Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy United Kingdom Your Rights Online

64 Complaints Received On UK Cookie Law 86

judgecorp writes "Privacy watchdog, the Information Commissioner's Office, has already received 64 complaints under the UK's Cookie Law, which requires sites to get permission to track users with cookies. The law only came into effect on Saturday, and many sites do not expect to comply soon. To make life more complicated, the ICO has updated its advice, apparently allowing 'implied consent' instead of actually making a user click a box to give permission for cookies."
This discussion has been archived. No new comments can be posted.

64 Complaints Received On UK Cookie Law

Comments Filter:
  • Implied Consent? (Score:4, Insightful)

    by Anonymous Coward on Tuesday May 29, 2012 @07:26AM (#40141021)

    "Implied Consent" is nothing more than a way to skirt responsibility of law. If THEY can do it, then so can we.

    • yeah i fucking hate this spam copout where implied consent seems to be accepted. resulting in my receiving 2 mobile spam texts a day recently.

    • by Errol backfiring ( 1280012 ) on Tuesday May 29, 2012 @07:35AM (#40141063) Journal
      "Implied Consent" is the most stupid term I ever read.
      • by Anonymous Coward

        I'll use that defense in my rape hearing. I thought drinking 12 beers and passing out on my floor was implied consent.

      • Its stupid in this case but smart when dealing with medical emergencies. If you are unconscious, implied consent gives someone there to help you the consent to save your life by giving you CPR. "Important in this case implied consent is." (Return of the Jedi)
    • Read the guidance. The constraints on "implied consent" are pretty stringent: whoever is setting the cookie needs to be able to prove that the user understood in advance that cookies would be set and what that means.
      • As a user of websites I know this can happen so they are fine under the law. As a user of my company's website I know this does happen because I'm in the development team so that is fine under the law.

        Oh, you meant some other user? How is a site supposed to know what a random user knows, let alone prove it when there is no definition of "user"?

        • If the site does not know the user consents, it should ASK him. Isn't this what this law is all about?

      • You say "need to" as though it has any meaning in the context of the ICO's toothless barking.

        If the tentacle of the State charged with enforcing a law obviously doesn't really give a damn about it, why would anyone else?

      • by tepples ( 727027 )

        whoever is setting the cookie needs to be able to prove that the user understood in advance that cookies would be set and what that means.

        But when someone logs into a site with a username and password, can't it be assumed that a reasonable person would understand that logging in bakes cookies?

        • whoever is setting the cookie needs to be able to prove that the user understood in advance that cookies would be set and what that means.

          But when someone logs into a site with a username and password, can't it be assumed that a reasonable person would understand that logging in bakes cookies?

          No. It can be assumed that a knowledgeable person would understand that, but I doubt most web users, however reasonable, would know that. Anyway, my concern is over analytics, which doesn't require the site user to log in.

    • by Xest ( 935314 )

      Maybe Gary McKinnon should just switch to this defence.

      "What? Sorry American military, I assumed because you had blank passwords that I had your implied consent I could login? Does this mean I don't have to be extradited"

      Like you say, implied consent is basically a way of saying "You don't actually have to really give a shit about this law".

  • by Anonymous Coward

    A power of 2!

  • by SJHillman ( 1966756 ) on Tuesday May 29, 2012 @07:37AM (#40141077)

    They've actually received several million complaints, but only had a 6 bit counter.

    • Nice try, but that would only allow for 63.

      • no, if indexes go from 0 to 63, and it allows 64 elements :->

        • 64 elements is not the same as tracking 0 to 64 complaints.

          • But 64 complaints is the same as a counter going from 0 to 63. To make it human readable, you'd just add 1 to the value of the counter.

            • by Anonymous Coward

              Ummmmm. no. If you are cheating by assuming that all bits '0' means 1 complaint, then how do you store the 0 complaint starting state?

              • by Chrisq ( 894406 )

                Ummmmm. no. If you are cheating by assuming that all bits '0' means 1 complaint, then how do you store the 0 complaint starting state?

                Real C programmers would say that starting at 1 is cheating.

              • There was no 0 complaint state. I complained before it became law.
              • Null pointer for the counter until a complaint is registered.

          • If you have an array of ints:
            int[] numberList = { 1, 2, 3, 4 }
            and someone asks you, how many ints are in this array? Do you say 3 or 4?

            • I say: "64 elements is not the same as tracking 0 to 64 complaints"
              You say: "and someone asks you, how many ints are in this array? Do you say 3 or 4?"

              You didn't add anything new to the conversation. I already said there are 64 elements. However, 64 elements is not the same as being able to track up 64 complaints. You must start with the initial condition of zero complaints, meaning you can track 0 to 63 complaints with a six bit number.

              • ah I get it. I was thinking of an array of 64 elements, where each element is a Complaint class, while you were thinking of a simple counter.

                • Yeah, the OP said counter, so I went with that. After my last post I started thinking more about it and figured you were going with some type of class or database record. It is amazing how frequently communications breakdowns happen on simple things. Enjoy the rest of your day :)

                  • Seriously guys, how many times do I have to say this. This is simply not the right way to settle an argument online.

                    You two made the elementary errors of trying to compromise, offering each other a chance to explain your positions, listening to one another, caring about a misunderstanding and finally added insult to injury by wishing him a nice day. For shame.

                    This should have proceeded immediately to name calling, threats to burn each others' houses down, childish and grammatically incorrect insults and f
              • Zero complaints = empty array
                Complaint #1 = array[0]
                ......
                Complaint #64 = array[63].
        • Vertex, vertices, matrix, matrices...index, indices?

      • The counter is 1-based and clamps higher amounts to 64. The guy who made the counter figured the law would get some complaint at some point (because party politics), and was inspired by the "Retweeted" counter below Twitter posts that clamps at 100 (the pay didn't motivate him enough to go that high).

      • by Anonymous Coward

        You're forgetting the implied complaint numbered 0.

      • by fatphil ( 181876 )
        The arithmetic is saturating and the overflow flag is set.
  • When can we have the same for needless javascript? And for flash?
    • Javascript and Flash can easily be disabled via your browser's settings, just as cookies can, which makes this law kind of pointless. If you browser doesn't have 'per site' settings for this, there's more than likely an extension to provide that capability.

      All this legislation does is force EU organisations (so no effect on anything outside of EU) to replicate the aforementioned browser cookie blocking functionality but using a method of trust instead of an explicit user setting tightly under a user's contr

      • Javascript and Flash can easily be disabled via your browser's settings, just as cookies can, which makes this law kind of pointless.

        ... and some sites are actually quite good at annoying people who do just that. One trick is to set up a meta http-equiv redirect to a nag page which kicks in if there is no javascript. Or the main content block's display property to none in CSS, and set to something sensible by javascript. Or same idea but with opacity: 0. Or links that point back to page itself (<a href="#"> ) rather than to the subpage they are supposed to point to. Fortunately, sites doing such nonsense are a minority, but they do

        • What you say is true, there are certainly sites out there that really want to get round any measures a user puts in place to block certain behaviour, but if a site is doing stuff like that, would you really trust them to conform with legislation anyway? From my personal experience, the types of sites that exhibit this kind of behaviour are typically not high on my trust list.

          And even if the legal repercussions of not conforming were enough to ensure these sites do conform, then why not just have legislation

          • What you say is true, there are certainly sites out there that really want to get round any measures a user puts in place to block certain behaviour, but if a site is doing stuff like that, would you really trust them to conform with legislation anyway?

            If legislation is in place, and a site blatantly misbehaves in such a way, this is actionable. At least the bigger sites (such as facebook) would have to comply.

            From my personal experience, the types of sites that exhibit this kind of behaviour are typically not high on my trust list.

            But sometimes, it may be a site whose service you absolutely need, such as directory look up... we have the case here in Luxembourg where one directory lookup service [yellow.lu] pulls such a shenanigan. Fortunately, theyre is a competitor [editus.lu]. But what if the competitor starts behaving in the same way?

            And ironically enough, luxtrust.lu [luxtrust.lu], the national Luxembourgish

  • Click here (Score:2, Funny)

    by Anonymous Coward

    to see this fabulous girl naked. And to accept cookies from our 100 affiliate analytics firms

  • With any luck all 64 complaints will be against government sites.
  • by ewanm89 ( 1052822 ) on Tuesday May 29, 2012 @07:59AM (#40141233) Homepage
    How does one opt out of cookies without using a cookie to remember it?
    • by ArsenneLupin ( 766289 ) on Tuesday May 29, 2012 @08:08AM (#40141303)

      How does one opt out of cookies without using a cookie to remember it?

      Using Etags [wikipedia.org]...

    • by Zocalo ( 252965 ) on Tuesday May 29, 2012 @08:26AM (#40141475) Homepage
      This isn't about banning cookies, it's about banning user tracking without consent - which includes far more than cookies; browser fingerprints being the main candidate, so the correct intent is there. For a start, it's perfectly OK within the law to set a cookie that tells the site to not track that user, which I suspect will form the bulk of the (incorrect) complaints received by the ICO, but you can't use that cookie to track the user across your site, or any affiliate sites.

      The problem with this legislation isn't the intent, it's the complete lack of clarity coming from the ICO who are responsible for its adminstration and enforcement. The law essentially boils down to "do not track your users without their consent", which the ICO has then muddied the waters over by making some vague remarks about implied consent being OK without explaining exactly what they mean. There is a great deal of confusion over whether the request to opt-in/out needs to be overt (i.e. a click-through or banner), whether or not you can set a "do not track" cookie (you can), and so on.

      It's not being helped by some totally lame implementations of the consent request, most probably due to lack of clarity from the ICO about what can and can't be done, in the cases of users with cookies and/or JavaScript disabled for a site. A frequent occurance in this case seems to be that such users either have to go through the consent request every visit or have a consent banner permanantly displayed on the screen. Both these problems could (and I'll emphasis that "could") go away quite simply if the ICO were to state that:
      1. If using a script to prompt for consent and if that script is blocked then default to "do not track"
      2. It's OK to try and set a cookie, read it back and if that fails assume cookies are blocked by the user and implied consent = "do not track", otherwise prompt the user for consent and act accordingly.

      But all that assumes that the websites are going to act in the best interests of their users over the best interests of their bottom line; in many cases sites will be dependant on the revenue they can raise from their users, and a tracked user is going to be better targetted with ads, and thus more likely to click through, than one that is not. The more inconvenient it is for users to opt out of tracking, the more likely we are going to see those sites taking that track. Kudos on that front to the BBC who have a well thought out and graded set of cookie policies [bbc.co.uk] you can opt into ranging from "necessary", through "functionality" and "performance", to "behavioural advertising".

      • It's worth noting that even the BBC's implementation may not be in compliance with the law. Although it's kind of hard to say, since nobody knows what the hell compliance even looks like at this point--

        what's that? The law's already taken effect and nobody knows how to comply with it? Tough crap, you get a complaint.

        Ridiculous.

      • by isorox ( 205688 )

        This isn't about banning cookies, it's about banning user tracking without consent - which includes far more than cookies; browser fingerprints being the main candidate, so the correct intent is there. For a start, it's perfectly OK within the law to set a cookie that tells the site to not track that user, which I suspect will form the bulk of the (incorrect) complaints received by the ICO, but you can't use that cookie to track the user across your site, or any affiliate sites.

        So would a temporary session cookie, often set without the programmers knowledge, be ok?

        How about a cookie which is used to remember you've done an action, but not track you. E.G. "color=red" and "color=blue".

        The problem with this legislation isn't the intent, it's the complete lack of clarity coming from the ICO who are responsible for its adminstration and enforcement. The law essentially boils down to "do not track your users without their consent", which the ICO has then muddied the waters over by maki

    • by AmiMoJo ( 196126 )

      You don't, you opt-in.

      This law is actually very sensible. There are exemptions for non-tracking cookies, stuff like session tokens used by online shops or banks, misc preferences and so forth. Cookies just primarily to track and target advertising at you need permission and the site has to allow you to opt-in.

      • This law is actually very sensible. There are exemptions for non-tracking cookies, stuff like session tokens used by online shops or banks, misc preferences and so forth.

        That is the whole point: there is not an exemption for session cookies -- only an exemption where they are strictly necessary -- which is a very high standard, also the legislation does not distinguish between a site specific session cookie and a 3rd party cross site cookie. This is what is stupid about it.

        See: cookies_guidance_v3 [ico.gov.uk] page 12:

        Where the setting of a cookie is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.

        Note the v3, they keep on tweaking what they expect people to do.

      • by fatphil ( 181876 )
        Firstly - if they recognise me - they are tracking me. I don't care if you call it a "session token" or whatever, it's simply a mechanism for tracking me, nothing more.
    • by grahamm ( 8844 )

      How does one opt out of cookies without using a cookie to remember it?

      By not storing a cookie. If you visit the site and do not opt out, it will send you cookies including one which indicates that you did not opt out of receiving cookies. Then on subsequent visits, if this cookie is presented then the site knows that you did not opt out and can continue to send/update cookies. It, however, mean that you will also have to opt out again on every subsequent visit to the site.

      • I really like the EU "law" / guide that the UK law was made from (found here [europa.eu]).

        Let me quote part 25 (with some added emphasis):

        However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions.

        Where such devices, for instance cookies, are intended for a legitimate purpose, such as to facilitate the provision of information society services, their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using.

        Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment. This is particularly important where users other than the original user have access to the terminal equipment and thereby to any data containing privacy-sensitive information stored on such equipment.

        Information and the right to refuse may be offered once for the use of various devices to be installed on the user's terminal equipment during the same connection and also covering any further use that may be made of those devices during subsequent connections.

        The methods for giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible. Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

        So if they refuse to have a cookie or similar device stored on their device, we need to know that the user opted out for that and following connections. Since it's a legitimate purpose, we can store that information. But only if the user does not opt out to storing that information, which .. he already has .. What is this I don't even .. Are those fuckers completely clueless to basi

  • by jholyhead ( 2505574 ) on Tuesday May 29, 2012 @08:40AM (#40141585)
    I bet all 64 complaints were made by web developers against the .gov.uk sites that are non compliant.
  • by JimMcc ( 31079 ) on Tuesday May 29, 2012 @09:59AM (#40142441) Homepage

    I just visited a link on the dailyrecord.co.uk and received some kind of cookie notice. The notice appeared as a pop up in the bottom right corner (the last place an english speaker will scan to) with text in pale grey. The notice was clearly designed to be difficult to notice. Even though I saw it pop up right away, I didn't have a chance to read the text or see which link to use to opt out before the notice disappeared. It was clear from the first sentence that if I did nothing I was consenting to be tracked.

    I guess the law, which clearly had good intentions, has been eviscerated so that now the websites can just briefly display a hard to notice blob of text, remove it before you have a chance to read it, and continue tracking you with impunity.

  • I think that the biggest problem is that sites set too many cookies. It can get difficult to distinguish one type of cookie from another.
    Browsers have a cookie setting for "Ask me every time", which is practically useless as most of your time web browsing gets spent at clicking the popup dialogue.

    One example where no cookie needs to be set at default, is on a web site's front page. The user should then be able to give implicit consent to a cookie by clicking on a link inside the site. Not setting a cookie b

    • by laffer1 ( 701823 )

      Some sites have a login on the front page. It might be an ajax call. Your front page rule doesn't make sense in all cases.

      Plus, I don't think banning session cookies on a site is necessarily a good thing. Sometimes they're used to track users, other times, it's just convenience by the web app framework and not used for anything but managing logins, shopping carts or similar. Intent matters and this law does not take that into account. It has exactly one exception for a shopping cart.

  • So, if your browser is configured to keep cookies, does that imply consent to place cookies?

    If you configure your browser to disallow cookies from certain sites, you're denying consent, and it doesn't even require the sites to be changed at all.

    So, why does this law exist again? It looks -1, Redundant to me.

  • There is a similar law in Sweden, but instead of saying that the user have to permit cookies, the Swedish law just states that users have to be informed about them:

    • That cookies are used
    • What they are used for, in general and on the site
    • How to disable cookies
  • The law was causing havoc for retailers and given that there was no clear guidance on how to handle this, we have a host of implementations, from the BBC which embodies the spirit of the law as it was originally written, to the Financial Times and BT which are using weasel ways (bottom of page, fades out straight away), to Google (which has essentially ignored the guidance).

    The ICO, faced with overwhelming discontent from large retailers and retail associations, caved and has essentially ensured the status

No spitting on the Bus! Thank you, The Mgt.

Working...