

Dear ICO, Sue Us - colinscape
http://nocookielaw.com/

======
gavinlynch
Every time I hear this cookie debate, I feel I must be missing something.

If you don't want to be tracked. TURN. COOKIES. OFF.

There is a reason all web browsers come with per-domain cookie policies. We
don't need a cookie law. We need some common sense. Everyone is looking to
make this someone else's responsibility. Guess what: Your digital security and
privacy is _your_ responsibility. I hate this entire debate because:

1) Cookies serve a very, very valuable purpose in website development. Client-
side storage is used in basically every major website on the internet.

2) This is hardly low-hanging fruit, and we have much, much bigger problems.

3) Who is the arbiter of what "allowed use" cookies are? We're going to have
someone who actually decides, for individual websites, whether cookie use is
proper or not? Is it going to work like a DMCA take-down request? An
individual sends a request to review a website's cookie policies, and that IT
department will have to submit a technical analysis and provide reasons for
their cookie usage when a user feels their rights have been violated?

4) You know where this is going? Every single website that you register on is
just going to give you a EULA-type agreement when you create an account. New
to Facebook? Enter your username, click this checkbox that says "I accept your
terms", and that's it.

Normal users will just roll with basically any terms you present to them.
Making this entirely ineffective except for the small minority of people, like
many here, who are hyper-vigilant about digital privacy.

For the people this is meant to protect, they will likely never even think
about it and opt-in anyway.

5) I completely reject the notion of getting politicians to dictate
requirements to the tech industry in terms of how to handle the web stack. Let
the politicians get back to blaming each other for X failures and make Y
promises to the public, and get out of my internet.

~~~
rickmb
I nearly stopped reading after the second sentence, and I definitely stopped
after your first "argument".

I don't want to be stalked, period. Not turning cookies off should not mean I
immediately relinquish my rights, just like I don't relinquish my right to
privacy by stepping into the street.

Yes, cookies serve a very valuable purpose in website development, and guess
what: _for those purposes the so-called cookie law (which btw covers all forms
of tracking, calling it the "cookie law" is sheer propaganda in itself)
doesn't affect any website in any fucking way_.

This underhanded tactic of spreading deliberate misinformation in order to
justify the massive violation of privacy caused by commercialized stalking
disgusts me.

It's like the mafia bitching about how it's so unfair and stupid that
politicians have made racketeering illegal.

~~~
gavinlynch
Okay, thanks for stating flat out, right away, that you didn't take the time
to understand my points or have an intelligent discussion.

That way, I can disregard your post too. I stopped reading after you told me
you stopped reading my post.

Have a nice day.

------
eckyptang
I think the general attitude here is pretty bad and I'm disgusted with the
replies. I hope the hell they do get sued.

The reason that the law exists is that people have abused the cookie
functionality terribly to track people all over the Internet using every
possible loophole that they can. Now the price is being paid through not very
good legislation.

You wrote functionality that tracks people and now you're whinging when people
are given their privacy back? Forget it - I have no sympathy.

Regarding legitimate use, you click accept and the problem goes away.

With respect to analytics, stop being cheap and lazy and do it from your logs.

~~~
oliveremberton
I'm the founder of Silktide and the guy who wrote that page.

Whilst I appreciate the law exists for a good reason, that doesn't mean the
law is good. In its current form it simply doesn't help user privacy or
website owners. I'm hardly alone in saying as much.

We ourselves wrote no "functionality that tracks people" - our site merely
uses Google Analytics (anonymous measurement of visitors) and social plugins
like Disqus, the Tweet and Like buttons. By the letter of the law those have
to be concealed until a user has manually opted in to display them.

In practice everyone instead started showing slide-down banners which
accomplish nothing for privacy but piss off users.

Anyone who uses analytics properly knows there's no equivalent log-based
solution. Understanding the path users take through a site, how long they view
pages for, whether they buy when they came from one advert versus another -
these are common practice for good reason and they have ABSOLUTELY ZERO
implication for users' privacy, as all this data is anonymous.

The relatively few websites which genuinely might be jeopardising users'
privacy - Facebook, Google, Amazon etc - tend to be large, ubiquitous and
mostly ad networks. The average 10 page company website is not technically
sophisticated enough to subvert a user's privacy nor do they have the visitors
to do so.

My fight is with a stupid law, not with privacy.

~~~
eckyptang
I agree the law is bad. I actually stated that the legislation is not very
good. However, suing people is probably the best approach bar forcing Firefox,
Chrome and IE to ship Ghostery (then what are you going to do?) I mean you're
obviously annoyed, aware and scared of the consequences.

However, the fact that you plug oodles of stuff into your web site that
intentionally tracks people and hide under the banner of "we merely use" is
the sort of attitude we don't want and the sort that should get you sued.

Ignorance and laziness is not an excuse.

I don't want to be tracked by Google Analytics and for my usage to be profiled
and tracked across different sites (this almost certainly does happen as GA is
capable of reading enough info from the browser to identify a user or at least
build a persistent profile). Google do not have to operate under EU privacy
laws as they aren't EU based.

Disqus, Twitter, Facebook all track users through these buttons just by them
simply being there. None of these have to operate under EU privacy laws as
they aren't EU based.

Your buttons and analytics MUST be disabled until someone agrees because you
operate under EU privacy laws. That's your problem.

Either put the banner up or get rid of all the junk that you've plugged into
your web site.

Regarding analytics, it sounds like analytics has grown to encompass too much
of your business model. Have you thought that perhaps you are possibly not
entitled to the information that you gather?

As for advertising - if your revenue is derived from that, good luck. You're
going to die miserably. Find a better model. Build something you can sell
rather than something you can scatter with crap to pay your bills.

Sorry, I don't buy your argument. It seems naive and arrogant.

Users first, or to hell with the WWW.

~~~
sageikosa
Suing websites is going to force browser makers to do something? Perhaps that
chain of reasoning can be expanded upon...

Fighting urge to flame the revolutionary baiting in this post, such as use of
_we don't want_ in paragraph 2, and _possibly not entitled_ in paragraph 8. I
usually don't like deconstructing posts, but the tone rubbed me the wrong way
for an intellectual discussion.

All that laws designed to limit technology do is limit technology.

~~~
eckyptang
I think I covered that here:

<http://news.ycombinator.com/item?id=4479140>

~~~
sageikosa
So...the lawsuits will drive a demand (from site owners, presumably) for
legislation to force browser makers to do something...?

~~~
eckyptang
Not really. It's more that browser vendors are worried that it'll shoot their
market share so they won't turn this on by default. If users get used to it,
that is likely to be less of an issue.

~~~
18pfsmt
You know, I'm the type of person that operates as you would like most people
to (i.e. NoScript, Adblock, RequestPolicy, BetterPrivacy, etc.), and by
reading your comments you've made me realize how I've been kind of a jerk for
installing these things on friends' machines. They get annoyed and call me
asking what I did to their machines (and how to "fix" it).

Obviously, I should've explained the use of and showed them how to use these
add-ons, but such things are difficult to do in a casual/ social context. Many
of the concepts are foreign, and there is a whole set of jargon that requires
explanation in the first place. These are non-technical, yet educated, people
in their 30s for whom most of this seems academic. So, I've just installed,
and hoped they'd figure it out. I wish it were easy, but it's not; now, I'm
certain I will no longer do this because I don't want them to "get used to it"
for any reason other than that is what they choose to do.

~~~
eckyptang
That's a great approach and I admire your honesty. I think users should always
have a choice. At the moment, there is a big assumption made which is the
problem.

------
TomGullen
Popups/dropdowns etc semi-forced upon UK websites are extremely anti-
competitive in my opinion.

- Visitors who the law is trying to protect (less savvy web users) could
easily be scared by cookie messages

- It's another barrier to actually accessing content on the site

- It's time consuming and difficult to implement sometimes. For example, if
your site requires cookies to function, what should it do if a visitor
declines permission?

These new laws seem to be addressing people's irrational fears, and not the
actual problem. I'd like to see them go down the pan. I hope next year when
they start enforcing it they don't make examples of companies with cherry
picked large fines.

~~~
stordoff
> For example, if your site requires cookies to function, what should it do if
> a visitor declines permission?

If I'm reading the guidance[1] correctly (and I've only skimmed it), you don't
need permission for essential cookies. Most sites just display a message along
the lines of "We're using cookies; your continued use of this site gives
consent" etc.

[1] <http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx>

------
5h
Utter props to silktide for pushing this, I feel like half my posts on HN have
been about this retarded legislation. Those who misuse cookies will soon use
even more insidious means, those who don't are being forced into implementing
stupid confusing boilerplate, utterly ridiculous!

~~~
oliveremberton
Thanks! (I'm the founder of Silktide and author of that rant).

We had some constructive suggestions on what could be done instead, although
these are definitely up for debate. The gist would be using a rel element like
so:

<a href='privacy.html' rel='privacypolicy'>Privacy</a>

and then using that as a means of consistently linking to a privacy policy. As
a result, policies would have consistent language for users ('look for the
"Privacy" link') but could also be detected automatically by browsers or
testing tools.

That way you could actually test your site is properly linking to a policy,
and users could have browser preferences like "disable cookies until I've seen
a policy" or whatever.

It's just an idea but we've implemented it on our sites and will be interested
to see what others think:

<http://blog.silktide.com/2012/09/fixing-a-broken-cookie-law/>
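
Added illustration (not part of the comment above and not Silktide's code): one way a testing tool could detect the proposed `rel='privacypolicy'` link and confirm a page points at a usable policy URL. The function name `check_privacy_link`, the status strings and the `example.test` sample pages are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REL_TOKEN = "privacypolicy"  # the rel value proposed in the comment above


class _PolicyLinkFinder(HTMLParser):
    """Collects href values of <a>/<link> elements carrying the rel token."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        # rel is a space-separated token list; compare case-insensitively
        tokens = (attr.get("rel") or "").lower().split()
        if REL_TOKEN in tokens:
            self.hrefs.append((attr.get("href") or "").strip())


def check_privacy_link(html, page_url):
    """Return (status, urls) for one page.

    status is one of (hypothetical labels for this example):
    "ok", "missing", "empty-href", "unsafe-scheme", "ambiguous".
    """
    finder = _PolicyLinkFinder()
    finder.feed(html)
    finder.close()
    if not finder.hrefs:
        return "missing", []
    if any(h == "" for h in finder.hrefs):
        return "empty-href", []
    # Resolve relative links against the page and de-duplicate
    urls = sorted({urljoin(page_url, h) for h in finder.hrefs})
    if any(urlsplit(u).scheme not in ("http", "https") for u in urls):
        return "unsafe-scheme", urls
    if len(urls) > 1:
        return "ambiguous", urls
    return "ok", urls


# Constructed sample pages (not taken from any real site)
PAGE = "https://example.test/shop/item"
SAMPLE_OK = "<footer><a href='privacy.html' rel='privacypolicy'>Privacy</a></footer>"
SAMPLE_MIXED = '<a HREF="/legal/privacy" REL="nofollow PrivacyPolicy">Privacy</a>'
SAMPLE_NONE = '<a href="privacy.html">Privacy</a>'
SAMPLE_JS = '<a href="javascript:void(0)" rel="privacypolicy">Privacy</a>'
SAMPLE_TWO = SAMPLE_OK + SAMPLE_MIXED

if __name__ == "__main__":
    for name in ("SAMPLE_OK", "SAMPLE_MIXED", "SAMPLE_NONE", "SAMPLE_JS", "SAMPLE_TWO"):
        print(name, check_privacy_link(globals()[name], PAGE))
```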

~~~
loceng
Plus could then have a link to the privacy policy page added in the actual
browser, rather than intruding on the user experience.

------
jamiecurle
I'd like to see this legislation deleted and chalked up to a learning
experience for government.

In principle yes, I do want websites to be open about their cookie use, but
leaving the implementation down to the website owners has spawned many
different ways of dealing with the issue. This makes it less clear and likely
more confusing for the end user.

Let's try a solution at the user & browser level.

~~~
Isofarro
"Let's try a solution at the user & browser level."

That's not enough. Only the website really knows what the cookies are actually
being used for. That information needs to be surfaced in a manner where
customer preferences can be tailored.

Trying to keep track of which cookie domains are used for cross-site tracking
(which is what a user/browser level mechanism will max out to) becomes a big
game of whack-a-mole. Cheap domains, endless supply of subdomains; IP address
filtering can help, but there's a fair bit of collateral damage.

We have P3P, but it's too much of an all-or-nothing thing. It's quite arduous
for a website to implement correctly, and too easy to be unforthcoming with
accurate information. But, we need to be able to understand the purpose of
every cookie (and similar client-side storage mechanisms), and they need to be
done in a way that tracking-related storage can be disabled without disrupting
the storage related to the primary purpose of the site (from the customer's
point of view).

But the root cause of all this is that there are website owners who do not
accept that their customers or visitors have a right to privacy. That
perception needs to change for a viable solution to exist. It's a social
issue, solving it in a technical manner runs into a similar set of issues that
a legislative approach is currently doing.

~~~
jamiecurle
You're right, it is a whack-a-mole situation, which is why I'd move more
towards a browser and user level solution. The OP made a fine suggestion that
bridges responsibility between user, website owner and browser

> The gist would be using a rel element like so: <a href='privacy.html'
> rel='privacypolicy'>Privacy</a> and then using that as a means of
> consistently linking to a privacy policy. As a result, policies would have
> consistent language for users ('look for the "Privacy" link') but could also
> be detected automatically by browsers or testing tools. That way you could
> actually test your site is properly linking to a policy, and users could
> have browser preferences like "disable cookies until I've seen a policy" or
> whatever.

[edited for clarity]

------
grabeh
I think the ICO has acknowledged the issues with the law and as a result is
taking a gentle approach to enforcing the law (which the OP's crusade seems at
odds with...).

I think it's a good idea to attempt to increase user awareness of how
information about a person's visit to a site will be used. As the guidance
acknowledges, the type of most interest are third party advertising cookies
and if the law helps to increase awareness of such usage, then it will have
succeeded.

In terms of geographical location, my understanding is that the location of
the provider is irrelevant as if they are providing a service in the EU, they
should be complying with the law.

------
bbguitar
Having spent a good chunk of time implementing cookie permission popups across
our sites, Google Analytics showed a drop down to 10% of the normal traffic.
(The traffic is a bit higher according to the logs, but not normal. Also as
someone else pointed out the funnelling and reporting is harder to decipher)

Putting in an implied statement and removing the pop-up and we're back to the
regular levels.

Sorry but this law is flawed and I'm glad it's getting a bit of airing again.
Come on ICO and the EU peeps who created this directive please rethink this
with some expert advice.

------
asg
Good to see them taking a stance. It is a great shame that this law does
absolutely nothing to improve privacy.

I typically do my casual browsing in incognito mode, which means that I'm
constantly bombarded with these cookie warnings. So this law has significantly
reduced the quality of my experience, for no benefit at all.

The people who want to track me still continue to do so.

------
r4vik
interim solution, add this to your adblock plus rules:
<https://github.com/r4vi/block-the-eu-cookie-shit-list> and send me patches
when you find a site with a cookie warning

~~~
mike-cardwell
Nice! Up until now I've been writing small GreaseMonkey plugins to handle
this. Added your list. Expect the occasional pull request. :)

[edit] First pull request sent.

~~~
r4vik
first pull request merged. look forward to many more :)

------
MattBearman
Can anyone who is more law savvy than I answer this question for me: Does a
European company have to put the cookie message on their site if the site is
hosted in the US?

~~~
MattBearman
Found a (sort of) answer in their cookie_guidance_v3.pdf

"An organisation based in the UK is likely to be subject to the requirements
of the Regulations even if their website is technically hosted overseas.
Organisations based outside of Europe with websites designed for the European
market, or providing products or services to customers in Europe, should
consider that their users in the UK and Europe will clearly expect information
and choices about cookies to be provided."

Of course, much like the rest of this legislation, the phrase "likely to be
subject to" is vague and ill defined. Sometimes I hate being based in England.

------
jpswade
I remember Silktide from ~2004 when they used to have SiteScore.

<http://web.archive.org/web/20041010040340/http://sitescore.silktide.com/>

Nice to see they're still around.

------
Zirro
In Sweden, just about every non-government site has ignored this law. I don't
think we'll see anyone getting sued over it any time soon here.

------
jvvlimme
If instead of using cookies we would swap to using the browser's storage,
wouldn't we circumvent this entire rubbish law (+ the other advantages it
already provides)?

<http://www.jstorage.info>

~~~
prisonblues
The law states: "a person shall not store or gain access to information
stored, in the terminal equipment of a subscriber or user unless the
requirements of paragraph (2) are met."

Paragraph 2 then sets out how consent needs to be obtained, and the test that
the subscriber needs to have given their consent before information is stored
on their computer.

Cookies, flash cookies, HTML5 databases, etc. are all covered under the
general concept of storing on a subscriber's computer.

The original law is here -
<http://www.legislation.gov.uk/uksi/2003/2426/regulation/6/made>
- and here are the recent amendments -
<http://www.legislation.gov.uk/uksi/2011/1208/made>

~~~
PJones
Isn't this vague enough that a site with an image is infringing?

"Sure, they requested the web site, but they never explicitly said they wanted
the image, and now you've gone and stored it in their cache."

~~~
alter8
How do you read back the tracking information from a cached object, page or
image without replacing it with a fresh new one?

