The government is working with browser manufacturers to create new settings that will help businesses comply with a controversial new EU law on cookies that is due to come into force in May. The government has also insisted that the EU Directive will become UK law by the May deadline, despite a warning from the Information …
Can see what'll happen
The user will get asked, but won't be able to use the site unless they accept. For some things, this wouldn't matter, but if you are looking for an answer it'd quickly become annoying (Bit like how ExpertsExchange always seems to be the first link!)
Am I missing something?
Firefox already asks me if I want to allow cookies, because I told it to.
You even used the title I was going to
But yeah, every modern browser has this setting already. I guess the government really, really just wants to look like it is doing something.
Poor, abstract, laws.
Typically stupid, ill thought-out laws.
Rather than something like this, where the choice will be "agree to this carefully worded popup - or go away entirely", they should be dealing with the real problems.
Specifically, we need a browser setting that says items like "you may not pass my information outside the company, specifically not to advertisers" and "I don't want advertising junk from your website". Then we need a way to impose this on ALL companies, particularly American ones that typically don't understand privacy. I'd suggest a finite time, then blocking of any offenders - stone dead.
And while we are at it, can we have a cookie that says "you must never pass any of my information to governments or courts" - given that they are a much bigger privacy problem than doubleclick.
It should be a requirement that...
Two classes of cookie exist. Temp and permanent. Temporary can be written/read throughout a session but must be cleansed at exit. "Permanent" cookies could be sustained until purged by some housekeeping software. Each time a website/application asks to access a "permanent" cookie to write information to it, it should request permission from the user of the machine unless the user has given logged consent. Reading what is there should not be an issue if the cookie was placed there by the application/website.
This displays my complete ignorance of how browsers operate?
@displays complete ignorance of how browsers operate
Not only do temporary "session" cookies already exist, but sites can set an expiration time on "permanent" ones.
I don't know, however, whether browsers prompt for session cookies when they are set to 'Ask' before accepting cookies, but switch your browser into that mode and you'll quickly be overwhelmed by requests.
...."working with browser manufacturers".
Which ones? Do they realise there is more than IE out there? Even MS acknowledge (through their Browser Choice update) a whole raft of browsers. And what happens if I modify an open source browser, do I have to contact the Thought Police to ensure it has their seal of approval?
And what about all the Whitehall departments still using IE6: how is that going to work if a new browser version is required to comply with this half baked ill thought through directive from some faceless EU civil servant who is too stupid to own a computer?
User clicks on number10.gov.uk - a message pops-up with a sweet Joanna Lumley voice "Sorry your browser is non-compliant with EU law. Goodbye"
It's marginally better to hassle everyone who makes a browser with this nonsense, than everyone who operates a website.
By government standards this almost qualifies as a good idea.
I'd love to see
...a browser factory. I can just picture all that heavy machinery stamping out the millions upon millions of individual bits and bytes that go into a modern browser and an army of workers diligently assembling them all in the right order.
I wonder if they do tours?
Um, since the MS Browser Choice thing you cite only exists as a result of European Commission action, it would seem fairly self-evident that, yes, they really do realise that there is more than IE out there. Maybe you need to think your prejudices through a little more carefully.
What will happen is that users will get a message saying that the site will not work without cookies, click here to accept. The user will get two options: Accept the cookies or don't use the web.
If the point of this law was to protect users, it does it no better than telling them to not use the internet (IMHO). Yes companies have to get permission to do it, but just that; they can just force everyone to give their permission.
If my local supermarket said that all shoppers had to be naked (to prevent shop-lifting, obviously), and that people had a choice; they could not shop there; I'm sure that the law would say different.
"cookies, small files placed in a user's browser"
No, they're small strings of data held in the browser's memory and stored in a single file per browser. Exceptionally more than one browser may access the same cookies file.
But the browser is the obvious place to control cookies. Otherwise what do you do about sites outside the EU and all the legacy sites that are no longer maintained but still online? How do you expect users of web-based packages and scripts to know whether they set cookies or not?
I'd much rather have a law that says if a company sends you an email message it must provide a valid email address to which you can reply.
"working with browser manufacturers"
You can just see the scene : a grimy factory, belching smoke, grim-faced workers enduring noise, soot and low-wages bashing out, probably with steam hammers, countless billion browsers a shift.
Won't be sufficient
How is getting browser manufacturers to make code changes sufficient to make the UK comply with the regulations? Given that IE6 still has a significant market share it is likely that there will be a large number of people that companies will be failing to get informed consent from as they haven't updated their browsers to the latest version.
Server side session 'cookies' and more
So, how do we go about server side sessions? This has nothing to do with browser settings! How can the ICO enforce this law unless they have access to our sessions folders / tables?
Also, can a custom URL be defined as a cookie - say for instance
First person access site - gets ID of 1, so all links are written like www.example.com/index/1/page
Second person access site - gets ID of 2, so all links are written www.example.com/index/2/page
Does this come under the same regulations?
"The UK Government has previously said that it will simply copy the exact lettering of the EU Directive, adding no clarification or interpretation of its own when it creates regulations to turn the Directive into UK law."
i.e. they're going to make a nebulous and poorly worded law, using words that they copied and didn't consider, and then let the lawyers sort things out in the courts - legislation without cogitation.
Granularity of consent
"Debate has raged about whether sites will have to ask new users for that consent outright or whether web browser settings that permit cookies can be taken to mean that consent has been given."
"Debate has raged about whether men will have to ask new girlfriends for that consent outright or whether a non-virginal state can be taken to mean that consent has been given."
Of course we give consent to be tracked by everybody, rather than simply needing to enable cookies to access a particular service... scumbags.
What I want to know is: does this also cover session cookies? These cookies only survive for a short while: as long as the browser is not restarted and the user keeps viewing a particular site's pages at least once every 25 minutes (or thereabouts). The purpose is to stitch together a set of page views into a related sequence -- a session. Once the session is over it is completely lost.
It would be a pain to have to ask permission to set these.
I concur - especially when using ASP.NET - it sets session cookies without any explicit developer input.
To ban these until consent was granted would put great swathes of websites out of action!
Try reading the directive
Cookies that "are essential for the technical service" are excepted from the directive. However, I think this excludes cookies just being set by the application server. .NET and other environments will have to be patched not to set cookies when they are not required.
Link to the directive (woefully missing in the article) http://europa.eu/legislation_summaries/information_society/l24120_en.htm
Note: the directive considers cookies and data retention as separate issues. User tracking is likely to be pretty much impossible if countries implement the law in this form.
Also worth noting that the UK is not the only country likely to be late in implementing the directive in national law but this is quite common with directives. Initially this just means a rap on the knuckles for naughty member states with fines to follow - many countries are often years late on legislation. Problems for sites and users will arise once the first country does legislate because anything dealing with countries outside the EU will be handled by the Commission.
corporate controlled government
are they not required to ask permission for "tracking cookies" only, those annoying flash, LSO & normal ones that are used for target advertising?
the corporations dictate in the UK so we're all fucked up the arse already...
Ask a bunch of clueless lusers...
Essentially someone somewhere perceived there was a problem, probably involving the EU data protection laws, with cookies being used to track user behaviour on websites, or on syndicated groups of websites. Rather than taking a good, hard look at how web browser cookie controls can be set up to prevent this sort of abuse (Firefox anonymous mode, say, or discard all cookies on exit), the EU defaulted to its normal mode of operation and set about making up a law.
Nobody in the EU lawmaking process actually properly understood the problem, therefore nobody there saw that the solution was to hint to browser makers that making the cookie controls finer-grained and easier for the dumb luser to (mis)use was probably the way to go; this shifts the onus onto the end user and takes lawmakers out of areas where they really shouldn't be treading in the first place.
Effectively a perfect solution would be similar to the Microsoft IE internet controls GUI; a simple slider from "Completely Open" to "Paranoid, almost unusable" plus an advanced section that users with a brain can use for fine-grained control, and every other luser can look at, go "Duh whazzat?", and resort to the simple slider instead. This would more or less solve the problem for a while, until the advertisers thought up a different tracking wheeze and the cycle would begin again.
This sort of arms race between websites and browsers has occurred before, with font size controls. HTML originally had no way for a website to easily specify an absolute text size; the user defined a useful basic text size themselves and all other fonts were relative to that. Then absolute font sizes were introduced, and shortly afterwards browser controls to override these directives were also introduced...
Yet again we see a bunch of clueless politicians setting out fearlessly to meddle with things they haven't taken the trouble to find out about - let alone understand. Presently we shall see the fruits of their tireless labours: it will become harder to browse the Web, without the slightest compensating benefit. Just as they set out to make sure customers were not cheated by banks or financial advisers, as a result of which we now cannot do the simplest thing without filling out a 12-page form in triplicate and waiting for two weeks - and we are still cheated and misled just as before (but much more slowly).
Essentially, what the politicians are trying to do here is to stop businesspeople from making money out of mugs. For their next act, they will make water run uphill.
If you want to opt-out you have to set a cookie. But, and this is where the evil genius bit comes in, the cookie is to opt-out of the targeted advertising. It doesn't stop them collecting data about your browsing habits.
It's blown any chance of me buying surprise gifts for my partner, though. If I search for gifts on-line she gets adverts for whatever I'm planning to buy for her on her browser even if I've opted out on mine.
Soon to be out of date
With HTML5 local and session storage?
EU makes you safer online
I feel so much safer, now that the EU has allowed me to delete cookies off my own computer.
fuck it: do the job properly
let's just ban cookies altogether and introduce a mandatory death penalty for the arseholes who design web sites that can't work without cookies.
this may be a slightly extreme position. but it will make the world a better place and do wonders to the gene pool. seems like a good trade-off to me.
Here we go again.
Please outline the best method of maintaining state without recourse to cookies.
Please outline the best method of maintaining state without recourse to cookies.
Er, quill pen and parchment ?
Lame satire alert.
Guns and bombs.