The Cookie Law (in the UK at least)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
The Cookie Law (in the UK at least)
« on April 5th, 2012, 06:55 PM »
http://www.theregister.co.uk/2012/04/05/eprivacy_directive_web_analytics/

For those who haven't been following it, essentially this is about cookies and that cookies not being used for 'essential functionality' need to be obtaining permission from the user first.

I'm not quite sure how the hell they intend this to be enforced, but the fact is that site operators in the UK do need to bear this in mind, and any European operator should at least be mindful since it is planned to be rolled out across the EU in some fashion.

Interestingly this was raised some time ago on sm.org, about whether SMF would consider it and I was less than enthused at the response there (since it is a valid matter of concern, just not for them, of course)

The question for us is whether the cookie in Wedge is considered an essential function or not. I'm ignoring the fact that we could just ignore cookies and push the SID via the URL of course, which would be an incredibly bad move, and as far as I'm concerned, I can satisfactorily argue the use of cookies for members as essential functionality - for the security aspect alone.

For guests the matter is a lot more complicated. The cookie there is still the session identifier, but for guests the purpose is merely to indicate uniqueness of session, as a vague form of analytics to figure out how many users are currently on the site (as entirely unique sessions will not do this)

I find the whole concept a bit ridiculous, actually, because as I said you could ignore cookies entirely and still pass all the data between pages internally - but it does essentially exclude Google Analytics, which is of course the point.

This last point does bother me, actually. Firstly, I don't know how it's going to work if I make a plugin of GA, because I don't think it will really pass their rules, and that I'm subject to these rules. Secondly, I have the uncomfortable feeling we're going to start seeing sites that actively demand GA to be running to work, or that they'll run their own full-on analytics.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Nao

  • Dadman with a boy
  • Posts: 15,969

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #2, on April 5th, 2012, 08:46 PM »
That would circumvent the 'cookie' aspect of the law, much as pushing the session id into the URL would do so. (And in fact, I have the ominous feeling that's exactly what Google Analytics will do!)

But it doesn't solve the fact that you still have to supply the session id on each request so all you end up doing is having JS pull the session id out of localStorage and serve it up into requests.

CJ Jackson

  • I got myself a new iPad, a different world to the iPhone!
  • Posts: 241

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #4, on April 5th, 2012, 10:08 PM »
That's a very, very good question. And, of course, one our government has no real answer for - like all the laws made by lawmakers who have no clue whatsoever how the internet actually works.

I think we're supposed to take it as read that as the site operator is based in the EU, EU laws re privacy would actually apply.

Nao

  • Dadman with a boy
  • Posts: 15,969
Re: The Cookie Law (in the UK at least)
« Reply #5, on April 5th, 2012, 10:55 PM »
France has strong privacy laws too. All sites are required to register at the CNIL (google it) and print their CNIL ID in their footer.
Did I do that? Nope. Do I care about my user's privacy? Of course I do.
What happen effectively is that they just decided to trust webmasters they wouldn't do anything bad. The CNIL is treating the overall French web community with respect as long as everything's going fine. It's just politics. They can't sue everyone in the uk for not complying.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #6, on April 5th, 2012, 11:02 PM »
No, but users can be reported to the ICO for non-compliance.

As I understand it, this actually potentially runs deeper than CNIL, and to be honest, the ICO is essentially brain-dead when it comes to technology and understanding how it is actually applicable.

Nao

  • Dadman with a boy
  • Posts: 15,969

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #8, on April 6th, 2012, 10:34 AM »
You know I'd be a lot more convinced by our Government seeking to protect our privacy in this way BUT for the fact that it is now monitoring every email we send and receive, knows our browsing habits, records all telephone conversations, keeps copies of our text messages AND, finally, has more CCTV cameras per capita to monitor our movements than any other country on the planet.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #9, on April 6th, 2012, 01:05 PM »
The government is not yet actively monitoring everything, the law has not yet been passed in the UK, though it doesn't seem too far away.

That's the thing, this ruling is not really down to our government but it's actually an EU-wide ruling that is supposed to be adopted by all member states. Note that the UK is one of only two states that has agreed to implement it (and I can't even remember the other)

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #10, on April 6th, 2012, 06:57 PM »
Around 11 months ago, El Reg reported that almost all EU member states had given a collective "thumbs-down" to the Directive with only Denmark and Estonia being fully signed-up. The UK at that time was only prepared for a partial implementation to which the EU concluded that we Brits had, yet again, fallen short of our legal obligations.

Really and truly the EU should be concentrating on getting its own house in order - Commission accounts that actually pass audit[1] would be nice - rather than forcing through measures that are arguably not needed and certainly don't appear to have much, if any, real support.

In my opinion, it's another daft directive that would be difficult - and therefore expensive - to enforce. The problem is that you and I will be paying for an expensive TV and newspaper advertising campaign to inform the masses about this new law and the Information Commissioner's office will be flooded with complaints. Unless a user either knows how to establish where a particular IP Address points to, or, has something like the Netcraft Toolbar which identifies the host's provider's name and country, he's unlikely to know if a particular site is hosted in the UK (or EU, for that matter). Most of the complaints will be invalid because the hosts are located elsewhere.

I think many web sites will simply update their T&Cs to reflect the new law.

As for Google, it might be able to circumvent the directive since Google.co.uk is hosted in the US!
 1. And that's something the EU Commission has singularly failed to do for around 10+ years: none of its accounts in that time have passed.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #11, on April 6th, 2012, 07:27 PM »
From my perspective, you can call up WHOIS and identify the owner of a domain and their base of operations, which is probably more meaningful than where the host physically is.

Google doesn't get to circumvent it, exactly, if you get a UK site using Google Analytics, they do have to make this declaration.

Though if you do want a laugh, take a look at the ICO's own implementation, http://www.ico.gov.uk/ - especially the privacy policy.

I find it quite disturbing that they're happy with a blanket opt-in which would include Google Analytics.

Cryotech

  • Posts: 16
Re: The Cookie Law (in the UK at least)
« Reply #12, on April 12th, 2012, 04:08 AM »
I wouldn't get to hung up about it, For one thing, the onus to actually enforce this law will be on both the ISPs and Big Brother and though they'll target a few companies (most likely the competitors of Big Sister - Google), they won't have the funds, nor the man power, to enforce this.

I guarantee it. I was a Federal Officer for 12 years and there's already laws on the books pertaining to this sort of thing even here in the states and the FBI never enforces them unless it's big, headline news that justifies their existence. Much like the DEA's war on drugs. One example is the harvesting of private information for Social Network sites. Most people don't even know it's a federal offense to ask for, or harvest, the private log-in information of users. How many arrests have you heard about in the past year alone? None and there's quite a few would-be, employers now mandating that people hand over Facebook log-in details so they can see what you're doing. I will say this though, now since Facebook has released a statement against this type of practice, the FBI will target a few employers on the behest of FB just to appease the millions of mindless masses and to give FB a gold star.

Secondly, as long as you have it clear within your default terms of service agreement that your software (wedge) implements the usage of cookies for functionality (with details) and not tracking, and reiterate this within the privacy policy (which is site specific actually) and if you create the GA plug-in you make people aware of Google's practices at the time of them downloading it and installing it, you, the creator will be free of any wrong doing caused by any site because you've already made the attempt on your end to obey any, and all, fascist laws of the corporations.

If the site owners decide to break the laws, that will be their responsibility. I, for one, would rather NOT have GA embedded in any software and will refuse to use any software or application that requires or forces me to use anything from Google and there's a lot of people out there that feel the same way and developers know this. That's why they make everything "per choice" meaning, up to the user if they want it or not and the agreement is already in the installation. Will this change in the near-future? Most certainly. As you said Arantor, pretty soon it will be mandated that we all abide by the great and powerful Google and will be forced to use their products whether we want to or not if we want to be on the internet. But there's always ways around this too..

I'm not a conspiracy theorist (though I do believe having a bit of conspiracy theorist in you keeps you alert and aware) but I ask you this, why would a law that's supposed to be *helping* users such as you and I be co-authored by a powerhouse such as Google when Google, as well as Facebook, have been caught time and time again stealing and abusing users' private information? It's because the law is being written by them to protect them. Since when does Big Brother need a corporation to create laws?
Quote
I find it quite disturbing that they're happy with a blanket opt-in which would include Google Analytics.
I do too, but when the corporation is now the government, that's what you get. A corporation allowed to break laws and then allowed to rewrite old ones or write new ones to protect them while others are condemned, punished and driven out of business for doing the same exact thing.


Nao

  • Dadman with a boy
  • Posts: 15,969

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #14, on April 15th, 2012, 09:45 PM »
I have one site hosted in the UK and one hosted in the US. My solicitor (in London) has just advised me that I must have a notice prominently displayed for guests and members who are accessing from within the EU regarding the content and use of cookies by the Forum software. Apparently this must appear on both sites in order to comply with the Directive, since they can both can be accessed from within the EU. I'm also advised that a similar notice should also appear in the membership agreement.

I honestly doubt that many people will complain to the ICO but if they do, it's a big hassle and a potentially huge fine for site owners. A simple notice may remove that threat for now but, I'm told, the ICO (and its European counterparts) may in future require site operators to provide a means for cookie-less access to their sites.

What's not clear - and apparently the ICO isn't giving chapter and verse - is where the responsibility for third-party cookies lies. Anyone visiting a web site these days is bound to have one or more Google cookies stored in addition to any first-party cookies. It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).


Mark