Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

"Breathtakingly Stupid" EU Cookie Law Passes

kdawson posted more than 4 years ago | from the uac-plus-plus dept.

Privacy 447

Reader whencanistop writes with some details on an upcoming EU law that slipped under the radar as it was part of the package containing the "three strikes" provision, which attracted all the attention and criticism. "A couple of weeks ago we discussed the EU cookie proposal, which has now been passed into law. While the original story broke on the Out-law blog from a law perspective ('so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point'), there has now been followup from a couple of industry insiders. Aurelie Pols of the Web Analytics Association has blogged on how this will affect websites that want to monitor what people are looking at on their sites, while eConsultancy has blogged on how this will impact the affiliate industry. In all of this the general public is being ignored — the people who, if the law is actually implemented, will have to proceed through ridiculous screens of text every time they access a website. I know most of you guys hate cookies in general, but they are vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."

cancel ×

447 comments

Sorry! There are no comments related to the filter you selected.

1st (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30086768)

First Cookie!

Vital under what conditions? (4, Insightful)

gorfie (700458) | more than 4 years ago | (#30086772)

I've seen examples where third parties require cookies to analyze the usage patterns of users on client sites but I don't require logs to understand usage trends on sites where I have easy access to log files. In fact, I think usability testing would reveal more than analysis of usage data.

Re:Vital under what conditions? (1, Insightful)

orasio (188021) | more than 4 years ago | (#30087034)

I've seen examples where third parties require cookies to analyze the usage patterns of users on client sites but I don't require logs to understand usage trends on sites where I have easy access to log files. In fact, I think usability testing would reveal more than analysis of usage data.

No way.
Usage data is a direct measure, while user tests are a very rough estimate.
Tracking usage is key if you want to have a website that is good for its users.

Re:Vital under what conditions? (0, Flamebait)

whencanistop (1224156) | more than 4 years ago | (#30087036)

I've seen examples where third parties require cookies to analyze the usage patterns of users on client sites but I don't require logs to understand usage trends on sites where I have easy access to log files. In fact, I think usability testing would reveal more than analysis of usage data.

So how are you going to do this usability testing? Are you going to assume that everyone arrives at the home page and then navigates through your site? This is 2009, wake up to the real world. Most sites have 60%+ visits coming from Google in the middle of the site, to do any usability testing they need to know where they arrived to focus that usability. To get this information you need to have cookies. If you don't, you'll end up with a really nice home page, pointing to your good bits of content and you'll ignore most of your user base. This is the attitude that makes Murdoch think he can get away with putting all his content behind pay walls. It'll fail. If all EU content has to follow the new cookies rule, it will fail too and the only option you'll have in an EU country is to access non-EU content.

Re:Vital under what conditions? (4, Insightful)

Anonymous Brave Guy (457657) | more than 4 years ago | (#30087218)

So do you actually have any evidence to back up your doomsaying, or is it just your personal view that you'd like to shove down everyone else's throat?

We don't use cookies on the sites I run, yet I still have a pretty good idea of what our users do, because we have these things called server logs. They include something called a referrer field, which tells you where the visitor came from before they reached their current page, for example. Moreover, for more detailed analysis, it is far more valuable for site improvement to have a little JavaScript that can also identify things like screen resolutions and browser versions, which give us information that is directly useful to checking that our pages will look good on the systems our visitors are actually using. Cookies won't tell you any of that.

We are contemplating using cookies for a new system on one of our sites, because it will allow users to create an account and then filter data shown on various pages according to their personal preferences. All the cookie will do is remember whether the user has logged in, and if so, who they are, for the duration of their visit. And we're only doing that because the site will work fine without an account, so we don't want to throw up HTTP Authentication screens for every visitor. We would have no problem disclosing this fully to any visitor to our site at the time they create an account.

Re:Vital under what conditions? (1)

whencanistop (1224156) | more than 4 years ago | (#30087394)

Not that this is the purpose of cookies - but how do you differentiate between real people and robots/spiders?

More importantly how do you tell, from your server logs, how many of your users who arrived from a certain referring source stayed on the site? Do you know what they did afterwards? Do you know if they then went and performed the function your site is aimed at? Do you know if they came back at a future date to do it? Can you do any of these things without cookies?

And no, you can't do any of these things with IP address+Useragent lookup - it's far too inaccurate.

Knowing where a user came from and what they searched for is a bad way of trying to optimise your site. I can name hundreds of situations where someone was proud that they'd generated a huge volume of visits (or page views if you weren't using cookies) of users that then left straight away because it wasn't what they were looking for.

Usability testing is very useful. Not using to usability testing to try and increase revenue is the death of any business.

Re:Vital under what conditions? (1)

tomhudson (43916) | more than 4 years ago | (#30087306)

You don't need cookies to do usability testing - you can track mouse movements and keypresses in real time with javascript and log them to the server. Most of us would rightfully consider that level of intrusiveness as spyware.

You don't need cookies to make a fully functioning web site.

You don't even need cookies for affiliate marketing (unfortunately - the sooner "affiliate marketing" dies, the better).

Everything cookies do today, you can do without cookies.

Re:Vital under what conditions? (1)

spike2131 (468840) | more than 4 years ago | (#30087326)

This is the attitude that makes Murdoch think he can get away with putting all his content behind pay walls.

This move undermines the whole model free content supported by advertising.... so its a wet-dream for Murdoch and his pay wall.

Re:Vital under what conditions? (1)

Phroggy (441) | more than 4 years ago | (#30087238)

Usability testing doesn't tell you how customers are actually using your site under normal conditions as part of their daily workflow; it tells you how testers hypothetically could use your site under laboratory conditions. You can certainly get useful feedback from usability testing, but to borrow a phrase, people do breathtakingly stupid things in the wild that nobody would have dreamed of during testing.

First Post (-1, Offtopic)

ScytheLegion (1274902) | more than 4 years ago | (#30086774)

I'm going to toss my cookies...

Michael (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30086806)

It may make common folk like me think about the extent that our personal information is collected and used, information that is a valuable commodity in current society and it's bought and sold with very little compensation to the rightful owner - the individual.

Re:Michael (2, Insightful)

whencanistop (1224156) | more than 4 years ago | (#30087162)

Personal data almost always isn't stored on cookies. You give your personal data to a company. They probably don't even link that data up with what you do on the website via cookies. If that company then sells that information on to someone else or uses it for reasons that aren't ethical, that isn't down to cookies. That is down to the company being crap.

Re:Michael (0)

Anonymous Coward | more than 4 years ago | (#30087538)

Personal data almost always isn't stored on cookies. You give your personal data to a company. If that company then sells that information on to someone else...

they would get fined, if they were caught.

[sic] (0, Offtopic)

BigBadBus (653823) | more than 4 years ago | (#30086810)

"they is"??

Re:[sic] (0, Redundant)

archangel9 (1499897) | more than 4 years ago | (#30086848)

what, you think they isn't?

Re:[sic] (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30086888)

"Breathtakingly Stupid" Slashdot Editor's Typo Passes

Re:[sic] (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30086948)

IZ COZ E IZ BLACK INNIT?

Re:[sic] (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30087192)

fuck you

Re:[sic] (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30087084)

Summary was written by the swampling.

I don't see the stupidity here (4, Interesting)

Skapare (16644) | more than 4 years ago | (#30086832)

Maybe it's a bit harsh. But so are the abuses of cookies.

Cookies are used to keep a shopping cart. That out-law.com article spells that out. Cookies are used to track logins on forum sites. There might be an implied consent, there. But to be sure, just ask for consent when users register. Previously registered users would be directed to the consent request page once the next time they try to login. Explain that the consent is for the cookie used keep their login state. Explain that without consent, the login process cannot be completed and the user would be limited to the access level of a non-logged-in user.

Now, what else are cookies used for, that consent should not need to be given for?

Re:I don't see the stupidity here (0)

Anonymous Coward | more than 4 years ago | (#30087008)

Well, Microsoft claims that Hotmail's new requirement that you eat third-party cookies in order to log out is for security http://www.theregister.co.uk/2009/11/12/hotmail_cookies/ [theregister.co.uk] . If Microsoft says so, it must be true, right? They wouldn't lie to us, would they? Guys? Would they?

Re:I don't see the stupidity here (5, Insightful)

alta (1263) | more than 4 years ago | (#30087014)

I know this isn't going to be looked on well here, but here are my pro cookie, pro marketing comments...

1. Someone above complained about companies selling the data that they collect. As though it's the most terrible thing in the world to do. Guess what, every company that collects demographics about customers (grocery stores by example, the only way to not get tracked it to pay by cash. You don't need one of their store cards because they'll match your banking account numbers and STILL build a profile) and then sells them. How many useful websites on the internet are driven by 1. Selling demographics, 2.) Ad revenue. Making cookies opt-in kills both of those things. How much is /. charging you guys? Ask them what'll happen to their ad revenue if cookies are suddenly opt-in. Yeah, they can still technically serve the ads, but they will no longer be as accurate to the viewer, nor will they be tracked as well... meaning less profitable for the ad agency and the publisher.

2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.

So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny %90 of the time, and STILL kill many sites because their revenue has dried up.

I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.

AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.

Kudos for refuting your own argument (2, Interesting)

Anonymous Coward | more than 4 years ago | (#30087170)

Yes, grocery stores can match bank accounts and stuff. Reason why I pay cash and object vehemently to the "trend" where the combined stores are waging a vendetta against cash and are already trying to require use of electronic and therefore trackable means. All in the name of "safety" of course. Bunch of underhanded jackassholes.

Thing is, there exist alternatives for cookies, too. Only, you'll need access to the webserver to get the logs and that makes it much harder for third parties to gather the data. There was this trend, maybe it still exists, where sites required cookie acceptance. So I accept them all and safely store them in /dev/null. No ``user experience degradation'', heck, no discernible difference. Coincidence? I Think Not.

Re:Kudos for refuting your own argument (3, Insightful)

alta (1263) | more than 4 years ago | (#30087258)

BTW, we give discounts to customers using affiliate links. We WANT our affiliates to be profitable, if they aren't, we aren't. So we prefer that a customer goes through an affiliate. No cookie? No discount.

I guess you'd prefer we stored it all in the query string and pass it from page to page? Guess what,that's where we're headed. That, or every link becomes a POST.

Re:Kudos for refuting your own argument (1)

tomhudson (43916) | more than 4 years ago | (#30087384)

I guess you'd prefer we stored it all in the query string and pass it from page to page? Guess what,that's where we're headed. That, or every link becomes a POST.

Either one works without cookies. Or you could just pass along a unique session identifier. You can also do it via ajax - again no cookies required.

As for affiliate marketing - let it die.

Re:I don't see the stupidity here (4, Insightful)

Skapare (16644) | more than 4 years ago | (#30087284)

Lack of cookies does NOT prevent ads. Lack of cookies does not prevent ads from being linked to an alternate site. Lack of cookies does not prevent your userid from being included in the URL that takes you to the other site if you click on the cookie. Lack of cookies does not prevent your userid from being included in the URL that fetches the ad image from the other site. So ads are not really hindered. What is hindered is weak minded developers that only learned one way to do things.

Re:I don't see the stupidity here (2, Informative)

alta (1263) | more than 4 years ago | (#30087372)

I agree, but it will make the ads just a little less valuable.

Yes, I know there are other ways to store the data...
1. Every link becomes a javascript POST.
2. All data moved between pages via querystring.
3. Require a login to use the site so the data can be stored server-side.
4. FLASH COOKIES ;)

Re:I don't see the stupidity here (1)

jaypifer (64463) | more than 4 years ago | (#30087390)

+1

I was about to write the same thing. Tracking will not be as accurate, but there will still be tracking.

Re:I don't see the stupidity here (4, Interesting)

Maxo-Texas (864189) | more than 4 years ago | (#30087292)

You know the funny thing about companies that collect and sell my personal data?

Their prices are higher than companies who do not.

Krogers and Randalls both do this.

HEB & Foodtown don't.

Yet the same product at randalls and krogers *with the affinity card discount* is more expensive than the same product at HEB and foodtown. Sometimes dramatically so (25% or more- example, whipcream $5.29 with discount card vs $3.99 every day without card).

Re:I don't see the stupidity here (2, Interesting)

Skapare (16644) | more than 4 years ago | (#30087366)

2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.

Maybe you can explain why you think cookies is the only way to do this.

So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny %90 of the time, and STILL kill many sites because their revenue has dried up.

Maybe you can explain why the downstream site needs a cookie to accomplish affiliate marketing when other means, such as embedding a code in the URL, are available.

I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.

Why? So you can make up new ways to abuse cookies?

AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.

That can actually be dangerous. The next person to come along might link to the same site, and they figure it must be the same person, and re-use their identifying info that first person voluntarily provided. I don't see how knowing that it is the same computer, but not the same individual, helps in marketing, when marketing is targeted to people. Computers don't (yet) make buying decisions.

Re:I don't see the stupidity here (0)

Anonymous Coward | more than 4 years ago | (#30087460)

AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.

No, affiliate links want to identify the individual, they just dont know how to do it yet. Computers dont click affiliate links, people do.
They want to know what makes one person click a link and another person not.

Re:I don't see the stupidity here (1)

SharpFang (651121) | more than 4 years ago | (#30087020)

Polls.
On sites with thousands of clicks per second.
The cookie is fast and dirty method of determining whether given user has already voted in the poll or not.
To keep the results honest, the site keeps a database of IP numbers and ignores repeated votes of bots that ignore cookies or users who delete them, but for 99.9% of visitors the cookie is a perfectly adequate method and allows zero server-side intervention to distinguish between the content to be displayed (questions/results) and preliminary allowing of the vote.

All cookies are always used with consent. (5, Insightful)

Anonymous Coward | more than 4 years ago | (#30087052)

Now, what else are cookies used for, that consent should not need to be given for?

This is an irrelevant and distracting question, because cookies are always used with consent.

A web server replies, in response to a request initiated by the user, with a header that says, "Here's a little piece of information and I hope you pass this back to me on subsequent requests."

The user's agent -- software chosen by the user to do whatever it is that they're trying to do -- sees this completely advisory information and decides, perhaps even with a confirmation dialog with the user (or not, if the user has decided that they usually want the same behavior every time without getting bothered), to store this information. And then it decides to pass this information with the next request.

The entity the user is communication with, ultimately has no choice about whether or not the user really does this. It's all up to the person who is using the browser. Or, in very old browsers that don't have dialog preferences for cookies, it's all up to the browser's author, to whom the user decided to defer to when they install the software.

Cookies don't do things. Users do things with cookies. Servers reward users for deciding to send the cookie.

If you have chosen to transmit cookies, take responsibility for your decision, instead of crying to the government and demanding that cookies never be offered to you.

Re:All cookies are always used with consent. (0)

Anonymous Coward | more than 4 years ago | (#30087356)

If you aren't aware of something, you didn't consent to it.

Re:All cookies are always used with consent. (1)

Skapare (16644) | more than 4 years ago | (#30087396)

When browsers ask the user for the consent upon receipt of each new cookie, then I will believe you. So, should the law have addressed browser makers, to prohibit them from passing cookies to web sites without the consent of the user? Perhaps so.

Re:I don't see the stupidity here (5, Insightful)

KlaymenDK (713149) | more than 4 years ago | (#30087098)

The stupidity is this:

You can, could, and still will be able to block cookies in your browser, so whatever web site operators are doing with them, it isn't going to affect your privacy or "trackability".

But, it sounds as if this new law requires the web site operators to show you screen after screen of "permissions" to continue. These permission requests are stupid as EULA dialogs, Vista-like "admin authorisation" dialogs, etc, because they (a) don't offer a meaningful change in values (be it trackability or privacy), and (b) annoy the hell out of users. I won't go into how (c) these crap warnings numb users to real warnings, which they will also mindlessly click through.

I can't decide whether this is Brazil [imdb.com] -style bureaucracy galore, or Eastern Standard Tribe [craphound.com] -style anti-productivity warfare.

Re:I don't see the stupidity here (1)

mftb (1522365) | more than 4 years ago | (#30087294)

My site has a little skin selection list in the top corner that makes a cookie containing a single word (the name of the user's chosen skin). It is, however, not made clear that a cookie will be written so there is no implied consent. The cookie is processed entirely in javascript, though, and is never sent back to the server. Clearly, it's not a tracking cookie but it is certainly important to the user experience - without it, whenever the user changes page or refreshes the skin will revert to the default.
Would a little "(writes cookie)" next to the list be good enough?
I dunno, this is super vague, although as TFA points out, it is only a guideline, not yet a law. We shall see how this pans out.

Re:I don't see the stupidity here (1)

tomhudson (43916) | more than 4 years ago | (#30087354)

You don't need cookies for a shopping cart. You don't need cookies to track someone who is logged in. Ajax, or even hidden variables in a POST request, work fine.

Re:I don't see the stupidity here (1)

gregosaurus (1677982) | more than 4 years ago | (#30087388)

It's not a big deal, guys. You know the pages of "Terms and Conditions" that you agree to when you sign up to a new website without reading? It's now going to be one sentence longer.

Re:I don't see the stupidity here (2, Interesting)

Phroggy (441) | more than 4 years ago | (#30087412)

All kinds of things.

Every time you visit my web site, a random quote is displayed. Which quote you get is stored in a session cookie, so every page displays the same quote as long as your browser remains open (this was a better idea when I had fewer quotes in my list; I'll probably change it, but that's irrelevant to this discussion). Another cookie tracks which quotes you've already seen, to ensure that if you come back tomorrow (with a new session), you won't get the same quote you just got yesterday. Once you've cycled through all of the available quotes, of course, it resets.

Because I was extremely bored several years ago, there's some additional logic: if you've been to my site before, and I've added a new quote to the list since then, instead of choosing any quote at random, you'll be given the one that I just added. If you've never been to the site before, it just picks one randomly.

Also, because I was extremely bored even more years ago, my site can be displayed with a variety of themes, most of which are intended to resemble windows on a computer desktop, on a variety of operating systems. The first time you visit the site, a theme is chosen for you based on your platform (as determined by your user_agent string), but you can change it just by selecting another theme from the list. Your preference is saved in a cookie.

I do not track individual users. I have no idea who you are. I don't assign you a unique ID. But I am using cookies.

I RTFA and don't find it to be all that bad at all (3, Interesting)

Anonymous Coward | more than 4 years ago | (#30086834)

I don't see the problem at all.

If you are running an Amazon affiliate program you should have no problem telling your users that by clicking on the link to the product you are recommending that you get a portion of the sale. If you can't admit to that, then you aren't being honest with your users.

Likewise with Google Analytics. What's wrong with telling your users that you want to track how they access your site so you can improve it? Oh, there's the little bit about letting Google build up a profile on you. Well maybe someone will come up with an Analytics system that doesn't have a big brother behind the scenes.

Re:I RTFA and don't find it to be all that bad at (2, Insightful)

oliderid (710055) | more than 4 years ago | (#30086964)

They are also used by most PHP based web sites using the session feature.

What's the point to ask:

sessionID=zaFgGG13sddf.34ciuoy

Do you agree [Yes] [No]

Re:I RTFA and don't find it to be all that bad at (2, Informative)

tomhudson (43916) | more than 4 years ago | (#30087422)

You can use php sessions without cookies. Search for "php sessions without cookies". It's all there. And turn in your programmers' card because you didn't know something as basic as that.

Re:I RTFA and don't find it to be all that bad at (3, Insightful)

TheSunborn (68004) | more than 4 years ago | (#30087012)

The problem is you need to show the user the text before they can view your website. Just imagine you are using google to search for something and once you click a link, you end up not on the content you expected but on a

"We use cookies to track users in the following ways, blah blah blah. Is this okay with you"

That would suck so much.

Re:I RTFA and don't find it to be all that bad at (4, Insightful)

BlueWaterBaboonFarm (1610709) | more than 4 years ago | (#30087132)

Even if it seemed reasonable, give it a week or two and most would hastily click 'agree' without reading. It would be like UAC in Vista, not the worst idea at the core, but the poorest possible implementation.

Re:I RTFA and don't find it to be all that bad at (5, Insightful)

MoralHazard (447833) | more than 4 years ago | (#30087042)

Yeah, total agreement, here. This stupidly transparent, self-serving quote says it all:

"...but they is vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."

User experience? WTF? Sorry,but the only reason you need invisible-to-the-user cookies is so you can monetize them without them realizing just how much privacy/anonymity they're giving up. Because that might give users pause before they accept your cookies, if they had an informed choice.

And everybody here knows that. The quoted jackass in TFS is just trying to make his industry look like a victim, to drum up support from civil-liberties sympathizers on Slashdot. Too bad we're not that dumb...

As an employee of the advertising industry, I have zero problems with monetizing Internet traffic, or with using cookies to track user behavior, etc., etc. But I hate liars, and I hate people who try to manipulate me.

OK , so the first link... (4, Interesting)

Viol8 (599362) | more than 4 years ago | (#30086840)

... is to an old slashdot story which even says the initial write up is wrong and it has a link to a yahoo story which no longer exists. Come on guys , I know this is slashdot but try a little feckin harder for gods sake.

Re:OK , so the first link... (2, Funny)

Java Pimp (98454) | more than 4 years ago | (#30087220)

Seriously? That discussion was from just "a couple of weeks ago."

Either that or the submitter must have came in close contact with a micro-black hole...

"Necessary cookies" (1, Informative)

Anonymous Coward | more than 4 years ago | (#30086844)

If I tell a site to store some setting for me, it may set a cookie. If I click on some "automatically authenticate", it may set a cookie.

If I only change a setting of the current session or log in or things like that, that's no reason for a cookie.

Doing sessions via cookies is a blank check for the most trivial cross-site attacks, so do not do it.

If I'm happy to go with the default settings or if I have to authenticate anyway (so you know my name) there is no reason to make my browser send you stuff.

Thanks in advance.

Re:"Necessary cookies" (0)

Anonymous Coward | more than 4 years ago | (#30087256)

Dude, what are you talking about? Cookies define sessions. You obviously don't know how HTTP works -- when you click from page to page, the webserver doesn't know each page is in the same "session" without a cookie. We could try using IP addresses, but I think the privacy concerns there are worse. I'd rather ISPs randomize IPs.

Re:"Necessary cookies" (0)

Anonymous Coward | more than 4 years ago | (#30087530)

Umm... you don't understand how the Interwebs, HTTP and everything works, do you?

also vital to know people's sexual fantasies? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30086854)

It's also vital for TV advertisers to know people's sexual fantasies so they can work out how to improve the TV-watching experience for the viewer.

It's also vital for the RIAA/MPAA to know the contents of people's hard drives so they can deliver more-interesting music and movies for the consumer.

You have no right to stuff shit on my computer, period, and even less right to do so when the aim is to make you more money. There are these things called "server logs" that do an adequate job of letting a site owner know what parts of their site are found interesting and they do not require bugging my computer to do it.

In sum, you are every bit as much of an asshole as those RIAA lawyers who sue people for "contributory infringement".

Re:also vital to know people's sexual fantasies? (0)

Anonymous Coward | more than 4 years ago | (#30087360)

It's also vital for TV advertisers to know people's sexual fantasies so they can work out how to improve the TV-watching experience for the viewer.

Well they're doing a very poor job at the moment, all the female characters on TV are still wearing a top.

Cookies? They is not necessairy, no. (4, Insightful)

Anonymous Coward | more than 4 years ago | (#30086860)

Since we're talking statistics, the largest problem is understanding. Most people don't. Maybe that's why people prefer to use external tracking services instead of using the information already on their own website: The access logs. Otherwise I really don't see why you'd use them. No, it won't get everything, but it _will_ give you general trends. And with a large enough sample those trends will be obvious enough.

Plus, all this focus on ``user experience'' gave us dancing rodents and several big fat stacks of proprietary, closed, and platform-dependent stupidity of the likes of flash. The most prevalent user experience therefore has to be ``confused boredom''. And in a score or two years, bitrot has ensured all that crap stays lost forever. That's a definite boon, but not good for general archiving, and therefore a problem.

My core concern with websites is what content they have to offer, and if I can't find it, I'm gone. Flash? bye-bye. Confusing layout? Two more clicks and I'm gone again. A sitemap? Click on it and search for a couple keywords. Nothing? Ciao! And so on, and so forth.

``User experience'' is overrated. Focus on the message; write it for me and not at me, make it easy to find, easy to flip through, easy to search, easily available. And for that, you really don't need cookies, and you especially don't need and therefore shall not require javascript, java, or some other proprietary plugin.

If you want to track your users, all you need is a small shell script to connect requests, referrers, and timestamps together and you'll have more info than you could possibly need already.

Re:Cookies? They is not necessairy, no. (4, Insightful)

tnk1 (899206) | more than 4 years ago | (#30087116)

If you don't understand why third party tracking is used, then you don't understand running a website with any appreciable advertising revenue. We don't use third party tracking to fix our web servers or for internal trending, we use those numbers to sell ad space. Advertisers are not going to believe you when you say that you get X amount of hits based on your web logs.

User experience can also be tracked in that way, of course, and certainly if the third party tools are well built, our user experience groups can use that data, but that is not why we spend the money on third party tracking.

Re:Cookies? They is not necessairy, no. (2, Insightful)

D Ninja (825055) | more than 4 years ago | (#30087136)

make it easy to find, easy to flip through, easy to search, easily available

...so...provide a good user experience?

Re:Cookies? They is not necessairy, no. (1)

gx5000 (863863) | more than 4 years ago | (#30087454)

No, just don't worry about the "XPrience" ... Just put out what you promised to deliver... Your visitor count and business level will tell you if you're loved or hated. Buzzwords never live up to what they promise....

The time has come...end them. (4, Insightful)

gx5000 (863863) | more than 4 years ago | (#30086864)

"to know how people are accessing the sites so they can work out how to improve the experience for the user."

Oh please, pull the other one....we all know what cookies are ultimately used for.
Don't even try to feed us that line that this is needed for "proper feedback"
This isn't the 90's anymore....

Indeed, this isn't the '90s anymore (5, Informative)

schnablebg (678930) | more than 4 years ago | (#30087202)

Indeed, this isn't the '90s anymore. We have technology that allows us to better target advertising and better track our business. Why legislate ourselves back to the days of broadcast advertising and a stateless web? And to those who say to use log files for analytics, you have to be kidding me. You obviously don't run a website.

Well shucks pa! (0)

Anonymous Coward | more than 4 years ago | (#30086870)

Oh they is, is they?

There are other ways to gather info (0)

Anonymous Coward | more than 4 years ago | (#30086908)

There are other ways to gather info other than cookies. You can do a lot of stuff with javascript, forms, and php. All of which are connection oriented.

Why exactly is an issue? (2, Insightful)

DavidChristopher (633902) | more than 4 years ago | (#30086916)

From one of the linked articles:

Here's what's coming. The now-finalised text says that a cookie can be stored on a user's computer, or accessed from that computer, only if the user "has given his or her consent, having been provided with clear and comprehensive information".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

~The Out Law Blog

So- some websites will have an EULA page. Big deal. Actually, that's not at all a bad idea now is it? So why all the hoopla?


(Note: The originally linked slashdot post linked a Yahoo News article that's no longer valid).

Re:Why exactly is an issue? (3, Insightful)

jonbryce (703250) | more than 4 years ago | (#30086990)

The site may have an EULA, but you still can't present cookies to the user until he has had a chance to read it and decide to either agree to the terms or go elsewhere. At the moment, you get a cookie when you first visit the site before you get a chance to read anything.

Cookie consent at browser level? (2, Interesting)

RevWaldo (1186281) | more than 4 years ago | (#30086918)

Couldn't browsers be made "EU-compatible" and give users a settings checkbox that says (more or less) "I either don't care about cookies or I'm perfectly comfortable dealing with them on my own (either with plugins like CookieCuller or manually.) Bring 'em on!"? Or doesn't the new law allow that?

Hey I'm an American... (-1, Redundant)

tjstork (137384) | more than 4 years ago | (#30086930)

I have no intention of following this law.

Re:Hey I'm an American... (-1, Offtopic)

alta (1263) | more than 4 years ago | (#30087148)

Enjoy it while you can. Our current administration has every desire to eliminate the ability to say things like "I'm an American, I have freedoms." That's why Obama cohorts with nice freedom loving people like Chavez and Ahmadinejad. Anything that the EU is doing is viewed as an example of what we SHOULD be doing. Husein Obama has is on the fast track to a new world order.

I forgot the names of the 'scholars' that said it, but they said that the best way to move to socialism is to bankrupt the system. People will not have money, they will revolt, and the only answer is full goverment control. Banking? check. Automotive? check. Healthcare, almost there. Enery? You're next.

Bush spent his 8 years making this all possible. Obama is going to make sure he finishes the job.

Re:Hey I'm an American... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30087242)

yawn

Re:Hey I'm an American... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#30087246)

Holy fuck, it's Chuck Norris! HOLY FUCK! I didn't realize that you posted on Slashdot. And with such a low user id, too! HOLY FUCK!

Re:Hey I'm an American... (1)

alta (1263) | more than 4 years ago | (#30087336)

You are only here because I allow you to exist.

Do We Really Need Cookies? (4, Insightful)

ObsessiveMathsFreak (773371) | more than 4 years ago | (#30086942)

There are in fact still people who refuse to allow cookies, and there are still browsers like lynx that require explicit confirmation from the user before they accept them(In fact, the directive does not ban cookies. It simply mandates the default behavior of lynx.). Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms. Try thinking outside the box you've been in for the last 15 years.

Let us be frank. Cookies have been abused. Horrendously abused. Private companies have tagged, tracked, and stalked billions of people. We have allowed terabytes of data on the lives of everyday people to fall into the hands of completely unscrupulous entities. The information held by even smaller marketing outfits would 20 years ago have seemed like a treasure trove to organizations like the Stazi and the KGB. Does the fact that such information is akin to that desired by secret services mean that the collection and indexing of this information is inherently wrong? No; but it is a big hint that it probably is.

The EU may have blundered here, throwing the baby out with the bathwater. But I think their basic motivations were very admirable. As out lives move more and more onto the net, we cannot accept the current status quo of companies like Google, Yahoo, Microsoft and the rest being allowed to do as they please with data on other people. The Despite the unworkable nature of the law, the EU is moving in the right direction on this.

Re:Do We Really Need Cookies? (3, Insightful)

SharpFang (651121) | more than 4 years ago | (#30087184)

Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms.

Semi-permanently modifying the page to the user's desires without server-side intervention.

Yes, it can be done server-side, using IP tracking, login and so on. But they require actual CGI to run and generate content, instead of the HTTP layer spitting out "Cache HIT" on page content and static Javascript.

Users hate registration, and IP tracking is useless with dynamic IP (there are ISPs that change it once a hour). But even then, you just have to do server-side work that would be better done client-side simply because servers cost. I've been working with a big IT/Portal/News company that had a big farm of servers that was at 80-90% of its load at all times. If not cookies combined with tons of static content kept client-side in browser caches and in a squid layer protecting the farm, refreshing the content of each page maybe once in 15 minutes vs ~1000 hits/second, we'd have to maintain about 2-3 times as many servers. And that would move us from "quite profitable" to "generating losses".

Re:Do We Really Need Cookies? (2, Informative)

sdiz (224607) | more than 4 years ago | (#30087322)

Yes, it can be done server-side, using IP tracking, login and so on.

One word: NAT.

Re:Do We Really Need Cookies? (3, Insightful)

Enleth (947766) | more than 4 years ago | (#30087324)

How do I implement sessions without mangling all the local URLs in the output (which is seriously non-trivial and poses its own problems, also with security and privacy), yet without the use of cookies?

Re:Do We Really Need Cookies? (3, Insightful)

salesgeek (263995) | more than 4 years ago | (#30087418)

Regulating tools doesn't work. Regulating behaviors does. When governments try to regulate technologies, they usually focus on the tool instead of behavior with asinine results. It would be much easier to simple:

Outlaw the practice of collecting marketing information without the express permission of the person being collected, at the time the data is collected. Make it clear there is no "blanket" opt-in possible under the law.

Make it a civil tort with a big statutory fine (say something around $10,000) to skirt this so lawyers would go after abuse on contingency.

It's not that hard, but we have to help lawmakers better understand the difference between tools and behaviors.

Re:Do We Really Need Cookies? (1)

OzRoy (602691) | more than 4 years ago | (#30087522)

In what way are they being abused? Cookies are not some magical tracking device that can be accessed by anyone and everyone. They are a packet of data that is sent back to the originating domain. They are not cross-domain and can only be accessed by the domain that first created it. In other words a site can only track a customer that passes through their site.

This is no different to your credit card. Recently I went a made a purchase from an Apple store. I was incredibly surprised to recieve an email 5 minutes later with a pdf copy of my receipt. The only way they could have done this is by matching my credit card number to the one attached to my itunes account.

Re:Do We Really Need Cookies? (2, Insightful)

tkinnun0 (756022) | more than 4 years ago | (#30087540)

Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms.

Let's use URL rewriting. My friend shares a photo from their private album with me, I post a link to it on Twitter and the next thing I know half the world has my session id.

Cookies to store user variables (2, Insightful)

justfred (63412) | more than 4 years ago | (#30086946)

Cookies are often used to store user variables when they go from one page to another - patching holes the stateless web protocol forces on the user experience. Session or server-side variables may also be used for this, but that's more work for the web designer, who usually is up to his neck trying to support different versions of IE misbehavior.

Sites I've worked on have never used cookies to send back personal information, but they have used them to improve the user experience.

Re:Cookies to store user variables (2, Insightful)

alta (1263) | more than 4 years ago | (#30087188)

You forget, /. is overrun with out of work idealists that just want to 'hate the man'. They have no interest in the problems of a working developer.

Re:Cookies to store user variables (2, Insightful)

SharpFang (651121) | more than 4 years ago | (#30087210)

Server-side variables are primarily more work for the server, which has to re-run the script instead of informing the content didn't change and can be retrieved from the browser cache (and modified client-side according to the cookie).

Come on (1)

gbarules2999 (1440265) | more than 4 years ago | (#30086958)

Hey, Mr. Summary, enough with the fair and balanced. Make up my mind for me on this issue! Where does this law stand?

reasonable (4, Insightful)

J-1000 (869558) | more than 4 years ago | (#30086960)

This doesn't sound "breathtakingly stupid" to me. It's debatable. Maybe it's "breathtakingly stupid" that it slipped through without notice, but if we are talking about what's right and what's wrong, it can be argued (and often is, I'm sure) that one should expect to have privacy in regards to their browsing habits*. The fact that it negatively impacts businesses should be irrelevant, if we are talking about protections for the individual.

* Yes, you can turn off cookies from the user end, but laws are sometimes there to protect people who don't know any better, and there are a *lot* of them in this case.

This will be bad (0)

Anonymous Coward | more than 4 years ago | (#30087086)

So to get around cookies people will just make their website a giant piece of flash

Cookies? (1)

Kc_spot (1677970) | more than 4 years ago | (#30087110)

Well then, I guess I won't be going to europe for a while... Banning cookies... how can people enjoy chocolate chip or macadamia nut now?? ... Worst. Joke. Ever. Sorry Folks :)

A few bad uses = all bad? (2, Interesting)

Cogneato (600584) | more than 4 years ago | (#30087212)

There seems to be an assumption that cookies are almost entirely used for evil tracking of website visitors. People have brought up shopping carts and logins, but there are many, many other relatively minor uses for which cookies are useful. Are we to provide you with a disclaimer every time we want to make sure some little setting that you have clicked "sticks" as you jump between pages? Yes, there are other tools to do this job, but cookies are also a specific tool for a specific job.

I find it interesting to hear many people claim the evils of cookies are so bad that they need to be outlawed, when in the end, it is the user's choice if they want to accept them. Isn't this akin to saying that we need to ban content on television or the internet because sometimes it could be used for evil? If you can use the argument of "just turn the channel" or "just don't go to those websites" in those cases, then why isn't the same argument good for people to just turn off cookies? If enough people do that, then the web developers will use a different tool to get the job done, and cookies will fall by the wayside. You have an "off" button on your cookies. If you don't like them, then use it.

cookies = bad (0)

Anonymous Coward | more than 4 years ago | (#30087484)

The really bad about cookies is all that lazy sites that with their lazy developers that think sessions can only be done with cookies, and all the sites that store cookies where not needed.

This means that users almost have no chance to accept cookies. They either have to accept them blindly or have to pay by clicking a dialog box every time they visit one of the broken sites (and many of this newfangled stuff is severly broken).

Try setting network.cookie.cookieBehavior to 1 in firefox/iceweasel and surf the net. You will see how many sites thinks setting cookies is necessary.

The problem is: Those sites bear no penalty for it: As long as lusers accept them silently, noone sees how bad their code is written. And as too many sites are broken, noone can change the default in web-browsers properly to let users choose, because too many sites are broken. That means that sites have no disadvantage from flooding users with cookies, as only tech savy idealistic people are annoyed (and those do not buy crap anyway, so no income from them). And so the circle closes.

Please note that this is nothing new. Almost every policy out there has something like this in. (Remember Obama putting an special allowance for youtube cookies for his websites? because the state already had to be good and not do what now people are surpised to have always been judged too evil to be good).

Are there any paranoids in the audience tonight? (3, Insightful)

kimvette (919543) | more than 4 years ago | (#30087216)

I know most of you guys hate cookies in general,

To quote Roger Waters: "Are there any paranoids in the audience tonight? Is there anybody who worries about things? Pathetic. "

Seriously. Not "most of us" hate cookies. A paranoid few do.

If it weren't for cookies, this site wouldn't remember my login. Google apps wouldn't work well. The browser would not retain my per-site preferences.

I rarely ever clear cookies.

Re:Are there any paranoids in the audience tonight (3, Insightful)

Dunbal (464142) | more than 4 years ago | (#30087314)

If it weren't for cookies, this site wouldn't remember my login.

      But then again, having a site "remember you" between sessions is a security risk. I mean ok, who cares if your brother starts trolling people with your slashdot account if he comes over for the weekend... but just the concept. You know, you CAN provide unique service to someone using a login, session ID's and designing your website with the appropriate GET/POST commands. Admittedly it is a LOT more work for the web designer, but far more secure than cookies. However you guarantee that the session "expires" the minute you close the web browser.

Re:Are there any paranoids in the audience tonight (1)

vitriolum (1280610) | more than 4 years ago | (#30087406)

I'm with you on this one. For instance, I run a site that allows users to adjust the text size with handy javascript buttons. Cookies are what lets the site remember what text size a user prefers when they come back. Sure, I could use buttons that trigger a php script and store the preference in a session variable. But, then their preference is only saved for the duration of the session, and they have to reload the page just to change text size one notch... why bother? If we need cookie legislation, it should be crafted to target the problematic areas of the technology -- not the entire concept.

They are a sometimes food. (2, Funny)

AP31R0N (723649) | more than 4 years ago | (#30087244)

Om nom nom nom nom nom nom nom!

Really badly written... (1)

interval1066 (668936) | more than 4 years ago | (#30087254)

Who wrote this piece? English must be their second language...

Load Balancing (2, Insightful)

diamondsw (685967) | more than 4 years ago | (#30087290)

Cookies are used to keep track of a user's session, especially when it crosses a load balancer and gets sprayed to any number of identical servers. Without the cookies, there is no way to keep your session on a consistent web server throughout a session. Remember things like "www3.netscape.com"? Cookie-based load balancers are what fixed that situation.

Yes, cookies are abused by advertisers, but quite frankly, I don't give a damn if a site wants to use them to follow me on their site. They DO use them to see which products are popular, what items are considered together - valid data that lets them make business decisions. I know from working with web design firms that they can be used to track flows through a site and tell what parts of navigation are difficult, and if users are missing the "intended" way of using a site.

There are lots of valid technical uses for cookies. I've never understood why they're vilified. It's a tiny chunk of usually random/hash data that's put on your computer by the remote site. Why should you care if they then retrieve it? The only objectionable use is cross-site cookies used by advertisers, and most decent browsers let you disable that class of usage, but not the rest.

When you outlaw cookies... (1)

d474 (695126) | more than 4 years ago | (#30087304)

...only outlaws will have cookies.

Cookie Monster, yeah I'm talkin' about you dawg.

This is pointless (2, Insightful)

alta (1263) | more than 4 years ago | (#30087320)

Ok, no cookies. Poor me. You're just making it more difficult, but there are ways around it.

1. The malware and other scrupulous sites you hate so much... They wont obey your rules.
2. I hope you enjoy long query strings, because everything is going to be passed from page to page.
3. If you don't, expect every link to become a javascript POST.
4. You'll be required to create an account a lot more often so we can store everything server side and restore to SESSION variables when you return.
5. And expect a lot of free content sites to go belly up. No cookie, no revenue.
6. What percentage of sites these EU customers visit are hosted outside the jurisdiction?

Hey Government: LAWS ARE NOT FOR FIXING TECH (4, Insightful)

salesgeek (263995) | more than 4 years ago | (#30087348)

Why do government people think that passing laws like this can fix a problem that is fundamentally a technology problem? The problem is that when lawmakers focus on tech, they often focus on regulating the tool instead of regulating behavior. So you get situation like this:

Trigger: People are killed with a hammer.
Response: Ban Hammers.
Unintended consequence: Entire construction industry out of business, everything falls to disrepair, screw industry explodes, scarcity of hammers lead murders to switch to using rolling pins.

In this case, the issue is user privacy. Regulating cookies does little other than break the web which is in many ways cookie dependent for many different dynamic interactions between applications on servers and browsers. So, you break the internet, reduce security, and move advertisers to using something that's not a cookie to tag visitors with (lots of ways to accomplish this).

It's that old guns don't kill people, people kill people thing.

Transparency is the name of the game (2, Insightful)

houbou (1097327) | more than 4 years ago | (#30087364)

The reason this has come to the extreme is simple. If a website / web app uses cookies, it should clearly state so in it's disclaimer / privacy policy in such a way that people who visit the site should be able to know exactly what information is being taken from their visit by the website. If this was done upfront and in an honest fashion, this issue simply wouldn't be. As it is, many websites either keep this info in a generic way or just plain omit it. Now I'm not talking about fishing/scam websites, of course. These make the issue even worse. So now, cookies are being managed through legislation.

Hang On Europe! (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#30087386)

Our Congress and President are trying as hard as they can to turn us into a bloated, inefficient and ineffective nanny state just like you!

Signed,

The U.S. of A.

it's about annoying people... (1, Informative)

Anonymous Coward | more than 4 years ago | (#30087440)

I think here's a lot of misunderstanding about what this "\"Breathtakingly Stupid\" EU Cookie Law" is all about.

It does not BAN anything. It requires Website operators to prompt the user on first visit to agree to their cookies. So basically _it is_ damn stupid: nothing is done about cookies, another nuisance is created. Set your Firefox to prompt you every time a site wants to set a cookie and see if you will enjoy it.

The EU completely ignores that most browsers already have prompting/blocking mechanisms for cookies and it's just up to the user to turn it on, and instead they reinvent the wheel and force the Website-owner to bug everyone in the world visiting EU located sites.

TROLLkORE (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30087442)

election to the year Contract.

its the euro choice, no need to complain (0)

Anonymous Coward | more than 4 years ago | (#30087488)

Its is not stupid,just a choice made by the EU, who the fuck get elected the companies strategic dpt or the politics ? The EU assembly.
Everybody knows that there is a tradoff between privacy (eventually security) and usability

Session Cookies (0)

Anonymous Coward | more than 4 years ago | (#30087508)

Does this apply also to session cookies? I don't cry for doubleclick not able to track me, really, but session cookies are needed for core functionality of most websites (99% of those that require some sort of login).

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>