Europe's war on cookies - Jaderberg
http://www.wired.co.uk/news/archive/2011-05/11/cookies-regulations?page=all

======
darklajid
> Traditionally, the US and the UK have taken a more relaxed approach to
> privacy. But the legislative and interventionist tendencies of Europe -- and
> of France and Germany in particular

Now, this is the first time in a decade that I couldn't avoid a smug face and
tiny bit of affection for my home country.

Seriously: As others pointed out here, this is a targeted law against privacy
breaches. If your company builds its business model on user tracking you'd
better ask them to opt in.

I seriously cannot even understand the negative sentiment.

~~~
relix
What's wrong with advertising geared towards your interests? Or do you enjoy
watching ads on penis enlargements, gambling, whitening teeth and How To Get
Rich While Sleeping?

~~~
barrkel
It implies that someone has built a profile describing your interests from
your behaviour. Many people find that creepy, and not worth targeted
advertising. It's reminiscent of secret police behaviour with their networks
of informants, and is not a distant memory in much of Europe.

~~~
relix
It's not much different than any other recommendation system though. It's also
funny how these ads exist because they work - i.e. the user actually does find
them interesting, clicks on them, and discovers a product they pay money for
because it brings them value.

~~~
nupark2
If you're certain I'll agree to being tracked so as to receive a better
advertising experience, simply ask first.

------
chalst
The UK Information Commissioner's report on the coming legislation:

[http://www.ico.gov.uk/~/media/documents/library/Privacy_and_...](http://www.ico.gov.uk/~/media/documents/library/Privacy_and_electronic/Practical_application/advice_on_the_new_cookies_regulations.pdf)

There is no requirement to ask for permission to issue cookies if the cookies
are "strictly necessary" for the task, such as for logging into a user account
or using a one-click-style purchase. I have the impression that it will
principally affect user-tracking systems like Google Analytics and those used
in targeted advertising.

Something about the law is unclear to me: the ICO's summary of the law seems
only to apply if you store state about the cookie. If you insert Google's
javascript to issue an Analytics cookie, doesn't that make it Google's
problem, since they are storing the data about the cookie? Which would be kind
of harsh, since they have no control of the web page's behaviour. But the ICO
report talks of there being a site owner's responsibility if they cause the data
gathering to happen, which suggests that it is the problem of the Analytics
javascript embedder.

~~~
Jaderberg
That's a good find. However "strictly necessary" is pretty vague. Tracking your
own users on your site to optimise it for them would potentially be out of the
question. Though if you sign up you could implicitly allow it with terms and
conditions.

Still doesn't help with anonymous users...

~~~
chalst
I'm still reading the ICO report. It does talk at some length about what kind
of measures are needed to comply with the coming legislation, and emphasises
that the rule is about privacy protection, and that uses of cookies that don't
build up a picture of users aren't what it targets.

The legislation does look bad for startups whose business plan revolves around
accumulating data on users or selling targeted ads, but the ICO report looks
pretty aware of how cookies are used in practice and not at all the "ignorant
intervention" that the article describes.

------
dave1010uk
There are other ways to track users than cookies[1]. With enough browser
information you can identify users fairly uniquely.

[1] <http://panopticlick.eff.org/>

------
JonoW
One thing I don't get is how a site-owner is meant to know what cookies a 3rd
party may send. If I add a Facebook "like" button to my site, does FB send a
cookie? What if they don't now but decide to later. And if FB does decide to
use cookies down the line, how do they ask your opt-in?

You can send cookies with any HTTP reply, so how do you know if that image you
are hot-linking from a 3rd party site doesn't send back a cookie?

There seem to be so many technical vagaries that make this so tricky to
implement properly.
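
One way a site owner can at least see which hosts in a page load answer with Set-Cookie, as an added example that is not part of the thread: the response records below are constructed, and `example-site.test` stands in for the owner's own host.

```python
# Added example (not from the thread): audit which responses in one page load
# set cookies, separating first-party from third-party and session from
# persistent. Input is a list of (request URL, [(header name, value), ...]).
from urllib.parse import urlsplit

# Constructed sample page load: first-party HTML plus hot-linked third-party assets.
SAMPLE_RESPONSES = [
    ("https://example-site.test/", [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    ("https://example-site.test/logo.png", [("Content-Type", "image/png")]),
    ("https://widgets.social.test/like.js",
     [("Set-Cookie", "datr=xyz789; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Path=/")]),
    ("https://img.cdn.test/banner.jpg", [("Content-Type", "image/jpeg"),
                                         ("Set-Cookie", "uid=42; Max-Age=31536000")]),
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookies(site_host, responses):
    """One finding per Set-Cookie header seen; third-party means a host outside site_host."""
    findings = []
    for url, headers in responses:
        host = urlsplit(url).hostname or ""
        first_party = host == site_host or host.endswith("." + site_host)
        for hname, hvalue in headers:
            if hname.lower() != "set-cookie":
                continue
            name, _, attrs = parse_set_cookie(hvalue)
            findings.append({
                "host": host,
                "cookie": name,
                "third_party": not first_party,
                # No Expires/Max-Age means the browser drops it when the session ends.
                "persistent": "expires" in attrs or "max-age" in attrs,
            })
    return findings

def persistent_third_party_hosts(site_host, responses):
    """Hosts that leave a persistent cookie on the visitor's machine via this page."""
    return sorted({f["host"] for f in audit_cookies(site_host, responses)
                   if f["third_party"] and f["persistent"]})

if __name__ == "__main__":
    for f in audit_cookies("example-site.test", SAMPLE_RESPONSES):
        print(f)
```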

~~~
chalst
This seems to be pretty hazy. The ICO report says _we would advise anyone
whose website allows or uses third party cookies to make sure that they are
doing everything they can to get the right information to users and that they
are allowing users to make informed choices about what is stored on their
device._

------
Knacker_Hughes
I see this also covers the use of Flash cookies, but I wonder about the use of
Etags as a tracking mechanism.

If I recall correctly, some of these sites use cookies, Flash cookies and also
unique Etags on an object in the browser cache to try to work around people
blocking cookies from their domains.

~~~
chalst
Any technology that causes client machines to store information for later
access is within the scope of the law.

The exact wording is _a person shall not store or gain access to information
stored, in the terminal equipment of a subscriber or user unless the
requirements ... are met._

~~~
Knacker_Hughes
OK - that's great.

In practical terms though, all they're storing is a key. The actual data is
held elsewhere. In the same way, an entity tag on a cached object is like a
key to identify whether the object has been modified on the server since the
last time it was sent.

How would it be possible to spot that it was being used for tracking a user
rather than just part of the normal functioning of the browser?
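
One detection heuristic for the question above, as an added example that is not part of the thread: a cache-validation ETag is derived from the resource content, so fresh sessions (no cache, no cookies) fetching an unchanged resource should receive the same value, while a tracking ETag differs per session although the body does not. The observations below are constructed.

```python
# Added example (not from the thread): flag resources whose ETag varies across
# fresh client sessions even though the returned body is identical.
import hashlib
from collections import defaultdict

# Constructed observations: (session id, URL, ETag header, response body) from
# several independent sessions started with an empty cache and no cookies.
SAMPLE_OBSERVATIONS = [
    ("s1", "https://cdn.test/app.css", '"5d8c72a5"', b"body{margin:0}"),
    ("s2", "https://cdn.test/app.css", '"5d8c72a5"', b"body{margin:0}"),
    ("s3", "https://cdn.test/app.css", '"5d8c72a5"', b"body{margin:0}"),
    # Content genuinely changed between sessions: different ETag is expected.
    ("s1", "https://cdn.test/news.json", '"v1"', b'{"items":1}'),
    ("s2", "https://cdn.test/news.json", '"v2"', b'{"items":2}'),
    # Same 1x1 image every time, but each session gets its own ETag.
    ("s1", "https://tracker.test/pixel.gif", '"u-0001"', b"GIF89a\x01\x00\x01\x00"),
    ("s2", "https://tracker.test/pixel.gif", '"u-0002"', b"GIF89a\x01\x00\x01\x00"),
    ("s3", "https://tracker.test/pixel.gif", '"u-0003"', b"GIF89a\x01\x00\x01\x00"),
]

def body_digest(body):
    return hashlib.sha256(body).hexdigest()

def etag_report(observations):
    """Per URL: distinct ETags, distinct body digests and number of sessions seen."""
    per_url = defaultdict(lambda: {"etags": set(), "bodies": set(), "sessions": set()})
    for session, url, etag, body in observations:
        entry = per_url[url]
        entry["etags"].add(etag)
        entry["bodies"].add(body_digest(body))
        entry["sessions"].add(session)
    return per_url

def suspicious_etags(observations):
    """URLs whose ETag changes between sessions while the body stays the same.

    A genuinely changed resource has several bodies and several ETags and is not
    flagged; one body with one ETag is normal cache validation.
    """
    return sorted(url for url, e in etag_report(observations).items()
                  if len(e["bodies"]) == 1 and len(e["etags"]) > 1)

def per_session_etags(observations):
    """Stronger signal: one distinct ETag for every session that fetched the URL."""
    return sorted(url for url, e in etag_report(observations).items()
                  if len(e["bodies"]) == 1 and len(e["etags"]) == len(e["sessions"]) > 1)
```

The heuristic needs at least two sessions per URL; a single observation cannot distinguish the two cases.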

~~~
chalst
That's really an enforcement problem, not a legislative problem.

Even so, I think the answer is clear: it depends on whether you store data
that permits you to infer privacy-intruding things about the user. If you
store a cookie that just encodes preferences and you store no persistent data
about the cookie on your side, you should be fine. It's the making a
relationship between client local state and your customer profiles that's key.

------
meow
I don't get it, how do users login to the websites (like gmail) without using
cookies? Does this legislation target only permanent cookies that stay even
after the user has logged out?

~~~
chalst
According to the ICO report on the legislation I linked to, use of cookies
needed to provide the user with a service they have requested is explicitly
permitted. Likewise, if your use of the cookie does not violate privacy (i.e.,
you don't build up a user profile), it is OK.

------
hardik988
Do the regulations say anything about localstorage? I guess one could use
that in place of a cookie..

~~~
mooism2
AIUI it's not specific to http cookies, but applies to anything being used as
a cookie. So flash cookies, html5 local storage etc all count as cookies for
the purposes of this rule.

