Feeds

back to article 90% of visitors declined ICO website's opt-out cookie

As we know, no one is on time in implementing the EU's cookies directive. Well, two countries managed to get their laws in place in time, the other 25 didn't bother. The UK has given everyone a year to comply, a year longer than we're supposed to have. Not fixing your website doesn't seem to be an option, given the £500,000 …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

So....

When will El Reg begin asking me if I want Cookies and milk?

14
0
Bronze badge
Trollface

we've all been softened up for this already

One fine day the Reg will ask if you want a platinum cookie, and most people will jump at the chance since they know what a wondrous thing it is. Most people won't read the fine print, obviously.

0
0
Thumb Down

opt in opt out

Fundamentally they want to go from opt out (find the software that blocks them) to opt in (tickybox). It's no wonder they end up with a massive difference.

http://danariely.com/2008/05/05/3-main-lessons-of-psychology/

(for folk who love the thinky sciences)

0
1
FAIL

ICO complies?

I don't think ICO complies as they use a session cookie, to use the session cookie without permission one needs to say that the cookie is "essential to the site function". They say "This cookie is essential for the online notification form to operate and is set upon your arrival to the ICO site. This cookie is deleted when you close your browser."

I don't think an "Online notification form" is essential.

But hey, since they decided it is for them, perhaps it is for me too, though it's hard to tell as I can't find the "online notification form" that is so essential for the site to function...

1
0

This post has been deleted by its author

Silver badge
FAIL

Re: ICO compiles?

They don't comply because they install a cookie without your permission

It's no use installing a cookie then telling you about it. They have to tell ask beforehand.

The sessin cookie idea is rathy crafty because most people won't realise that all the information gathered is being stored on their server instead of locally, it will still be collected. The minor plus side is that the cookie expires when the session closes, however, even that that won't prevent them from connecting the dots to build up a profile from further sessions.

Big fail on the part of the ICO.

0
1

Session has nothing to do with it

You can install ANY cookie as long as it's for the essential functioning of the site ... the specifications don't say anything about expiry dates. If you wanted to, you could store a session that lasts indefinitely and tie that into data held in the database between visits, as long as it's essential for the functioning of the site of course - so session and user authentication cookies are fine.

However, anything that's used merely for analytical or ad-tracking purposes (indeed anything that's not essential) requires an explicit opt-in.

So the ICO is actually obeying the law - they even set a cookie which tells the site that you've opted out as that's "essential" to ensuring that they don't place any other cookies (a saner alternative, admittedly, would be to set a cookie that says the user has opted IN and therefore, if that cookie isn't set, then treat them as having opted out... but hey).

1
0
Boffin

Building a profile from sessions

If you can do this then you ain't using session cookies.

0
0

LSO may go here if it's allowed

Sorry, had a day off and am a bit wobbly: why not fuck up the LSO's rather than cookies? LSO's are evil nasty bastards that deserve all they get.

So what if I visit something with flash on - I want to leave the site and have no traces, yes I'm an anti-CCTV, privacy-issue twyt et.c. : when I leave a site I do not want anything left on my PC; in fact I really object to the idea/fact that you (sites) can write to my storage with no permissions when I have set some of the stringest policies I can.

Fuck you for trying to track me. I don't care if it gives me a greater user experience or easier shopping - I care about the security of my equipment and data not your fucking bottom lines or deals with advertisers.

11
8
Alert

Pardon?

What have the London Symphony Orchestra done to upset you so much?

12
0
Silver badge
Meh

"not your fucking bottom lines or deals with advertisers"

No bottom lines? Enjoy your boy-scout supported circa-2000 website crap with lousy spelling and a couple of thumbnails. That you can't find coz no search engines.

4
8
Silver badge

@Destroy All Monsters

I find all those advertising supporting flashy sites do a bloody good job of stopping me finding what I'm really looking for. Usually so busy trying to look pretty they either forget to put any meat on or hide it under so much flashing crap it's not findable.

That 'circa 2000' bare web has a lot going for it. Perhaps if folk stopping pissing pounds away on graphics they could afford pennies on real information. And just maybe the more useless ones will just bugger off and stop polluting the web if the cookie ban fscks up their business plan enough ;)

17
0
Silver badge

So?

Possibly. But that's why you have paid portals.

Not advertising paid portals.

I run a teeny website. I mentioned it. Someone else said 'hey look at this' and before I knew it,. hits from all over.

I subscribe to the FT. dozens of links for people who are interested in economies, finance etc. Its worth paying the journalists to assemble the links.

And that's the point. Its worth paying for...if its worth paying for

0
1
Trollface

Title? Title!

"Fuck you for trying to track me. I don't care if it gives me a greater user experience or easier shopping - I care about the security of my equipment and data not your fucking bottom lines or deals with advertisers."

So from this, can we assume all of your machines are permenantly offline, with no additional access to them excepting the keyboard, mouse and monitor? Because that would obviously be the best security, and you seem to be very concious about that. Or maybe you use a machine that's heavily locked down to Fort Knox standards, and you gov-wipe the HDD at least 6 times afterwards prior to restoring the image again?

Or, you know, you could just use the internet like a normal user, and stop being a petulant child who whines about every percieved injustice in case anyone actually listens ;O)

3
8
Happy

But apart from that, Mrs Lincoln...

Why don't you tell us what you really think?

1
0
Facepalm

@itzman

and yet here you are commenting on an ad-funded free website. Oh the irony...

1
0
Silver badge
Alert

The Death of European Websites

Worse than that, only European sites will be affected by this reduction in recorded traffic so advertisers will see sites in other parts of the world as having more traffic and representing better bang for thier buck. It is now no longer economically viable to run an internet company in Europe unless you have a paywall. That'll help our economic recovery. Well done EU!

5
1
FAIL

This policy will sure need a turn-about

This cookie opt in farce is beautifully illustrated on the ICO website. The header is taken up with a message to op out. You click continue to get rid of the box and it tells you that you have to opt-in to continue! Not sure if the website completely works without cookies?

It's another classic: Europe.UK.Gov.IT.Web.fail.

7
0
Silver badge
Thumb Up

"Over 90 per cent of site visitors...

"...declined to accept a Google Analytics cookie"

So just like all of us who block GA using NoScript...

10
4
Facepalm

Why, as a matter of interest?

Don;t you like the idea of the Web site that you're using doing basic analytics to improve their Web site?

3
3

Things like Google analytics are a pain in the arse

So many times I've sat waiting for a page to load and I see my browser saying it's waiting for ssl-google-analytics.l.google.com, s.ytimg.com or ad.be.doubleclick.net. So as far as I'm concerned, they're getting in my way so I'm going to block them.

18
1
Black Helicopters

banned some domains here

Various domains are banned here at Castle Wibble for precisely the same reason. The first time I became aware of google analytics (amongst others) was courtesy of the 'waiting for...' bit.

I have them resolving to an internal web server and the logs show the vast quantity of information passed on via request (with its referrer data) which I am glad is no longer subsumed into the various third-party data mountains.

It wasn't entirely down to being impatient - numerous sites have these things on their checkout pages and I didn't fancy the idea of someone's dodgy coding 'accidentally' handing my card details to some untrusted third party. Untrusted because I chose to trust the website/retailer, not their stats collector.

5
0
Megaphone

Totally Agree

As a small web-shop owner, I've had google-analytics installed since day one, but once the cookie monster law appeared over the horizon I looked into replacing what GA does with my own bit of code. After about 1 hour of fiddling with a bit of javascript and some backend ASP I ended up with almost the same data being collected but as an integrated (not third-party cookies) function in my site. It also ran much faster (at the page load end) than GA as well.

My point being, there are many Analytic systems out there but people continue to use Google's because it's free. Which is a shame, because bit by bit Google are strangling web innovation with their one-size fits all solutions. Most people don't bother looking at alternative ways of doing things because there's almost always a Google product that will do most of it for them...

Welcome to the turn-key Web, leave your ideas at the door.

1
0
Anonymous Coward

I block them with noscript

All the tracking sites etc get blocked automatically.

4
4

Do you block

Omniture?, including the ssl ones?

0
0
Thumb Up

Re: Do you block

Omniture? Blackholed on the firewall and has been for years. This is just a small portion of my blockthetossers script:

${addcmd} 205.216.15.64/27 # Omniture confirmed ARIN

${addcmd} 205.216.7.128/28 # Omniture confirmed ARIN

${addcmd} 207.108.181.0/24 # Omniture confirmed ARIN

${addcmd} 216.143.122.0/23 # Omniture confirmed ARIN

${addcmd} 216.194.125.0/24 # Omniture confirmed ARIN

${addcmd} 216.52.17.0/24 # Omniture confirmed ARIN

${addcmd} 65.119.25.152/29 # Omniture confirmed ARIN

${addcmd} 66.150.208.0/24 # Omniture confirmed ARIN

${addcmd} 66.150.217.0/27 # Omniture confirmed ARIN

${addcmd} 66.151.137.0/24 # Omniture confirmed ARIN

${addcmd} 66.151.146.192/27 # Omniture confirmed ARIN

${addcmd} 66.151.152.0/24 # Omniture confirmed ARIN

${addcmd} 66.151.244.0/24 # Omniture confirmed ARIN

${addcmd} 66.235.128.0/19 # Omniture confirmed ARIN

${addcmd} 67.133.240.0/24 # Omniture confirmed ARIN

${addcmd} 70.42.134.0/24 # Omniture confirmed ARIN

${addcmd} 74.201.95.0/27 # Omniture confirmed ARIN

Anyone else you'd like to ask about? Audience Science? Experian? Because those and many, many others have been blocked for the same length of time. Hardly any performance hit because Radix trees are quite efficient at this sort of thing. I see it's now becoming trendy, which means most people will get it horribly wrong. Ho hum...

1
0

you missed some!!!

see title

0
0
Facepalm

Self selecting sample

I'm going to guess that a large number of the visitors to the ICO website will be people who are concerned about privacy and their personal data.

This figure may not be as high on other websites.

4
0

Slight mistake here...

The article should read "....There's only one site I know of which *PARTIALLY* currently complies with the law: the Information Commissioner's site."

ico,gov.uk does indeed have the clicky ticky box, however if you go to the jobs section on the main page it launches a new tab at ico.jobs.

No clicky ticky in sight there....

Ho hum.

0
1
FAIL

Tracking website use with Google Analytics

... is for the lazy.

According to TFA, they are counting site visits using GA. Why not simply count visits using a script on their own server? Oh, sorry, the expensive content management system we paid for can't do that, and they have no process for chucking a few hundred quid at a Perl-savvy contractor to write one.

9
7

Yeah, make sure they feature match the rest of the list as well

http://www.google.com/analytics/features.html

2
1
FAIL

Huh?

http://www.google.com/analytics/features.html

returns error 404 (not found) for me.

0
0
Unhappy

Well, yes obviously..

.. but the ICO FOI data implies that GA was the *only* way they have of actually measuring site views and unique site visitors.

Since the ICO doesn't have advertising on its pages, it must only be using GA for tracking usage within the site. That kind of tracking should either be implemented locally, or built in to the ASP.NET application that runs it. In fact, the law (and the clumsy ICO site implementation) illustrates the problem. Site owners have used services like Google Analytics as a simple usage tracking system, whilst compromising the privacy of site visitors by adding to GA's record of their browsing habits.

1
0

Piwik

http://piwik.org/

GA clone running in PHP/MySQL that you install on your own hardware.

1
0

.com & .co.uk hosted in US?

Ok so someone answer me this.

I have a .com hosted in the US, do I need to change?

I have a .co.uk hosted in the US, do I need to change?

what about .net?

Is it based on who the domain is registered to?

I haven't been able to find a straight answer, I know it's government and laws so there probably isn't one but does anyone know?

1
0
Unhappy

Yes, you do.

It doesn't matter where the domain is registered, or where the site is hosted. If the business operates in the EU, it's subject to this law. Or at least, that's what the sainted Neelie Kroes says, and she ought to know. So to evade the law, you need to move your business registration and company seat out of the EU.

Looks like good news for the Isle of Man, Channel Islands etc.

0
0
Silver badge
Thumb Up

Indeed

Lets face it, if you could watch TV without adverts, and surf the net without hugely slow bandwidth wasting flash adverts why wouldn't you?

And as you so rightly point out, who will pay then?

My guess is that we will be pay per click some day. minuscule amounts. But we will pay.

And be free of advertising forever.

I personally cannot wait. If I want to research a product, fair enough.

1
0
Bronze badge

I can understand outsourcing your ad links

But surely a web server who wants geolocation data can just get it from their access logs, which store IP addresses. Shouldn't be too hard to collate those data with referring page information on the advertiser's site, or simply capture the click on the server and use a redirect to actual advertiser. Or is disintermediating Google just too costly/troublesome for most?

1
0
Unhappy

I really don't know what to say on this Law

So now I may end up in the situation of having less information which helps me manage our website.

We have no adds and flash!

But the thought of having to have a popup at the front of the site, makes me think “forget third-party analytics!”

Until you realise that stats from your server are generally "polluted" with robot spider visits.

Personally, if only the EU people would get a proper job, then maybe the rest of us can get on with ours!

2
4
WTF?

Ditto...

... I use Google Analytics to figure out which links should be on our Landing pages, the idea being that the most popular always get on the landing page making for a quicker journey to the most popular tasks.

Yup, I know we have server logs and such like but we don't have the money to throw at developers to get something in house that provides the kind of info GA does.

I know upper management are gonna insist on website surveys to replace the lost data which means all the work we've done to improve our site and site confidence with the users will be lost.

I get why the EU is doing it but I would like the UK to be successful in it's discussions of implementing this in a better way via the Browser manufacturers.

0
0
Bronze badge

Don't need no stinkeen cookies

And in other news Tescos new online banking service uses browser fingerprinting tech from arcot without telling you never mind asking for permission.

2
0
Anonymous Coward

Since i have a year, ill wait a year

Since the ICO has given UK webmasters a year to get it sorted then ill take my full 12 months thanks very much. But since the websites i run are of an 'adult' nature i doubt many people are going to go running to the police to report that a google analytics cookie was still on the websites after the 12 months has expired, and besides I opted for the whois privacy service of my registrar so the address the domains are registered to Suite 200, Olympic blvd, Los Angeles, US of A. along with 1556154 other domain names so good luck tracing them to me.

AC for obvious reasons

2
1
Silver badge
FAIL

Okay, I'll bite

"But the way we know [where a visitor is from] is by the cookies".

Mr Worstall has managed plumb new depths after the "standards" fiasco. This statement is entirely untrue, cookies are used for maintaining state and if you really want to know where some is from you can always use the HTML5 Geo extensions to ask their permission.

Is this the end of journalism on El Reg as we know it? Or just a cunning plan by El Reg to show us what we will have to read if we don't opt-in into snooper cookies?

A few answers to other questions in a possibly vain attempt to stop the spread of ignorance:

* LSO's are covered just as much as http cookies;

* If free analytics are really worth that much then why are they given away? Answer because visitors are unwittingly paying the price by providing lots of personal information about their browsing habits; there are alternatives

* Snooping advertisers are selling the information they gather on your customers to your competitors;

* Omniture already conforms to European data protection legislation. Same origin cookies would be preferable with scrubbing (anonymisation of the IP address) as soon as possible

* The legislation will not be the end of the world as we know it

2
1
Anonymous Coward

sure?

Omniture conforms?

So how does the front end of my site tell the Omniture beacon to not fire the t() call or the noscript ... oh *I* have to wrap the beacon in some conditional code do I ???

0
0

Lord who?

It was Lord Leverhulme, not Lord Lever

1
0
Anonymous Coward

accept cookies for session

firefox has for sometime now had the option to 'ask every time' when third party cookies are planted - always click 'for session' + 'use my choice for all cookies from this site' unless it is a site I plan to use again etc.

Just need all the other borwsers to have this feature and then there is no need for this new directive?

2
0
Thumb Up

browsers

Yeah, it looks like they hit the nail from the wrong side.

Requiring browsers to have the above mentioned behavior as default would actually change something for better.

0
0

IIRC

Bizarrely, IIRC, that's why we've got a year's grace - I think someone in UK.gov actually heard about this idea (I'd be beyond bloody amazed if they thought it up themselves) and actually pushed the idea of working with the browser makers to simplify their cookie processes so that, by default, the (spirit of) the law is complied with.

i.e. the user/browser configuration setting determines whether the user wants to accept cookies - their permission is taken as being given (or not) based on those settings and the websites don't have to do anything.

It's an iffy one with Google Analytics mind since their cookies seem to originate from the domain of the site you're visiting - therefore first-party/third-party permission systems don't actually work.

0
0
Happy

Some addons to FF..

Adblock+, Ghostery, BetterPrivacy, GoogleAnalytics Opt-out, NoScript.

Should keep most of the crap out. If you called me mad, you might be right :-)

1
1

Just another Googly.

Googles own opt-out extension is nothing more than a cunning PR job as clearly described by Noscript creator Giorgio Maone over here:-

http://hackademix.net/2010/05/26/google-analytics-opt-out-snake-oil/

The Noscript solution deals with the bullshit elegantly and terminally. Ciao, Giorgio.

0
0

Page:

This topic is closed for new posts.