The Cookie Law (in the UK at least)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #15, on April 15th, 2012, 10:09 PM »
Quote
It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).
Have you been to the ICO's site? Their opt-in is a very big list of cookies, which lists every cookie they use (of which there are quite a few), and the opt-in is for all cookies, not a per-cookie basis, so opting in for the important cookies also opts you in by proxy for the others too, which is a very dubious state of affairs.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Nao

  • Dadman with a boy
  • Posts: 16,068

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278

PantsManUK

  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: The Cookie Law (in the UK at least)
« Reply #18, on April 16th, 2012, 12:04 PM »
On my UK hosted blog, I have a script that requests opt-in for the GA cookies, and a page explaining what all the cookies sent are for and when they expire (and that if you don't like cookies, disable them in your browser because the cookie law won't fix the problem)... Hope that'll keep ICO happy for now.
« What is this thing you hoomans call "Facebook"? »

Nao

  • Dadman with a boy
  • Posts: 16,068

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278

PantsManUK

  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: The Cookie Law (in the UK at least)
« Reply #21, on April 16th, 2012, 01:51 PM »
Quote from Nao on April 16th, 2012, 12:47 PM
Quote from Arantor on April 15th, 2012, 11:11 PM
It might not, but there is always the possibility that it *does*.
In the UK only, then. We'll just ban them from using our sites, because what have the British ever done for us, anyway? :lol:
Except it's an EU directive, so all of y'all will be coerced into enacting it eventually, the UK just happened to have done it "early".

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #22, on April 16th, 2012, 03:06 PM »
Quote from Arantor on April 15th, 2012, 10:09 PM
Quote
It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).
Have you been to the ICO's site? Their opt-in is a very big list of cookies, which lists every cookie they use (of which there are quite a few), and the opt-in is for all cookies, not a per-cookie basis, so opting in for the important cookies also opts you in by proxy for the others too, which is a very dubious state of affairs.
Yes I have and you're right, it is a long list. However, the British implementation of the Directive may be at odds with other EU nations' in the case of exemptions and blanket opt-ins which, apparently, the Directive doesn't even mention. So whilst a UK-hosted site may be in compliance with British Law, it may not be fully-compliant with other nations' implementation of the Directive and the ICO will have to investigate complaints passed to it from its EU counterparts.

Given that, the advice surely must be that an opt-in be obtained for each and every cookie regardless of whether first or third-party. And that could make visiting EU-hosted web sites somewhat tedious.

Nao

  • Dadman with a boy
  • Posts: 16,068
Re: The Cookie Law (in the UK at least)
« Reply #23, on April 16th, 2012, 03:13 PM »
Quote from Arantor on April 16th, 2012, 01:29 PM
You mean I'd have to run SMF instead of running Wedge on my sites (since I'd be banned from using it)?
Yes! Because the British have always loved nonsensical humour haven't they? :P
Posted: April 16th, 2012, 03:12 PM
Quote from PantsManUK on April 16th, 2012, 01:51 PM
Except it's an EU directive, so all of y'all will be coerced into enacting it eventually, the UK just happened to have done it "early".
I guess it makes sense that it is -- except that I've never even heard about it being planned to be done in France...

PantsManUK

  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: The Cookie Law (in the UK at least)
« Reply #24, on April 16th, 2012, 05:12 PM »
Quote from Nao on April 16th, 2012, 03:13 PM
I guess it makes sense that it is -- except that I've never even heard about it being planned to be done in France...
Well, you Frenchies have strange data protection laws as it is :eheh:

Can't find the actual directive listed anywhere in the UK law, but the law itself is PECR - "Privacy and Electronic Communications (EC Directive) Regulations". I'm kinda hoping the rest of the EU shouts it down and the UK is left as Billy Nomates... About the only way I see it being repealed/changed in the UK.

Nao

  • Dadman with a boy
  • Posts: 16,068

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #26, on April 19th, 2012, 02:20 PM »
OK, so I've been reading up on the guidance issued by the ICO.

They actually go as far as to note that there is an exemption for 'important' as opposed to 'strictly necessary' cookies, and that they note that 'Cookies used for analytical purposes to count the number of unique visits to a website for example' is not likely to fall within the exemption.

Going back to the whole PHPSESSID thing, which is relevant here, we could remove PHPSESSID, and simultaneously drop the entirety of the problem with the cookie law in the process by simply not starting a session for guests (and take the view that if our own cookie wasn't supplied, it's nothing we're interested in). BUT, this would mean losing accuracy of the number of guests, and will require much more work under the hood.

The other thing is that if we go out and use IP addresses, that we do actually bend the other guidance that there is regrading behavioural tracking. Like a lot of things it is about the lawmakers making policies that don't really work - except that the ICO doesn't have the same view that the French authorities have.

It does also seem that there is a certain degree of insanity in the wording, from what I can tell, a user in the UK can complain to the ICO about a site based in Europe, regardless of being run in the UK or not, and for it to be taken up with the appropriate country's authorities on the matter.

We also have a problem that needs resolving, namely that setting the regular cookie to 'forever' also manages to set PHPSESSID as a cookie to forever too. I need to re-evaluate getting rid of PHPSESSID because if PHPSESSID is actually a session cookie, not a persistent one, we can much better argue its case as important. But still there is an issue with respect to privacy since the admin can see what users are doing because it's logged.

(That is definitely a privacy concern, btw. Going through logs is considered valid if you explain that you have that power. We can probably argue that it is much the same thing, except slightly more real time, and from a privacy perspective more problematic because it's not just logs, it's personally identifiable.)

Jeesh it's a mess.
Re: The Cookie Law (in the UK at least)
« Reply #27, on April 19th, 2012, 02:55 PM »
I've today sent an email to the contact email address at the ICO.

(click to show/hide)
Quote
Hello,

I'm a developer attached to a project that builds discussion forum software, and I'm trying to get some guidance on whether the software we have is compliant with the cookie laws or not, since the guidance is very confusing.

I would note also that our package ('Wedge') is derived from an existing US-based development ('SMF') and shares much of the same code including the cookie management. I should also note that SMF's developers have absolutely no plans to add any facilities for managing cookie privacy, so that UK site owners which use SMF will be left non-compliant, and not through their own fault.

Currently, Wedge offers two cookies, one is a session cookie created automatically for guests. The session cookie is not shared with any third party. The cookie itself is simply a session ID, though the session ID allows for counting how many non-registered users are visiting, and also the last action carried out by that session can also be logged, meaning that site administrators can identify what topics of discussion a given user is viewing.

When a user actually logs in, a second cookie is deployed. Due to a bug, the first cookie is not erased, though it is not used when this second cookie is. The second cookie is more persistent, however the user is asked how long the session should persist for. This particular cookie carries two items of information, namely the user id of the logged in user, and their session ID. (The user id is carried through primarily for performance, though either way, that session ID is tied to a user account.) It is also possible for administrators to view the actions being carried out by logged in users.

Now, there is a note in the standard registration agreement text, which reads:
"Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer."

I recognise that this is not sufficient for compliance and that something more obvious will be required.


Anyway, this at least is the current position, and I would note that pretty much all of the discussion forum platforms offer a similar collection of features, and to the best of my knowledge, none of them are compliant at this time, and I do not believe there are plans to address that, meaning that site owners are likely to place themselves at risk by using any of these software packages.

My understanding of the cookie laws is that the registered-user cookie would be acceptable, by expressly asking for consent during registration so that on creating the user account, it would be clear that consent had been given.

With respect to the session cookie, I am not clear as to whether this is acceptable or not. We will work on the issue where the session cookie is not removed as promptly as it should be, but given that its primary use within the system is to identify the number of active users who are not currently signed in (and potentially the action they are carrying out), it seems to me that we should ask for consent and not issue if it not given. I do note that the software will be used by people not based in the EU as well as people based there (the core development team consists of one person in the UK and one in France)

I am concerned, also, with respect to the logging of actions. The tracking is not entirely real time, but 'most' page views (certain internal actions are excluded, and there is a threshold whereby making page views in that time will not be logged, typically views less than 8 seconds apart) are logged, and it is tied to the session ID (regardless of being signed in or not). My concern is that currently we are not advising users that this is being done, and that unlike general access logs, it is tied to a user, and could readily be argued to be personally identifiable. I would note that this can be disabled by the site operator, though it is enabled by default.

On a related note, that same session log is also able to identify whether a given user is signed in or not and that information is often made available to all users (visually), even though every user has the option to 'hide' the fact that they are online from the general population, site operators will be able to see that fact regardless.

I appreciate that this is a complex list of information I am giving, but I feel that as I develop a platform that others will make use of, I am duty bound to get advice on what is acceptable within the bounds of the UK privacy laws, and perhaps some insight into what is required across the EU.

Thank you in advance for any insight you can provide.

Peter Spicer
Developer of 'Wedge', wedge.org.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #28, on April 19th, 2012, 06:22 PM »Last edited on April 19th, 2012, 06:29 PM
Quote from Arantor on April 19th, 2012, 02:20 PM
It does also seem that there is a certain degree of insanity in the wording, from what I can tell, a user in the UK can complain to the ICO about a site based in Europe, regardless of being run in the UK or not, and for it to be taken up with the appropriate country's authorities on the matter.
Yes, that's my reading of it also and corresponds to the legal advice I've been given. What's probably a bit draconian about this is that other EU nations are being somewhat dilatory about implementing their own "Cookie Laws" but that won't be taken into consideration if a complaint is made about a web site hosted in one of those member states. They are liable for the same huge fine if they're found to be in violation (£500,000 or $750,000). The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.

The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.

The other rather laughable aspect of the ICO site is that it places a second cookie, in addition to their main one, if you agree to cookies -- surely the presence of their main cookie indicates that you've agreed to cookies!

Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge! Thank you!

Nao

  • Dadman with a boy
  • Posts: 16,068
Re: The Cookie Law (in the UK at least)
« Reply #29, on April 19th, 2012, 06:47 PM »
Quote from markham on April 19th, 2012, 06:22 PM
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team
Only half the team, I'm afraid :P
I'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
Wedge (and SMF), by having their source code freely available (well, soon for Wedge!), clearly make it easy to get a full list of what the software does with cookies and such.
Quote
whilst those over at SMF are simply burying their heads in the sand.  You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge!
Heck, even *I* can no longer wait for an alpha release...