UK.gov 'falls short' of legal obligation to enforce EC cookies Directive

On the eve of a new European Union directive on web cookies coming into force tomorrow, the UK government has issued only a "partial notification" to Brussels' officials on how it will implement the changes into UK law, The Register has learned. The Commission's spokesman Jonathan Todd confirmed to us this morning that it was …

COMMENTS

This topic is closed for new posts.

Open infringement procedures...

"We will closely monitor all Member States' implementation and will open infringement procedures against any Member State that fails to notify implementing measures by the 25th May deadline,"

Am I the only one who would like to think that that meant holding politicians to account in the legal sense rather than just issuing a telling off or issuing a fine? That is to say, MPs facing criminal proceedings... I know it won't happen, I'm just enjoying the mental picture. Now that's an accountable government!

1
0
Grenade

crap

So fine upstanding websites like www.theregister.co.uk will spend time and money complying with this crap, while the real skankers, for example www.theregster.co.uk, will carry on dropping an armful of tracking cookies.

Why is Vaizey such an idiot?

2
0
Silver badge

And I still don't understand

The ''news release'' of today claims that it is ''clear'' -- but not for me. I wrote to the ICO 2 weeks ago, they have not bothered to answer, so today I have asked them again -- I am not holding my breath while waiting for a reply.

What is worrying is that the ICO comments on their own web site now suggest that session cookies are covered by the new rules:

http://www.ico.gov.uk/news/current_topics/website_changes_pecr.aspx

Previously I understood that they were not as they were ''essential to the site operation''.

How on earth can we be expected to follow vague rules? Those responsible for setting them seem to be clueless; they have the ability to generate vast amounts of meaningless waffle while carefully avoiding any specifics. Are they waiting for the courts to provide the interpretation and then tell us that that is what they meant all along -- wallies :-(

4
2
WTF?

I know what you mean...

I'd always read their previous guidelines as meaning that session cookies would be covered, which as an ASP.NET developer worried me because cookieless sessions make for very ugly URLs.

However, I notice that their banner warning/consent form states "one of the cookies [...] has already been set", and their privacy page now lists out the session cookie explicitly:

http://www.ico.gov.uk/Global/privacy_statement.aspx

0
0
Joke

Amusingly

when you click 'continue' without checking consent the ico site says

"You must tick the 'I accept cookies from this site' box to accept."

wasn't that the purpose of the directive, to allow people to refuse to accept? :-D

1
0
FAIL

ICO still not complying

ICO still set a session cookie without permission, which I thought was against their rules. http://www.ico.gov.uk/

3
0
WTF?

Apparently it's ok...

Because their consent banner states they have already set it.

0
0
Bronze badge
FAIL

So

A website can comply with the cookie law by relying on browser settings?

But you can't regulate browsers to make sure they offer the necessary functionality.

So how is this going to work? Maybe websites will refuse to work with non-defined browsers. Remember those bad old days: "You need {browser} to view this website".

Maybe the EU will introduce some law requiring browser standardisation - that should be fun to watch.

0
0
Unhappy

What do you mean, remember....?

....those bad old days never left. Now, on top, you've also got sites which display no content at all, until you allow half the planet to run Javascript on your machine...

2
0
Coffee/keyboard

In a word...

Well, a URL actually

http://ukip.org

2
3
Silver badge

Yeah ...

... because we'd be so much better off without any control over our corrupt and self-serving politicians.

[End sarcasm]

0
0

True but...

Little crooks have bigger crooks to bite 'em...

And so on up... until the Council of Ministers.

Though, at least our own Arthur Daleys are accountable, whereas the Al Capones of Brussels are not.

0
0

It's very simple...

Only use non-persistent cookies to facilitate the service provided.

Don't use persistent cookies or any other form of data retained between sessions.

Don't send data to third parties like Omniture, do your own in-house statistics, it's not difficult.

Won't comply? Well, next year I will be after all those who don't comply; in the meantime I will carry on blocking all extraneous connections to Omniture etc (both the http/https streams).

For anybody who thinks this isn't a problem, try Wireshark, also do an SSL MITM test, you will be amazed!!!

4
3
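The session/persistent and first/third-party distinctions drawn in the comment above can be checked mechanically from captured `Set-Cookie` headers. This is an added example, not part of any comment in the thread; the site name, hosts, cookie values and capture time are constructed, and the suffix match for "first party" is a simplifying assumption.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SITE = "shop.example"  # hypothetical first-party site
CAPTURED_AT = datetime(2011, 5, 25, tzinfo=timezone.utc)  # constructed capture time
# Constructed capture: (host that sent the response, raw Set-Cookie value)
CAPTURED = [
    ("shop.example", "ASP.NET_SessionId=abc123; Path=/; HttpOnly"),
    ("shop.example", "prefs=lang-en; Max-Age=31536000; Path=/"),
    ("metrics.tracker.example", "vid=42f0; Expires=Wed, 25 May 2016 00:00:00 GMT"),
    ("www.shop.example", "basket=; Max-Age=0; Path=/"),
]

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    first, *rest = [p.strip() for p in value.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return first.partition("=")[0].strip(), attrs

def lifetime(attrs, now):
    """Max-Age wins over Expires (RFC 6265); neither means a session cookie."""
    max_age = attrs.get("max-age", "")
    if re.fullmatch(r"-?\d+", max_age):
        return "persistent" if int(max_age) > 0 else "deleted"
    try:
        expires = parsedate_to_datetime(attrs["expires"])
    except (KeyError, TypeError, ValueError):
        return "session"  # absent or unparseable Expires is ignored
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return "persistent" if expires > now else "deleted"

def audit(captured, site=SITE, now=CAPTURED_AT):
    """Return (host, cookie name, lifetime, party, needs_review) per header."""
    rows = []
    for host, value in captured:
        name, attrs = parse_set_cookie(value)
        life = lifetime(attrs, now)
        h = host.lower().rstrip(".")
        party = "first" if h == site or h.endswith("." + site) else "third"
        # Commenter's rule of thumb: persistent or third-party cookies need review.
        rows.append((host, name, life, party, life == "persistent" or party == "third"))
    return rows

if __name__ == "__main__":
    for row in audit(CAPTURED):
        print(row)
```
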
Anonymous Coward

hang on

Yes, that's very noble of you, but,

But a business has to generate stats around the usage of its website, for many developing in hours would require as much overhead as putting the site together in the first place.

Spending money for an off the shelf product complete with SLAs and NDAs is very viable

If we can't report stats to those upstairs, they'd very likely come to the idea that no one was looking at our site, and the stats that upstairs want are exceptionally complex, including media streams, time on site, and most importantly new against repeat visitors.

what's wrong with that?

1
3

easy...

Stop contracting out to a 3rd party to track your stats and instead develop some web server log analytics - that will contain ALL the data that Omniture gathers, and it will NOT be sent to a 3rd party but will remain on YOUR servers!

Personally, I've been using Ghostery FF add-in for some time now which blocks tracking cookies but allows useful cookies through. I don't want Google, Omniture etc etc spying on my browsing habits by wasting my hard disk space and bandwidth. If you want to spy on me, use your own web logs and analytics software!

4
1

Well..

Bold Man answered the question as I would have done.

It's the third party issue that bothers me, coupled with the "won't tell you what we send because it's commercially secret" attitude, followed by the condescending "we are fully in compliance with the DP legislation".

Now, when it's on the http side of the fence, I can live with that, I can see it, but when it's on the https side, where I cannot, while I am carrying out secure personal financial or other transactions, no way.

Why do they need to send this data to a third party, outside the EU?

Omniture obfuscate the IP address allegedly, but it is still possible to make an educated assessment of the client id by other means.

What amazes me is why the beardy sandaled security gurus have not raised this, they have been informed.

2
0

Thanks for your response

couldn't have put it better.

However cookie tracking is only part of the problem, other scripts on the page will not get trapped.

I use a combination of adblock and iptables to stop the more sensitive third party traffic leaving my lan.

Paranoid, well yes as I do not trust the financial/commercial organisations to safeguard my data.

1
0
Thumb Up

EU Can't Comply with its own directive

Not to worry.

The European Parliament have done nothing at all on their own site.

www.europarl.europa.eu

Cookies galore.

1
0