
New net rules set to make cookies crumble - joelhaus
http://www.bbc.co.uk/news/technology-12668552
======
prodigal_erik
I'm mystified that they're trying to pressure countless advertisers rather
than a handful of browser vendors who could make the problem go away by
changing the defaults from "persist every cookie from anywhere forever".

~~~
jeza
Don't forget flash cookies.

~~~
code_duck
And there's precisely one vendor in charge of the defaults and capabilities of
those.

------
djg38
The ad networks and such will just track you through browser/device
fingerprinting instead of cookies. Except for extremely tightly controlled,
homogeneous systems in corporations, it doesn't take _much_ info beyond your IP
and user agent to uniquely identify a PC. Your history/cache, fonts, plugins,
screen/viewport size, etc. are all discoverable from the browser.

~~~
wladimir
Indeed -- it'd be the browser's job to make this kind of profiling less
effective. Just restricting cookies is not enough.

Does anyone know of a Firefox addon (or for another browser) that
'homogenizes' the info sent to sites?

~~~
JoachimSchipper
TorButton does that (and, of course, allows you to switch Tor on/off).

------
Tichy
"Specifically excluded by the directive are cookies that log what people have
put in online shopping baskets."

I am speechless beyond words about this total lack of imagination. So the only
ebusinesses endorsed by the government are shopping sites?

Thinking about it, this will probably just strengthen Facebook. Facebook will
hide a "consent checkbox" somewhere in their intractable privacy settings.
Then all sites that use Facebook authentication are good to go.

I suppose Facebook might even be able to provide some sort of server side
cookie service. Perhaps it could be a JavaScript from Facebook that reads the
Facebook cookie from Facebook and sends a hash value to the server. The server
can then ask Facebook for the identity. Or something like that.

~~~
code_duck
I heard that some people also use Google, Yahoo, MS Live and other services
besides Facebook.

~~~
Tichy
Not for logging in, though. And in the future more and more sites could turn
to Facebook as their single login solution, because they solve the tracking
consent problem.

~~~
code_duck
Facebook is popular for that, but personally I use Twitter, Google and Yahoo
(via their openid services) for login to several sites, including this one.
Facebook has by no means won the contest to provide a 'single login'. I don't
think anybody is going to.

Facebook is my _last_ choice for signing into a site, as they give the site
access to more data than is needed.

------
ZoFreX
This article isn't clear whether it means all cookies or just cookies that are
tracking users cross-website. I really, really hope it means the latter.

~~~
deadbadger
From para 66 of the Directive (
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF
):

"Exceptions to the obligation to provide information and offer the right to
refuse should be limited to those situations where the technical storage or
access is strictly necessary for the legitimate purpose of enabling the use of
a specific service explicitly requested by the subscriber or user."

I would take this to mean that session cookies, shopping cart cookies and
wotnot are exempted. But I'm a coder, not a lawyer, so pinch of salt 'n all
that.

Edit: in fact reading it more closely, it would appear that this statement
merely places a restriction on exemptions that individual nations implementing
the Directive might carve out. If they make exceptions, they must be limited
to the situations described, but they don't _have_ to exempt all such uses.
Which is a less-than-comforting thought.

~~~
ZoFreX
Paragraph 66 in full:

Third parties may wish to store information on the equipment of a user, or
gain access to information already stored, for a number of purposes, ranging
from the legitimate (such as certain types of cookies) to those involving
unwarranted intrusion into the private sphere (such as spyware or viruses).
It is therefore of paramount importance that users be provided with clear and
comprehensive information when engaging in any activity which could result
in such storage or gaining of access. The methods of providing information
and offering the right to refuse should be as user-friendly as possible.
Exceptions to the obligation to provide information and offer the right to
refuse should be limited to those situations where the technical storage or
access is strictly necessary for the legitimate purpose of enabling the use of
a specific service explicitly requested by the subscriber or user. Where it is
technically possible and effective, in accordance with the relevant provisions
of Directive 95/46/EC, the user’s consent to processing may be expressed by
using the appropriate settings of a browser or other application. The
enforcement of these requirements should be made more effective by way of
enhanced powers granted to the relevant national authorities.

(apologies for linebreaks, PDF copy/paste fail)

This isn't nearly as bad as what the BBC are saying. In fact this seems
perfectly reasonable.

------
rexreed
Does this include use of cookies in analytics services such as Google
Analytics, KISSMetrics, etc?

