The Cookie Law (in the UK at least)

nend

  • When is a theme, no longer what it was when installed?
  • Posts: 165
Re: The Cookie Law (in the UK at least)
« Reply #75, on April 25th, 2012, 06:09 PM »
Why don't they make the law require it at the browser level and leave webmasters out of it? The browser can then prompt "This site is requesting to store a cookie, bla bla bla, do you accept." It should be required in browsers, set by default depending on location, with the ability to disable. I would disable it if my browser had something like that, annoying. :lol:

I don't get what the big fuss is about cookies, there are other means of tracking, useless law IMHO.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #76, on April 25th, 2012, 06:19 PM »
Their view is that the browsers do not currently have the functionality they want (but they are pursuing the browser manufacturers separately).

Even IE4 had that functionality, in fact, to offer to prompt for every cookie, but it's been the default not to ask for years, which is where we are now.

Most users do not understand the consequences of cookies, which is why the ICO feels it needs webmasters to reconsider the cookies they use and whether those cookies are even needed.

I'm increasingly taking the view that Wedge need not issue a cookie for guests at all, since all that really gives you is mostly meaningless tracking information (and some potential per-session caching, but for guests that's mostly avoidable anyway!)
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

nend

  • When is a theme, no longer what it was when installed?
  • Posts: 165
Re: The Cookie Law (in the UK at least)
« Reply #77, on April 25th, 2012, 06:25 PM »
I don't know, too many laws, another straw. I think we are starting to get to a point where we say screw big brother and let's all be pirates. With all the new laws being introduced every day, we will all be criminals soon. I am not saying go out and distribute illegal media, but heck with all these stupid laws, I am getting tired of it. Every single country every single day moving more and more to communist. I only say that because they make laws where the public doesn't have a voice so they can do whatever they want without a single vote. Even my own country with all their stupid laws, I guess we like electing idiots into office, sad though that is all we got to choose from.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #78, on April 25th, 2012, 06:45 PM »
It's not even a communist attitude. It's actually more of a fascist approach where the state dictates your life.

What I will say, as I said to a colleague of mine last week: I cannot and will not defend the likes of SOPA or PIPA, I cannot do so with a whole heart, and there is nothing well meaning or well intentioned in those laws.

This law, however badly implemented, at least has one argument in its defence: even though it is written by lawmakers who don't understand how the internet works, it is written with the intention of protecting one's privacy and enshrining that into law that privacy is not an entitlement or right conferred upon the higher-ups but mandated into law that all have the right and expectation of privacy in an increasingly online world. I disagree with many aspects of implementation but I can fully stand up and justify its intent.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #79, on April 26th, 2012, 06:00 AM » Last edited on April 26th, 2012, 06:35 AM
Quote from Arantor on April 25th, 2012, 05:50 PM
OK, so let's back up a minute.

The PHPSESSID cookie, left alone and untouched by logins, will be removed properly. When logging in, though, SMF and Wedge both make that a persistent cookie. There's no argument on that score: it's a persistent cookie that is not being handled nicely and certainly flies in the face of any argument we can make that PHPSESSID is a valid session cookie when it stops being one.

@nend, why should you bother? That's a good question, and for now I don't think you have to be too concerned if you're based entirely outside the EU. That assumes the US do not introduce any forms of sanction, and I wouldn't put it past them, because then a user in the EU could complain to their national body and they can take it forward on that user's behalf. So in that respect, you don't have to be too bothered - for now.


Assuming the ECL cookie is set, there is nothing in the guidance about it being a session cookie from what I remember, and it does seem overly onerous to make it such, particularly if there is a persistent cookie of any form present.

My take on it is that if cookies are provided that the site is expecting (e.g. the member cookie or PHPSESSID), we can assume that consent must have been provided in the past and not require that extra cookie.
The ECL cookie is SMF's counterpart to the ICO's ICOCookiesAccepted cookie, which that site appears to check if you re-visit.

The ECL cookie should be persistent, in my opinion, for the simple reason that the SMF member and PHPSESSID cookies could get removed at the end of a session[1] should the user select a session length shorter than "forever".

As an amusing aside, I followed a link provided by the ICO in its guidance document. The link is to a US-hosted site, allaboutcookies.org, and immediately upon landing on its home page, a nice JScript popup informs you that it would like to set a cookie - for advertising - and gives you some options; very nicely done. The problem is that its popup window doesn't include any details of the first-party cookie it wants to set and that cookie is set regardless! I was left wondering whether the ICO should really continue promoting "allaboutcookies" since its implementation of the new regulations is somewhat lacking!
 1. But that assumes that the browser makers get their act together and actually remove expired and session cookies!
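
As an added example (not code from SMF, Wedge or anyone in this thread), the session-versus-persistent distinction discussed in the post above can be checked from a response's Set-Cookie headers. The header values and the `ExampleMemberCookie` name are constructed, and treating `PHPSESSID` as the only name worth flagging is this example's assumption.

```javascript
// Added example: classify Set-Cookie headers as session or persistent.
// All header values are constructed samples, not captured from SMF or Wedge.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no name=value pair: ignore the header
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? '' : attr.slice(i + 1);
  }
  return cookie;
}

// Lifetime in seconds relative to `now`, or null for a session cookie.
// Max-Age takes precedence over Expires (RFC 6265).
function lifetimeSeconds(cookie, now) {
  const maxAge = cookie.attrs['max-age'];
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge)) return parseInt(maxAge, 10);
  const expires = Date.parse(cookie.attrs.expires || '');
  if (!Number.isNaN(expires)) return Math.round((expires - now.getTime()) / 1000);
  return null;
}

// sessionNames: cookies expected to vanish when the browser closes (assumption).
function auditCookies(headers, now, sessionNames = ['PHPSESSID']) {
  return headers.map(parseSetCookie).filter(Boolean).map((c) => {
    const life = lifetimeSeconds(c, now);
    const kind = life === null ? 'session' : life <= 0 ? 'deleted' : 'persistent';
    const flagged = kind === 'persistent' && sessionNames.includes(c.name);
    return { name: c.name, kind, lifetimeSeconds: life, flagged };
  });
}

const NOW = new Date('2012-04-26T06:00:00Z');
const guestResponse = ['PHPSESSID=abc123; path=/; HttpOnly'];
const loginResponse = [
  'PHPSESSID=abc123; expires=Sat, 26 Apr 2014 06:00:00 GMT; path=/; HttpOnly',
  'ExampleMemberCookie=constructed; Max-Age=3600; path=/',
];
console.log(auditCookies(guestResponse, NOW));
console.log(auditCookies(loginResponse, NOW));
```

Running the audit against a guest response and a post-login response side by side shows whether a session identifier has picked up an expiry date along the way.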

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: The Cookie Law (in the UK at least)
« Reply #80, on April 26th, 2012, 04:56 PM »
Quote from Arantor on April 25th, 2012, 06:19 PM
(and some potential per-session caching, but for guests that's mostly avoidable anyway!)
How so?
In the current example (detecting mobile browsers), having it cached per session would allow me to run Mobile_Detect 2.x without an afterthought, and thus some finely tuned variables in return... While having a possibility of it being disabled means I have to rely on my current (and *very* fast) Class-MoDe.php class, which should find 99% of all mobile devices, but not all of them. Which pisses me off :lol:

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #81, on April 26th, 2012, 07:04 PM »
That's actually about the only thing that will have to be run for guests per page rather than per session; the mod cache is not needing to be populated at all, for example.

In fact, if we look at what is cached in session for guests, it's actually very little and nothing that's hideously expensive (since guests can't do a lot really)

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #82, on April 26th, 2012, 07:55 PM »
I've just noticed something rather alarming. If your site permits Google Analytics to set up to four cookies (__utma, __utmb, __utmc and __utmz) it appears you are also inviting Google to set further cookies. I only discovered this by accident and these cookies are not listed in Firefox but are by Chrome's "inspect elements" (I actually use SW Iron, a Chromium-based browser which has none of the "phone home" stuff that Google has in Chrome).


As you can see, the four cookies I've highlighted have not been set by my site but by Google. I'm not in the UK at the moment so I don't know if Google is using geoIP to determine whether or not to ask permission before setting these cookies, but as they are being set via my site, I'm a tad concerned as to who is responsible. (The other "odd" cookie, bb2_screener_, is set by my ISP and is used, I think, for traffic-shaping purposes.)


I wonder if the ICO is aware of this.

 Cookies.jpg - 98.18 kB, 1128x244, viewed 180 times.


Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #83, on April 26th, 2012, 07:57 PM »
Well, bb2_screener_ is set by Bad Behaviour. I'm aware of that cookie and have chosen not to implement it into the implementation that's in Wedge, so that's not an issue.

But that's rather unpleasant that you're getting injected cookies like that. Not using Google Adsense, I take it?

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #84, on April 27th, 2012, 01:36 PM »
Quote from Arantor on April 26th, 2012, 07:57 PM
Well, bb2_screener_ is set by Bad Behaviour. I'm aware of that cookie and have chosen not to implement it into the implementation that's in Wedge, so that's not an issue.
What's interesting about that cookie is that if you inspect it in Firefox, it contains the name of the ISP you're connected via. That's what led me to believe it was being set by an ISP.
Quote
But that's rather unpleasant that you're getting injected cookies like that. Not using Google Adsense, I take it?
Not specifically no, we do have a couple of advertisement spots though.


Incidentally, Wolf Software (UK) has a neat javascript GPL implementation requiring only a slight modification to the page header. The company claims it has consulted with ICO to ensure its solution fully complies with the law.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #85, on April 27th, 2012, 01:43 PM »
Quote
What's interesting about that cookie is that if you inspect it in Firefox, it contains the name of the ISP you're connected via. That's what led me to believe it was being set by an ISP.
Funny, in the screenshot you posted, it was using your IP address - but it'll go with a hostname if it has that available. The idea is to validate that when content is posted, that it's come from the same source as the person getting the form (so that you don't get the same amount of pump and dump spam)
Quote
Incidentally, Wolf Software (UK) has a neat javascript GPL implementation requiring only a slight modification to the page header. The company claims it has consulted with ICO to ensure its solution fully complies with the law.
Got a link? There's certainly nothing that says the consent has to be shown every page and nothing that says it can't be set via JavaScript, so I can well believe it is compliant but I'd like to see it to get a sense of what the ICO is claimed to have agreed with.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #86, on April 27th, 2012, 02:45 PM »
Quote from Arantor on April 27th, 2012, 01:43 PM
Quote
What's interesting about that cookie is that if you inspect it in Firefox, it contains the name of the ISP you're connected via. That's what led me to believe it was being set by an ISP.
Funny, in the screenshot you posted, it was using your IP address - but it'll go with a hostname if it has that available. The idea is to validate that when content is posted, that it's come from the same source as the person getting the form (so that you don't get the same amount of pump and dump spam)
Yes that is the IP Address my ISP tells you I'm on, but according to my desktop gadget, my external IP is 120.28.248.151 - go figure!
Quote
Quote
Incidentally, Wolf Software (UK) has a neat javascript GPL implementation requiring only a slight modification to the page header. The company claims it has consulted with ICO to ensure its solution fully complies with the law.
Got a link? There's certainly nothing that says the consent has to be shown every page and nothing that says it can't be set via JavaScript, so I can well believe it is compliant but I'd like to see it to get a sense of what the ICO is claimed to have agreed with.
There are a couple of packages available from Wolf, one is jConsent and that appears to be just the Javascript to which you need to interface with your own (PHP) logic to set its options. A more complete solution is Wolf's Jpecr package which also contains all the PHP driver logic and only requires a minor change to the page header to be operative. A really neat feature of this second package is that in one of the small PHP files, there's a setting to use geoIP (it's disabled by default) which if set only causes the display of the Cookie Agreement stuff if the user is located within the EU.


To save you rushing over there, I'm attaching both to this post.

 jpecr_package.zip - 162.83 kB, downloaded 222 times.

 jconsent.zip - 14.4 kB, downloaded 162 times.


Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #87, on April 27th, 2012, 02:58 PM »
Quote
Yes that is the IP Address my ISP tells you I'm on, but according to my desktop gadget, my external IP is 120.28.248.151 - go figure!
The IP address used is the one the webserver itself received - if it's behind a firewall it might be the internal IP rather than an external one. It's... complicated.
Quote
To save you rushing over there, I'm attaching both to this post.
Thanks, though I really wanted a link so I could see them in action before I looked at any code. It's not always practical to study code to see the result you will get from it ;) Still, always good to have the code handy.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #88, on April 27th, 2012, 03:23 PM »
Quote from Arantor on April 27th, 2012, 02:58 PM
Quote
Yes that is the IP Address my ISP tells you I'm on, but according to my desktop gadget, my external IP is 120.28.248.151 - go figure!
The IP address used is the one the webserver itself received - if it's behind a firewall it might be the internal IP rather than an external one. It's... complicated.
Quote
To save you rushing over there, I'm attaching both to this post.
Thanks, though I really wanted a link so I could see them in action before I looked at any code. It's not always practical to study code to see the result you will get from it ;) Still, always good to have the code handy.
Both the links I provided will cause the display of a "cookie acceptance" panel but a more complete - and differently configured popup - is to be found on the ICO's recommended cookie information site All About Cookies.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #89, on April 27th, 2012, 03:26 PM »
*nods*, I just had to dive in and see for myself.

I'd note that it's... complicated... to use their code since they're using a modified GPLv3 licence which is going to fuck everyone around anyway.