply.

        • by Nursie ( 632944 )

          Most people don't know they exist.
          99% of them are worthless.
          Tracking people without permission falls into the arena of the legal.

          There are good technological solutions to stopping people hacking into your systems too, doesn't stop us making it a crime.

          BTW, it's an EU directive, not UK only.

          • Re: (Score:2, Funny)

            by lxs ( 131946 )

            And as per usual, only in the UK they find it "confusing."

            • by Yer Mom ( 78107 )

              Usually because the UK government seems to insist on interpreting the EU directive in the most pedantic manner possible, while other EU countries take a more sensible and pragmatic approach...

          • > Most people don't know they exist.

            Tell them.

            > Tracking people without permission falls into the arena of
            > the legal.

            It's your browser that accepts cookies and it is your browser that honors requests for them. Why is it the site operator's problem that you are using a browser configured to do so silently?

      • > ...without permission...

        Without permission? The site sends a cookie and your browser either accepts it and stores it away on your disk, or not. Whether or not your browser asks you for permission before accepting a cookie is entirely between you and your browser. The site operator is not responsible for the fact that your browser may have been configured to accept cookies silently.

        > ...I applaud the effort to do something about it.

        Why not just inform people and let them make their own decisions

      • Are there really any benefits to the users to allow third party cookies? All browsers should just disallow third party cookies by default. There, solves that problem.
    • by Co0Ps ( 1539395 )
      Absolutely agree. The biggest mistake made in the HTTP standard was calling cookies "cookies". The familiar name invites politicians to mistakenly think that they know what their function and purpose is. They should have called it "state exchange identifier" instead and we wouldn't have none of this crap.
    • For a so-called environment minister, you'd think she (Caroline Spelman) [wikipedia.org] would have SOME sort of science or engineering degree, but no, she has a BA First Class in European Studies. Like most politicians, they are NOT qualified in the areas they speak about, and that is why such idiotic laws and outbursts are made.
  • IANAL(imey), so I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/

    • by Nursie ( 632944 )

      "I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/"

      Not all biscuits, only unsolicited internet biscuits :)

    • In UK English, a cookie is a specific type of biscuit with little bits of chocolate in it and usually soft and chewy rather than hard and crunchy.
      It is EU law that is banning them, not UK law.

  • So if the UK is having Wifi problems with global warming, what is that going to do to their cookies? Will their cookies only work for a certain range, and then turn into scones? I demand an irrational panel of useless government bureaucrats to investigate now! God save all our tea and cucumber finger sandwiches.....

  • by xenobyte ( 446878 ) on Tuesday May 10, 2011 @01:54AM (#36079894)

    It's just next to impossible to use the law as it is.

    To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies. An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go. Basically this can be done in a simple way: A visitor to a site featuring ads from the advertiser will see nothing but a request to decide whether to accept cookies or not until this decision is made. The result is stored in a cookie which they need permission for as well. Now when sending ads the decision cookie is checked and if the answer is yes, the ads are sent with the tracking cookies, and if no, they are sent with no cookies.

    This will obviously result in a lot of people saying no to the tracking cookies but that is as it should be. Tracking someone should only be done with consent.

    • Thank you. I'm glad somebody answered in a logical thoughtful way instead of the goofy knee-jerk "Government is stupid/bad!" that seems to come up so often. The answer is simple and frankly should have been implemented years ago. Cookies are not that wonderful and while I enjoy using them to log in to non-secure websites for simple stuff I am not a big cookie fan otherwise. They're sneaky bastards.
    • by Chrisq ( 894406 )
      Redirect everyone without cookies to a page with a consent form describing all cookies set. Have an "accept" yes or no option. The no takes them to a page that says "sorry, you are unable to use our site", and an option to try again.
      • "Dear ChrisQ,

        I admire you for your adherence to regulation regarding our website. Your input into the compliance process has been valuable.

        Since you have provided the potential customers with the choice of accepting cookies or not using the site, our sales have dropped 35% and advertising revenue is now nil. We are no longer able to support your position with this company. Please clean off your desk and hand in your ID and keys to the receptionist on the way out.

        All the best for the future,
        Your ex-Bos
    • by Mouldy ( 1322581 )
      Every result in [search engine of your choice] will be "You need to enable cookies to use this website, yay or nay" because search engines won't be able to index the website's content without themselves accepting cookies.

      A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners. Something along the lines of "This website wants to set cookies which may be necessary for it to work correctly, do you want to allow this? yay/nay". S
      • by swright ( 202401 )

        A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners.

        This. I was wondering why nobody else was making this point.

        It could even be accompanied by a law mandating that cookies are associated with descriptive information about what they are for.

        A browser-based implementation would be impossible for sites to not comply with, more user friendly for the masses, better for sites, and better for privacy.

        I really don't understand why the onus has been placed on sites :(

    • It's just next to impossible to use the law as it is.

      To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies.

      Or, you can pre-opt out of every website on the planet by sending the DNT: 1 (do not track: enabled) HTTP Header [w3.org] in every request for web resources.

      The current version of Firefox4 supports this header, as well as NoScript for previous versions of FF. MS has stated that IE9 will support this header option too. Google (and the MPAA) have expressed concerns with allowing users to automatically opt out of every tracking service by simply stating their wishes to not be tracked... Therefore, Chrome will not s

  • Session tracking really needs a new standard and some merging with the HTML5 client-side storage, with a clear, client-enforceable client policy and a standard server and DOM way of reading the access and storage policy settings.

    The situation now is:
    - an obsolete RFC 2965 cookies standard that no average user knows about or can manage safely,
    - and a still-to-be-standardized, incompatible HTML5 client storage and database.

    New cookies should become part and merge with the HTML5 client side storage, with backward compatible but m

      The situation now is:
      - an obsolete RFC 2965 cookies standard that no average user knows about or can manage safely,
      - and a still-to-be-standardized, incompatible HTML5 client storage and database.

      New cookies should become part of and merge with the HTML5 client-side storage, with a backward-compatible but marked-obsolete API.

      If you liked storing pointers to data kept on servers you will *LOVE* storing even more data from each site on your computer.

      Well I guess right up until the point where all the fine folks on the Intertubes intentionally design sites to consume massive amounts of disk space across an infinite number of attacker domains and or force erasure of legitimate content after the fixed storage pool is exhausted.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      There shouldn't be any client side storage at all. If the browser makers would just drop this stupid cookie idea that Netscape had around the time of the blink-tag, web developers would be forced to design their sites to store anything they need on the server.

      Make the browser send a UUID as a session identifier. When the user types in a new URL, or selects a bookmark, generate a new session identifier, even if it's the same site. That way, you could even be logged in to the same site with two different user

      • by La Gris ( 531858 )

        Too bad you posted as Anonymous because I find you expose a very brilliant simple solution. I would have marked you as friend to more easily follow your next posts.

  • You could just use the browser "prompt every time" setting if you want to decide which sites use cookies. (The prompt allows you to say "always for this site".)
  • by troll -1 ( 956834 ) on Tuesday May 10, 2011 @03:34AM (#36080250)
    Remember the CAN-SPAM ACT 2003 in the US? That was another pointless law. Spam is at an all time high. You only stop spam with a spam filter. Governments only get bigger, never smaller.
    • I'm pretty sure you can stop spam with a gun as well.

      Your computer is being used as a spam-relay-bot? It gets shot.

      You have three or more computers in your household being used as spam-relay-bots? All residents get shot in the knees, AND all computers in your household get shot.

      Your company is selling wares through spam? The entire board of directors are shot in both knees and both elbows. Your stockholders get shot in a foot.

      You responsible for running a spam-relay-botnet? You get shot in the

  • From the guidelines [ico.gov.uk] (pdf):

    The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for t
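The consent-gated flow Nursie sketches further up (check for a cookie, let the user browse without one, ask only when an action needs one), the "DNT: 1" header proposed in the same subthread, xenobyte's stored decision cookie, and the "strictly necessary" exemption quoted in this comment all describe the same server-side decision. As an added example that is neither code from this thread nor from the ICO, here is that decision written out in Python. The cookie names, the path-to-cookie map, the three cookie classes and the consent cookie name are assumptions for illustration; the guidance quoted above only distinguishes "strictly necessary" from everything else.

```python
"""Consent-gated cookie decisions for a first-party site.

Added example, not code from the thread or from the ICO guidance. It puts
together the flow proposed further up (browse without cookies, ask only
when an action needs one), a "DNT: 1" request header treated as a
pre-opt-out for tracking cookies, a stored consent decision, and the
"strictly necessary" exemption for the shopping basket cookie quoted in
the comment above. Cookie names, paths and classes are assumptions.
"""
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

# Cookie classes (assumed): the guidance distinguishes only "strictly
# necessary" from everything else; the split below is the example's own.
STRICTLY_NECESSARY = "necessary"   # basket for a service the user asked for
PREFERENCE = "preference"          # remembered login, language, layout
TRACKING = "tracking"              # analytics / advertising ids

CONSENT_COOKIE = "cookie_consent"  # assumed name; value "yes" or "no"

# What each action wants to set (assumed map for illustration).
ACTION_COOKIES: Dict[str, List[Tuple[str, str]]] = {
    "/": [],                                        # front page: nothing
    "/basket/add": [("basket", STRICTLY_NECESSARY)],
    "/login": [("session", PREFERENCE)],
    "/article": [("analytics_id", TRACKING)],
}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    set_cookies: List[str] = field(default_factory=list)   # cookie names
    location: Optional[str] = None


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def set_cookie_header(name: str, value: str, session_only: bool = True) -> str:
    """Build a Set-Cookie value with the attributes a first-party site
    should use anyway (Secure, HttpOnly, SameSite)."""
    attrs = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if not session_only:
        attrs.append("Max-Age=31536000")  # one year; retention period is assumed
    return "; ".join(attrs)


def handle(req: Request) -> Response:
    cookies = parse_cookies(req.headers.get("Cookie"))
    consent = cookies.get(CONSENT_COOKIE)          # None, "yes" or "no"
    dnt = req.headers.get("DNT") == "1"
    to_set: List[str] = []
    for name, cls in ACTION_COOKIES.get(req.path, []):
        if cls == STRICTLY_NECESSARY:
            to_set.append(name)                    # exempt: no consent needed
            continue
        if cls == TRACKING and dnt:
            continue                               # DNT: never set, never ask
        if consent is None:
            # first action that needs a non-essential cookie: ask, then come back
            return Response(302, location="/cookie-consent?next=" + req.path)
        if consent == "yes":
            to_set.append(name)
        # consent == "no": serve the page, just without that cookie
    return Response(200, set_cookies=to_set)


def record_consent(answer: str, next_path: str) -> Response:
    """Consent page handler. Note that remembering "no" is itself a cookie;
    whether that needs its own consent is the open question in this thread."""
    if answer not in ("yes", "no"):
        raise ValueError("answer must be yes or no")
    return Response(302, set_cookies=[CONSENT_COOKIE], location=next_path)


if __name__ == "__main__":
    for req in (Request("/"), Request("/basket/add"), Request("/login"),
                Request("/login", {"Cookie": "cookie_consent=yes"}),
                Request("/article", {"Cookie": "cookie_consent=yes", "DNT": "1"})):
        print(req.path, req.headers, "->", handle(req))
    print(set_cookie_header("cookie_consent", "yes", session_only=False))
```

The front page and the basket never trigger a prompt; the first login attempt redirects to the consent page once and never again; a tracking cookie is dropped silently when the browser sends DNT: 1, even after a "yes", because the header is the user's standing answer. The one thing the code cannot settle is the point argued above: the "no" answer is stored in a cookie too, so a site that takes the narrow reading has to ask again on every visit instead.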

    • by Nursie ( 632944 )

      That sounds eminently reasonable to me, and neatly counters a lot of the "sky is falling" stuff people have said further upthread.

      • by JackDW ( 904211 )

        Wouldn't it be even more reasonable to require web browsers to use the sort of restricted cookie settings that you personally use? As in "block by default". The EU already demonstrated that it can force major browser makers to do weirder things [wikipedia.org]. If IE starts blocking third-party cookies and demanding confirmation for first-party cookies, then every other browser will be able to do the same thing too, because websites will quickly adapt to the new way.

        Going after websites is stupid because the law is unenfo

    • Who decides what is "strictly necessary" for a service, though? "My website is funded entirely by advertising from advertisers who implement third-party tracking, without this advertising there is no service, it's the very definition of strictly necessary" sounds like the first line of reasoning for a lot of people. Are we just creating a law that will make convenience cookies difficult to implement but has a huge loophole the advertisers can drive a truck through?
  • Firstly, Cookies are generally tied to User-Agents, not to people. UK websites are not required to get consent from spiders, crawlers, or other bots.
    What I invite the ICO to do is to demonstrate a technical, non-invasive, means of being able to identify an individual from the information made available over a HTTP1.1 request.

    Secondly, regarding Session Cookies, it is trivial to replace a session cookie with a QueryString token - so what is the differentiating feature of these two that requires consent for

  • aren't they called "biscuits" ? :)

    • In the UK a 'cookie' is usually a biscuit with chocolate chips in it. This is the icon representation they have in Chrome I think (in the address bar a cookie (with chocolate chips) icon appears that you can click to view the (website) cookie information).
  • This may come as a shock to many but cookies are not necessary.
