BBC Site Uses Cookies To Inform Visitors of Anti-Cookie Law

timothy posted more than 3 years ago | from the only-criminals-will-have-cookies dept.

Privacy 98

Andy Smith writes "As of 26 May 2011 web sites in the UK must get a user's permission to set cookies. If you go to the BBC's commercial TV listings site Radio Times you'll see a message telling you about the new law. Go to the site again, though, and you don't see the message. How does the site know you've already seen it? By setting a cookie of course! It doesn't ask for permission."

98 comments

Lack of tech know how (1)

MrDoh! (71235) | more than 3 years ago | (#36272076)

I guess that's what happens when law makers don't really get what's going on, and the techies tasked to implement this stuff don't really care.

Re:Lack of tech know how (1)

Larryish (1215510) | more than 3 years ago | (#36272142)

un

Un

UN

UN!

Un Fucking Enforceable

Re:Lack of tech know how (5, Informative)

beelsebob (529313) | more than 3 years ago | (#36272224)

No, that's what you get when the person writing the article doesn't understand what's happened - it's absolutely legal to store cookies that are required for the functionality of the site. This will clearly count. What's not legal is storing cookies that are only for tracking you without asking.

Re:Lack of tech know how (1)

Arancaytar (966377) | more than 3 years ago | (#36272444)

If you code the site to be non-functional without cookies, then every cookie will be required for the functionality of the site.

Re:Lack of tech know how (1)

Mitchell314 (1576581) | more than 3 years ago | (#36275186)

And if you outlaw all cookies, only criminals will have cookies.

Wait . . .

Re:Lack of tech know how (1)

bryan1945 (301828) | more than 2 years ago | (#36285020)

Why do you think he's called the Cookie MONSTER?

Re:Lack of tech know how (1)

outsider007 (115534) | more than 3 years ago | (#36272730)

Track users without asking? What sort of "cookie monster" would do such a thing?

Re:Lack of tech know how (0)

Anonymous Coward | more than 3 years ago | (#36273144)

The two aren't mutually exclusive you know. You can easily make a site where an essential cookie is also used for tracking.

Re:Lack of tech know how (1)

Anonymous Coward | more than 3 years ago | (#36273410)

Of course you can. But that is not the point. The point is that it's perfectly fine to store a cookie with field pair noticeshown=true. That is not information that can identify you. And don't start arguing that they could save it as noticeshown=id2458928 or some bullshit. Obviously they could. I could also try to rob a bank, but those things would be illegal to do.

Can somebody explain how this works? (0)

Anonymous Coward | more than 3 years ago | (#36272384)

I am the IT guy for a small European company that does business in many places, including the UK. Our website uses cookies for a couple of things, most importantly to determine which language to show the website in. We have a custom CMS/CRM written in PHP that does its job of serving the website and managing customers and their purchases very well. But it is a complex, fragile and undocumented technical nightmare that I hate diving into without absolute necessity and which I cannot afford to have re-written.

I recently learned of this directive, and I was wondering if somebody out there could explain (or point me to a resource) on what exactly I have to do to be in compliance. Are session cookies OK? If not, I have a lot of work to do to make this thing work without the $_SESSION variable. What about third-party analytics software, like Xiti or google analytics?

Is anybody else out there in this position? What are you doing about it?

Re:Can somebody explain how this works? (1)

realityimpaired (1668397) | more than 3 years ago | (#36272426)

Not in this position, but the HTTP_REQUEST does include the language of the user's browser (accept-language)... It is fairly safe to assume that your site visitor wants it in the language that their browser is, and give them the option to change that language with a cookie to save it.

As an added bonus, if the site automatically looks at the accept-language and serves up a German-language storefront without the user having to click on German after being presented with an English default, it may improve your sales by not driving away some customers who may think your site isn't available in their language.
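One way to do what the comment above suggests, as an added example that is not part of the original thread: pick the language from the Accept-Language header and honour a stored choice only when the visitor has made one. The function names, the supported-language set and the sample headers are assumptions made for the illustration.

```python
# Added example: language negotiation from Accept-Language, with a stored
# choice honoured only if the visitor explicitly picked one earlier.
# All names and sample headers here are constructed for illustration.

def parse_accept_language(header):
    """Return the language tags of an Accept-Language header, best first."""
    ranked = []
    for position, item in enumerate(header.split(",")):
        tag, *params = [p.strip() for p in item.split(";")]
        if not tag:
            continue
        q = 1.0  # a tag without a q parameter has quality 1
        for param in params:
            key, _, val = param.partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0  # malformed weight: treat the tag as refused
        if q > 0:
            # Sort by descending q, then by original order in the header.
            ranked.append((-q, position, tag.lower()))
    return [tag for _, _, tag in sorted(ranked)]


def choose_language(accept_language, supported, default, stored_choice=None):
    """Pick the site language without needing a cookie on the first visit."""
    # A stored choice exists only after the visitor used the language switch.
    if stored_choice in supported:
        return stored_choice
    for tag in parse_accept_language(accept_language or ""):
        if tag == "*":
            return default
        # Try the full tag first ("de-ch"), then its primary subtag ("de").
        for candidate in (tag, tag.split("-")[0]):
            if candidate in supported:
                return candidate
    return default


SUPPORTED = {"en", "de", "fr"}

if __name__ == "__main__":
    for header in ("de-CH,de;q=0.9,en;q=0.8", "fr;q=0.3, en;q=0.7", "ja"):
        print(header, "->", choose_language(header, SUPPORTED, "en"))
```
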

Re:Can somebody explain how this works? (1)

pjt33 (739471) | more than 3 years ago | (#36273030)

The UK's Information Commissioner issued some advice [ico.gov.uk] which isn't really finished but provides a good starting point. The big problem is that we don't have a good enough definition of what "strictly necessary" for the function of the site means. I've seen it interpreted (I think it was by a spokesman for the European Commission, but I didn't make a note at the time) as meaning cookies needed to perform a function requested by the user. The example given was a shopping cart - the user requests you to put an item in the cart, so you don't need to ask permission to use a cookie to associate that cart with the user.

Third party analytics software seems to be the target they're really shooting for, so I think we're going to have to move towards asking permission for those.

Re:Can somebody explain how this works? (1)

Hognoxious (631665) | more than 3 years ago | (#36276960)

Our website uses cookies for a couple of things, most importantly to determine which language to show the website in.

I really hope it doesn't try to guess by working it out from the client's IP address.

Because if it does, I hate you.

session cookies (1)

Alain Williams (2972) | more than 3 years ago | (#36294478)

Are session cookies OK?

I asked the ICO (Information Commissioner Office) exactly that question about a month ago, they have not replied in spite of a reminder. If they cannot answer a simple question like that then I have to assume that they don't know what they are talking about.

love it (1)

Quick Reply (688867) | more than 3 years ago | (#36272082)

shows how stupid the cookie law is

Why? (0)

Anonymous Coward | more than 3 years ago | (#36272084)

Why is this necessary?

Also, I use no script so I never saw that "notice". Does that mean it's still breaking the law?

What is this protecting me from?

Re:Why? (0)

Anonymous Coward | more than 3 years ago | (#36272372)

What is this protecting me from?

Cookies are fattening.

That's genius (1)

Anonymous Coward | more than 3 years ago | (#36272086)

Not all cookies are tracking cookies; legislators appear to have overlooked this.

idiot submission (5, Informative)

Anonymous Coward | more than 3 years ago | (#36272100)

The new cookie laws are only about tracking cookies, not session cookies or cookies necessary for the functioning of the website.
That cookie is not a tracking cookie, as such it isn't breaking the law. Non-news.

Re:idiot submission (1, Informative)

ColaMan (37550) | more than 3 years ago | (#36272168)

Er, I don't want to be Captain Obvious here, but doesn't the cookie *track* who has seen or not seen the message about the cookies?

Re:idiot submission (4, Informative)

Anonymous Coward | more than 3 years ago | (#36272218)

Probably not, if the cookie only contains "Don't show the message again", it isn't tracking. Tracking is when the information makes you uniquely identifiable, which this clearly isn't.

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272612)

It might be unique... what if I'm the only one who would like to see the message again?

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272698)

I agree that a single bit worth of information does not allow tracking. However, what if there are another 20-30 settings you can make on the site (or which can be made for you, depending on which browser you have)? Then the cookie might just be storing settings, but they could still be unique for the user and thus allow tracking.

Re:idiot submission (1)

ColaMan (37550) | more than 3 years ago | (#36276706)

Alright, I checked the cookie and all it says is "true". Which is OK.

Of course, they're still setting a couple of cookies at the moment. This cookie is just a cookie to let them know that they've let you know that sometime in the future they're going to do something about your preferences in regard to the setting (or conversely, not setting) cookies on your computer when you access their domain.

Onwards!

Re:idiot submission (2)

Co0Ps (1539395) | more than 3 years ago | (#36272172)

Ummm.. it tracks if you have given permission for cookie tracking. Doesn't that make it a "tracking cookie"? Aren't all cookies tracking cookies? The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

Re:idiot submission (4, Informative)

SilentChasm (998689) | more than 3 years ago | (#36272208)

By tracking cookies I think they mean uniquely identifiable, like an ID number for a specific user that they can then tie advertising preferences to. Tracking stuff like site settings seems like an actual valid use of cookies.

I do agree with you though on the "necessary for the functioning of the website" loophole, as they could just include advertising tracking as "necessary" (for financial reasons of course).

Re:idiot submission (-1)

Anonymous Coward | more than 3 years ago | (#36272388)

A HTTP-server can track the client host without uniquely identifiable information in a cookie. Example:

1. HTTP-server sends cookie "TrackInfo=1" to client.
(Behind the scenes) 2. HTTP-server stores a registry of the client's MAC-address and the sent cookie.
3. Client issues a search command for "Nikon Cameras" to the HTTP-server.
4. HTTP-server relays back result.
(Behind the scenes) 5. HTTP-server adds "Nikon Cameras" to the registry under the client's MAC-post.

Now, the HTTP-server has tracked 2 facts about the client host.
* This client-MAC has already seen the tracking information (cookie)
* This client-MAC has a special interest in "Nikon Cameras" (search)

Let's say the client now erases his cookies, for the reason that he should not be personally track-mapped.
So when the client connects to the HTTP-server again the next day, this is what happens:

6. Client requests main page from the HTTP-server.
(Behind the scenes) 7. HTTP-server looks up the client's MAC-address. Finds the 2 tracked cookie-fields.
8. HTTP-server sends main page, without the tracking information and with Nikon & Camera ads, to the client.
(9. Client rages.) xD

Re:idiot submission (1)

Anonymous Coward | more than 3 years ago | (#36272410)

Your story sounds wonderful, it is just missing out on the small little detail that the server doesn't know the client's MAC address...

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272766)

Damn! With doubt I knew I should have looked that up in Wireshark before posting. But I am too lazy. =)

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272418)

Sorry, that's not 'cookie-fields' but just 'fields'.

(Behind the scenes) 7. HTTP-server looks up the client's MAC-address. Finds the 2 tracked fields.

Re:idiot submission (1)

MichaelSmith (789609) | more than 3 years ago | (#36272420)

How does a web server not on my network get my MAC address?

Re:idiot submission (1)

walshy007 (906710) | more than 3 years ago | (#36273582)

By connecting to it over IPv6 with an autoconfigured IPv6 address. It uses your MAC address for the host portion.
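What the comment above describes, as an added example that is not part of the original thread: a check for whether an IPv6 address carries a modified EUI-64 interface identifier (RFC 4291) and therefore exposes the interface's MAC address on every network it joins. The sample addresses use the documentation prefix and a documentation-range MAC and are constructed; an address with a randomised identifier, as the privacy extensions of RFC 4941 produce, is included for contrast.

```python
# Added example: detect MAC addresses embedded in autoconfigured IPv6
# addresses. All sample addresses below are constructed.
import ipaddress


def embedded_mac(addr):
    """Return the MAC inside a modified EUI-64 address, or None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    # Modified EUI-64 inserts ff:fe between the two halves of the MAC.
    # (A random identifier can contain ff:fe by chance, about 1 in 65536.)
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit flip applied to the first octet.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


def stable_across_networks(addrs):
    """Return MACs that show up under more than one /64 prefix."""
    prefixes_by_mac = {}
    for addr in addrs:
        mac = embedded_mac(addr)
        if mac is not None:
            prefix = ipaddress.IPv6Address(addr).packed[:8]
            prefixes_by_mac.setdefault(mac, set()).add(prefix)
    return sorted(m for m, p in prefixes_by_mac.items() if len(p) > 1)


SAMPLES = [
    "2001:db8:aaaa:1:200:5eff:fe00:532a",   # EUI-64 address on network A
    "2001:db8:bbbb:7:200:5eff:fe00:532a",   # same interface on network B
    "2001:db8:aaaa:1:a4c7:19d2:5e0b:7f31",  # randomised interface identifier
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", embedded_mac(sample))
    print("seen on several networks:", stable_across_networks(SAMPLES))
```
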

Re:idiot submission (1)

MichaelSmith (789609) | more than 3 years ago | (#36276288)

Okay I understand that now, but it's not going to work in many places yet.

Re:idiot submission (1)

CapOblivious2010 (1731402) | more than 3 years ago | (#36272666)

Even leaving aside the MAC address problem, why would the client "rage" about seeing ads for something he's actually interested in? If you're gonna have ads on the page anyway, isn't that better than ads for, say, feminine hygiene products?

Re:idiot submission (1)

Hognoxious (631665) | more than 3 years ago | (#36276990)

why would the client "rage" about seeing ads for something he's actually interested in?

Maybe I'm not interested in them now. Perhaps I read in a magazine that Canon are better, or whatever.

I've used sites like that before. I find it annoying when a dumb machine tries to second-guess me.

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272242)

Well it is fairly obvious if an advertising company is placing cookies every time one of their ads is displayed, that the cookies are not necessary.

Re:idiot submission (1)

al4 (2208636) | more than 3 years ago | (#36273280)

The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

The wording of the law is "strictly necessary", and is from the point of view of the consumer, not the website owner. Even in the case of affiliate marketing where the referring site doesn't get paid unless a cookie is set, you can't argue that a tracking cookie is strictly necessary because in that instance the consumer's experience is the same whether the cookie is set or not.

Re:idiot submission (2)

pclminion (145572) | more than 3 years ago | (#36273492)

The only thing web masters have to do is to claim that all their cookies are "necessary for the functioning of the website" and "not tracking cookies". Isn't that a huge loophole?

That's why we have these funny buildings called "courthouses" where we evaluate things critically instead of using the law like an algorithm.

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36274704)

That's why we have these funny buildings called "courthouses" where we evaluate things critically instead of using the law like an algorithm.

Keep fishing for that +Funny moderation, you'll get one eventually.

Re:idiot submission (1)

Co0Ps (1539395) | more than 3 years ago | (#36276340)

Yeah, because the courthouses don't have anything important to do anyway and I bet the justice system loves obscure laws where the outcome depends on intent and motivation rather than objective evidence............

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272196)

I suspect "Andy Smith, newspaper photographer" is more interested in having people visit his website than in presenting a balanced treatise on the current situation. Good luck with reducing the number of "No comments" posts, Andy. Hint: post relevant, and sensible.

Re:idiot submission (1)

Anonymous Coward | more than 3 years ago | (#36272554)

Have you actually read the update to the law? I'm betting no.

6 (1) Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal
equipment--
(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Source [ico.gov.uk]

The bit not in bold is the law before 26th May - the bit in Bold is now in effect. It doesn't differentiate between different types of cookie, their functionality or anything else. Consent must be gained for any use.

It leaves open hundreds of questions, but under no interpretation can you say "it only applies to tracking cookies".

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36272708)

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information--

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

So 4b is probably an exception in this case since this is strictly necessary for the functionality.

Re:idiot submission (1)

Blakey Rat (99501) | more than 3 years ago | (#36273982)

So forgive my ignorance, but what exactly does the law say?

I assume first-party session cookies are ok. Does it only ban third-party cookies? What about third-party session cookies? What about on sites that span multiple domains, where the third party cookie may be necessary for a user to remain logged-in?

There's a lot of debate here on what constitutes "tracking cookie" or "necessary for the site to function", but what does the actual law say?

Re:idiot submission (1)

quarkoid (26884) | more than 3 years ago | (#36275604)

Why would you think that it's only about tracking cookies? The legislation is quite clear:

(1) Subject to paragraph (4), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment -
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(3A) For the purposes of paragraph (2), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The whole law is about storing and/or accessing data stored on a user's PC. Please tell me where 'tracking cookies' are mentioned?

Re:idiot submission (0)

Anonymous Coward | more than 3 years ago | (#36276882)

This isn't true. Session cookies *are* included. All cookies are. The law actually covers all technologies for storing information on a user's device, including flash cookies, and does not state anywhere that I have been able to find that it only applies to tracking.

As far as exempting cookies "necessary for the functioning of the website" is concerned what the latest advice [ico.gov.uk] (PDF) from the ICO says is "The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user" (emphasis mine). The example it gives is a shopping cart. I doubt a breadcrumb trail, for example, will count.

Read the full advice - it's going to be a tricky bastard to implement.

Unintended Irony (0)

Anonymous Coward | more than 3 years ago | (#36272102)

The vast majority of techs and people in general don't think about what they're doing, so sometimes this kind of humor ensues. Sort of like that time a MS Server campaign was exposed by netcraft as being hosted on *nix.

Re:Unintended Irony (1)

Kalriath (849904) | more than 3 years ago | (#36273674)

By which you mean "served via the Akamai caching network, which happens to use Linux". You might want to pick an example which is actually true.

Guess you didn't read their link (4, Informative)

Blahah (1444607) | more than 3 years ago | (#36272128)

If you follow the link in the pop-up, the BBC website explains that the changes will be phased in gradually over the Summer.

"The government's view is that there should be a phased approach to the implementation of these changes. Over the summer, we will be working on developing the best methods for obtaining your consent.

In the meantime, you can control cookies by setting your device to notify you when a cookie is issued, or not to receive cookies at any time. We will ensure that we continue to provide you with clear and comprehensive information about the cookies we use, so that you can make informed decisions."

On top of that, the law only covers tracking cookies, but the BBC is going to include all cookies in its policy. No story here.

Olo:Ha (2)

Fuzzums (250400) | more than 3 years ago | (#36272136)

But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.

Re:Olo:Ha (1)

lwoggardner (825111) | more than 3 years ago | (#36272288)

But there is a significant difference between a don't-show-message cookie and a we-know-everything-about-you cookie.

Is there? If the cookie is persistent (survives browser close) then it just contains a big random number that might uniquely identify you. This big random number is a key to the server side database that stores everything-we-know-about-you, including the bit about you having seen the message. You have no way of knowing if that is all they are tracking.

Re:Olo:Ha (1)

Fuzzums (250400) | more than 3 years ago | (#36272334)

Or it might just contain "seen message = true".

Re:Olo:Ha (0)

Anonymous Coward | more than 3 years ago | (#36272412)

ARPT=IMXIXIS192.168.100.82CKOMU
ARPT=IMXIXIS192.168.100.82CKOMW
ARPT=IMXIXIS192.168.100.82CKOMY
ARPT=IMXIXIS192.168.100.83CKOMW
JESSIONID=4FA920D8AD12E496F562A20842706673
gwpCookieDisplayed=true

So, the cookiedisplayed one is good.
Then you get the sessionid in there.

Re:Olo:Ha (1)

Cyberax (705495) | more than 3 years ago | (#36272516)

JSESSIONID is not a persistent cookie, it'll be gone upon the restart of the browser.

Re:Olo:Ha (1)

quarkoid (26884) | more than 3 years ago | (#36275630)

Your comment is irrelevant - please read the legislation.

Any cookie (be it tracking/temporary/whatever) is covered.

Re:Olo:Ha (0)

Anonymous Coward | more than 3 years ago | (#36278110)

If session cookies which are not stored in non-volatile memory count as "data stored on the computer", then the entire contents of the webpage itself also count.

Re:Olo:Ha (1)

TheRaven64 (641858) | more than 3 years ago | (#36272456)

There is a fairly simple way - does every user with the same settings get the same cookie? You can verify that DuckDuckGo is not tracking you via cookies, for example, because each setting you change sets or clears a specific flag in the cookie. You can set the same settings on two computers, with different browsers on different IPs, and get exactly the same cookie. In contrast, you can tell that Google is tracking you because they give you a cookie with a unique key that references an entry in their database.

Re:Olo:Ha (0)

Anonymous Coward | more than 3 years ago | (#36272534)

What if the cookie contains something more mundane, though?

track:disable or track:enable, for instance? There's no hard or fast rules on what a cookie can contain, and a well designed one might just include settings in a human readable form, with no UID numbers present unless the user has opted into tracking.

Re:Olo:Ha (0)

Anonymous Coward | more than 3 years ago | (#36274346)

There are 9 cookies on my computer from Radiotimes.com. I've only ever been there once, today. Here is the cookie cookie.
Name: gwpCookieDisplayed
Content: true
Domain: www.radiotimes.com
Path: /
Send For: Any kind of connection
Accessible to Script: Yes
Created: Saturday, May 28, 2011 10:25:39 AM
Expires: Sunday, September 4, 2011 10:25:39 AM

It appears this one is rather benign. True, it doesn't expire right away, but it also doesn't contain any unique info.

What the other 8 cookies are doing... well you tell me?

Re:Olo:Ha (1)

Charliemopps (1157495) | more than 3 years ago | (#36272672)

If you're good at it, really there isn't.

Re:Olo:Ha (1)

Fuzzums (250400) | more than 3 years ago | (#36272784)

Technically they're the same. That's true.
In practice the first should only store if the user has seen the warning message.

Re:Olo:Ha (0)

Anonymous Coward | more than 3 years ago | (#36301280)

Temporary session cookies do not technically need to be "stored" on a computer, in the persistent sense only in the operational/runtime/memory sense.

The law does seem to cover non-temporary / non-session cookies, those are cookies with an expiry date.

The difference about whether it tracks you, is mainly down to it generating an identifiable / unique code, as part of the name or part of the value that is the cookie.

Now providing the BBC cookie effectively does "SERVED_NOTICE=true" then I can't see how it could be argued that it tracks the user, unless that user is the only user of the website.

One possible way around the law is to deliberately make your website use non-temporary cookies, instead of temporary cookies. Then claim it is needed to maintain the user's state for website operation.
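The two checks discussed in this subthread, put together as an added example that is not part of the original thread: whether two fresh visitors with identical settings receive the same cookie value, and whether the cookie outlives the browser session. The cookie names gwpCookieDisplayed and JSESSIONID come from the comments above; visitor_id, old_pref and every value except "true" are constructed for the illustration.

```python
# Added example: classify cookies by comparing the Set-Cookie headers that
# two clean clients with identical settings receive. Sample data constructed.

def parse_set_cookie(line):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    first, *rest = [part.strip() for part in line.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def load_visit(lines):
    """Map cookie name -> (value, persistent?) for one fresh visit."""
    jar = {}
    for line in lines:
        name, value, attrs = parse_set_cookie(line)
        max_age = attrs.get("max-age")
        if max_age is not None and max_age.lstrip("-").isdigit() \
                and int(max_age) <= 0:
            jar.pop(name, None)  # Max-Age <= 0 deletes the cookie
            continue
        # Expires or Max-Age means the cookie survives a browser restart.
        persistent = "expires" in attrs or max_age is not None
        jar[name] = (value, persistent)
    return jar


def audit(visit_a, visit_b):
    """Compare two clean visits made with identical site settings."""
    a, b = load_visit(visit_a), load_visit(visit_b)
    report = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            report[name] = "unpaired"               # cannot be compared
        elif a[name][0] == b[name][0]:
            report[name] = "shared-setting"         # same value for everyone
        elif a[name][1] or b[name][1]:
            report[name] = "persistent-identifier"  # unique and long-lived
        else:
            report[name] = "session-identifier"     # unique, dies with session
    return report


VISIT_A = [
    "gwpCookieDisplayed=true; Expires=Sun, 04 Sep 2011 10:25:39 GMT; Path=/",
    "JSESSIONID=7E1C04B9A25F4D63B8E0F3A1D9C6527A; Path=/",
    "visitor_id=a91f3c07e2d44b18; Max-Age=31536000; Path=/",
    "old_pref=; Max-Age=0; Path=/",
]
VISIT_B = [
    "gwpCookieDisplayed=true; Expires=Mon, 05 Sep 2011 08:02:11 GMT; Path=/",
    "JSESSIONID=0B7C55E1F3A94D2286C0D19E7A3F5B42; Path=/",
    "visitor_id=5d20be8843f1c96a; Max-Age=31536000; Path=/",
]

if __name__ == "__main__":
    for name, verdict in audit(VISIT_A, VISIT_B).items():
        print(f"{name:20} {verdict}")
```

A "shared-setting" verdict only says the value is not unique per client; as an earlier comment notes, a large enough combination of settings can still be distinctive.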

No Permission (1)

jmd_akbar (1777312) | more than 3 years ago | (#36272138)

CHUCK NORRIS doesn't need permission to set cookies in your system.

Re:No Permission (0)

Anonymous Coward | more than 3 years ago | (#36272176)

Chuck Norris is a doooosh bag.

language (1)

rossdee (243626) | more than 3 years ago | (#36272184)

In the UK, cookies are called biscuits.

Re:language (0)

Anonymous Coward | more than 3 years ago | (#36273848)

So we should now call them Cambridge University Magic Biscuits instead of MIT Magic Cookies? :)

Don't use this to prove God doesn't exist (2)

Provocateur (133110) | more than 3 years ago | (#36272200)

nt

Law is dumb (1)

troll -1 (956834) | more than 3 years ago | (#36272376)

This law is an example of what happens when overly zealous do-gooders try to protect people from themselves. If you don't want cookies, turn them off.

Re:Law is dumb (1)

SydShamino (547793) | more than 3 years ago | (#36277014)

So it would be okay if there were stores where, when you went inside to shop, the owner pick-pocketed you and made photocopies of your driver's license, all your receipts, and one or two of your credit cards? And then they took everything they found and shared it with all the other businesses in town?

Is that okay, as long as people who don't want to be tracked notice this and tell him "no"? Even if, when you tell him "no", he orders you out of his store? Oh, also every other store in town does the same thing?

Is that really and truly okay with you?

Re:Law is dumb (1)

mjwalshe (1680392) | more than 3 years ago | (#36280438)

Isn't that what store loyalty cards do? Track your purchases?

Re:Law is dumb (1)

SydShamino (547793) | more than 3 years ago | (#36297592)

Has a store ever secretly slipped a loyalty card into your wallet? Then snuck it out each time you've visited? Even if you don't buy anything or pay cash?

Re:Law is dumb (1)

mjwalshe (1680392) | more than 3 years ago | (#36300534)

They plug the damn things hard enough in supermarkets - and another similar case: newspapers break down their subscribers by analysing where they live and use that to monetize adverts and also sell targeted inserts.

Re:Law is dumb (0)

Anonymous Coward | more than 3 years ago | (#36277536)

This law is an example of what happens when overly zealous do-gooders try to protect people from themselves. If you don't want cookies, turn them off.

No, this would (on the surface at least— I haven't looked at the law in depth) be an example of a law that might actually make some sense. There is a difference between a tracking cookie and a session cookie. To turn off tracking cookies, you have to turn off all cookies, which means turning off session cookies. Since, technically, a cookie is a cookie, there is no technological solution to allow the turning off of tracking cookies without also turning off session cookies. Therefore, a non-technological solution is required.

Here's how it goes: (3, Informative)

VortexCortex (1117377) | more than 3 years ago | (#36272392)

Your Browser: Hey BBC, gimme a web page with the URI: http://raidotimes.com/ [raidotimes.com]

BBC Server: Here is the web page you requested, with cookie notification text (since you did not provide any cookie), and also a cookie.

Your Browser: Thanks! Let's see, the user settings say, "Accept Cookie" I'm permitted by the user to store this cookie.

--- Later ---

Your Browser: Hey BBC, gimme a web page [...] and also here's that cookie that you gave me which my user already gave permission for me to save and return to you via their preferences.

BBC Server: Ah, I see you provided me the cookie that if you had not given your browser permission to send me, I wouldn't be seeing right now -- I guess I won't show you that cookie info text this time.

YOU HAVE THE POWER TO DISABLE THE MOTHER FUCKING COOKIES -- USE IT AND STOP FUCKING UP OUR INTERNET WITH YOUR NOOB LAWS!

P.S. If the basic cookie settings aren't enough for you, use an existing plugin like Cookie Monster for Firefox -- More power over your god damn cookies than you could ever want. Honestly, if you don't understand it, leave it the fuck alone, before you hurt someone!

Re:Here's how it goes: (1)

Anonymous Coward | more than 3 years ago | (#36272438)

You're an idiot.

There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.

Sure, cookies can be disabled. By default, they're not. Guess why? The reason is that browser makers realized that things would break if you disable them and that - more importantly - many people lack the expertise to selectively fix the problem.

Of course, enabling cookies has its own problems - e.g. tracking. But these problems aren't noticeable. If a site uses cookies and doesn't work, the user realizes that something is wrong and adjusts his settings. If a site uses cookies and works but also tracks the user then... what? The user doesn't even notice.

And sometimes, you actually want cookies. For example, on a news site such as the BBC, you may want to be able to log in and post a comment... and then log out again and not have the site continue tracking you. How do you do that? Short of constantly disabling and re-enabling cookies on a per-site basis, there's no way. Expecting users to do that is idiotic and only shows a serious disconnect from reality on your part.

Legislation that bans tracking cookies unless the user opts in is fine.

In fact, consider this. If there were no problem, as you appear to be saying, then not only would this legislation be unnecessary, it would also not have any effect, as users are already opting in by means of their browser accepting cookies, right? In other words, there would be nothing to get upset over. But you are getting very upset (seriously, three different kinds of emphasis, and expletives on top of that?)... so obviously this law will change things. And that means that your argument that users are already opting in is invalid.

Re:Here's how it goes: (2)

Cogneato (600584) | more than 3 years ago | (#36272924)

Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it. Surely the better solution is at the browser level. Default it on to ask, give the user a way to turn it off. Or, default it to not ask, but show the user information about cookies and instructions to change the setting the first time they run their browser.

Education is an amazing thing. Web developers should not be subject to laws that are open to interpretation just because some people don't want to learn how to use something they are operating. Imagine if we applied the same philosophy to driving a car -- all owners of buildings need to post warnings that running into the building with your car can cause harm.

Yes, going on the internet takes a tiny bit of responsibility on the user's part. If the user is not smart enough to exercise responsibility with cookies when educated about them, imagine what they are doing with facebook, four square, hook-up dating sites, and so on.

Re:Here's how it goes: (1)

ianezz (31449) | more than 3 years ago | (#36278214)

Back in the day, I remember a setting on iBrowse (Amiga) that caused the browser to ask before accepting each and every cookie. I don't see that setting on my current browsers, though I may just be overlooking it

Firefox has such a setting, with the option to ask what to do for every cookie a website tries to set/update (which quickly gets annoying), plus an option to remember your choice for all subsequent cookies from that website. It's there in Preferences->Privacy->History->Use custom settings.

Re:Here's how it goes: (3, Interesting)

ammorais (1585589) | more than 3 years ago | (#36273464)

There's a lot of people on the Internet - billions, literally. The vast majority of them are not technically inclined; most have no idea how the Internet works or what cookies actually are.

And sometimes, you actually want cookies. For example, on a news site such as the BBC, you may want to be able to log in and post a comment... and then log out again and not have the site continue tracking you. How do you do that? Short of constantly disabling and re-enabling cookies on a per-site basis, there's no way. Expecting users to do that is idiotic and only shows a serious disconnect from reality on your part.

Did you know you can still track people without cookies? You can use a combination of user-agent/IP/browser/language to track you with considerable accuracy.
So your solution is to ask people that don't know/want to know what cookies are, if they want cookies? What kind of question box do you suggest?
Something like this perhaps?


Do you accept cookies? If you press YES this site will work
properly, and we can track you if we want to.
If you press NO this site won't work properly, but we can't
track you through cookies. We can still track you by other means
if we want to but not with cookies!

| YES | | NO |

Re:Here's how it goes: (1)

ozone702 (1243146) | more than 3 years ago | (#36273778)

Thanks for the info. I knew about cookie preferences in browsers (which are a pain in the ass to turn on and use), but I wasn't aware of the Cookie Monster plugin for Firefox. I'll have to play around with that one... thanks.

BTW, I totally agree with your philosophy on "newb laws." If you're not smart enough to protect yourself on the internet, that's your fault.

Re:Here's how it goes: (0)

Anonymous Coward | more than 3 years ago | (#36273980)

A browser says 'would you like to save this cookie?' and not 'the purpose of this cookie is to store your website settings' or 'the purpose of this cookie is to identify you to anyone we like, hahaha'. Because the law requires informed consent, it legally requires a website owner to say *why* it's setting the cookie before you decide whether to accept it; this isn't something you can magically implement with a browser setting. This is made very clear in, for instance, the documents on the subject from the UK ICO.

Re:Here's how it goes: (1)

Anonymous Coward | more than 3 years ago | (#36274630)

The only people who should be against this are marketing companies looking to exploit people's privacy for their own commercial gain.

Are you both against the "Do Not Call" phone lists as well? Those are the lists of numbers which telemarketers are not allowed to call and can be fined if they do. You can find out every number registered by x company and block them from your cell phone account. You have the power, so why have a giant list? The answer is simple. Nobody wants to go through hundreds and thousands of numbers and block them individually. It is a burden and a waste of time.

There are millions of websites which I can potentially visit. The last thing I want to do is go through each one I view and block their tracking cookies. Some can't even be detected if they are encrypted or not easily readable.

PS: The law only affects tracking cookies, not every cookie. Your enactment seems to imply that you don't care about privacy if you allow cookies. Most users who enable cookies are enabling it to save site settings. They don't do it so that they can be tracked and exploited.

Re:Here's how it goes: (1)

ozone702 (1243146) | more than 3 years ago | (#36277280)

You're wrong. There are measures within your browser to help you prevent this, so imposing it on everyone is stupidity.

Re:Here's how it goes: (1)

AmberBlackCat (829689) | more than 3 years ago | (#36274940)

So how does that work if you never actually changed your web browser settings to accept cookies, but it accepts them anyway by default? Almost everybody's browser accepts cookies and almost nobody knows what they are. And the only browser settings anybody ever changes are their homepage and bookmarks.

Re:Here's how it goes: (0)

Anonymous Coward | more than 3 years ago | (#36297412)

It requires a little education on how the browser works, like you need to know some basic things about how a car works before driving it. I suppose the browser makers could put up a page on first run explaining these things, I expect most users would ignore it anyway, but at least they get a chance to have it explained to them.

Postponed (0)

Anonymous Coward | more than 3 years ago | (#36272478)

Actually the law has been deferred for a year in the EU, so there is no rush to update your websites. We might find that after a proper consultation that it's impossible to manage.

Here's the irony, providing a source link via the BBC News site: http://www.bbc.co.uk/news/technology-13541250

Re:Postponed (1)

Ensign Morph (1824130) | more than 3 years ago | (#36274926)

Mod parent up, submitter / "editors" didn't check their facts as per usual.

I'm glad this is the case since I still haven't had a response from our company's webhost as to whether the session cookies our site sets are needed for the stats package, or just an unnecessary ASP default setting.

Similar to the PC-Mac add? (1)

kanweg (771128) | more than 3 years ago | (#36272586)

So I'll be like PC (http://www.adweek.com/adfreak/get-mac-security-94121) all the time, clicking Yes buttons when not needing them (while hating to see them), effectively priming me to approve one when I shouldn't.

Bert

Re:Similar to the PC-Mac add? (0)

Anonymous Coward | more than 3 years ago | (#36276302)

What's a PC-Mac add? Some facebook thing?

It's not actually required yet (0)

Anonymous Coward | more than 3 years ago | (#36272636)

While the EU directive is in force now, the UK was actually given a stay for a year:
http://www.bbc.co.uk/news/technology-13541250
So they can set as many cookies as they want for the next year; they just have to stop doing this sort of thing by the switchover.

RadioTimes sets Cookies to 2021 (1)

doperative (1958782) | more than 3 years ago | (#36272724)

.radiotimes.com LOG_ID 05/28/21

Google only goes up to 2013
 
.google.com PREF 05/27/13 ID= ******

See also, Radio Times recommends Internet Explorer 8 [imageshack.us]

Re:RadioTimes sets Cookies to 2021 (0)

Anonymous Coward | more than 3 years ago | (#36272936)

05/27/13 - the end of the world

Re:RadioTimes sets Cookies to 2021 (1)

Spad (470073) | more than 3 years ago | (#36273052)

Radio Times *advertises* Internet Explorer 8, not exactly the same as recommending it.

Wow! (0)

Anonymous Coward | more than 3 years ago | (#36273094)

The tin foil hattery is off the charts today, even for /. standards.

What I would prefer. (1)

dayton967 (647640) | more than 3 years ago | (#36273328)

My personal opinion would be that the HTML standards need to be changed. One change would be to create a session header, that does not write, and is cryptographically modified after each page access. This would prevent the websites from accidentally storing session data, such as the recent linkedin session problem. Also I would change this so that only one session may be stored unlike cookies.
Cookies then can be used for what they were intended, the storage of information relating to the site, such as preferences. This then can be user definable as if you want to store them, not store them, not accept them, etc.

Browser Detection Instead (1)

ozone702 (1243146) | more than 3 years ago | (#36273692)

How come I can't set my browser to detect what type of cookie it is and prompt me if a site wants to set a tracking cookie? Get that accomplished and... problem solved.

Re:Browser Detection Instead (0)

Anonymous Coward | more than 3 years ago | (#36274282)

How does your browser know that it's a tracking cookie? A tracking cookie is just one that contains a unique ID. Your browser is utterly unqualified to determine whether a block of text is unique enough to track you!

dom
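The limit described in the comment above, shown as an added example (not code from the thread or from any browser): a cookie audit can measure a cookie's lifetime and how many bits its value carries, but not its purpose. The cookie values, `NOW`, and the 365-day and 40-bit thresholds are constructed assumptions; the `LOG_ID` name and 2021 expiry echo the cookie listing earlier in the thread.

```javascript
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const [key, ...rest] = a.split("=");
    cookie.attrs[key.toLowerCase()] = rest.join("="); // flags such as HttpOnly map to ""
  }
  return cookie;
}

// Lifetime in days from `now`; null means a session cookie. Max-Age overrides Expires.
function lifetimeDays(cookie, now) {
  const { "max-age": maxAge, expires } = cookie.attrs;
  if (maxAge !== undefined) return Number(maxAge) / 86400;
  if (expires !== undefined) return (Date.parse(expires) - now.getTime()) / 86400000;
  return null;
}

// Rough information content of a value: Shannon entropy per character times length.
function valueBits(value) {
  const chars = [...value], counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) perChar -= (n / chars.length) * Math.log2(n / chars.length);
  return perChar * chars.length;
}

// Flag persistent cookies whose value could single out one browser.
// maxDays and minBits are assumed thresholds, not taken from any standard.
function audit(header, now, maxDays = 365, minBits = 40) {
  const c = parseSetCookie(header);
  const days = lifetimeDays(c, now);
  const persistent = days !== null && days > 0;
  return {
    name: c.name, persistent,
    days: days === null ? null : Math.round(days),
    longLived: persistent && days > maxDays,
    possibleIdentifier: persistent && valueBits(c.value) >= minBits,
  };
}

// Constructed sample headers; every cookie value here is made up.
const NOW = new Date("2011-05-28T00:00:00Z");
const SAMPLES = [
  "LOG_ID=9f3c1a7be2d44c08b6a1f05d7e92c3ab; Domain=.radiotimes.com; Expires=Fri, 28 May 2021 00:00:00 GMT",
  "lang=en-GB; Max-Age=31536000; Path=/",
  "sid=5b1e07c49ad2f863e0c7b4a19d6f2e58; Path=/; HttpOnly",
];
console.table(SAMPLES.map((h) => audit(h, NOW)));
```

The `sid` session cookie carries as many bits as `LOG_ID` and differs only in lifetime, so the heuristic separates them by how long they persist, not by what the site does with them.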

I don't understand (1)

itchythebear (2198688) | more than 3 years ago | (#36273712)

It's just cookies, who ever complained about cookies?

Maybe we could require sites to provide milk if they serve any more than a couple of cookies...

yeah right (1)

slick7 (1703596) | more than 3 years ago | (#36274530)

I guess this comes from the Department of Redundancy Department.