1. And that's something the EU Commission has singularly failed to do for around 10+ years: none of its accounts in that time have passed.
I find it quite disturbing that they're happy with a blanket opt-in which would include Google Analytics.
It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).
It might not, but there is always the possibility that it *does*.
In the UK only, then. We'll just ban them from using our sites, because what have the British ever done for us (http://www.epicure.demon.co.uk/whattheromans.html), anyway? :lol:
Quote from Arantor on April 15th, 2012, 11:11 PM: It might not, but there is always the possibility that it *does*.
Have you been to the ICO's site? Their opt-in is a very big list of cookies, which lists every cookie they use (of which there are quite a few), and the opt-in is for all cookies, not a per-cookie basis, so opting in for the important cookies also opts you in by proxy for the others too, which is a very dubious state of affairs.
Quote: It would seem that site owners may be responsible and have to obtain specific opt-ins before allowing their software to invite third-party cookies. But, as I said, ICO isn't giving any clear guidance on this (that satisfies lawyers).
You mean I'd have to run SMF instead of running Wedge on my sites (since I'd be banned from using it)?
Except it's an EU directive, so all of y'all will be coerced into enacting it eventually, the UK just happened to have done it "early".
I guess it makes sense that it is -- except that I've never even heard about it being planned to be done in France...
Well, you Frenchies have strange data protection laws as it is :eheh:
Quote:
Hello,
I'm a developer attached to a project that builds discussion forum software, and I'm trying to get some guidance on whether the software we have is compliant with the cookie laws or not, since the guidance is very confusing.
I would note also that our package ('Wedge') is derived from an existing US-based development ('SMF') and shares much of the same code including the cookie management. I should also note that SMF's developers have absolutely no plans to add any facilities for managing cookie privacy, so that UK site owners which use SMF will be left non-compliant, and not through their own fault.
Currently, Wedge offers two cookies, one is a session cookie created automatically for guests. The session cookie is not shared with any third party. The cookie itself is simply a session ID, though the session ID allows for counting how many non-registered users are visiting, and also the last action carried out by that session can also be logged, meaning that site administrators can identify what topics of discussion a given user is viewing.
When a user actually logs in, a second cookie is deployed. Due to a bug, the first cookie is not erased, though it is not used when this second cookie is. The second cookie is more persistent, however the user is asked how long the session should persist for. This particular cookie carries two items of information, namely the user id of the logged in user, and their session ID. (The user id is carried through primarily for performance, though either way, that session ID is tied to a user account.) It is also possible for administrators to view the actions being carried out by logged in users.
Now, there is a note in the standard registration agreement text, which reads:
"Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer."
I recognise that this is not sufficient for compliance and that something more obvious will be required.
Anyway, this at least is the current position, and I would note that pretty much all of the discussion forum platforms offer a similar collection of features, and to the best of my knowledge, none of them are compliant at this time, and I do not believe there are plans to address that, meaning that site owners are likely to place themselves at risk by using any of these software packages.
My understanding of the cookie laws is that the registered-user cookie would be acceptable, by expressly asking for consent during registration so that on creating the user account, it would be clear that consent had been given.
With respect to the session cookie, I am not clear as to whether this is acceptable or not. We will work on the issue where the session cookie is not removed as promptly as it should be, but given that its primary use within the system is to identify the number of active users who are not currently signed in (and potentially the action they are carrying out), it seems to me that we should ask for consent and not issue it if it is not given. I do note that the software will be used by people not based in the EU as well as people based there (the core development team consists of one person in the UK and one in France).
I am concerned, also, with respect to the logging of actions. The tracking is not entirely real time, but 'most' page views (certain internal actions are excluded, and there is a threshold whereby making page views in that time will not be logged, typically views less than 8 seconds apart) are logged, and it is tied to the session ID (regardless of being signed in or not). My concern is that currently we are not advising users that this is being done, and that unlike general access logs, it is tied to a user, and could readily be argued to be personally identifiable. I would note that this can be disabled by the site operator, though it is enabled by default.
On a related note, that same session log is also able to identify whether a given user is signed in or not and that information is often made available to all users (visually), even though every user has the option to 'hide' the fact that they are online from the general population, site operators will be able to see that fact regardless.
I appreciate that this is a complex list of information I am giving, but I feel that as I develop a platform that others will make use of, I am duty bound to get advice on what is acceptable within the bounds of the UK privacy laws, and perhaps some insight into what is required across the EU.
Thank you in advance for any insight you can provide.
Peter Spicer
Developer of 'Wedge', wedge.org.
It does also seem that there is a certain degree of insanity in the wording, from what I can tell, a user in the UK can complain to the ICO about a site based in Europe, regardless of being run in the UK or not, and for it to be taken up with the appropriate country's authorities on the matter.
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team
whilst those over at SMF are simply burying their heads in the sand. You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge!
The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
The other rather laughable aspect of the ICO site is that it places a second cookie, in addition to their main one, if you agree to cookies -- surely the presence of their main cookie indicates that you've agreed to cookies!
Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team whilst those over at SMF are simply burying their heads in the sand. You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge! Thank you!
Only half the team, I'm afraid :P
Quote from markham on April 19th, 2012, 06:22 PM: Oh and thank you for posting a copy of your email to ICO. I am relieved and reassured to know that this issue is being taken seriously by the Wedge Team
I'm still convinced that this is just 'for the show', and that this law is only going to be used in clear cases of privacy abuses, as legal grounds for action, rather than being mindlessly applied to every single blog or whatever.
Heck, even *I* can no longer wait for an alpha release...
Quote: whilst those over at SMF are simply burying their heads in the sand. You have just provided me with yet another in an increasingly long list of reasons to wait patiently for the release of Wedge!
That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
That's true, but to a point one of the considerations is whether you're acting in good faith or not. If you're 'on the edge' but making an attempt in good faith to be compliant, you're probably going to be OK, but if you're on the edge trying to bend the rules at every opportunity, when you do skirt the rules, it will come back to bite you a bit more.
Quote: The unholy side-effect of that is that site owners based in Europe will have to know the applicable laws for each EU member as the Directive does not proscribe any particular wording.
The ICO's own site is where I feel it's failing most: I accept that they may not know the specific details of each cookie - I don't know the specifics of what's in the Google Analytics cookies, for example, so that part I'm willing to accept the way they're doing it. What I don't like is the way they're using a single consent to accept *all* of those cookies, not bits and pieces.
Quote: The other bit of advice I've just been given is that site owners should clearly explain the content and use of any third-party cookies introduced on visitors' machines during their visit. But I note that even the ICO is unable to do this fully.
I'm sure Wedge will be fine with just a warning message at registration time. That could be disabled from the admin panel for users outside the UK or whatever.
The UK site has complied with the Directive as implemented in UK law but is not compliant under German law. As things stand, the Information Commissioner would have to agree that the web site concerned was in violation. But whether he would seek prosecution is entirely another matter.
But is there any other practical way of doing this? As a developer, you'd say "yes", I'll simply include hooks that cause the display of a cookie acceptance dialog so that developers of plug-ins that set cookies can get the user's acceptance. But from a user's point of view, to be presented with a succession of cookie opt-in dialogs is going to become tiresome to say the least. If we are going to go down that road, then I think two opt-in dialogs should suffice: one for first-party and the other for all the third-party cookies. That second dialog could optionally be re-presented to the user if additional cookies are added. How's that for compromise?
I actually did some investigation on this some time ago, when I first started running forums, and I don't believe anything's changed. Basically, a username and password is not considered personal information and as yet, neither is an email address. Consequently because you're not providing anything that comes under their definition of 'personal information', you don't have to get into the realms of being a registered Data Controller, and whatever's left regarding IP (which also, currently, is not considered personal information) is covered by the standard registration agreement, which is within the First Principle's approach to transparency.
Quote: That said though, I do wonder how many Forum sites operating from UK hosts actually comply with the requirements of the Data Protection Act. Very few, if any, would be my guess.
Oh, I'm pretty sure that it is just for show, but until it's actually tested in a complaint, we have to assume that it isn't. Bear in mind that it is only to be used in the case of people complaining, rather than doled out by machine.
I agree entirely with your comments. But many Forum sites hold other personal information that has been voluntarily supplied by its members - such as their location, user names on social network sites and instant messengers, perhaps even their exact geographic location (for Google Map pins).
Well almost: if that member receives a ban, he is no longer able to remove his personal details and whilst the site needs to retain that member's email address, user name and IP Address in order to enforce the ban, it does not - and should not (in my view) - retain any of the additional information that user supplied during his membership. That retention might fall foul of the DPA.
If my suspicions have any legs, then wouldn't it be wise for the site to automatically remove all additional informations - including all PMs sent/received - when a member is banned?
To the best of my knowledge - and according to some basic research carried-out by my lawyer - no UK-based Forum site has been found in violation of the DPA but there remains the risk that should the ICO be asked to investigate a site under the "cookie law", it might also check for other violations.
On a side-note - cookie lifetimes. For logged on folks ("paid up" members), it's easy in most cases because you ask them how long they want to be logged in for; just be explicit that a cookie is used to store that information and I would hope that the ICO view that as a "good faith" attempt at compliance. For "anonymous" guests, I'd like to see any cookies lasting for as short a time as can be managed - to the extent of potentially having cookies expire while anonymous users are still browsing.
With more and more people leaving their browser running 24x7, you can't really rely on "End of session" cookies any more (this is a browser issue in my book - but I can't think of an easy fix...)
I live in the UK but my hosting servers are in the US, do I have to comply with these rules on my website?
If we have visitors from the UK so we have to comply for them visitors?
Also isn't the notice on the registration agreement enough to say what cookies are stored on your computer and what they are used for?
Will this be applicable to voluntary small websites who can basically be bitten by a cookie law?
I would have never heard about this other than reading this website.
AND I LIVE IN THE UK!!! That's a bit stupid init?
I noticed on my ISP website they have information at the bottom of their website, like little icons that you don't even know what they are until you hover or click them which allow you to control the use of cookies they store.
Yes, because you're the site operator.
Quote: I live in the UK but my hosting servers are in the US, do I have to comply with these rules on my website?

Yes, if the site is owned or operated within the EU, since this is an EU directive. If there is no EU-based management, there is no requirement to comply - at the present time, since I don't see how a user from within the EU can make a complaint to their respective data management body, when there's no way that can further on be enforced.
Quote: If we have visitors from the UK so we have to comply for them visitors?

You're not the first person to ask this, and the answer is unequivocally NO.
Quote: Also isn't the notice on the registration agreement enough to say what cookies are stored on your computer and what they are used for?
This is the part that people do not follow. What you state in the registration is, frankly, irrelevant. You are supposed to obtain permission before setting ANY cookies. Even guests. The registration process would cover the more complex cookie, but it is not sufficient to cover for guests for whom a cookie is set straight away anyway.

Yes, if you use a cookie. This is one of the points we've debated here: all sites that operate within the UK at least (and in time the EU) should comply, and a user can lodge a complaint with the ICO if they do not comply with the rules. (Or the respective country's equivalent)
Quote: Will this be applicable to voluntary small websites who can basically be bitten by a cookie law?

You want to know the real fuck-up? This was introduced almost a year ago back in May 2011, but the ICO made it very clear that they would not enforce for a minimum of one year (and that date is fast approaching, it will be May 26th this year), however during that time we have been waiting for guidance from the ICO on how exactly this should work.
Quote: I would have never heard about this other than reading this website. AND I LIVE IN THE UK!!! That's a bit stupid init?

That's not really satisfactory. The ICO's own site is so far the only site I have seen that actively follows the guidance.
Quote: I noticed on my ISP website they have information at the bottom of their website, like little icons that you don't even know what they are until you hover or click them which allow you to control the use of cookies they store.
It sounds ridiculous you know, for the fact I can be persecuted for something I was unaware of.
I still don't understand it and if I get bitten by it.
Sounds to me like they want to abolish cookies.
What else are they going to do. Do we need to start displaying HUGE notices explaining what information is cached on your PC also lol.
I can say that almost every website I know on the internet is not even close to complying with this.
For the fact of, how can you comply with something you don't even know about and don't even understand.
Should set myself up as a user suing all websites that do not comply with something and make a million lol.
I am sure with all these stupid laws its possible lol.
So let me try and understand this some more.
Basically I have to display a notice that says we use cookies and what they do?
After looking on the additional info it even states the ICC website so it looks like they are complying with this just by providing this option.
So if I put an icon with basic information of what cookies are applied and what they track, I would be covered?
Simple fact is.. I will have to apply this so I need some help on what to do..
Do they take into account that some users might not even be aware of what cookies the software they use on their website do?
Category 1: strictly necessary cookies
For those types of cookies that are strictly necessary, no consent is required.
Generally these cookies will be essential first-party session cookies, and if persistent or third party, there should be a good justification for this.
Not all first-party session cookies will fall into the ‘strictly necessary’ category for the purposes of the legislation. Strictly necessary cookies will generally be used to store a unique identifier to manage and identify the user as unique to other users currently viewing the website, in order to provide a consistent and accurate service to the user.
So I believe that wedge and SMF are covered by these cookies that produce a session ID to individually identify a guest and you do not need permission.
So you don't need to worry about that.
So in effect, strictly necessary cookies like session ID's for guests do not need consent.
Maybe someone can correct me on that.
All the other cookies, such as performance and blah you could put in the registration agreement
So cookies that remember a change on your website like a theme option or what ever.
I imagine all these need users permission.
Man this is giving me a head ache. I mean seriously.
Another head ache is we use analytic's and have images from photo bucket that some one posted on the home page.
All these are storing cookies on users computers!
Paypal some how have a cookie stored, youtube because there is a youtube video in the shoutbox... Facebook like.
Google plus one.
I can see the reason why they are implying these laws, but some of them are stupid.
Like changing a theme layout and storing a cookie you need users permission for a cookie that probably only has the option a, b or c.
What can I do about these 3rd party cookies that are simply being placed on the website simply because of a donate button, or an image from photobucket, a video from youtube being posted.
Like every person who owns a site in the UK has the time to do all this and research it :(
I really don't understand what to do about all the youtube cookies, paypal or any content that can be on the home page and what not.. Do I have to disable use for guests?
These laws should be put in place for websites that display adverts or sell a product or something..
Not to the standard website owner.. Its just too much effort for us to comply with this.. I mean seriously a lot of effort.
I have spent hours already on this subject alone and not even started to implement it.......... HEAD ACHE...
I really don't wanna waste a hell of a lot more time actually implementing this and the thought is like I really don't wanna do it.
But I have to... You know that feeling right.?
1st I dunno how I am going to do it lol.
This is why I like Arantor. You take your time out to reply, and educate + 1
Put in the registration agreement that they allow all cookies and *hope* SMF do something about guest cookies.
If you put the check right at the start of the SMF execution path, that should avoid a PHP session from being started.
- Move your forum to a sub-directory
- Put up an entrance page advising of the cookies that will be set.
- Make a small change on the main SMF index page redirecting anyone who doesn't have an "opt in" cookie set to the entrance page.
- Require a click-through to get to the new forum location, setting a cookie (which was disclosed on that page!) to prevent SMF from kicking them out.
Oh, this solution also prevents search engines from indexing anything since SMF now requires an "opt in" cookie to even show.
I think that would legally work, although it would probably destroy your site since you wouldn't have any results in search so you'd only get new visitors via direct referral.
In my view the new law actually makes using the internet illegal as your server can not legally read the packet headers which contain information from the user's terminal without their prior permission, but how can you get that prior permission if you can't read the headers.
1. This is simply an observation (and probably a truism!), nothing more than that!
This is why I like Arantor. You take your time out to reply, and educate + 1
I just viewed that website and man that looks so easy how they have done it.
Only thing is stopping these cookies from my site being stored for guests GRRRR.
Put in the registration agreement that they allow all cookies and *hope* SMF do something about guest cookies.
Also need a page that displays each cookie and what that cookie does. Well there is only 3 cookies I made myself.
Which I can explain simply as they are only
Category 3: functionality cookies
For things like the Shoutbox remembering which chat channel you are in and the theme changer lol.
Still my problem with 3rd party cookies unless they sort that out them selves.
That would mean minimal work for me XDDDDDDDDDDDDD
Last one is analytic's, meh. What's the point in having it on the forums when you can't allow guests lol.
I mean as if a guest is really gonna OPT IN.. I wouldn't lol.
Guess I will remove that. I don't even use it anyway to be honest.
Will probably improve the speed of the website as well XD.
I thank you guys for making me aware of this as I seriously would never have known.
I have spoken to a lot of UK friends also.. They had no idea either..
Shocking heh.
Oh he's earned more than +1 from me as he seems to be the only Forum software developer who has not only taken time to research this (and other legal implications) but has demonstrated a genuine willingness to implement a decent solution.
You can hope and you can pray but whatever you do, don't hold your breath! Here's the solution that a (former?) SMF project person has suggested:
However, there is another British Forum owner contributing to that same thread and he poses the following:
The sad fact is that were things different to what they are today, there would have been an Arantor-authored modification for SMF available by now
I've noticed that some ISPs are placing tracking cookies for each web site visited. I wonder what ICO's views on that would be, since such cookies are outside the direct control of the web site owner.
1. Yes, that's one thing that hasn't exactly been noted by those who've looked around the issue.
Unfortunately neither of the solutions work. That by the-person-whose-name-I-can't-read-let-alone-pronounce didn't work at all. The second one, by Emanuele, isn't preventing the PHPSESSID (ie visitors) cookie from being set.
Not all first-party session cookies will fall into the ‘strictly necessary’ category for the purposes of the legislation. Strictly necessary cookies will generally be used to store a unique identifier to manage and identify the user as unique to other users currently viewing the website, in order to provide a consistent and accurate service to the user.
Examples include:
• Remembering previous actions (e.g. entered text) when navigating back to a page in the same session.
• Managing and passing security tokens to different services within a website to identify the visitor’s status (e.g. logged in or not)
• To maintain tokens for the implementation of secure areas of the website
• To route customers to specific versions/applications of a service, such as might be used during a technical migration
Generally these cookies will be essential first-party session cookies, and if persistent or third party, there should be a good justification for this.
I still think we should try tracking guests through their ip if feasable ;)
I think the best thing to do, if this doesn't apply is to adapt the cookie to fall directly under these terms.
I think that would be a better way, and would allow tracking to still exist. As in uniquely identify them.
I still think we should try tracking guests through their ip if feasable ;)
Hey, that was me who tried Emanuele mod.
Quote from markham on April 21st, 2012, 06:45 PM: Unfortunately neither of the solutions work. That by the-person-whose-name-I-can't-read-let-alone-pronounce didn't work at all. The second one, by Emanuele, isn't preventing the PHPSESSID (ie visitors) cookie from being set.
It did work, I set it up and it disabled cookies for guests until they agreed to use them, using the notice that is placed at the top.
So SMF didn't issue no cookies at all lol.
It says, either agree, login or register to accept the cookie.
Then it places an ecl_ cookie on your computer to verify that you have accepted lol.
I checked and there was no cookie issued to the guest only analytic's and shoutbox, not SMF.
I have un installed it now, as it looks a mess right now lol.
But I believe it does the job, with an extra page that you can click in the notice where all the information will be about the cookies.
Nothing on it as of yet lol.
1. (function ob_google_analytics($buffer)
One thing I will add... actually... there is an interesting point to be made here. Complying with the law as it seems to be, that means we can't issue the PHPSESSID cookie without permission. That means search engines won't give consent, and thus we don't have to worry about PHPSESSID for non-guests.
In *that* case, yes, we lose the accuracy of the 'number of online guests', but we actually gain performance and speed and stop having any PHPSESSID/SEO issues again ever to have to deal with.
From my perspective, I'm increasingly considering that a viable option - though I do note there is an exemption in there for cookies used for performance and tracking the number of users to balance load, and it's possible to argue that one with PHPSESSID. Until I get some guidance from the ICO, though, this is all largely hypothetical.
Do we actually *need* to track unique guests? Do we care how many 'guests' are online at once? Do we care how many 'unique guests' (given that's a figure that we don't really understand nor have any accuracy for) are online at once?
if (!ecl_authorized_cookies())
With Emanuele's help (he used some kind of analyser on my site) I discovered that PHPSESSID was being set because I have SA-Chat installed and, for some strange reason, it has its own index.php file. One of the very first things that happens is that there's a call to start_session(). A simple edit was all it took me to prevent the Mod from loading unless cookies had been authorised.
How about us that operate and live in the US and decide to ignore the foreign law. I shouldn't be expected to follow by a law that I am in no way bound by, should I?
*edit, this system also helps reduce server load. Hopefully you didn't disable it, the mod IMHO is useless without this system in place because it can bring your site to a slow down. It is hard to remember everything from back then, lol.
define('SMF', 1);
// Experimental Optimizer
define('loadOpt', 1);
// Lets go head and load the settings here.
require_once(str_replace('//','/',dirname(__FILE__).'/').'../Settings.php');
// Load SMF's compatibility file for unsupported functions.
if (@version_compare(PHP_VERSION, '5') == -1) {
    require_once($sourcedir . '/Subs-Compat.php');
}
//
// Load Emanuele's EU Cookie-checker Modification.
require_once($sourcedir . '/Subs-EclWarning.php');
// If the user hasn't accepted cookies, get out! We can not go ahead and load SA-Chat
// because session_start() sets cookies and so potentially does SA-Chat's javascript.
if (!ecl_authorized_cookies())
    die();
// Okay, cookies can be set so continue.
// session_cache_limiter() only takes effect when it is called before session_start().
session_cache_limiter('nocache');
session_start();
//<-------------------------------------------------------------------------------
// Load the theme
// strstr() takes the haystack first: reject any theme name that contains '..'.
if (isset($_REQUEST['theme']) && strstr($_REQUEST['theme'], '..') === false && is_file('./themes/'.$_REQUEST['theme'].'/template.php') && is_file('./themes/'.$_REQUEST['theme'].'/style.css')) {
    $themeurl = $boardurl.'/sachat/themes/'.$_REQUEST['theme'];
    $themedir = $boarddir.'/sachat/themes/'.$_REQUEST['theme'];
    $thjs = 'theme='.$_REQUEST['theme'].'&';
    require_once($themedir.'/template.php');
}
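A minimal consent gate in the spirit of the index.php change above, written for this page as an added example (it is not code from SMF, Wedge, SA-Chat or Emanuele's modification): nothing sets a cookie or starts a PHP session until a validated opt-in cookie is present, and the opt-in value is a short version-and-timestamp token rather than free text. The cookie name, lifetime and function names are assumptions, the site is assumed to be served over HTTPS, and the array forms of setcookie() and session_set_cookie_params() need PHP 7.3 or later.

```php
<?php
// Added example with hypothetical names; not part of any forum package.

const CONSENT_COOKIE   = 'cookie_consent'; // hypothetical cookie name
const CONSENT_LIFETIME = 15552000;         // 180 days, an assumed policy choice
const CONSENT_VERSION  = 1;                // bump when the disclosed cookie list changes

/**
 * Accept only "v<version>.<unix timestamp>". Anything else (free text,
 * markup, an old version, a future or expired timestamp) counts as no consent,
 * so the value never has to be echoed or trusted as data.
 */
function consent_is_valid(array $cookies, int $now): bool
{
    $raw = $cookies[CONSENT_COOKIE] ?? null;
    if (!is_string($raw) || !preg_match('/\Av(\d{1,4})\.(\d{1,10})\z/', $raw, $m)) {
        return false;
    }
    $version   = (int) $m[1];
    $grantedAt = (int) $m[2];

    return $version === CONSENT_VERSION
        && $grantedAt <= $now
        && ($now - $grantedAt) <= CONSENT_LIFETIME;
}

/** Record the opt-in. This is the one cookie the notice itself must disclose. */
function record_consent(int $now): void
{
    setcookie(CONSENT_COOKIE, 'v' . CONSENT_VERSION . '.' . $now, [
        'expires'  => $now + CONSENT_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // assumes HTTPS
        'httponly' => true,   // checked server-side only
        'samesite' => 'Lax',
    ]);
}

/** Start the session only after consent; returns whether a session exists. */
function start_session_if_consented(array $cookies, int $now): bool
{
    if (!consent_is_valid($cookies, $now)) {
        return false; // no session_start(), so no PHPSESSID is issued
    }
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie for the session ID
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_cache_limiter('nocache'); // must precede session_start()
    session_start();
    return true;
}

// --- front controller: must run before any code that can set a cookie ---
$now = time();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['accept_cookies'])) {
    record_consent($now);
    // Fixed target: never build the redirect from request data.
    header('Location: /', true, 303);
    exit;
}

if (start_session_if_consented($_COOKIE, $now)) {
    // Session-backed features (guest tracking, chat, analytics) may load here.
    echo "session active\n";
} else {
    // Serve the page without any Set-Cookie header plus the consent notice.
    // Content stays reachable, so crawlers that never opt in can still index it.
    echo "no cookies set; show consent notice\n";
}
```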
I suppose for google analytic's you could also just put this before it in the head.
Code:
if (!ecl_authorized_cookies())

// Google Analytics Integration
function ob_google_analytics($buffer)
{
    global $modSettings, $boardurl;
    // Only add the tracking script once the visitor has authorised cookies.
    if (ecl_authorized_cookies())
    {
        if (!empty($modSettings['googleAnalyticsCode']) && !isset($_REQUEST['xml'])) {
            $google_code = '
<script type="text/javascript"><!-- // -->' . chr(60) . '![CDATA[' . '
var _gaq = _gaq || [];
_gaq.push([\'_setAccount\', \'' . $modSettings['googleAnalyticsCode'] . '\']);
_gaq.push([\'_trackPageview\']);
(function() {
var ga = document.createElement(\'script\'); ga.type = \'text/javascript\'; ga.async = true;
ga.src = (\'https:\' == document.location.protocol ? \'https://ssl\' : \'http://www\') + \'.google-analytics.com/ga.js\';
var s = document.getElementsByTagName(\'script\')[0]; s.parentNode.insertBefore(ga, s);
})();
// ]]' . chr(62) . '</script>';
            // add in the analytics code at the very end of the head section
            $buffer = substr_replace($buffer, $google_code . "\n" . '</head>', stripos($buffer, '</head>'), 7);
        }
    }
    // All done
    return $buffer;
}
Also reading a lot of discussion about it. It does seem like these big companies might not be taking this seriously.
Maybe it's my hoping in chance that it will get challenged and thrown out.
I mean who wants to be throwing alerts at people to accept, lol..
I'm not saying I don't agree with the new law, but I certainly think it should be looked at again and properly, probably in my favour LOL.
Edit: I would just like to add.. The cookie that is set from the mod is only supposed to last for that "session". I don't think there is a need to keep throwing it at the users' face every time they revisit.
If my understanding is correct, they only have to agree to it once.
setcookie('ecl_auth', 1, 0, '/');
setcookie('ecl_auth', 'EU Cookie Law - LiPF cookies authorised- ' . strftime('%d-%b-%Y %H.%M.%S', time()), time() + 189345600, '/'); // Set a 6 year cookie, the same as a "Forever" cookie in SMF
1. | That information string contains HTML entities and I'm not sure if (a) that is safe and (b) how to overcome it. |
Except for the fact that US law makers are in the process of an equivalent Federal statute ....
Quote from nend on April 23rd, 2012, 06:10 PM How about us that operate and live in the US and decide to ignore the foreign law. I shouldn't be expected to follow by a law that I am in no way bound by, should I?
Ah you're the original author! You created a great modification and, IMHO, the best of its type I found for SMF.
Quote *edit, this system also helps reduce server load. Hopefully you didn't disable it, the mod IMHO is useless without this system in place because it can bring your site to a slow down. It is hard to remember everything from back then, lol.
Changing its index.php file was actually very simple - even for a 61 year old non-programmer like me!
All I needed to do was to move the loading of Settings.php and Subs-Compat.php up from below session_start(), then load the Cookie checking code. All your basic logic remains as it was before and now what happens is that if the Cookie authorisation Cookie is not detected, the chat application isn't executed. The load checking and balancing code is still there and fully-operative but only, of course, if cookies are authorised.
Code: [Select] define('SMF', 1);
// Experimental Optimizer
define('loadOpt', 1);
// Lets go head and load the settings here.
require_once(str_replace('//','/',dirname(__FILE__).'/').'../Settings.php');
// Load SMF's compatibility file for unsupported functions.
if (@version_compare(PHP_VERSION, '5') == -1) {
require_once($sourcedir . '/Subs-Compat.php');
}
//
// Load Emanuele's 'EU Cookie-checker Modification.
require_once($sourcedir . '/Subs-EclWarning.php');
// If the user hasn't accepted cookies, get out! We can not go ahead and load SA-Chat
// because set_session() sets cookies and so potentially does SA-Chat's javascript.
if (!ecl_authorized_cookies())
die();
// Okay, cookies can be set so continue.
session_start();
session_cache_limiter('nocache');
//<-------------------------------------------------------------------------------
// Load the theme
// Reject theme names containing '..' (strstr() takes the haystack first, then the needle).
if (isset($_REQUEST['theme']) && !strstr($_REQUEST['theme'], '..') && is_file('./themes/'.$_REQUEST['theme'].'/template.php') && is_file('./themes/'.$_REQUEST['theme'].'/style.css')) {
$themeurl = $boardurl.'/sachat/themes/'.$_REQUEST['theme'];
$themedir = $boarddir.'/sachat/themes/'.$_REQUEST['theme'];
$thjs = 'theme='.$_REQUEST['theme'].'&';
require_once($themedir.'/template.php');
}
Just went over the code changes and found the source on GitHub. You're right, it looks like it shouldn't cause any problems. The ecl warning script just checks to see if a cookie is set that it added before and returns true or false. ;)
OK, so let's back up a minute.
The PHPSESSID cookie, left alone and untouched by logins, will be removed properly. When logging in, though, SMF and Wedge both make that a persistent cookie. There's no argument on that score: it's a persistent cookie that is not being handled nicely and certainly flies in the face of any argument we can make that PHPSESSID is a valid session cookie when it stops being one.
@nend, why should you bother? That's a good question, and for now I don't think you have to be too concerned if you're based entirely outside the EU. That assumes the US do not introduce any forms of sanction, and I wouldn't put it past them, because then a user in the EU could complain to their national body and they can take it forward on that user's behalf. So in that respect, you don't have to be too bothered - for now.
Assuming the ECL cookie is set, there is nothing in the guidance about it being a session cookie from what I remember, and it does seem overly onerous to make it such, particularly if there is a persistent cookie of any form present.
My take on it is that if cookies are provided that the site is expecting (e.g. the member cookie or PHPSESSID), we can assume that consent must have been provided in the past and not require that extra cookie.
1. | But that assumes that the browser makers get their act together and actually remove expired and session cookies! |
(and some potential per-session caching, but for guests that's mostly avoidable anyway!)
Well, bb2_screener_ is set by Bad Behaviour. I'm aware of that cookie and have chosen not to implement it into the implementation that's in Wedge, so that's not an issue.
But that's rather unpleasant that you're getting injected cookies like that. Not using Google Adsense, I take it?
What's interesting about that cookie is that if you inspect it in Firefox, it contains the name of the ISP you're connected via. That's what led me to believe it was being set by an ISP.
Incidentally, Wolf Software (UK) has a neat javascript GPL implementation requiring only a slight modification to the page header. The company claims it has consulted with ICO to ensure its solution fully complies with the law.
Funny, in the screenshot you posted, it was using your IP address - but it'll go with a hostname if it has that available. The idea is to validate that when content is posted, that it's come from the same source as the person getting the form (so that you don't get the same amount of pump and dump spam)
Quote What's interesting about that cookie is that if you inspect it in Firefox, it contains the name of the ISP you're connected via. That's what led me to believe it was being set by an ISP.
Got a link? There's certainly nothing that says the consent has to be shown every page and nothing that says it can't be set via JavaScript, so I can well believe it is compliant but I'd like to see it to get a sense of what the ICO is claimed to have agreed with.
Quote Incidentally, Wolf Software (UK) has a neat javascript GPL implementation requiring only a slight modification to the page header. The company claims it has consulted with ICO to ensure its solution fully complies with the law.
Yes that is the IP Address my ISP tells you I'm on, but according to my desktop gadget, my external IP is 120.28.248.151 - go figure!
To save you rushing over there, I'm attaching both to this post.
The IP address used is the one the webserver itself received - if it's behind a firewall it might be the internal IP rather than an external one. It's... complicated.
Quote Yes that is the IP Address my ISP tells you I'm on, but according to my desktop gadget, my external IP is 120.28.248.151 - go figure!
Thanks, though I really wanted a link so I could see them in action before I looked at any code. It's not always practical to study code to see the result you will get from it ;)
Still, always good to have the code handy.
Quote To save you rushing over there, I'm attaching both to this post.
I wonder how long it will take for our legislators to discover the "joys" of web bugs and HTML5 local storage both of which can, I understand, be used to track people around the net.
Can't wait for the US to get into these laws should be an interesting clusterf*ck.
1. | Eg as expressed on SMF for example |
http://www.bbc.com/news/technology-18090118
I'm not surprised. I still haven't had an answer from the ICO and I have sent another email asking for an update.
I still think the problem can be solved in Wedge's case by a more drastic measure than previously indicated and would have a lot of beneficial effects as a consequence but the shouting that will ensue from users afterwards... I don't want to have to deal with that.
http://civicuk.com/cookie-law/index
http://www.pcpro.co.uk/news/enterprise/374734/ico-no-fines-for-breaking-cookie-rules
Asked whether the ICO thought users knew enough to be able to consent to cookie agreements, Evans said: "We're not asking that user education has to give everyone a masters in computer science." He added that the legal definition of consent did not ask for proof that users understood what they were doing.
Well, if you have a gripe against a particular website
Why not complain to the ICO? At least then your grumbling over their uselessness will be based on actual experience.
Meantime, is it too polite to term this whole episode as an omni-shambolic barrel of cluster-fucking monkey-shite?
Interesting approach. Note that they're essentially saying 'you cannot use this site until you at least agree to cookie use'.
1. | Most actions are blocked in index.php by Emanuele's mod, if cookies haven't been accepted. |
$DoNotTrackHeader = "DNT";
$DoNotTrackValue = "1";
$phpHeader = "HTTP_" . strtoupper(str_replace("-", "_", $DoNotTrackHeader));
if((array_key_exists($phpHeader, $_SERVER)) and ($_SERVER[$phpHeader] == $DoNotTrackValue))
{
// Do Not Track is enabled
}
else
{
// Do Not Track is not enabled
}
@Ox - The BBC is using Geo-location to determine whether or not to seek cookie acceptance which better minds than mine reckon is a bit dangerous.
techcrunch.com/2012/05/25/cloudflare-to-launch-service-for-sites-dealing-with-tortuous-eu-cookie-law/
Yay we are starting to censor communication more and more. I am thinking about writing a letter to your government who set up this law and tell them they are setting a bad example for the rest of the world. This is BS that you all have to code around this just for a few that are tracking users for unjust purposes.
1. | Strange isn't it, that all the later web browsers support DNT but few of them handle cookies correctly. |
Hey - don't blame us, we didn't invent this law! Blame the EU and in particular the Danish Commissioner who dreamt-up this load of malarkey.
Quote from nend on May 25th, 2012, 04:23 PM Yay we are starting to censor communication more and more. I am thinking about writing a letter to your government who set up this law and tell them they are setting a bad example for the rest of the world. This is BS that you all have to code around this just for a few that are tracking users for unjust purposes.
http://h30565.www3.hp.com/t5/UK-Edition-start-here/Hurrah-ICO-flip-flops-on-UK-cookie-consent-law/bc-p/4111
However, the ICO has flip-flopped at the last minute, now saying that "Implied consent is a valid form of consent."
With these innocent-sounding eight words, the ICO has radically shifted the goalposts for most website owners. Depending on the context, there may now be no need to get users to click a button or checkbox, as long as your users understand that using the site will result in cookies being used.
You are receiving this as a registered member of my internet forum. While we do not email users as a rule, we are required to update all registered users of our adherence to the new UK and European law in regards to our use of cookies on the site.
When registering to join as a member, you have already given express consent to our use of cookies as stipulated in our Privacy Statement (/forums/content/section/177-privacy-statement.html).
Further information about how the site uses cookies can be found here - /faq.php?faq=vb3_board_usage#faq_vb3_cookies
Your continued use of the site will be taken as a reaffirmation of your consent to us using cookies and storing them on your computer.
Regards
1. | Emanuele's mod tests for the existence of the "cookie acceptance" cookie whilst Live627 (I think) tests if the session to be started is for a guest. |
You have to exit WriteLog() if a guest hasn't accepted the ECL .. if you don't do that, a lot of errors occur because no session has been created at this time ...
whilst Live627 (I think) tests if the session to be started is for a guest.
You have to exit WriteLog() if a guest hasn't accepted the ECL .. if you don't do that, a lot of errors occur because no session has been created at this time ...
Yeah .. but there are more mistakes in Emanuele's mod .. I posted that in the thread
WAP/WAP2/IMode is not handled I think .. and you can login/register without accepting the ECL. That's not correct I think ...
The bare minimum is covered, no? That a user (and spider) can access the site without having to deal with cookies.
For what I want to apologize to you, Nao?
That I have a clear idea of what I will do what?
I've never personally attacked you and I respect what you do.
And that, I think, I can also expect from you ...
@feline, what Nao is getting at is back when Wedge was still very young and fragile, we were interested in having you on board but you basically told us that you weren't interested in being involved unless we turned over half the rights to you.
That's right .. a couple of years ago I established the PortaMx corp., with which I earn my money. If I now invest a lot of time in other projects (such as Wedge), I lose a lot of money.
So I offered to be involved to 50% on Wedge, so as to achieve a balance. That's probably not too objectionable ...
Websites that track users across multiple first-party websites must check for the presence of the Do Not Track user preference(http://www.w3.org/Submission/2011/SUBM-web-tracking-protection-20110224/#dfn-do-not-track-pref). If a website detects that this preference is enabled, it must disable any tracking code or collection of data that can be used for tracking purposes, regardless of the level of identification of the user.
1. | "DNT: 1" in the HTML header. |
And that doesn't actually apply to us at all, as it happens.
A single Wedge install is not one-of-multiple first party websites. It does apply to the likes of Google Analytics of course and is by far a better solution than this bloody shambles.
The only time it would really come into play is for analytics type plugins for adding GA etc.
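The checks discussed in this thread (the ECL consent cookie, the DNT header test, and analytics injected before `</head>`), combined in one added example; it is not code from SMF, Wedge, the ECL mod or the Google Analytics mod. All function names are hypothetical, the `ecl_auth` cookie name comes from the setcookie() lines posted earlier, and treating any non-empty value of it as consent is an assumption.

```php
<?php
// Added example: not code from SMF, Wedge, SA-Chat or the ECL mod.
// Every function name below is hypothetical.

/** True when the browser sent "DNT: 1" (PHP exposes the header as HTTP_DNT). */
function dnt_enabled(array $server): bool
{
    return isset($server['HTTP_DNT']) && trim((string) $server['HTTP_DNT']) === '1';
}

/** True when the consent cookie is present; any non-empty value counts (assumption). */
function has_cookie_consent(array $cookies): bool
{
    return isset($cookies['ecl_auth']) && $cookies['ecl_auth'] !== '';
}

/** Tracking code is allowed only with consent and without a DNT opt-out. */
function may_emit_analytics(array $server, array $cookies): bool
{
    return has_cookie_consent($cookies) && !dnt_enabled($server);
}

/**
 * Insert $snippet immediately before the first </head>.
 * stripos() returns false when there is no </head>; used as an offset that
 * would be treated as 0, so the buffer is returned untouched in that case.
 */
function inject_before_head_close(string $buffer, string $snippet): string
{
    $pos = stripos($buffer, '</head>');
    if ($pos === false) {
        return $buffer;
    }
    return substr($buffer, 0, $pos) . $snippet . "\n" . substr($buffer, $pos);
}

/** Output-buffer style filter: the page passes through unchanged unless tracking is allowed. */
function analytics_output_filter(string $buffer, array $server, array $cookies, string $snippet): string
{
    if (!may_emit_analytics($server, $cookies)) {
        return $buffer;
    }
    return inject_before_head_close($buffer, $snippet);
}

// Constructed sample inputs (not taken from any real site).
$page    = '<html><head><title>Forum</title></head><body>...</body></html>';
$snippet = '<script>/* analytics placeholder */</script>';
$cases   = [
    'no consent'    => [[], []],
    'consent'       => [[], ['ecl_auth' => '1']],
    'consent + DNT' => [['HTTP_DNT' => '1'], ['ecl_auth' => '1']],
];

foreach ($cases as $label => [$server, $cookies]) {
    $out = analytics_output_filter($page, $server, $cookies, $snippet);
    printf("%-14s injected: %s\n", $label, strpos($out, $snippet) !== false ? 'yes' : 'no');
}

// A response with no </head> (for example an XML fragment) comes back unchanged.
$fragment = '<response>ok</response>';
var_dump(analytics_output_filter($fragment, [], ['ecl_auth' => '1'], $snippet) === $fragment);
```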
11 June 2012.
Dear Mr Spicer,
Thank you for your emailed correspondence to the Information Commissioner’s Office (ICO), dated 20 April 2012, regarding the new rules on cookies under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR).
The new regulations are as follows:
Quote “I'm a developer attached to a project that builds discussion forum
software, and I'm trying to get some guidance on whether the software we have is compliant with the cookie laws or not, since the guidance is very confusing.
I would note also that our package ('Wedge') is derived from an existing US-based development ('SMF') and shares much of the same code including the cookie management. I should also note that SMF's developers have absolutely no plans to add any facilities for managing cookie privacy, so that UK site owners which use SMF will be left non-compliant, and not through their own fault.
Currently, Wedge offers two cookies, one is a session cookie created
automatically for guests. The session cookie is not shared with any
third party. The cookie itself is simply a session ID, though the
session ID allows for counting how many non-registered users are
visiting, and also the last action carried out by that session can also
be logged, meaning that site administrators can identify what topics of discussion a given user is viewing.
When a user actually logs in, a second cookie is deployed. Due to a bug, the first cookie is not erased, though it is not used when this second cookie is. The second cookie is more persistent, however the user is asked how long the session should persist for. This particular cookie carries two items of information, namely the user id of the logged in user, and their session ID. (The user id is carried through primarily for performance, though either way, that session ID is tied to a user account.) It is also possible for administrators to view the actions being carried out by logged in users.”
“6.
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met
…
(2) The requirements are that the subscriber or user of that terminal equipment-
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.”
The more persistent a cookie is, the clearer the information needs to be in order to obtain valid consent. More persistent cookies are likely to be more intrusive, and therefore the level of consent needs to be greater.
When using terms and conditions to obtain consent, those terms and conditions must be actively accepted (as opposed to terms and conditions which are simply available on a website for viewing). Where someone has to actively accept terms and conditions (for example, ticking a box as part of a login or registration process) then that can indicate consent.
Quote “Now, there is a note in the standard registration agreement text, which reads: "Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer."
I recognise that this is not sufficient for compliance and that
something more obvious will be required.
It is important to remember that whilst the cookie rule requires information about cookies to be available to users, it also requires consent to the use of cookies to be obtained (where the exception is not met). On this basis, while making information available in an online document will satisfy the first part of the rule, it will not meet the consent requirement.
We are aware that there are a number of issues with this type of software.
Quote “Anyway, this at least is the current position, and I would note that
pretty much all of the discussion forum platforms offer a similar
collection of features, and to the best of my knowledge, none of them are compliant at this time, and I do not believe there are plans to address that, meaning that site owners are likely to place themselves at risk by using any of these software packages.”
Accordingly, we would at the very least expect that the requirement of Regulation 6(2)(a) is met (that is, the provision of clear and comprehensive information about the purposes of the storage of, or access to, information stored on or accessed from the equipment of the subscriber or user).
I can confirm that, if implemented appropriately, the above appears likely to be a valid method of obtaining consent.
Quote “My understanding of the cookie laws is that the registered-user cookie would be acceptable, by expressly asking for consent during registration so that on creating the user account, it would be clear that consent had been given.”
The new rules apply to UK established organisations operating websites using cookies irrespective of whether site users are based in the UK. For example, an organisation established in the UK with an online presence entirely focussed on countries outside the EU would still be required to comply with the new rules on cookies.
Quote “With respect to the session cookie, I am not clear as to whether this is acceptable or not. We will work on the issue where the session cookie is not removed as promptly as it should be, but given that its primary use within the system is to identify the number of active users who are not currently signed in (and potentially the action they are carrying out), it seems to me that we should ask for consent and not issue if it not given. I do note that the software will be used by people not based in the EU as well as people based there (the core development team consists of one person in the UK and one in France)”
We would recommend consulting page 6 of the following guidance in respect of the timing of consent:
Download the ICO's cookies guidance (pdf)(http://ico.gov.uk/news/blog/2012/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx)
The above scenario raises wider privacy concerns not specifically addressed under the new rules on cookies, but by the Data Protection Act 1998 (DPA98).
Quote “I am concerned, also, with respect to the logging of actions. The
tracking is not entirely real time, but 'most' page views (certain
internal actions are excluded, and there is a threshold whereby making page views in that time will not be logged, typically views less than 8 seconds apart) are logged, and it is tied to the session ID (regardless of being signed in or not). My concern is that currently we are not advising users that this is being done, and that unlike general access logs, it is tied to a user, and could readily be argued to be personally identifiable. I would note that this can be disabled by the site operator, though it is enabled by default.
On a related note, that same session log is also able to identify
whether a given user is signed in or not and that information is often made available to all users (visually), even though every user has the option to 'hide' the fact that they are online from the general population, site operators will be able to see that fact regardless.”
The DPA98 is specifically concerned with the processing of personal data. “Processing” includes obtaining, holding, recording, disclosing or using personal data in any way. Personal data is data which relates to and identifies a living individual. The DPA98 imposes eight Principles of “good information handling” on organisations responsible for processing personal data (“data controllers”).
The First Principle states that personal data must be processed fairly and lawfully. The First Principle goes on to state that personal data cannot be processed fairly unless the data controller ensures, as far as possible, that the individual has, is provided with, or has made readily available, the following information:
The identity of the data controller;
The purpose, or purposes, for which personal data will be processed;
Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair.
The above information is generally provided to individuals in the form of a “fair processing notice” or “privacy notice” when their personal data is first collected.
For further information, please use the following link:
Privacy Notices Code of Practice(http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/privacy_notices.aspx)
I trust this response has been helpful. If you require any further assistance, please contact me at: Casework@ico.gsi.gov.uk. In the subject field of your email please include the following text (including the square brackets) [Ref. XXXXXXXXXX], replacing the ‘X’ characters with your case reference number, including its three character prefix. This will add your email to the other information you have already sent to us about your case, and should occur automatically if you click the ‘reply’ button.
Well, that's maddeningly unhelpful, because they're not covering as to whether our cookies are or are not intrusive. They're all first-party cookies, however, so that's something to be thankful for!
1. We can't realistically mandate users accepting cookies before entering the site (because it excludes search engines entirely), so we will need to investigate the ECL type mod that Emanuele and feline worked on, simply because it's something we will need to look at doing.
2. Accepting cookies via registration allows for the extended cookie, however we should probably be explaining to users a bit more.
3. I'm thinking a general privacy policy (perhaps even user-editable) should be available in the forum. I'd argue for that regardless, actually.
4. The person writing the reply doesn't really understand what I'm talking about anyway.
5. It's not clear about the whole who's online issue, but that it would be covered by the privacy policy generally to log that.
I still think dropping sessions for guests would save a lot of hassle all around, even though it makes who's online only useful for registered members and up.
1. | and was announced after I had completed the implementation in any case |
2. | The current Registration Agreement is also available post-registration under the "About Us" menu option |
3. | It would have been cleaner and likely more satisfactory to use the menu item's "show" property but this would only work for menu items that are coded in Subs.php and not for those that are added by integration. |
Seriously, fuck this. This can be a plugin. Most of us don't really give a shit about the UK's rampant idiotic laws. Sorry for the harsh language, but stupid legislation annoys me to no end. At least make this "feature" toggleable. I don't like cluttering stuff just to please bureaucratic imperialistic dimwits.
Cheers.
PS: I mean no disrespect to the English people, you're all grand.
1. | If my memory serves! |
Setting cookies is no different than RFIDs, how is it they are trying to frown on one and not the other. IMHO this law is BS and I still believe if any consent should be done it should be done on the client end and not the server.
We are delivering content, we shouldn't be responsible for figuring out these stupid cookie laws.
What are we going to do soon, read a 1,000 page manual of all the laws of the internet just to set up a personal webpage? Talk about some real threats to freedom of speech.
So would I like to see it as a software solution? I have to be honest here if a software is built around this then IMHO it isn't worth installing. If a software has this as a portion of it it must be configurable and not interfere with the software if disabled. Mainly this is worthy of a plugin and not a core component.
Setting cookies is no different than RFIDs, how is it they are trying to frown on one and not the other. IMHO this law is BS and I still believe if any consent should be done it should be done on the client end and not the server.
We are delivering content, we shouldn't be responsible for figuring out these stupid cookie laws. What are we going to do soon, read a 1,000 page manual of all the laws of the internet just to set up a personal webpage? Talk about some real threats to freedom of speech.
In the case of RFIDs embedded into machine-readable Passports, this was a requirement originally imposed by the US Department of Homeland Security which required machine-readable Passports to be used by all non-US citizens entering the US.
I don't see the connect between the Cookie Law and threats to freedom of speech. The Cookie Law is all about protecting an individual's privacy.
Just to make you feel even hotter "under the collar", the European Commission is likely to issue a new Directive one day quite soon to strengthen the existing privacy and data protection laws. I have seen a draft of the new proposals which includes mention of the use of local storage and web beacons as well as conventional and flash cookies as means to track internet users.
You know it's little stuff like this that gets these movement groups going. The governments only have themselves to blame and if the US does try to implement this law I hope these groups take my government down. I love my country but I hate how it's being run into the ground when we have more important issues at hand than the internet.
It's not the entire government but quite a lot in there that don't know anything about the internet or computers. They're the old ones that believe change can break things, when it only makes things better. They'd rather listen to their own uneducated opinions than listen to the ones that know.
You know I am tired of it, if a revolution ever did break out I will be one of the ones dismantling this country's sorry government.
1. | Noting full well that the W3C has actively said yesterday it should be off by default even though IE10 turns it on by default. |
I'll just say that once again -- cookie laws are done to give some juice to lawyers so they can attack bigger anti-privacy companies. They're not made to piss off people who have a forum, even those who think it's a smart idea to run Google Analytics (the agony!) on it.
So it's basically safe...
And if you ever receive an official notice about it -- then it'll be time to implement that in Wedge.
it is all about stupid people who don't understand how the internet (or computers, in general) work.
I will not be implementing the SMF version of this, regardless of what the US does...If they feel like coming after me, I'll take them to court over it (and I'll win, guaranteed)
1. | I can't state categorically that our Cookie Law provisions are solely responsible and recognise there may be other valid reasons for that. |
However (and to address markham's point) "requiring" this crap because of some illusion that this involves privacy in any way shape or form is complete BS.
To address his other points... yes, these people are stupid. It has very little to do with their knowledge of how the internet works. They would be stupid, even if they did understand it... the fact that stupid people get to make such stupid laws just emphasizes the point.
So everyone, in your eyes, is stupid? That's a rather arrogant and patronising statement to make about people who visit my sites, your sites and everyone else's sites.
Will you be so brave about ignoring it then?
I'm interested in the fact that IE10 generated backlash because people think that since it enables DNT by default, websites will decide to turn it down. However, what makes one think that they wouldn't turn it down either way? Spammers don't care about laws anyway...
These are things that reviewing the site and its software would bring. You as a site owner are responsible for what your site does, burying your head in the sand to these issues does not absolve you of that responsibility.
Just because you may not be subject to a law trying to protect privacy, does not mean you shouldn't try to protect their privacy!
I don't think making people plaster ugly banners on their sites protects privacy.
Rules about what you can and can not track would be better suited, but then again that would take real courage on the legislators' part, so that shit ain't happening.
Apart from the fact that the ICO considers SMF's (and Wedge's) cookies beyond what is reasonable, (putting aside the privacy implications of Who's Online) the fact that the registration agreement is only barely acceptable and that in the UK, officially forum owners are actually supposed to register with the ICO for being data controllers... yes, apart from those tiny details, it's fine.
Go back and read the letter I sent them and their response. Even though I actually pointed out to them that SMF's default registration agreement does mention cookies.
Oh, and SMF's registration agreement etc. definitely does not extend to the likes of Google Analytics, which are so far beyond what is acceptable without work that it isn't even funny.
1. | Similar legislation is also being proposed in the US and the Philippines but with different aims in the latter case where there will be a definite effect on the freedom of speech. |
Is that something relevant...?
It's not a good approach
I don't mind the govt having a snoop around those pesky Facebook "Like" buttons that track you whether or not you utilize them, but when they start punishing hobbyists like me who are acting in good faith, that's just silly and makes me want to kneejerk at them, something I probably will.
The advice I've been given suggests that log-in names, email and IP addresses can be stored without having to register as a Data Controller.
But there is new legislation being introduced by the government which may require sites to retain information that can be used to more closely identify users should they engage in anti-social behaviour such as cyber-bullying[1] and that would almost certainly require UK-based/owned Forums to register,
And it IS getting sites to consider how they're doing things, the fact that we're having this debate is proof of that.
Oh, yes. It's been discussed at SMF that the 'hide online' doesn't hide last online time for users, this is an extension of the same idea.
There is still an issue, though, regardless of whether hide online is enabled or not - it's still logged as to what they're doing and it's still shown to admins, so even if 'hide online' is on, it's not hidden from admins. Whether that's a privacy issue is also questionable, of course.
My argument stands IMHO, this is still a threat to freedom of speech and should be placed on the arms of the browser creators and not the content creators
But somebody out there is going to break this law with no idea they did so.
Yay, more legislation from lawmakers who don't understand the workings of the law. For example, the recent ruling in favour of the lady who was bullied on Facebook. What are the odds the people who were bullying were feeding FB fake data?
Quote: But there is new legislation being introduced by the government which may require sites to retain information that can be used to more closely identify users should they engage in anti-social behaviour such as cyber-bullying[1] and that would almost certainly require UK-based/owned Forums to register,
My argument stands IMHO, this is still a threat to freedom of speech ...
Well as silly as this law may be and how it may not affect me now. I am all for the handling in core. If it's based on whatever law is most stringent it means most will comply everywhere. I can't see how asking a user is it okay if I put cookies on your computer is in any way infringing on freedom of speech.
DNT is a fairly good concept but it still requires work of site owners, not sure what all the hoopla about this is TBH. Sure the people making these laws are ignorant to how technology works, but at the end of the day nothing too scary yet,
1. | I believe you should. |
Just how is the Cookie Law a threat to freedom of speech, nend?
Quote: My argument stands IMHO, this is still a threat to freedom of speech ...
It is a stepping stone, that will soon lead to site content. The publisher should not be responsible for security concerns around cookies.
It should be the sole responsibility of the browser to handle these things.
It is the same like loading a text document, the text editor is responsible for all security concerns, not the document.
LOL, don't get upset I am just pointing out my views like we are all allowed to do.
IMHO anything in the body tags should be the sole decision of the webmaster.
This is sort of similar to DNT however it is on a consent basis.
Except I've put this question to you several times and each time you've ignored me. That is, ultimately, one of the key things behind this law, to make web site owners take some responsibility for what they do. Your entire attitude says to me 'I don't give a shit about my users as long as I can make something out of them'.
1. | The formation of the National Health Service immediately post-WW2 is seen by many as the birth of "nanny-stateism" |
2. | The Computer Misuse Act |
The Web Site is Requesting Permissions
Store a cookie on your device.
Site reason for this here.
Store temporarily files to your device.
Site reason for this here.
How is asking users if it's okay to store a cookie a stepping stone to limiting free speech? I don't follow the logic. It is in no way limiting you, about all it does is maybe add a small amount of work.
Do you really trust browser makers to implement a standard that works worth a darn?
You can still do whatever you want with your site, this law and others like it in no way limit what you as a site owner can do.
Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.
1. | Oh, you, me and the side-board know *full* well that the US is going to enact something similar to this in the not too distant future. It's inevitable... |
This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Mind you, the way it's all implemented, most sites aren't being particularly explicit about cookies - XenForo for example has now complied with the law but falls a bit short on thoroughness IMHO, it doesn't even mention that the analytics cookies are from Google. And the cookies are set before the user has a chance to refuse them.
@nend: Yes but you know what cookies could be set, it's simply a case of displaying a page with their names, persistency, content and use :). You can use this page(http://liveinthephilippinesforum.com/forum/index.php?page=cookies) as a model if you wish.
I'm pretty sure I'm correct in saying that you would be responsible for all the cookies Coppermine sets as that software is on your server and is serving pictures etc., to people on your site.
What we are talking about though is cookies set by another website without the forum owner's knowledge and/or consent.
The thing I want to know is if the news ticker is condoned because I know there is no way to display a consent due to security and without the cookie the news ticker will not work.
I hate to do another example, but here is an image above. It is an SMF attachment from another site. If you look at your cookies now there will be some new cookies in there that are not from wedge.org or authorized and/or have proper consent from wedge.org but in the browser they are associated with wedge.org and this page. If you notice there will be a few cookies from sicomm.us in the site wedge.org.
However this could be an honest user who doesn't know the image comes with a cookie. This however from what I hear is not condoned.
Are you saying though, that were I to re-use that image in a message - posted on another site - that anyone who reads that message (but not yours posted here) will also have that sicomm.us cookie?
If so, how is that possible? Has it been encoded as an animated GIF and the "animation" part is some Java that sets the cookie because that's the only way I can see this working?
Images have headers just like normal web pages, the cookie is an absolutely standard part of this (it's part of HTTP of sorts), so you can trivially set a cookie on requesting an image, just like you can to request a web page.
Quote: If so, how is that possible? Has it been encoded as an animated GIF and the "animation" part is some Java that sets the cookie because that's the only way I can see this working?
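The mechanism described in the post above, shown as an added example that is not part of the original thread: a site owner's audit helper that fetches an embedded image URL and lists the cookies its host sets. The local test server, the `/tracked.gif` and `/plain.gif` paths, the `visitor` cookie and the function names are all constructed for this illustration.

```python
import http.server
import threading
import urllib.request

# Minimal 1x1 GIF, constructed here to stand in for a hot-linked avatar.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01\x00\x00"
         b"\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

class ImageHost(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the remote site hosting an embedded image."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        if self.path == "/tracked.gif":
            # The cookie rides on the HTTP response; the image bytes are unchanged,
            # so a re-uploaded copy served by another host carries no cookie.
            self.send_header("Set-Cookie", "visitor=abc123; Max-Age=31536000; Path=/")
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, *args):  # keep the demo quiet
        pass

def audit_image(url):
    """Fetch one embedded image URL and report the cookies its host sets."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=5) as resp:
        body = resp.read()
        cookies = resp.headers.get_all("Set-Cookie") or []
    return {
        "is_gif": body[:6] in (b"GIF87a", b"GIF89a"),
        "cookie_names": [c.split("=", 1)[0].strip() for c in cookies],
        "persistent": any(a in c.lower() for c in cookies for a in ("max-age", "expires")),
    }

def run_demo():
    """Audit a cookie-setting image and a plain one from a local test server."""
    server = http.server.HTTPServer(("127.0.0.1", 0), ImageHost)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % server.server_port
    try:
        return audit_image(base + "/tracked.gif"), audit_image(base + "/plain.gif")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

Both responses carry byte-identical image data; only the headers differ, which is why an audit has to look at the response rather than the file.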
But I can't see that working if I were to download that avatar from wedge.org and then upload it elsewhere and include it in a message.
Of course it is. (Yes, Prime Minister is also a good show but only the original incarnation. The remake is shite.)
I'd be fine with a core notice disabled by default - I just think we should include it for those who need it. I could even make it a plugin really... As long as it's available, easily, for those who feel they need it.
How is it so bad in comparison?
And is the original Yes Prime Minister any good, too? (i.e. seasons 4-6 or something.)
because I don't have such excellent memories of The New Statesman, which was one of the first British sitcoms to be shown in English with subtitles in France
The characters are well played, they're all likeable and the gimmick is interesting (i.e. starting the episode with the Minister trying to do something better for the UK, and ending up having to compromise because of reality checks.)
Well, as of now, it's much easier to implement into Wedge than it would have been if you'd had to disable cookies by default..! :^^;:
Might be a good opportunity to get rid of PHPSESSID though :P
Well, I've been looking into that. We have two choices, we can ditch the session rewriter part (and rename sessrewrite!!) and leave the underlying handling for guests, or we can entirely remove sessions for guests for a massive performance boost overall.
Quote: Might be a good opportunity to get rid of PHPSESSID though :P
I'm tempted to go with the first one because of how upset people get when their meaningless statistics are threatened.
But the point of what I was suggesting was the complete opposite of what you're asking anyway.
"is PHPSESSID now only used for guests"
When the point of the suggestion was to NOT use it at all for guests.
Is disabling session handling for guests a major change?