back to article EU agency calls for clear consent on indelible and zombie cookies

New, more persistent cookies pose an increasing risk to the privacy of consumers online, according to an EU security agency report released on Friday. The advertising industry is pushing the adoption of new, more "persistent and powerful cookies" which profile users, often without users' awareness about what's happening. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Simple Solution

    Ban advertisers from using Cookies and other forms of tracking.

    I'll wake up in a minute....

    1. Jim Morrow
      Megaphone

      death to cookies and all who promote them

      Why stop at advertisers? Ban cookies completely. They are evil.

      Any website that needs cookies to work is just broken and badly designed. The tossers responsible for these abortions should be put to more productive tasks like counting paper clips.

      1. Charles 9

        There are legitimate uses.

        The average e-tailer shopping cart uses cookies, and IINM it's rather difficult to implement practically any other way (because shopping sessions could cross browser sessions)...unless you can offer a better suggestion?

        http://www.straightnorth.com/blog/7-timely-shopping-cart-techniques-meeting-your-e-commerce-goals

        1. Matthew Collier

          @ Charles 9 & AC @ 18/02/11 23:20 GMT

          Steve Gibson at GRC.com wrote his own eCommerce system for the purchasing of Spinrite, and he has managed to do it without cookies (by including an encrypted session key as part of the URL)

          It can be done, but people who write these systems choose not to take the hard path, but the quicker and easier path (which is no surprise, they are trying to make money selling their system, and time is money...)

          Personally, I remember the web before ads, and it was a better place, and I have no problem paying for things I value, but I realise, that is probably a minority view. Also, people often forget, ads are pointless to someone who doesn'/t/won't click on them anyway - why bother displaying something you're never going to click on?

          Matt :)

          1. Anonymous Coward
            FAIL

            The Gibson

            According to Steve Gibson he uses an equivalent of viewstate with an email address as the session identifier.

            This is fine if you want to have to enter an email address with every POST request, fine if you don't mind losing state on subsequent GET requests, fine if you want to treat each tab as a separate app instance, fine if you don't mind breaking the browser's reload function, and fine if you only have one product to sell.

            In other words, it's not fine.

            Steve Gibson is fond of doing things that "no-one else has thought of". We have thought of it. A little bit harder than Steve has is all.

            Additional:

            (i) it seems I can have more than one basket per session;

            (ii) if I don't enter my email address, it is still maintaining state;

            (iii) he might not be using them to preserve basket state, but his site sets TEN cookies;

            (iv) he appears to actually be maintaining state via the URL.

      2. Anonymous Coward
        Anonymous Coward

        So, you kill cookies...

        What do you intend to replace them with to allow web based apps to work, exactly?

        Cookies only exist in the first place because there's no method in HTTP to allow a user session to persist between requests. Any website that has user sessions pretty much requires cookies, unless you do it entirely via the URL, which is far from clever.

      3. Anonymous Coward
        Anonymous Coward

        Security is bad design?

        Yeah. Let's carry state in the URL. Can you say session fixation?

        Are you one of the commentards who think that any old monkey can code for the web?

      4. Wibble
        Boffin

        @Jim 'troll' Morrow

        Cookies aren't evil; they're a necessary workaround to the limitations of HTTP. It's possible to code around using cookies in some circumstances, e.g. RESTful URLs, but this doesn't always work and can be a significant security risk.

        There's two types of cookies: session and persistant. Session cookies only last as long as the browsers left open and are generally vital for any application that stores state, e.g. Logon. Session cookies are really important for most modern applications.

        Persistant cookies are the ones that get misused buy the advertising community. These hang around for ages - years- and allow advertisers to re-connect your browsing history on the site.

        Browser manufacturers should have a setting that limits the maximum age of a persistent cookie to, say, 7 days.

  2. Anonymous Coward
    Anonymous Coward

    I think we can all agree

    That if the advertisers want to do something we should be sceptical of it, if not downright wary and seek to limit or even oppose (nonviolently) it.

  3. WonkoTheSane
    Thumb Down

    Negative reinforcement

    I inform any advertisers who cold call me that they just dropped off the bottom of my preferred supplier list.

    The same will happen to any firm I find using this type of cookie.

  4. A Non e-mouse Silver badge
    Grenade

    But we need advertisers

    Let me say this first: I'm not in favour of advertisers doing all sorts of "clever" stuff to track me across multiple websites without my consent.

    HOWEVER, we all have a choice: We either pay for stuff on the 'net, or we have to have adverts on sites.

    El Reg is free 'cause it's paid for by advertisers. If we don't have adverts here, then El Reg won't exist. Remember all the uproar when the Times went behind a pay-wall ? It's either that or adverts.

    We need to achieve a middle ground that is acceptable to advertisers, end users and web-site operators.

    1. TerryAcky
      Unhappy

      Nah...

      "We either pay for stuff on the 'net, or we have to have adverts on sites."

      Utterly incorrect IMHO. What you appear to pre-suppose is that, as consumers, we must all accept that the only successful business model is an ad-supported business model. This is a flawed logic. Granted, it is most certainly the most successful and others are well, lacking. However that does not mean that revenues cannot be generated in other manners.

      Dare I suggest that we do not "need to achieve a middle ground that is acceptable to advertisers, end users and web-site operators", but rather that business finds other more innovative revenue generating streams. Yes, if we want everything to be free, then ads are likely an essential part of the landscape. However, as freetards, should we have the right to expect everything to be free?

      As for other commentors who appear to be suggesting that cookies are essential, they are not. There are, and always have been, other ways of maintaining state. OK, they are more expensive in terms of development costs, network bandwidth and storage - however the option(s) have always been there and will always remain. Cookies are a cheap way of maintaining state (amongst other things), but to any developer who suggests they are essential (for example, in shopping carts, as some seem to suggest), I would suggest that you need to read a little more about basic methods of state management and basic development in general.

      1. Anonymous Coward
        Anonymous Coward

        I would suggest that you ...

        ... clue us all in.

        Reliably maintaining state without putting a token in the request somewhere ... how's it done? Never mind the "go read up on it". If you know, I'm sure you can outline it for us in five lines or so. Then we can go away and start building better apps.

        1. TerryAcky

          Dude, really...

          I would have though that someone bearing the same moniker as the Elizabethan Enochian magician Dr John Dee would be able to work a little magick ;o)

          Session variables and cookies can be dispensed with if necessary. It ain't difficult. Try using Google/Bing or whatever and you will find your answers.

          1. Charles 9

            YOU threw the lure...

            ...so YOU reel it in.

            You made the case it can be done reliably without cookies (and by extension without other techs such as JavaScript which may not be available/enabled on the client end). So spell some of them out. Oh, and putting the session into the URL? Isn't that ripe for hijacking and MitM-ing?

            1. TerryAcky

              Eek!

              Fact: I beileve I made no mention of Javascript, security or reliabiliy.

              Fact: I further believe I stated that other alternatives are available. They are.

              Fact: Such alternatives are available for use in household sites and software products from both the closed source and open source ecosystems. Whether I would use them is entirely a different debate.

              Fact: Session variables and cookies can be dispensed with if necessary.

              Avoiding a few specifics, there is little difference between cookieless and cookie if your system or connection has been compromised.

              Furthermore, I assume that you failed to read my posts... Nowhere did I use the words reliable or reliably. I therefore only made the case that it can be done. What I did not do however was state that it can be done reliably, as you claim. I can only assume that inference was drawn by you for the progression of your argument.

              As a final parting comment, cookies are in themselves, not a secure mechamism. They never have been, they likely never will be.

              1. Anonymous Coward
                Anonymous Coward

                No pithy title, all sarcasmed out.

                "Fact: I beileve [sic] I made no mention of [...]"

                That's a fairly stupid construction, no?

                "I made no mention of [...] security or reliabiliy."

                So ... you're offering an insecure and unreliable web app. What's your day job again?

          2. Anonymous Coward
            Thumb Down

            What I'm looking for ...

            ... is for you to suggest your "better" alternative so I can put holes through it.

            I'm aware of a bunch of methods and their various pros and cons. So. Stop playing all coy. Show us your bits.

            As for doing away with sessions ... there's this thing called usability.

  5. Stratman

    title

    If I remember correctly, some 'hackers' have been done under a law which prohibits 'altering the contents of a computer without authority' or somesuch.

    If I've deliberately deleted a cookie, it's a pretty fair assumption that I don't want it. Resurrecting it would be covered by the above law, would it not?

  6. Hooch181
    WTF?

    When I first saw this...

    "EU agency calls for clear consent on indelible and zombie cookies"

    I saw...

    "EU agency calls for clear consent on inedible and zombie cookies"

  7. Anonymous Coward
    Anonymous Coward

    Is it just me

    that keeps reading the title as inedible cookies?

  8. JaitcH
    WTF?

    Browser cookies only a small problem, how about ...

    turning their attention to the heavy back data flow that all mobile OS collect without permission from users AND AT THEIR EXPENSE.

    No one, other than the cellco. should get positional data without the explicit consent of a user whose consent must be informed and need specific selection of options.

    Why does Jobs need to know where all his flock are 24 hours a day?

    1. Charles 9

      Demographics.

      It's how they pay for the back-end stuff (since they get no extra from the OS, and app store have their own expenses). Oh, and you gave the explicit blanket consent when you ran the OS for the first time (I know that's true for Android, and I know Apple knows its legalese). Otherwise, it wouldn't let you through to the home screen.

This topic is closed for new posts.

Other stories you might like