Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

New EU Net Rules Set To Make Cookies Crumble

samzenpus posted more than 3 years ago | from the covering-your-tracks dept.

EU 290

NickstaDB writes "From the BBC article: 'From 25 May, European laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies." These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"

cancel ×

290 comments

Sorry! There are no comments related to the filter you selected.

Thanks EU (0, Troll)

Anonymous Coward | more than 3 years ago | (#35439480)

Great - what the internet needs is more regulation.

Thanks EU.

Re:Thanks EU (3, Insightful)

plover (150551) | more than 3 years ago | (#35439500)

Great - what the internet needs is more regulation.

Thanks EU.

I think that's exactly what America needs: more EU regulation. We'll just host their sites over here, because we don't have to comply with their stupid laws.

Re:Thanks EU (5, Interesting)

mrcaseyj (902945) | more than 3 years ago | (#35439546)

IPv6 will give almost everybody practically static addresses, the ultimate undeleteable cookie. So the EU regulation will be futile very soon.

Re:Thanks EU (1)

Anonymous Coward | more than 3 years ago | (#35439864)

Well until IPv6 routers start randomizing the addresses... then it won't be much different from NAT.

Re:Thanks EU (1)

zill (1690130) | more than 3 years ago | (#35439876)

IPv6 will give almost every computer practically static addresses

What if multiple people share the same computer?

Re:Thanks EU (4, Informative)

Bobakitoo (1814374) | more than 3 years ago | (#35440024)

What if multiple people share the same computer?

The kids get to see pornography advertisments because you browser for porn last night. Fun for the whole family!

Re:Thanks EU (0)

Anonymous Coward | more than 3 years ago | (#35439992)

Wait, what?! ISPs and home router manufacturers are no longer moving at the pace of a geriatric slug in treacle (which has been nailed to a breeze block) ?

Re:Thanks EU (1)

wvmarle (1070040) | more than 3 years ago | (#35440052)

In my experience with ADSL and cable you have a fixed address already. It is just not guaranteed to be fixed but a new IP every few months is fixed enough for lots of tracking purposes. Just leave your own router connected; usually DHCP will give you the current IP address upon renewal. There is no reason it would have to change to begin with.

Re:Thanks EU (0)

Anonymous Coward | more than 3 years ago | (#35440232)

Comcast for one is simply based on the WAN MAC address. Write an ifup script to change it and you'll always have a new IP.

Re:Thanks EU (1)

martijnd (148684) | more than 3 years ago | (#35440182)

Remind me to generate a new IPv6 address for every hour of the day...

Re:Thanks EU (5, Informative)

Snowblindeye (1085701) | more than 3 years ago | (#35440250)

IPv6 will give almost everybody practically static addresses, the ultimate undeleteable cookie. So the EU regulation will be futile very soon.

That problem has been solved by RFC 4941, otherwise known as the Privacy Extensions [ietf.org] . Most OSes support it, though I believe some don't enable it by default. IIRC the iPhone is one of the devices that doesn't support it, but that should be fixable once IPv6 becomes more widespread.

Re:Thanks EU (1)

Malc (1751) | more than 3 years ago | (#35439746)

Hosts your sites as you like, but companies doing business in the EU will still need to comply or it will become expensive for them. Perhaps advertisers in this situation won't want to pay per click if they're not doing business in the EU any way, which will affect US hosted sites too. Also, the US courts have set plenty of precedent by feeling free to take legal action outside their own jurisprudence

Re:Thanks EU (2, Informative)

Samantha Wright (1324923) | more than 3 years ago | (#35439800)

HAPPY FUN GRAMMAR NAZI ADVENTURE: "Jurisdiction [thefreedictionary.com] ", not "Jurisprudence [thefreedictionary.com] ". Remember, a dictionary page per day keeps the lurking trolls at bay!

Re:Thanks EU (1)

Malc (1751) | more than 3 years ago | (#35440054)

Haha - I was think about both, and in this case the difference between jurisprudence in both places. Jurisdiction is indeed what I meant. It's been a long day...

Re:Thanks EU (1)

goombah99 (560566) | more than 3 years ago | (#35439748)

Great - what the internet needs is more regulation.

Thanks EU.

I think that's exactly what America needs: more EU regulation. We'll just host their sites over here, because we don't have to comply with their stupid laws.

Or Sealandia or Naru or Libya or Russia.

Which of course simply undermines your own homegrown industry and once based outside the country other exploits are now feasible.

The way we deal with this for physical goods is tariffs. e.g. your country has no OSHA laws, or pays to low a minimum wage then we may slap a tarrif to equalize the playing field and protect the home industry.

This of course eventually leads to protectionist tariffs.

Re:Thanks EU (5, Insightful)

DarwinSurvivor (1752106) | more than 3 years ago | (#35439756)

HAHAHA. Says the guy who's country created the patriot act! American VPS companies have been losing lots of money because people don't want to put their data on a server in a country where the government can just go "This server is running on the same hardware as someone who MAY have sent a secret message to someone in IRAQ with a picture of a child, thus we are confiscating everything!"

Re:Thanks EU (5, Interesting)

Narcocide (102829) | more than 3 years ago | (#35439886)

You got modded flamebait but in reality you've understated the situation quite significantly. When the feds come to bust a private host for something they usually take everything in the room that is even plugged into the same power line and all the networking hardware out to the wall, then they leave it up to the owners of the hardware to litigate for return of their property.

Re:Thanks EU (2)

TubeSteak (669689) | more than 3 years ago | (#35439842)

I think that's exactly what America needs: more EU regulation.

Actually, it probably is.
The Europeans take their privacy laws very seriously and, unlike the USA, they enforce the shit out of them.
The USA has a lot of laws, but enforcement is hit or miss, especially when it comes to consumer protection.

They will just bury it (4, Insightful)

Anonymous Coward | more than 3 years ago | (#35439486)

They will just bury such "consent" in the EULA, privacy policy, terms and conditions, legal notices, and other such crud that no one reads.

Re:They will just bury it (0)

Anonymous Coward | more than 3 years ago | (#35439890)

" explicit consent" must be gathered from web users

Happy trollin'

Re:They will just bury it (5, Insightful)

Anonymous Coward | more than 3 years ago | (#35439898)

Data protection legislation in the EU requires that explicit consent is given. That means clear, unambiguous, and upfront consent. You can't hide it in a blizzard of tick boxes or EULAs. Defaulting options to give consent won't work either.

Big business might try tor rely on a "permissive environment" of weak national regulators but the EU commission takes these things seriously. After stunts like data loss and Phorm they're wise to the tricks. Any wiseguy is just going to get their ass handed to them.

Re:They will just bury it (1)

Dunbal (464142) | more than 3 years ago | (#35439982)

Explicit. That means exactly that you can NOT bury it anywhere, it has to be right there with a Yes/No BEFORE the cookie is installed.

What the fuck (1)

atari2600a (1892574) | more than 3 years ago | (#35439488)

What do they think the 'Remember Me' checkbox is for!?

Useless (0)

Anonymous Coward | more than 3 years ago | (#35439490)

That wouldn't work considering that most people click 'Yes' on everything.

Re:Useless (0)

tnk1 (899206) | more than 3 years ago | (#35439772)

That wouldn't work considering that most people click 'Yes' on everything.

True, but honestly, how far do you have to go to make sure? Sometimes, when people try to protect your freedom, its sort of like they've gone so far that they have whipped around full circle and now won't let you do anything.

"Click Yes if you are sure you want to accept a cookie." Yes

"Are you sure?" Yes

"PRIVACY ALERT: Clicking Yes means that you will get a cookie on your computer. Click No if you want to avoid this affront to your dignity" Yes

"ARE YOU INSANE??? Click No now! Its a COOKIE!!! COOOOOKIE. C IS FOR COOKIE, COOKIE IS FOR FASCISM!!" Yes

"EU Regulations require this program to click No for you unless you file form EU 34-3-C in French. You'll thank us later. Bon chance, Citoyen!"

NO!!! (0)

Anonymous Coward | more than 3 years ago | (#35439498)

I don't want to have to provide the EU with explicit pictures just so I can use cookies!

Don't worry (0)

Anonymous Coward | more than 3 years ago | (#35439592)

Most people aren't interested in explicit pictures of people who overuse cookies.

EU = make things harder (0, Troll)

syousef (465911) | more than 3 years ago | (#35439506)

Does the EU do anything apart from make things harder for people? This effectively means no anonymous cookies. I'm guessing it's more about controling and monitoring citizens than about protecting their privacy. The thing is there are lots of legitimate uses for anonymous or one time cookies for which consent.isn't practical, so if this flies, it will detract from the Internet as we know it. And not just in the intended ways.

Re:EU = make things harder (0, Informative)

Anonymous Coward | more than 3 years ago | (#35439658)

The sole purpose of the EU is to make things harder for people, and enrich/empower the bureaucrats and politicians involved in the circus. It has ever been thus witih governments.

Don't blame the EU (1)

Anonymous Coward | more than 3 years ago | (#35439668)

Blame Privacy International, who are basically the only ones lobbying for this.

Re:EU = make things harder (1)

Nursie (632944) | more than 3 years ago | (#35439686)

Make it harder for people to track other people for financial gain?
Sure.

Protecting the privacy of EU citizens seems more important to me than your transient concerns about having to do a bit more work.

Re:EU = make things harder (5, Informative)

cbope (130292) | more than 3 years ago | (#35439802)

Sorry, you are looking at it from the wrong direction. The difference between the US and the EU is that the EU (or by extension the state governments that form it) are protecting their citizens from violations of privacy by corporations. You see, over here, we actually care about privacy and our governments do actually help to protect it. Done properly and where needed, regulation is a Good Thing(tm). Corporate Fascism hasn't yet fully taken over here in the EU as it has in the US.

All you have to do is look at areas such as telecommunications: The EU's mobile phone operators and ISP's provide FAR better service, better prices and a LOT more competition in this area than in the US. I live in a small country of only 5.2 million, and I can choose from literally dozens of mobile phone operators and I have multiple ISP's to choose from with very competitive offerings. I can shop for the best price and/or service. I am not limited to one or two major monopolistic operators or ISP's like in some parts of the US.

Just like the 2-party political system, which is a joke, you guys over in the States need to get over your long-held belief that regulation is bad. Regulation in the EU generally *protects* the consumer and their privacy and prevents monopolistic business practices. In the US, practically everyone believes in the invisible hand of the free market. The problem is the invisible hand is stealing from consumers pockets and stuffing the pockets of corporations. The invisible hand is NOT working in YOUR favor, it's working in favor of the corporations.

Now before a troll comes along and says I do not know what I am talking about, I am an American living abroad in the EU, for more than 10 years. I have lived and worked in both places and I have worked for both American and EU based companies. I can assure you, the EU way really is better and I cannot really consider living and working in the US anymore. It is a major downgrade on practically every metric.

Back to the original topic: tracking cookies. This regulation is in response to companies who abuse users by tracking them using cookies. This is unwanted behavior. Cookies were not originally intended for this use and since companies have been abusing cookies (and by extension the consumers/users), it calls for regulation since companies in the free market cannot be held responsible for acting responsibly. Companies will only do what they can to increase profits and/or market share unless forced to do something else. Regulating cookies for tracking behavior is needed and I do not have a problem with this. It protects me as a consumer since it is widely known to be abused. This is precisely why regulation is sometimes needed.

You may be willing to allow corporations to perform uncontrolled data mining of your online habits but I prefer to have control over that information since the information is open to abuse. There is no legitimate justification for corporations to collect this information other than to use it for their benefit. They are certainly not collecting it to help you as a consumer.

Re:EU = make things harder (2)

syousef (465911) | more than 3 years ago | (#35440030)

You may be willing to allow corporations to perform uncontrolled data mining of your online habits but I prefer to have control over that information since the information is open to abuse. There is no legitimate justification for corporations to collect this information other than to use it for their benefit. They are certainly not collecting it to help you as a consumer.

This move won't give you that. In fact it does the exact opposite. Corporations are going to force you to sign EULA that includes allowing them to track you for EVERYTHING. Think of Google requiring login (no anonymous searches). The first thing you're going to have to do no matter what URL you type in, is log in.

Re:EU = make things harder (1)

Anonymous Coward | more than 3 years ago | (#35440074)

I don't know where you live, but here in the EU those EULAs are not enforcible.

Re:EU = make things harder (0)

Anonymous Coward | more than 3 years ago | (#35440226)

except that

  • you still have to 'agree' to them
  • most people don't know they are not legally binding
  • most people don't care about the arbitrary 'rules' they are being asked to follow
  • but those people think that they are acting wrongly
  • this is opression
  • ???
  • Profit!

Re:EU = make things harder (5, Insightful)

lordholm (649770) | more than 3 years ago | (#35440146)

Google requiring log-in = people start using bing (have they renamed it again yet?) / yahoo / altavista.
Really... this is what would happen.

I have seen plenty of people who, when encountering a log-in / register window, they just close the web-page and do something else. Come, to think of it, all sites requiring log-ins, would be a huge boost for productivity.

Re:EU = make things harder (2)

SydShamino (547793) | more than 3 years ago | (#35440156)

Hahaha, that's pretty funny. Just exactly how many sites do you know that moved behind a registration wall and gained readership?

Re:EU = make things harder (1)

Anonymous Coward | more than 3 years ago | (#35440108)

You have total control over the cookies you allow to be set in your browser, and the data you send to someone. You always have. This is regulation for the sake of appearances, nothing more. It's also going to prove nearly impossible to enforce or track, and it's going to effect very negatively things that are well beyond it's scope. This is because typical of most regulation, it will be broadly worded, and poorly understood.

Re:EU = make things harder (3, Interesting)

cynicist (1112505) | more than 3 years ago | (#35440174)

There is no free market in the US. There are lots of regulations and government intervention here, they just happen to be on behalf of corporations rather than individual citizens. One of the reasons you can choose multiple ISP's and we cannot is due to monopoly agreements granted to ISP's in the US. You have more favorable regulation in the EU to be sure, but don't pretend the problems in the US have anything to do with a lack of government involvement...

Re:EU = make things harder (-1)

Anonymous Coward | more than 3 years ago | (#35440318)

Just like the 2-party political system, which is a joke, you guys over in the States need to get over your long-held belief that regulation is bad. Regulation in the EU generally *protects* the consumer and their privacy and prevents monopolistic business practices. In the US, practically everyone believes in the invisible hand of the free market. The problem is the invisible hand is stealing from consumers pockets and stuffing the pockets of corporations. The invisible hand is NOT working in YOUR favor, it's working in favor of the corporations.

Buy some stocks.

Nothing new here, move along.. (0)

RenHoek (101570) | more than 3 years ago | (#35439518)

Aren't they going to do it the way they've done it so far already anyway? Simply bury "By visiting this website you give consent to..." somewhere deep in your legal notices like all the other "We're going to sell your info" notifications.

I don't see the advantages of this new law, since if they really needed to _ask_ you for permission, it would simply become unworkable. To browse the internet, you'd spend 20 minutes of each hour clicking cookies notices away.

Re:Nothing new here, move along.. (0)

Anonymous Coward | more than 3 years ago | (#35439558)

From what it sounds like, they will need to expressly ask your permission. That means pop-ups or new landing pages that require you to check a checkbox that says you allow them to place cookies. That is really going to suck...

Re:Nothing new here, move along.. (1)

hedwards (940851) | more than 3 years ago | (#35439820)

Yes, especially since the site now has no way of knowing whether or not it has previously asked for permission unless the answer was yes. Meaning that if you say yes then that's the last you hear of it, but if you say no, then it'll ask you for permission every time you visit the site.

My main concern is that there's not really any information given about why a lot of these sites are setting cookies for facebook and random other sites.

Re:Nothing new here, move along.. (1)

wvmarle (1070040) | more than 3 years ago | (#35439580)

TFA mentions "explicit consent" is needed. Burying stuff in some legal notices will be considered implicit consent at best. So at least from the face of it every site will have to ask for it. TFA specifically mentions more use of pop-up windows... interesting... are there still people without pop-up blockers then?

Allowing cookies = consent? (2)

Max Romantschuk (132276) | more than 3 years ago | (#35439554)

Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent. Time will tell how this all plays out, but it's safe to say that people get bored of clicking "allow" really quickly.

Do browsers even ask if you want to allow cookies these days? I guess not? 10 years ago you did have to explicitly allow them (either globally or on a per-site basis) but I guess they are allowed by default these days? Can't remember seeing a cookie prompt in a long time.

Re:Allowing cookies = consent? (1)

wvmarle (1070040) | more than 3 years ago | (#35439590)

Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

That sounds to me like implicit consent, while the EU requires explicit consent. Though I suppose asking permission once per site is enough - not every single visit. And after receiving such explicit permission the site may store a cookie on your computer indicating that they have that permission already.

Re:Allowing cookies = consent? (2, Insightful)

VortexCortex (1117377) | more than 3 years ago | (#35439952)

Some are arguing that allowing cookies in the browser is basically equivalent to giving your consent.

That sounds to me like implicit consent, while the EU requires explicit consent. Though I suppose asking permission once per site is enough - not every single visit. And after receiving such explicit permission the site may store a cookie on your computer indicating that they have that permission already.

Well, earlier today, I pasted this in my address bar:

javascript:void(document.cookie = "reminder=Don't forget:\n\tCover page for TPS report.");

Just now I pasted this in my address bar:

javascript: alert( document.cookie );

(Not a moment too soon -- I almost sent that report with the old cover sheet.)

That message was sent to every website I visited today. I know damn well they don't have my explicit permission to read the cookie headers that my browser sends them -- Especially not when they contain such important trade secrets. I'll report all the sites in my history post haste! In fact, YOU don't have explicit consent to be reading my notes either! I never gave you explicit consent, so I'm afraid I'll have to report you as well.

Hmm, I'm not sure, but I think that since I'm self employed part-time I might be in violation too! I didn't update the Cookie Consent Clause of my Explicit Permissions Form [europa.eu] to specify that my company has the explicit permission to track my thoughts throughout the day using text files & "magic-cookies".

I sure hope I don't get fined, I can never go back to the yellow sticky squares... not after that time they didn't get my explicit permission to record the doodles I made of my manager, and nearly got me fired by way of an unauthorized 3rd party doodle disclosure!

(When I complained Post-It admitted that paper and pens normally only have implied consent to record and redisplay information to anyone within reading / writing distance, and explicit consent is required in the EU. However the EULA on the shrink wrap that I thew away said that by opening the package I forfeit my right to consider marks made with my hands as information...)

Re:Allowing cookies = consent? (2)

Cimexus (1355033) | more than 3 years ago | (#35439702)

I go with a whitelist approach. My browser is set to deny all cookies except those specifically allowed.

The way I identified which ones to allow is by turning cookies on to 'accept all except third party', using the web as normal for a few days, then observing which cookies had been written. After filtering out the obvious ones that I didn't need, I added the rest to the whitelist. These are all from sites that I have to log into obviously, so I have [*.]slashdot.org, mail.google.com, etc.

Only downside is if I register for a new forum or something I have to remember to add it to the whitelist, but that's OK. Means I can browse the web knowing I'm not accepting cookies except for those I explicitly need to remain logged into stuff.

Cookie whitelist is the way to go (0)

Anonymous Coward | more than 3 years ago | (#35440264)

but only at shutdown, deleting everything not explicitly set to be kept, otherwise many sites might not work at all.
(look for "selective cookie delete" among mozilla addons)

Re:Allowing cookies = consent? (1)

aaronszy (1752850) | more than 3 years ago | (#35439752)

it's safe to say that people get bored of clicking "allow" really quickly.

If the opt-in notices get annoying, browsers could detect the requests and opt you in automatically. Problem solved.

Mozilla already lets you set that (1)

billstewart (78916) | more than 3 years ago | (#35439788)

You can set Mozilla to always ask, always accept, always reject, do one of those except for exceptions, accept for session only, remember your choices or not remember them, etc. At this point I don't know what the default it :-)

Just saying a better method is needed. (1)

Anonymous Coward | more than 3 years ago | (#35439810)

Try setting your privacy level not to accept 3rd party cookies and set it to ask you every time (Firefox). I have no problem denying cookies manually all day. Some of the most egregious use of cookies come from mainstream sites like msnbc, cnn, etc.. Those sites are whoring themselves out to advertising and data miners more than any other sites I can think of... so I don't visit them anymore. I don't need to read or listen to their junk when their interests aren't trying to serve mine.

Tracking =/= cookie use (5, Informative)

mclearn (86140) | more than 3 years ago | (#35439576)

Cookies have legitimate uses that have nothing to do with "tracking". Perhaps the issue comes with trying to interpret the specific language used rather that knee-jerk "everyone must opt-in". If your cookies are not used to track -- if you do not use, for example, Google analytics -- then you are not in violation. The article basically states this.

Re:Tracking =/= cookie use (1)

hedwards (940851) | more than 3 years ago | (#35439828)

The problem is that a lot of sites include cookies for third parties without permission or any explanation. I regularly get requests for facebook to set a cookie for me. I'm not sure why most of those sites would do such a thing.

But in general I've found very little help on sites explaining to me why various javascript or cookies are requesting to be loaded by my browser. And really it makes it tough for me to figure out what ones are really necessary and which ones might not be.

Re:Tracking =/= cookie use (1)

Anonymous Coward | more than 3 years ago | (#35439836)

The articles state that only shopping baskets are explicitly exempt, and that login, session management or anything else is not.
It says in fact that that you are allowed to store the actual content of a shopping basket (really stupid if one does this), I don't think you are even allowed to store a shopping basket id in a cookie which points to a server side basket.

What the european directive actually says I've not yet checked.

Re:Tracking =/= cookie use (1)

scdeimos (632778) | more than 3 years ago | (#35439956)

The articles state that only shopping baskets are explicitly exempt, and that login, session management or anything else is not.

I don't believe it says that at all. From what I can see the article says:

Specifically excluded by the directive are cookies that log what people have put in online shopping baskets.

And it implies that all other types of cookies require explicit user consent (or at least have their contents and usage explained).

Given that cookies should be short and sweet, and used for things like storing Session IDs, it sounds rather odd that the directive encourages storing shopping basket data in them.

It's unfortunate that Flash Cookies and HTML5 Data Stores aren't mentioned - they are already replacing cookies in some contexts.

Wrong Solution (2)

amirulbahr (1216502) | more than 3 years ago | (#35439584)

The web browser, whichever one it is, that the user has decided to use should make the decision about whether or not to ask the users permission to set a cookie. Website are not doing anything malicious by setting cookies, they are simply asking the client browser to keep a bit of information and return it on subsequent visits. The web browser can ignore the request, ask the user for permission first, or silently accept it.

Many browsers can be configured to operate in either of those three modes. Effort would be better spent educating users... or better yet... just let it go already it isn't a big deal.

Re:Wrong Solution (2, Informative)

Anonymous Coward | more than 3 years ago | (#35439656)

Some cookies are used to remember login details, others are used to track your behaviour. You can't tell your browser to allow one type and block the other because your browser can't tell which one is which. That's what this law is about.

Re:Wrong Solution (0)

Anonymous Coward | more than 3 years ago | (#35439680)

Erm, as a forum manager myself, I can tell you that any cookie used to remember login details -also- tracks your behavior. One used exclusively to track behaivior could simply be considered an "anonymous" login. :\

Re:Wrong Solution (1)

wvmarle (1070040) | more than 3 years ago | (#35440160)

The old Mozilla suit made it very easy to set cookies acceptance to "visited site only". No third-party cookies. So if I visit say slashdot.org I only accept cookies from slashdot.org and not from say adnetwork.com who happens to put an ad on that page. I like that option. Cookies have their use, keeping you logged in for example - often needed even within a single session - or storing certain personal preferences, yet ad networks have no business in tracking me.

Later Firefox only had an all-or-nothing option when it came to cookies: accept all, or block all (with option for exceptions).

Firefox may still have it but it's buried; now in FF 3.6.15 I can not even find a cookies setting in the preferences at all! The only way I can find to get to the cookies configuration is via about:config. I may miss something but it certainly is not very obvious.

Re:Wrong Solution (3, Informative)

Nursie (632944) | more than 3 years ago | (#35440306)

Find a FF extension called "Cookie Monster" and then revel in th granular control you have once again :)

It's Easy! (1)

KeithIrwin (243301) | more than 3 years ago | (#35439636)

The first time someone visits your website, you redirect them to a consent form and then if they opt out of being tracked, you just set a cookie showing that they've opted out so that you won't have to ask them again. See, problem solved.

(I say that tongue-in-cheek, but it would actually probably work if you set a "don't track" cookie which wasn't personal to them. Most grocery stores also offer non-tracking versions of their loyalty cards. My dad has one for Harris Teeter and his card number is all zeroes. That's the number they give out to everyone who asks not to be tracked. Similarly you could set a cookie which only includes an "opt-out" code which is the same for everyone opting out so that you can't track them individually.)

Clue stick (1)

agendi (684385) | more than 3 years ago | (#35439640)

Have they costed how much it will be to make their own sites compliant?

Re:Clue stick (4, Insightful)

Malc (1751) | more than 3 years ago | (#35439738)

I couldn't give a rat's arse how much it costs sites to comply. I'm glad somebody with sufficient authority is looking out for my privacy, because it's hard enough to do it by myself. Cookies have been a fundamental feature of the web for a long time as a way to make the web a better experience for users, but I certainly didn't ask advertisers et al to abuse this functionality for things that aren't in my interest.

Re:Clue stick (1)

agendi (684385) | more than 3 years ago | (#35440334)

I don't mean corporates, I mean the Govt. agencies themselves that are currently using cookies, I bet they are the one of the first ones that work around it AND bill the tax payer for the effort of outsourcing the work to a foreign multinational. Yay! In the end it won't change squat.

Eurotrash fucktards (-1, Flamebait)

z-j-y (1056250) | more than 3 years ago | (#35439674)

Europe today would be the same if Hitler had won. They are worse than Nazis

Re:Eurotrash fucktards (0)

Anonymous Coward | more than 3 years ago | (#35439728)

Well, no. It's a fair bet that Hitler didn't like Muslims.

Re:Eurotrash fucktards (2)

awshidahak (1282256) | more than 3 years ago | (#35439840)

Europe today would be the same if Hitler had won. They are worse than Nazis

Wow am I out of the loop or what. They still practice genocide over there?

Car anology (1)

Anonymous Coward | more than 3 years ago | (#35439682)

The EU requires car manufacturers to get consent from drivers for the car to burn fuel.

Re:Car anology (2)

hedwards (940851) | more than 3 years ago | (#35439834)

We here in the US refer to that as the "ignition switch" and it's very effective at telling the machine not to burn fuel.

Re:Car anology (3, Interesting)

Malc (1751) | more than 3 years ago | (#35440036)

Hmmm, bad car analogy. As an owner and driver, I already have control over that. Perhaps it would be more like manufacturers putting a feature or governor in your car that makes it drive past some advertising slowly, without your permission... in which in my case I'd want the EU to regulate, just like I'm happy to see them doing something about abusive companies trying to track me for their benefit rather than mine.

Solution (1)

Memroid (898199) | more than 3 years ago | (#35439740)

1. Force browsers in relevant countries to pop up a message "Would you like to accept a cookie from www.[...]?" for every website they visit (and every cookie).
2. People everywhere else live happily ever after.
3. ???
4. Profit!

Re:Solution (0)

Anonymous Coward | more than 3 years ago | (#35440000)

Force browsers in relevant countries to pop up a message "Would you like to accept a cookie from www.[...]?" for every website they visit (and every cookie).

I can get that just by changing my browser's settings. We all know that this won't happen anyway because what website in its right mind make itself too hard to use? If it becomes a case of accept our policy or don't use our site, perhaps the EU will evolve the regulations.

Re:Solution (1)

Nursie (632944) | more than 3 years ago | (#35440068)

"We all know that this won't happen anyway because what website in its right mind make itself too hard to use? If it becomes a case of accept our policy or don't use our site, perhaps the EU will evolve the regulations."

Or you could say -

We all know that this won't happen anyway because what website in its right mind make itself too hard to use? If it becomes a case of accept our policy or don't use our site, perhaps websites will stop using so many damned unnecessary and unwanted cookies.

Seriously, have you looked at how many thousands of cookies the average browser holds these days? Jaysus. Given the tiny number of sites I actually require to hold account details for me, it's nuts.

Session cookies I have less of an issue with when they're used for actual useful stuff (shopping baskets) and are not third party.

Cookies (1)

cultiv8 (1660093) | more than 3 years ago | (#35439826)

will never die.

Do not set (1)

Mystra_x64 (1108487) | more than 3 years ago | (#35439858)

Do not set any cookies if person is not registered (here is your consent). Problem solved. Actually, that would be pretty nice.

Re:Do not set (0)

Anonymous Coward | more than 3 years ago | (#35440352)

One small problem -- In order to register you must create an account... In order to create an account you must allow cookies (these pre-registration cookies serve as nonce values to help prevent spam).

I've got a better Idea: If you don't want cookies on your browser, don't enable them, those of us who aren't dumb know that cookies are useful.
User state must be maintained somewhere -- Cookies give state to the stateless HTTP protocol so you can "sign in" to this very website.

Firefox > prefs > Privacy > Firefox Will : &gt Use custom settings for History :

Uncheck the "[x] Accept cookies from sites".

Less retarded individuals may leave cookies enabled, and instead uncheck "[x] Accept third-party cookies".

However, even the slightly knowledgeable individuals will note that this doesn't block flash cookies. [mozilla.org]

Back in the days before cookies we used the HTTP-REFERER header as well as the IP address and URL query portion (?USR=B4AC2.P3Y45) in links to "track" people so that they could stay logged in...

To disable your HTTP-REFERER header in Firefox: address-bar > "about:config"

filter "http.send", double click: "network.http.sendRefererHeader" and set the value to "0" (zero).

To disable websites from accessing your IP address or query parameters, simply press and hold Alt then press F4. (Mac: Option + W) -- This is actually the BEST way to keep websites from "tracking" you.

Seriously -- I've figured out ways to use cached JavaScript code, images, documents, style sheet text colors, the window size and position, the content size of the current window, the god damn USERAGENT string, and loads more to track people who disable cookies (Java Applets, Flash, ActiveX, auto-filled form contents, etc, Base64 encoded CSS images, ) Do you know why? Because idiots WANT to be tracked, (so they can log in), but they DON'T want to use Cookies!

These idiots that disable their cookies will call to complain that they can't log in, and when told to enable the damn cookies they fly off the handle because the media-fear-monger shit in their heads instantly reaches critical mass.

Fact: HTTP / HTML (the web) Was NOT originally designed to allow logins, or other nifty things like web-chat, web-mail, etc. It was supposed to be static. All the cool stuff you want to do has been hacked in -- many such features require user state, and a simple solution is to use cookies.

Don't get me wrong, there are harder solutions, but they all do the same damn thing: Store a bit a funky looking bit of data on your end to identify you when you make another connection. The web is free largely because of Advertising -- Disable 3rd party cookies won't keep a server from pasting your user token into the URL of the ad-server's file: SomeAds.com/affiliate/vc1030/?unique=YOUR_ID, disabling cookies doesn't disable the HTTP-REFERER header (that the embedded ads company will see).

Thus, the "no cooikes or text files" requirement is bogus -- HTTP-REFERER + GET query string == more than enough to track you server side (sans cookies). It's just harder... The ad server would create a mapping between the different sites unique user token and the internal data representing your data on the ad server. (I wrote such a program in 1999, all these techniques are already in use by many advertisers -- the cookies are just a bit of extra bonus data -- the "Sweet, I can save time on a database lookup" kind of icing on the cake.) Disabling cookies just makes it harder for you to use the web. For fuck's sake -- Get over the damn cookies! They have your IP address and the current time!

Stupid (1)

localman (111171) | more than 3 years ago | (#35439870)

Sure, cookies can be used for shady purposes but for heaven's sake - every useful website I can think of uses the hell out of cookies. It's the only practical way to maintain UI state. Browsers already have the ability to warn per cookies. They used to come with this turned on by default, but most have stopped that now. Ever tried turning those warnings on in the past ten years? You can't possibly browse the web like that. Even a once-off per site setup is absurd. This is the result of passionate but ignorant people.

Oh well. Like most such laws, there will almost surely be a legal workaround that dodges the spirit of the law. And in this case thank god for that.

Re:Stupid (1)

Nursie (632944) | more than 3 years ago | (#35440022)

"Ever tried turning those warnings on in the past ten years? You can't possibly browse the web like that."

Yup, it's crazy the number of cookies now being set/read when you visit modern sites. This is a very strong positive for the legislation though.

Me, I use "Cookie Monster" in firefox. It allows me to deny all third party cookies outright, and default-deny the rest. It has a neat little menu to allow cookies from a specific site on temporary basis (Let it set cookies until the browser is restarted), allows session cookies only or allow full access.

Coupled with ABP it makes me much happier about the net, and makes the net a much happier, quicker place.

Compromise. (1)

zmollusc (763634) | more than 3 years ago | (#35439892)

How about a browser option of 'accept all cookies - but delete them once the session is over'?
The tracking companies get their cookies accepted and privacy is maintained. Everyone is happy. Kind of.

Re:Compromise. (0)

Anonymous Coward | more than 3 years ago | (#35440020)

Most browsers can be set to delete cookies/history/cache/session IDs as part of the shut down already, so set your preferences accordingly.

Re:Compromise. (1)

Nursie (632944) | more than 3 years ago | (#35440032)

They should build the "Cookie Monster" addon into FF by default, with a sensible set of defaults (like auto-deny third party cookies).

That would cover it.

Re:Compromise. (2, Informative)

Anonymous Coward | more than 3 years ago | (#35440040)

Already exists in Firefox ! Accept cookies from sites ... Keep until: I close Firefox

Re:Compromise. (1)

wvmarle (1070040) | more than 3 years ago | (#35440170)

You mean like Firefox's Private Browsing mode?

I predict (0)

Anonymous Coward | more than 3 years ago | (#35439904)

A bright future for libraries doing browser fingerprinting and other tricks that enable tracking.

Ghostery for FF (3, Interesting)

b4nd0ler0 (1597801) | more than 3 years ago | (#35439924)

As for third party cookies: I use Ghostery on Firefox and it works pretty well and it's pretty unobtrusive once configured. It's amazing to see how many of these cookies are used and abused. Some sites have literally dozens of them. (./ has two: Google analytics and Addthis). FB and Twitter are major culprits, they have no business tracking me when I'm visiting some other site, I'm not one of their users and I don't give a sh`t about what they do. I support this legislation, we just don't know how much user data these companies are gathering and for what use so it's basically saying that you cannot track people that doesn't want to be tracked.

Oh so important anti-virus scanners! (1)

Coolhand2120 (1001761) | more than 3 years ago | (#35439976)

This comes from anti-virus and anti-malware programs labeling cookies as threats in order to make themselves appear more usefull than they really are: "oh look boss, this cookie was going to kill your cat!". So the layman uses his computer and sees his Norton fuck-ur-comp2201 report that www.target.com is trying to H4X0R their computer. Knowing the insidious nature of the evil corporate entity known as target said layman writes his representative informing him of the ticking time bomb Norton shit-tron-1117 reported.

Dear Sir or Madam,
I am writing to inform you of the insidious nature of the virus/malware/fascist threat known as a "cookie". In spite of its innocent name, hidden inside this simple text file is a menace so horrible that it should be expunged from the face of the earth. I'm not sure what it does, but I certainly don't want my children taking cookies from strangers without my express consent.

Reguards, J. Gearstorfer II esq. Lt. Gen. Ret. etc..

Of course when you lump cookies into the same category as trojan horses people are going to react this way. The nonsensical way some anti-malware programs behave is unethical. You cannot say "all cookies are bad" because it's simply a load of shit. I'm a highly experienced web developer and I really cannot think of any way that a cookie can harm you, your computer or your cat.

A cookie is just as revealing as your IP or your IP's RDNS entry. The only reason web sites use cookies is because they have no other way to distinctly identify which computer is hitting their web site from the other side of a NAT (your firewall). If each computer had a distinct static IP address (IPv6 or MAC) there would be no need for cookies. That cookies are somehow dangerous sounds just like people calming that vaccines are giving their children autism.... No... Actually, the vaccine people have a better case.

You absolutely need cookies to make web programs work and prevent accidental session hijacking. Any other method is a joke and therefore not used by serious programmers. Cookies cannot harm you. The worst thing that can happen is someone could tell you went to www.target.com because you have a cookie that says that on your computer, BFD.

This is not a score for privacy. This is a score for ignorance.

Re:Oh so important anti-virus scanners! (1)

zmollusc (763634) | more than 3 years ago | (#35440104)

Could you explain why cookies are 'absolutely needed'? Or provide a link? I can see how cookies are useful, but I don't see how they are vital.

Re:Oh so important anti-virus scanners! (1)

Coolhand2120 (1001761) | more than 3 years ago | (#35440326)

I mentioned it in my post:

The only reason web sites use cookies is because they have no other way to distinctly identify which computer is hitting their web site from the other side of a NAT (your firewall).

It's so they can tell it's the computer in the living room and not the computer in the bedroom. Or if you like an office analogy, it's so Sue in accounting doesn't get the same Facebook page as Ted in IT.

Technically speaking, the only information visible to the servers on the internet is the IP/MAC address of your nat/firewall/whatever, the computers behind the nat/firewall/whatever cannot (by design) expose their unique IDs (MAC or Media Access Control addresses) to the internet server because the MAC address given is of the NIC in the nat/firewall/router, not of the client computer. Yes, there are other ways of tracking people, such as browser signature or some other organic information about the client, but this is in no way a solution. If Sue in accouting uses the same browser and OS as Tim in IT (very likely!) than they appear to be the same person to the internet server. Without the infamous cookie Sue see's Ted's Facebook page (and has some trouble explaining why he friended Sue's girlfriend).

Really it all comes down to this: IPv4 doesn't have enough addresses to go around, so we stick UUIDs [wikipedia.org] in text files on each computer that visits a given site to uniquely identify them from other user's who visit the same site.

Re:Oh so important anti-virus scanners! (1)

DigitalSorceress (156609) | more than 3 years ago | (#35440192)

Coolhand2120, you've hit the nail precisely on the head.

I remember back when anti-virus apps first started to whine about cookies, I was like, "what? do these guys have ANY CLUE how the web works?". I eventually came to the conclusion that they did, but that they were benefiting from the appearance that they were stopping all this "evil" stuff.

Cookies are an absolutely essential way to maintain state across multiple visits from a given user on a web site. As always, XKCD is on-the-ball ... http://www.xkcd.com/869/ [xkcd.com]

I only ever use session cookies on web sites/apps that I build. Then again, I don't have anything to do with advertising.

Re:Oh so important anti-virus scanners! (3, Interesting)

wvmarle (1070040) | more than 3 years ago | (#35440198)

Well I agree with you that a cookie may not physically harm you; and that they are very useful tools for web site programming.

Yet the primary problem with cookies is the third-party cookies that ad networks place on your computer. So this ad network can track which web sites you visit. This has no use for you as end user; it only servers to give the ad network more information about you. They can see you visit slashdot, they can see you visit certain lolcat related sites, they see you visit amazon, they follow you whenever you hit a web site where their ads (and cookies) are served. And that is the problem they most likely want to tackle as that is where privacy is an issue.

Delete them yourself (0)

Anonymous Coward | more than 3 years ago | (#35440004)

I simply set my browser to delete all cookies on exit. I still use firefox for the extension to also delete flash cookies. I log out every few days just to reset them all.

Consider this submission (1)

qmaqdk (522323) | more than 3 years ago | (#35440062)

NickstaDB writes

"From the CNN article: 'From 25 May, US laws dictate that "explicit consent" must be gathered from web users who are being tracked via text files called "cookies". These files are widely used to help users navigate faster around sites they visit regularly. Businesses are being urged to sort out how they get consent so they can keep on using cookies.'"

And then consider how different the reactions and comments would be.

Is logging in explicit consent? (0)

Anonymous Coward | more than 3 years ago | (#35440066)

If they slap a notice on a login page saying "by logging in you are consenting to having this site track you", then doesn't that sort it for most sites? It's explicit because you have to log in to proceed.

Maybe this is an underhand way of pushing a technology upgrade to HTML5 and web storage!

Throwing the baby out but keeping the bath water (0)

Anonymous Coward | more than 3 years ago | (#35440072)

Most user fingerprinting that people should be concerned about can be done without any cookies. Development on these techniques hit full swing when all the browsers started tightening the screws on cross-site scripting protection which also included much stricter enforcement of cookie policies. So this will do little to nothing to actually stop the big players, governments, etc from identifying a browser or even a user across multiple browsers (something cookies alone can't possibly do).

As a web developer, I just wonder how much it will cost to audit all of our software (both written in-house and purchased software) that may use cookies to store session data, shopping details, form data for allowing the user to quickly shuffle back and forth through form screens without losing previously-entered data, etc.

The only cookies I can think of that we use that can be considered tracking are cookies used to keep track of visitors that came from specific affiliates so that the affiliate can be properly credited with the purchase. I have to assume that these will now need explicit consent, which will either result in a cascade failure of online affiliate systems, yet another "OK" / "Accept" button that users are conditioned to always confirm without any thought of origin or purpose, or a complete migration of developers from cookies to more insidious ways of tracking users that avoid cookies and could usher in even more privacy concerns.

The last possibility is the most-concerning and most-likely as it has already happened on the large-to-medium scale; the solutions would simply become more widely available and pervasive. These solutions also use such a variety of information to fingerprint users that coming up with a law that effectively bans such tracking would effectively gut the HTTP protocol and many established standards.

I know this as I created a proof-of-concept next-gen analytics system three years ago that could track users across multiple sites and with enough data on a user, could identify them as they switched between different computers and browsers. No cookies were used and Javascript on the client was not required. Clients with Javascript enabled simply provided more robust fingerprinting data as icing on the cake.

You can find out more about how this is done by visiting the EFF's Panopticlick [eff.org] site. I never launched my analytics engine as I quickly found out that I was not the first one to figure out these techniques and as I got closer to launch, a huge number of competitors jumped into the space, so I decided to look for less crowded avenues.

Fact is that there will always be people that want to keep track of you with or without your consent. No matter what changes of technology or laws occur, they will still successfully do this.

Re:Throwing the baby out but keeping the bath wate (1)

Nursie (632944) | more than 3 years ago | (#35440112)

Sure, they will, but there are things that can be achieved simply by blocking some cookies.

For instance - why should facebook be able to track people across every site with a "like this on facebook" button, regardless of whether they have a facebook account?

This can be worked around by switching off third party cookies (and perhaps blocking any content loaded from fb when not actually visiting FB), which IMHO aren't useful for anything BUT tracking.

I can't say it would bother me to see all the "affiliates" on the net die off.

In Denmark (1)

terminal.dk (102718) | more than 3 years ago | (#35440230)

The interpretation of the EU regulation is different. I think the latest bet on how Denmark understand the EU regulation is:

The users must be informed that cookies are used, and always have easy access to the "cookie policy".
The user must have a way to opt-out. It is still debated if it is enough to inform him how he adds sites to the Internet Zone, and denies cookies to sites in the Internet Zone. Persistent Cookies needs user approval, session cookies not.

There is also the other solution that wil kill the regulation: Just tell users that to use the site they must accept cookies. If they don't, they can go away. When they can visit no websites at all, they will start accepting the cookies. Most technical skilled people thinks this is the worst law ever decided by the EU. So many websites are dependent on cookies today, that most of the web would stop working if cookies was disabled.

As it is now, it is the user that decides if he want JavaScript or Cookies.

wtf?? (1)

mshenrick (1874438) | more than 3 years ago | (#35440298)

1. the user sent the information in the first place 2. the cookies are on thir computer 3. just use a cookie blocking extension, no need for server side implementation

Not my job. (1)

Lord Bitman (95493) | more than 3 years ago | (#35440354)

I have a perfect solution! Rather than continuing to use magical cookies which can follow you around and tell everyone where you've been, I'm going to re-implement a cookie-like thing which cannot possibly do anything you don't want!

Here's how it will work: When you go to my website, I will send your browser a "brownie". The "brownie" will just be a short text string.
Then, if you want me to track you, simply inform your browser that you would like to send back the "brownie". whenever you connect to my server.
In this way, every single connection will require explicit consent to be maintained! If your browser doesn't send the "brownie" with every connection, I won't track you.

The unicorns which maintain the magical cookies that track you without requiring your browser to explicitly send them back every time may be upset by this scheme, but I am never in favour of rejecting a technology simply because it will put people out of work.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>