Confusion Surrounds UK Cookie Guidelines

pbahra writes "The Information Commissioner's Office has, with just over two weeks to go, given its interpretation on what websites must do to comply with new EU regulations concerning the use of cookies. The law, which will come into force on 26 May 2011, comes from an amendment to the EU's Privacy and Electronic Communications Directive. It requires UK businesses and organizations running websites in the UK to get informed consent from visitors to their websites in order to store and retrieve information on users' computers. The most controversial area, third-party cookies, remains problematic. If a website owner allows another party to set cookies via their site (and it is a very common practice for internet advertisers) then the waters are still muddy. And embarrassingly for the Commission — it's current site would not be compliant with its new guidelines as it simply states what they do and does not seek users' consent."

There should be...

[myurr]

...a law stopping people from making laws about things they simply do not understand.

Re:

[Nursie]

What makes you think they don't understand?

It's probably true, but in this case I don't think they're necessarily wrong.

Cookies are horrifically overused, and outside of ~20 sites that both need them to function properly and I care about functioning properly, I've been getting on fine without them for months now.

This tells me that an awful lot of them, especially third party cookies (of which I allow none) are totally unnecessary even without privacy concerns. Having users participate in their own tracking

Re:

[myurr]

Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used. How else would slashdot know you were logged in, for example.

This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this.

Re:There should be...

[Nursie]

"Correct me if I'm wrong but even when you disable cookies the browser typically still allows session cookies to be used."

Not when you're using the Cookie Monster firefox plugin set up the way I have it set up, no. You can enable session cookies or all cookies on a per-site basis.

Slashdot is one of the few sites that I do care about having working though, so I allow them to set what they like.

"This new legislation also applies to temporary session cookies. Almost every site where users can log in will be using session cookies to enable this."

Sure, and that's a valid use (IMHO). It could easily work this way though -
User goes to front page
Check for cookie
If no cookie allow user to browse site
When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

If the cookie's there from the beginning then do the usual auto-login stuff.

A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

I realise all this makes things more complicated for end users as well, which is less than ideal.

Re:

[Idimmu Xul]

A lot of people say that if they're not allowed to set an opt-out cookie, how do they know the user's opted out and how can they then use the site without a popup on every page. My answer to that would be to get them to make sure they actually need that cookie, and if they do then make it clear that the site won't work without it.

That is not an answer to that technical problem.

The only answer I can think of right now to track that someone has opted out of cookies is to append something to the URL &optou

Re:There should be...

[Nursie]

What's not an answer to the technical problem?

Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

I don't get why there's more of a problem than this.

maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

Re:

[VortexCortex]

What's not an answer to the technical problem?

Don't set cookies without permission, if you really need a cookie then tell them they must have one to use the site. If they have previously allowed you to set one then there will be one there, or they'll have login details or whatever.

I don't get why there's more of a problem than this.

maybe I'm not getting it. Can you describe a situation in which this technical problem manifests itself?

It's easier than that... Use No-Script or the current version of Firefox4 (or a future version of IE9), and enable the "DNT: 1" (Do Not Track: [enabled] ) HTTP Header. This header will be sent with every HTTP request informing the websites that you have pre-opted out, you do not wish to be tracked.

Obviously if you need to log-in you must agree to let them store some data about you (your login credentials & profile). The information they collect should be clearly stated on their privacy policy, and

Re:

[Nursie]

Can you tell me - does anyone in the advertising business care about DNT headers? They'd be pretty damn easy to ignore if there's no legislative backing.

Hell I can stick "yes I'd like fries with that" in a header, but I don't expect anyone will pay any attention.

Re:

[Pieroxy]

Except Google (Chrome does not support DNT: 1 -- I hacked together a patch for Chromium...)

Google has a built-in setting "Ignore exceptions and block third-party cookies from being set". This is enough for me so far. Sites can set any cookie they want. Third parties go to hell.

Re:

[delinear]

The second every defaults that option to enabled, advertisers will simply create arrangements whereby all tracking is first party and the details are passed to them by a server side service. Same effect, slightly increased cost and complexity, less visibility.

Re:

[Pieroxy]

It doesn't have the same effect at all!!! Let's take an example:

Actual situation for most people: all cookies accepted.
I go to amazon.com, some random JS drops a cookie from the website www.trackme.org. Then I go to best buy where such a JS is also included in all pages. My browser sends the same cookie to www.trackme.org, hence identifying me to them. The next day, www.trackme.org knows I've been to both sites and know which products I've had a look at.

My situation: Accept cookie only from the page's domai

Re:

[delinear]

The social problem exists to prevent the bigger social problem of how you track user state between different pages on the site or different sessions. Cookies are a convenience to avoid asking the user to reset all their preferences for every single page (or having an incredibly static web - which I know a lot of people will say they prefer, but millions of others enjoy the rich web experience), the real problem lies in the lack of distinction (or at the very least clarity of distinction) between a cookie th

Re:

[Quince alPillan]

...and I don't want to be bothered with every website I go to telling me that I need to add another cookie. I'm a developer and when I have a problem, I search the internet for answers. Those answers could be on some guy's blog, or it could be an answer on a forum and is usually different every time. Having a box or click through page pop up over and over and over again is annoying as hell. You may want to know what sites are setting cookies, but I don't care, and neither does most of the non-technical

Re:

[The13thSin]

Exactly.

Look, I'm a big advocate for more privacy and believe we are currently giving away way too much private information and are tracked way too much, but this is something that should be addressed in browsers, not websites. Hell, make legislation that makes it mandatory to have a dedicated cookie-information page with a new tag that links to it if you must (so the browser can link to it, for instance with the infamous yellow bar), but the practical effect of legislation like this is that business is mov

Re:

[vegiVamp]

Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing. That removes the entire issue of keeping track of who opted out - you simply assume everyone who doesn't already have a cookie doesn't want one until they ask for it.

Re:

[John Hasler]

Once you start seeing cookies as a privacy issue, it becomes logical to also see them as an opt-in thing instead of an opt-out thing.

Which can already be handled entirely by the browser. There is nothing a site can do to stop your browser from asking for permission before accepting a cookie.

Re:

[vegiVamp]

Entirely correct, except that they can fuck up the site if you don't accept them. They can also do that when they have to ask you themselves, but from the ignorant user's point of view it is then the site that doesn't work properly, instead of the browser.

The difference is minor, I'll agree, and I'm not convinced that it is worth legislating over, but on the other hand it's not as if the industry is regulating itself. Time will tell.

Re:

[Jaruzel]

When an action is taken that requires a cookie, present the user with the user agreement explaining about the cookie, and also a login box (if they have a login they must have previously agreed to cookies). When they login or click through then set the cookie, session or permanent depending on your agreement or preference or whatever.

Way to go - that's brilliant way to scare off potential customers...

Most web users don't even know what a cookie is. All they care about is that the site they are shopping on remembers who they are, and makes adding things to their baskets and checking out as simple and easy as possible. No matter HOW you word the opt-in dialog, people will still get confused and click back to Google to find a less scary site.

The anti-virus people have done such a good job (sarcasm btw) telling people not to trust any non r

Re:

[Nursie]

"Way to go - that's brilliant way to scare off potential customers..."

Eh, sorry, in my worldview privacy comes before commercial concerns.

On the rest - why does it have to be a popup? Popups are evil anyway, in pretty much any situation I can think of. Just take them to a page saying - "As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

I mean, it's not like people actually purchase anything through any internet shop without agreeing to a huge set of terms

Re:

[Arlet]

"As this is the first time you've used our site, we need to set a cookie to help you continue shopping"

What about 3rd party cookies attached to ads ? There may be several different ones on a single page.

Re:

[Nursie]

As far as I'm concerned they're a non issue - i.e. they ought to be scrapped, effective immediately.

I can't find it in me to even start to care about a solution for these poor, poor advertisers that will allow them to keep tracking people.

Re:

[Arlet]

If they can't have the cookies, the advertisers will just track you based on browser headers and/or IP address.

Re:

[Nursie]

Which is there prerogative, recording what happens at their end.

Personally I see a line between people unwittingly participating in feeding their information to advertisers and server-admins recording who accesses what to analyse later.

Re:

[Arlet]

There's little difference in providing browser headers/IP, and providing a cookie, when you visit a web site. With the right tools, they can be used in exactly the same way.

The only difference is that I can delete a cookie, but I have no influence over what the server does with my browser headers, or IP address.

Re:

[Nursie]

An IP address is a fundamental part of the communication going on. Browser headers not so much. I have mixed feelings about browser headers anyway, especially given how often they are abused for "this site is only compatible with" reasons.

Yeah, don't know. It's less in the way of actively participating in your own tracking without you knowledge. And both browser versions and IP addresses change from time to time. Perhaps the "Do Not Track" legislation proposed in California is a better option.

Re:

[vegiVamp]

You're free to spoof your agent string or connect through a proxy.

Re:

[Arlet]

A proxy ? And let them see all my traffic ? That's worse than what I've got now.

Re:

[vegiVamp]

Because right now, nobody sees your traffic? And if that really bothers you, you're unable to set one up yourself? Here's a hint: SOCKS proxying is built-in to openssh.

Re:

[Arlet]

Only my ISP sees all my traffic, not some random 3rd party site I know nothing of. Given the choice, I'd stick with my ISP.

And no, it doesn't really bother me. But then again, cookies don't bother me either. I was just pointing out that banning cookies doesn't really improve anything regarding your on-line privacy.

Also, I have no idea how setting up a proxy improves anything regarding my traceability. They'll just use the proxy's IP address instead. The only solution would be to have a large pool of proxy

Re:

[icebraining]

Those ad networks simply can't set them.

Re:

[edumacator]

If you need a basket type session before this point then can you not use session id's in the url?

I haven't read the new rules, but wouldn't this be the same thing as tracking through a session cookie? I'm curious if this is still covered in the rules. It would be a trivial thing to use the url based tracking string and pass it to the third party from the server. Would that be allowed?

Re:

[Nursie]

"Well good for you. Now will you please bugger off. Some of us are trying to earn a living, not infringing anyone's privacy, and have better things to do than comply with stupid laws designed by cretins."

If you're not infringing on anyone's privacy then you have nothing to worry about. There are exceptions for cookies essential to the service (session cookies for baskets etc), but not for those that are cosmetic (site look and feel, autologin) or advertising related.

If you don't fit within that then, like o

Re:

[jonbryce]

And if your cookie is for cosmetic changes, you just need to have a check box that says "save these settings on my computer". If they tick it, they have given permission for the cookie.

Re:

[delinear]

While I wholly agree with your sentiment, in reality I suspect the severity of the implementation may render this impossible to police. Limit it purely to tracking cookies and there's a chance you can get sites to comply, expand that to convenience cookies and you've just created a huge additional development bill. I suspect this will go the way of disability regulations - it exists but it's never been used because practically no site on the web complies. If you limit it to tracking and analysis cookies the

Re:

[AmiMoJo]

User goes to front page
Check for cookie
If no cookie allow user to browse site

If only... I have Firefox clear most cookies between sessions, and it is surprising how many sites jump on you the moment you visit with a survey about your visit or a content-covering advert. All this will do is add "we need to set cookies, click YES to continue" messages to every site.

Re:

[vegiVamp]

You might be fully right, but how does the browser differentiate ?

Re:

[WaffleMonster]

What makes you think they don't understand?

It's probably true, but in this case I don't think they're necessarily wrong.

Legislating that which is easily solved with technology is a dead giveway.

There is no reason your browser can't be configured to ASK you first before storing cookies if you care so much.

The technical solution works globally on all systems throughout the world.

The legislative solution is limited to the handful of sites in the UK that comply.

Re:

[Nursie]

Most people don't know they exist.
99% of them are worthless.
Tracking people without permission falls into the arena of the legal.

There are good technological solutions to stopping people hacking into your systems too, doesn't stop us making it a crime.

BTW, it's an EU directive, not UK only.

Re:

[lxs]

And as per usual, only in the UK they find it "confusing."

Re:

[Yer Mom]

Usually because the UK government seems to insist on interpreting the EU directive in the most pedantic manner possible, while other EU countries take a more sensible and pragmatic approach...

Re:

[John Hasler]

> Most people don't know they exist.

Tell them.

> Tracking people without permission falls into the arena of
> the legal.

It's your browser that accepts cookies and it is your browser that honors requests for them. Why is it the site operator's problem that you are using a browser configured to do so silently?

Re:

[John Hasler]

> ...without permission...

"Without permission? The site sends a cookie and your browser either accepts it and stores it away on your disk, or not. Whether or not your browser asks you for permission before accepting a cookie is entirely between you and your browser. The site operator is not reponsible for the fact that your browser may have been configured to accept cookies silently.

> ...I applaud the effort to do something about it.

Why not just inform people and let them make their own decisions

Re:

[purpledinoz]

Are there really any benefits to the users to allow third party cookies? All browsers should just disallow third party cookies by default. There, solves that problem.

Re:

[Co0Ps]

Absolutely agree. The biggest mistake made in the HTTP standard was calling cookies "cookies". The familiar name invites politicians to mistakingly think that they know what their function and purpose is. They should have called it "state exchange identifier" instead and we wouldn't have none of this crap.

Re:

[Wowsers]

For a so called environment minister, you'd think she (Caroline Spelman) [wikipedia.org] would have SOME sort of science or engineering degree, but no, she has a BA First Class in European Studies. Like most politicians, they are NOT qualified in the areas they speak about, and is why such idiotic laws and outbusts are made.

Helpful instructional videos from across Atlantic

[syousef]

Correct way to handle cookies:
http://www.youtube.com/watch?v=OqL7jyrXhLs [youtube.com]
http://www.youtube.com/watch?v=rHfEmIXkWfg [youtube.com]
http://www.youtube.com/watch?v=Cqz9ZXUoUcE [youtube.com]

Question of terminology

[jcwayne]

IANAL(imey), so I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/

Re:

[Nursie]

"I'm having trouble understanding why the UK law bans the use of biscuits. /girds loins/"

Not all biscuits, only unsolicited internet biscuits :)

Re:

[jonbryce]

In UK English, a cookie is a specific type of biscuit with little bits of chocolate in it and usually soft and chewy rather than hard and crunchy.
It is EU law than is banning them, not UK law.

Wifi Cookie Global Warming?

[bryan1945]

So if they UK is having Wifi problems with global warming, what is that going to do to their cookies? Will their cookies only work for a certain range, and then turn into scones? I demand an irrational panel of useless government bureaucrats to investigate now! God save all our tea and cucumber finger sandwiches.....

The idea is just fine

[xenobyte]

It's just next to impossible to use the law as it is.

To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies. An advertiser needs to get opt-in consent before sending a cookie as it is unfeasible to obtain permission as you go. Basically this can be done in a simple way: A visitor to a site featuring ads from the advertiser will see nothing to requests to decide whether to accept cookies or not until this decision is made. The result is stored in a cookie which they need permission for as well. Now when sending ads the decision cookie is checked and if the answer is yes, the ads are sent with the tracking cookies, and if no, they are sent with no cookies.

This will obviously result in a lot of people saying no to the tracking cookies but that is as it should be. Tracking someone should only be done with consent.

Re:

[Xeranar]

Thank you. I'm glad somebody answered in a logical thoughtful way instead of the goofy knee-jerk "Government is stupid/bad!" that seems to come up so often. The answer is simple and frankly should have been implemented years ago. Cookies are not that wonderful and while I enjoy using them to log in to non-secure websites for simple stuff I am not a big cookie fan otherwise. They're sneaky bastards.

Re:

[Chrisq]

Redirect everyone without cookies to a page with a consent form describing all cookies set. Have an "accept" yes or no option. The no takes them to a page that says "sorry, you are unable to use our site", and an option to try again.

Re:

[L4t3r4lu5]

"Dear ChrisQ,

I admire you for your adherence to regulation regarding our website. Your input into the compliance process has been valuable.

Since you have provided the potential customers with the choice of accepting cookies or not using the site, our sales have dropped 35% and advertising revenue is now nill. We are no longer able to support your position with this company. Please clean off your desk and hand in your ID and keys to the receptionist on the way out.

All the best for the future,
Your ex-Bos

Re:

[L4t3r4lu5]

That's great if you want to work in a field for the rest of your life.

My point was that Hobson's Choice only works if you have all of the product and the only one selling. If Hobson had only half of the horses, he'd have been competed out of business within days by the others.

Further, principles don't feed your family. If you're happy living off value-range beans and sitting under blankets with the heating off during winter, you can afford that smug satisfaction of taking the moral highground. Some of us

Re:

[Mouldy]

Every result in [search engine of your choice] will be "You need enable cookies to use this website, yay or nay" because search engines won't be able to index the website's content without themselves accepting cookies.

A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners. Something along the lines of "This website wants to set cookies which may be necessary for it to work correctly, do you want to allow this? yay/nay". S

Re:

[swright]

A much better way to implement this unnecessary cookie law would be to put the responsibility on browser vendors instead of website owners.

This. I was wondering why nobody else was making this point.

It could even be accompanied by a law mandating that cookies are associated with descriptive information about what they are for.

A browser-based implementation would be impossible for sites to not comply with, more user friendly for the masses, better for sites, and better for privacy.

I really don't understand why the onus has been placed on sites :(

Re:

[VortexCortex]

It's just next to impossible to use the law as it is.

To me however it is very simple: A website can trivially obtain permission from the user for the site's own cookies.

Or, you can pre-opt out of ever website on the planet by sending the DNT: 1 (do not track: enabled) HTTP Header [w3.org] in every request for web resources.

The current version of Firefox4 supports this header, as well as NoScript for previous versions of FF. MS has stated that IE9 will support this header option too. Google (and the MPAA) have expressed concerns with allowing users to automatically opt out of every tracking service by simply stating their wishes to not be tracked... Therefore, Chrome will not s

Re:

[Nursie]

You'd be surprised how functional the internet is without cookies.

You need them for a lot of session-based stuff (login on forum sites, internet shopping/banking/etc) but most sites you visit don't really need them.

Re:

[mikael_j]

Most sites I visit need them since most sites I visit have some form of session handling.

It's not 1995 anymore, these days people don't just use the web to read documents shared by others and not being logged in is often a major hurdle when communicating with others online.

Re:

[Nursie]

"It's not 1995 anymore, these days people don't just use the web to read documents shared by others and not being logged in is often a major hurdle when communicating with others online."

Yup, so those sites that need it (there are about 20 that I care enough about to allow it) get permission and everything is fine.

But there's session handling and there's session handling. Slashdot needs a cookie. Dilbert does not. Wikipedia does not. Doubleclick can f*ck right off. It's actually still 1995 in a lot of place

Re:

[jonbryce]

Session cookies are allowed. The checkbox that says "remember me" needs to be renamed to say "save my login details on this computer and log me in automatically every time I visit". Then you are obtaining informed consent for the cookie.

Re:

[Arlet]

You also need them to store simple preferences, such as language settings. If you go to CNN, it lets you choose between international or US news, which is very convenient for people. A lot of sites have something similar. If you don't have cookies enabled, these things often break silently.

Re:

[Nursie]

Then ask if it's ok to store site preferences in a cookie, once, the first time someone changes a setting like that.

Re:

[Arlet]

The whole point of setting a preference is that it will be remembered for next time. Obviously it needs to be stored somewhere. Anybody who wants to set a preference and understands what they are doing is going to allow the cookie.

Or, perhaps you want to include 2 pages of legalese explaining all the conditions that are attached to the use of the cookie, that people aren't going to read anyway.

Re:

[Nursie]

It's simple, find another magic way of remembering, ask permission to store the data on the user's computer, or don't have the setting.

I'm sure it would be more convenient for me if every site on the internet knew my waist, collar and shoe sizes too, the minor inconvenience of having to tell them is the tradeoff for privacy in that case. Here, CNN asking once if they can stick a cookie on your machine is the price.

Re:

[Nursie]

I do control what's on my computer. Most other computer users don't know what a cookie is, let alone what they're used for or how many they have on their machine from advertisers and trackers. They might liek to know. They might like to be asked before they're set.

And if "replying honestly to people who reply to me" is now trolling then... wow. Why so angry?

Re:

[mjwalshe]

as would a lot of useability stuff want to set a site into its visually impaired style is one example

Re:

[icebraining]

People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors.

No they won't, because businesses aren't stupid and will cut back on cookies immensely to prevent confusing the users. The only reason every site nowadays sets a boatload of cookies is because they don't have to ask.

Re:

[VortexCortex]

Considering how cookies are important, like session-ID storing, the question should better be asked once only, by the browser. People answering "no" will suffer from the many "this site requires cookies" messages, and other unexpected behaviors. Pretty quickly, it will appear obvious that the law cannot apply to cookies.

::Sigh::

The website you are visiting has requested to store a cookie on your computer.

(o) Do not accept the cookie for this site.
( ) Do not accept cookies for any site.
( ) Allow only this cookie for just this session.
( ) Allow all cookies from the domain example.com for just this session.
( ) Allow all cookies from the domain example.com until they expire or you clear them.
( ) Use the recommended action of your chosen privacy advisor service: allow for 1 session only

[x] Remember my decision and do not ask me again.
(This setting can be changed later in the privacy tab of your profile options)

(Advanced: click here to see the content of the cookie and to set per cookie acceptance / expiration policies )

The cookie-monster plugin for Firefox gives you per site options, but I haven't used it in a while, basically, just the above dialog would suffice for all of my cookie related needs.

Re:

[VortexCortex]

( ) This is my first time using a computer/the internet and you're asking me to give an answer on something I consider a reasonably complex technical question which might, based on my uninformed answer, then go on to affect all my future experiences (example, by blanket banning cookies and having a poorer user experience or by blanket allowing them and suffering loss of privacy)

The reason we have a mechanism like cookies that silently writes this information in the first place is because sufficient users can't or don't want to understand what they are or how they work. We've had the ability to disable them almost since year dot and yet we're still having to implement laws because people can't or don't want to figure out what they are and how to turn them off. Badly thought out legislation will have huge development costs to business and confuse the hell out of users.

Perhaps you missed this option:
( ) Use the recommended action of your chosen privacy advisor service: allow for 1 session only

This could be made default...

To be perfectly fair: IMO, Computer illiterate people should not be using things they do not understand.

They may make bad decisions about their privacy and or fall for Trojans or Scare-Ware -- which happen to be the majority of the installed malware I encounter.

I work on my own cars; I recently rebuilt my manual transmission. I will not tamper

RFC2965 need merging and update with HTML5 storage

[La Gris]

Session tracking really need new standard and some merging with the HTML5 client side storage. This with clear client enforceable client policy, server and DOM standard way of reading the access and store policy settings.

The situation now is:
- an obsolete RFC2965 cookies standard with no average user know/can manage safely,
- and a still to be standardized HTML5 incompatible client storage and database.

New cookies should become part and merge with the HTML5 client side storage, with backward compatible but m

Re:

[WaffleMonster]

The situation now is:
- an obsolete RFC2965 cookies standard with no average user know/can manage safely,
- and a still to be standardized HTML5 incompatible client storage and database.

New cookies should become part and merge with the HTML5 client side storage, with backward compatible but marked obsolete API.

If you liked storing pointers to data kept on servers you will *LOVE* storing even more data from each site on your computer.

Well I guess right up until the point where all the fine folks on the Intertubes intentionally design sites to consume massive amounts of disk space across an infinite number of attacker domains and or force erasure of legitimate content after the fixed storage pool is exhausted.

Re:

[Anonymous Coward]

There shouldn't be any client side storage at all. If the browser makers would just drop this stupid cookie idea that Netscape had around the time of the blink-tag, web developers would be forced to design their sites to store anything they need on the server.

Make the browser send a UUID as a session identifier. When the user types in a new URL, or selects a bookmark, generate a new session identifier, even if it's the same site. That way, you could even be logged in to the same site with two different user

Re:

[La Gris]

Too bad you posted as Anonymous because I find you expose a very brilliant simple solution. I would have marked you as friend to more easily follow your next posts.

Its a pointless law

[Chrisq]

You could just use the browser "propmpt every time" setting if you want to decide which sites use cookies. (the prompt allows you to say "always for this site).

I can feel the heat cloing in

[troll -1]

Remember the CAN-SPAM ACT 2003 in the US? That was another pointless law. Spam is at an all time high. You only stop spam with a spam filter. Governments only gets bigger, never smaller.

Re:

[MartinSchou]

I'm pretty sure you can stop spam with a gun as well.

Your computer is being used as a spam-relay-bot? It gets shot.

You have more than three or more computers in your household being used as a spam-relay-bot? All residents gets shot in the knees, AND all computers in your household gets shot.

Your company is selling wares through spam? The entire board of directors are shot in both knees and both elbows. Your stockholders gets shot in a foot.

You responsible for running a spam-relay-botnet? You get shot in the

Re:

[Arlet]

Authenticated mail won't work as long as there is still malware that can steal your credentials.

Bright side for those who run web apps

[InsurrctionConsltant]

From the guidelines [ico.gov.uk] (pdf):

The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for t

Re:

[Nursie]

That sounds eminently reasonable to me, and neatly counters a lot of the "sky is falling" stuff people have said further upthread.

Re:

[JackDW]

Wouldn't it be even more reasonable to require web browsers to use the sort of restricted cookie settings that you personally use? As in "block by default". The EU already demonstrated that it can force major browser makers to do weirder things [wikipedia.org]. If IE starts blocking third-party cookies and demanding confirmation for first-party cookies, then every other browser will be able to do the same thing too, because websites will quickly adapt to the new way.

Going after websites is stupid because the law is unenfo

Re:

[delinear]

Who decides what is "strictly necessary" for a service, though? "My website is funded entirely by advertising from advertisers who implement third part tracking, without this advertising there is no service, it's the very definition of strictly necessary" sounds like the first line of reasoning for a lot of people. Are we just creating a law that will make convenience cookies difficult to implement but has a huge loophole the advertisers can drive a truck through?

A User-Agent does not uniquely identify a person

[mrthoughtful]

Firstly, Cookies are generally tied to User-Agents, not to people. UK websites are not required to get consent from spiders, crawlers, or other bots.
What I invite the ICO to do is to demonstrate a technical, non-invasive, means of being able to identify an individual from the information made available over a HTTP1.1 request.

Secondly, regarding Session Cookies, it is trivial to replace a session cookie with a QueryString token - so what is the differentiating feature of these two that requires consent for

In the UK

[assertation]

aren't they called "biscuits" ? :)

Re:

[coolmadsi]

In the UK a 'cookie' is usually a biscut with chocolate chips in it. This is the icon representation they have in Chrome I think (in the address bar a cookie (with chocolate chips) icon appears that you can click to view the (website) cookie information).

Cookies Are Nice But Not Necessary

[littlewink]

This may come as a shock to many but cookies are not necessary.

Re:

[Arlet]

It's close enough. Cookies are small pieces of text, and they are stored on your computer.

Re:

[quarkoid]

"Petrol is a metal tank attached to your car"

"Ink is the stick you use to write on paper with"

"Music is the big square boxes attached to your amplifier"

Close enough it may be, but to definitively state something as fact which is quite clearly not fact (or, even if it is, only in a limited number of cases) when describing why legislation applies is just wrong.

They could quite simply have said, "Cookies are small pieces of text which your computer may choose to store." - there, simple. It also has the plus th

Re:

[Nursie]

You going to explain about cookies to my mother?

I sure as hell don't want to. Somebody probably should though, as she's unwittingly feeding all sorts of info to whoever wants it on the internet, without her knowing.

Saying users have the choice is disingenuous here.

Re:

[Arlet]

The typical user just clicks on a web site, and has no idea what cookies are, and that they are getting stored on their computer. In most cases, there's no 'choosing' involved, since they are enabled by default. For those cases, saying that the text just gets stored on your computer is accurate enough.

Re:

[he-sk]

The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name."
That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

Most files below /proc are not even data at all, but s

Re:

[Arlet]

Also, a database file is usually not a text-file, because it contains data that is not human-readable.

There is little conceptual difference between a database and a file system. For the sake of the discussion it doesn't matter if cookies are stored in little individual files on a file system, or if they are combined in a small database implemented as a single file.

Re:

[he-sk]

Yes, but then why even mention the technical term text-file? Why not conceptionally describe what's going on, so that anybody can understand it?

Cookies are pieces of data that are stored on your computer, usually for preferences such as login information. They can also be used to track your browsing patterns.

Followup with a link to a broader discussion of the pros and cons of cookies. On the technical end, someone else mentioned a adblock-like approach for sites from which cookies should be blocked by default. This should be integrated into every modern browser, at least through a plugin that is advertised properly.

Re:

[VortexCortex]

The definition of a computer file, from wiktionary: "An aggregation of data on a storage device, identified by a name." That definition was what I was taught when I studied CS in the 80's too, it goes back to the 60's.

That definition clashes with the Unix philosophy of "Everything is a file" which allows us to abstract from different peripheral devices and treat them all uniformly.

Is /dev/disk0 a file? I'd say no, because it is the storage device, not just the data on it. (E.g. you can use it to query the SMART status of the storage device which I would not count as the data stored on it.)

Is /dev/kmem a file? It's data, but it's not on storage, but in volatile memory.

Most files below /proc are not even data at all, but state. (I.e. their informational value depends on the time they are queried.)

Also, a database file is usually not a text-file, because it contains data that is not human-readable.

Have you written any code to access those? Guess what, you use a FILE DESCRIPTOR. The goal is that everything in Unix be accessible as a file... If it looks like a turd; Smells, feels and tastes like a turd -- It's a pedant.

Re:

[he-sk]

You need a file descriptor to access any kind of file. Except on the shell, where you can use them directly as input or output. The principle that everything is a file is a big reason why shell programming is as powerful as it is. (I'm not saying it's pleasant. But it does get the job done in many instances.)

Re:

[Jaruzel]

Not True.

Yes we have biscuits, but we also have cookies. Cookies are typically rough circular baked sweet dough with added fruit or chocolate. Most Cookies are also moist in the centre. They are also baked fresh and bought from dedicated cookie or bakers shops (you can get pre-packed cookies but these are horrible and dry).

Biscuits are dry (excluding the filling) and come in defined shapes. To use a common example, Oreos (also available in the UK) qualify as biscuits not cookies.

-Jar

Re:

[ledow]

Really? I use Opera, with "Accept cookies only from the site I visited" set to on (which is the default) and have never run into a problem with this.

What sites specifically? Because I have *zero* cookies from either of those sites you mentioned and yet don't have a problem navigating any of what I would consider the major sites - the only sites that give me problems are ones where they don't have Opera compatibility at all, I can't even remember the last time I had a cookie issue (maybe with the inbuilt S

Re:

[lazybeam]

I thought the point of those domains was that they didn't have cookies, thus saving large amounts of bandwidth and time (more caching and concurrency) for the static files.

Re:

[Tim C]

I have had to explain the difference between it's and its twice now to an otherwise intelligent, native-born English speaker at work. Some people seem to just not have a head for grammar, distressingly enough.