Laws On Cookies To Change

BBC News - New net rules set to make cookies crumble

Just spotted this on the BBC this morning… sounds like it could have some pretty big implications for us developers!

There looks to be an exemption for shopping baskets, but not for remembered logins. I guess the law is there to restrict targeted advertising without the user's permission, but it has wider-reaching consequences than that.

Is this a good idea? How are people planning to implement changes to comply?

We ran into something like this with just Internet Explorer, called something like P3P? Anyway it was something very much along this new law’s lines: you needed to state in a PHP header or something that you needed this cookie and that you weren’t doing certain things with it, blah blah.

What this meant was, some of our pages that temporarily stored form info (to carry to the next form page) didn’t work in IE8 when it was our form in an iFrame on a partner’s site (6 and 7 did not have this). Without the header we’d need to change where and when information was saved as users moved through the application (multi-form app).
IE Blocking iFrame Cookies | Adam Young

Wasn’t a problem directly on our sites.

We should be careful with cookies anyway, no matter what.

From 25 May, European laws dictate that “explicit consent” must be gathered from web users who are being tracked via text files called “cookies”.

I guess it all depends on what they mean by “being tracked”. But the fact that they made an exception for shopping carts makes me fear the worst. Putting data in a shopping cart cookie isn’t tracking in my book. Unless the data is kept there even after ordering or clearing the cart, for future behavioural advertising.
So as long as the deciding factor is the use one makes of the data stored in a cookie, it should be no problem. But if any use of cookies must be agreed on by the customer, things could get messy.

I agree, having a customer agree explicitly to each cookie will be messy, but it sounds like (at least in Europe) it’s going to be required. I will have to see if I can find the actual law in question and see what it’s all about!

This sounds like it’s going to be a lot of trouble.

I mean, are behavioral ads such a big problem? I don’t personally use them directly (unless something like Google Ads does) and I don’t particularly care for them. However, does it really matter to the extent that we have to make a new law to stop this?

I also rarely use cookies, but it’s going to make those few times I deem cookies necessary a huge hassle. I think what would be a better solution would be for browsers to educate the public on what cookies are, and for browsers to show whenever a cookie is stored.

Luckily I’m in the US, so I’m not directly affected by this, but it is worrying. Aside from a few things, I’m against internet censorship; if for no other reason than because it is almost impossible to enforce. What happens if you are in the US but have a .co.uk site? What happens if you are in the UK but have a server in the US? What happens if you have a US site for a US company, but you hire UK web developers? Where is the line drawn?

Guess we’ll see what happens. =)

One thing to remember is that all of the tracking cookies used by advertisers are third party cookies. The ones the web site itself uses are either first party cookies or session cookies. By turning off third party cookies in the browser you disable all the advertising tracking but still leave the web site able to perform its own functioning that is dependent on cookies.

The only thing I have seen impacted by turning off third party cookies that is actually useful is openid (and presumably any of the other similar login systems). Since most browsers these days allow the browser owner to control cookies on a site by site basis they ought to be able to override their general third party cookie setting on those specific sites where they want to be able to use one of those login systems though.

All the functionality needed is already in the browser. It is just that most people don’t know how to set it up correctly.

Sounds like an uptick in business to me. My server is in the US and I’m in the US - unless they can tie this into US law via treaty I doubt they can enforce it here. Meanwhile advertising firms will move their business off European servers.

This was discussed in Norway as well a month or so ago; this is what happens when you have politicians who have no knowledge of the subject making decisions…

I have not heard anything more regarding this in Norway, so I have no idea if the government approved it or not.

The way they wrote the proposal for the law here was that ALL use of cookies had to be approved by the user.

This of course becomes a major issue; for example, with PHP you would keep the visitor’s state using sessions where the ID is stored in cookies. Personally I cannot foresee us going back to having the session ID in the URL as we did years ago.

If someone finds out any more on how the EU has implemented this, please share the details!

It will completely kill all web applications in the EU because they’ll have no way to maintain state.

Back to the days of static web pages that are all completely separate.

Meh. How much credibility does the BBC have? They are as big of a joke as MSNBC in the US. Nothing to see here folks, move along…

The way they wrote the proposal for the law here was that ALL use of cookies had to be approved by the user.

I surfed that way for about a month with Konqueror (it would let me know for each cookie and asked if I y/n it). Some sites used so many cookies it got ridiculous (not sure what they needed 30 cookies for) so I stopped doing that. Probably was meant for back when sites maybe had a cookie or two.

Are you joking? The BBC is very credible in my opinion, far more so than any other organisation I’ve come across.

Stupid EU cookie law will hand the advantage to the US, kill our startups stone dead

Did you read the comments? From what I can gather this is all really a storm in a teacup.

A tweet shown as an image on the techcrunch article:
@nik says
This is the sort of crap that makes me want to move business to the US (link to law)

Uh huh… and crap like the US government demanding that same “private” data from US companies like Google and trying to with Twitter and Facebook makes me think just the opposite.

The EU is also ignoring the fact that 100% of web software by default creates a cookie for sessions.

Good lord, all web software forces developers to use cookies??? Oh noes!

arg techcrunch arg

And the person coding the application doesn’t even need to know that it will use a cookie: all they have to do is start using a session so as to maintain state between pages, and the session will automatically use a cookie (unless either the server or the browser specifically turns that option off, in which case it will add the session ID to the URL in the address bar and lower the security of the application by making it easier for the session to be hijacked).

So disallowing cookies when you access your bank web site could allow someone to hijack your session and empty your bank account. Or, if the session is set on the server to disallow adding the session to the address (in order to maintain security), then disallowing cookies will block you from accessing the site completely.

The thing is that cookies are in files stored on your computer and you already have control via the appropriate browser options to be able to decide which cookies to accept and which not. So presumably since the browser already provides the functionality that this appears to be legislating as a requirement there is nothing that the site owner need do. There is nothing the web site owner can do in any case since cookies are controlled by the browser and not by the web page.
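As an added example (not code from anyone in this thread), here is how the cookie-versus-URL choice described in the post above is controlled in PHP: the weak fallback configuration beside a hardened one. The ini directive names are real PHP session settings; the values, the `login_ok` check and the self-check at the end are assumptions.

```php
<?php
// Added example, not from any poster in this thread: the PHP session
// settings that decide whether the session ID rides in a cookie or in
// the URL, with the weak (URL fallback) configuration beside the
// hardened one. Directive names are real PHP ini settings.

// Weak: this is the "session ID in the URL" fallback described above.
// Any URL copied into an email, proxy log or Referer header carries the
// session with it, which is what makes hijacking easier.
$weak = [
    'session.use_only_cookies' => '0',   // also accept IDs from the query string
    'session.use_trans_sid'    => '1',   // rewrite links/forms to append PHPSESSID=...
    'session.cookie_httponly'  => '0',
    'session.cookie_secure'    => '0',
];

// Hardened: the session exists only as a first-party cookie, never in
// the URL. A browser that refuses the cookie simply has no session (the
// "blocked completely" case above) instead of a hijackable one.
$hardened = [
    'session.use_only_cookies' => '1',   // ignore any ID supplied via GET/POST
    'session.use_trans_sid'    => '0',   // never append the ID to links or forms
    'session.use_strict_mode'  => '1',   // refuse IDs the server did not issue
    'session.cookie_httponly'  => '1',   // JavaScript cannot read the cookie
    'session.cookie_secure'    => '1',   // sent over HTTPS only
    'session.cookie_samesite'  => 'Lax', // not sent on cross-site POSTs (PHP >= 7.3)
];

function apply_session_settings(array $settings): void
{
    foreach ($settings as $name => $value) {
        ini_set($name, $value);
    }
}

apply_session_settings($hardened);
session_start();

// Rotate the ID once the user authenticates so an ID handed out before
// login cannot be reused afterwards. 'login_ok' is a placeholder for
// whatever your application's own login check sets.
if (isset($_POST['login_ok'])) {
    session_regenerate_id(true);
}

// Self-check: with use_only_cookies on, an ID passed in the URL must not
// become the live session. If it does, the hardening is not in effect.
$urlId = $_GET['PHPSESSID'] ?? null;
if ($urlId !== null && $urlId === session_id()) {
    error_log('Session ID accepted from the URL: session hardening not applied');
}
```

Set these in php.ini or the server config rather than per script where you can, so every page on the site gets the same behaviour.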

So how will this affect PHP sessions then? They’re stored in a cookie too, aren’t they? How will forums and general sites where you need to log in be affected?

I beg to differ. All “news” corps have a hidden agenda and ulterior motive. One of the biggest panders to their base is the BBC. One of the most biased media outlets around. And believe me, I have watched it a few times, and compared the facts to it, and they skewed the truth a number of times. Then again, they all do it. Don’t believe what you see/hear from the “news”…

That’s exactly the point, tangoforce. They would work very crappily, because the alternative is to append the session ID to the end of every URL on your site. This can kind of be done automatically, but it is still a pain.

So disallowing cookies when you access your bank web site could allow someone to hijack your session and empty your bank account. Or, if the session is set on the server to disallow adding the session to the address (in order to maintain security), then disallowing cookies will block you from accessing the site completely.

I’m sure my bank uses cookies, but what they base their security on is transaction authentication: that is, every time I as some logged-in user attempt to actually Do Something (make a transaction), I must supply a random number to match their random numbers in a device I put my bank card in. They don’t care that it’s really me or that I’m still at the same address, but that whoever is making the transaction has the Random-reader.

I don’t know enough about it to know if something like that can do away with cookies… not that this EU directive demands anything of the sort.

This will not affect PHP sessions. This will not affect forums and general sites. Unless they are using session tracking with 3rd-party cookies, which most of them don’t. First-party cookies are not the cookies that track you across sites like advertising cookies.

Besides, this isn’t a law, so wtf? Each country will decide whether to make their own law, which may or may not be restricted to 3rd-party cookies (because there may be dumber people in local government). So, tailored advertising in Europe might get hurt, but meh. I don’t want advertising tailored to me except when a site that sells X has their own ad saying “We sell accessories for X!” or “We also sell Y!”. Or even the Amazon-style “other people who bought this product also bought these!”

In any case, everyone who surfs the web should be educated on cookies and learn how to use their browsers. I’m starting to think it should be a required class in schools and for parents etc as well (to get them caught up too): Securiteh on teh Internetz 101