The Cookie Law (in the UK at least)

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: The Cookie Law (in the UK at least)
« Reply #150, on May 31st, 2012, 05:04 PM »
Quote from feline on May 31st, 2012, 04:57 PM
For what I want to apologize to you, Nao?
That I have a clear idea of what I will do what?
I've never personally attacked you and I respect what you do.
And that, I think, I can also expect from you ...
You don't seem to remember, do you..?

Back in late 2010 I think, I offered you to join our private forum to share your ideas about what SMF should be. Then you said you'd only share your ideas once we give you "half ownership of Wedge".
Which was a bit 'expensive' for some text that you already posted on sm.org for free, if I may say...
It even led me to ignore your posts, suggestions and requests on sm.org from that point on.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #151, on May 31st, 2012, 05:20 PM »
Getting back to the topic :), I've found that a site by the name of live.com sets a cookie that cannot be deleted. Possibly the expiry date is the reason?

(Attachment: cookie.jpg, 233x122)


Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #152, on May 31st, 2012, 05:22 PM »
Would seem like it, but on the other hand, your browser should still allow you to remove it. Unless you're using IE, in which case it may or may not allow you to (seeing that Live.com is owned by MS IIRC)
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

PantsManUK

  • [me=PantsManUK]would dearly love to dump SMF 1.X at this juncture...[/me]
  • Posts: 174
Re: The Cookie Law (in the UK at least)
« Reply #153, on May 31st, 2012, 05:57 PM »
Got eight cookies from them when I visit the live.com landing page, but no problems deleting any of them in Chrome Dev.
« What is this thing you hoomans call "Facebook"? »

feline

  • Posts: 29
Re: The Cookie Law (in the UK at least)
« Reply #154, on May 31st, 2012, 08:35 PM »
Quote from Arantor on May 31st, 2012, 05:02 PM
@feline, what Nao is getting at is back when Wedge was still very young and fragile, we were interested in having you on board but you basically told us that you weren't interested in being involved unless we turned over half the rights to you.
That's right .. I established the PortaMx corp. a couple of years ago, with which I earn my money. If I now invest a lot of time into other projects (such as Wedge), I lose a lot of money. So I offered to be involved to 50% on Wedge, so as to achieve a balance. That's probably not too objectionable ...
Many are stubborn in relation to the path, a few in relation to the target.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #155, on May 31st, 2012, 08:40 PM »
You didn't explain that at the time, you just said unless we turned over half the rights to you, you weren't interested - and given how things had just happened with us and SMF, we weren't even remotely interested in sharing anything.

feline

  • Posts: 29
Re: The Cookie Law (in the UK at least)
« Reply #156, on May 31st, 2012, 10:31 PM »
Well .. It's possible that I have not explained it in detail; it is already too long ago. Also, I had enough work with our portal software in addition to the "normal" work. Today our business part is well established and I have more time for other projects. But I am not and never was angry, neither with you nor with Nao ..

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #157, on May 31st, 2012, 10:41 PM »
I hope you can see where our position at the time was, though - that was the summer after the SMF project nearly imploded, that Wedge started, and then vbgamer ripped me off and publicly called me a liar... we were very wary of being taken advantage of, and we still are, really... (it's why Wedge still has the same basic licence as SMF 1.1.x and the reason we're not allowed to publicly discuss much about Wedge at sm.org)

Nao

  • Dadman with a boy
  • Posts: 16,079
Re: The Cookie Law (in the UK at least)
« Reply #158, on June 1st, 2012, 12:08 AM »
Quote from feline on May 31st, 2012, 08:35 PM
That's right .. I established the PortaMx corp. a couple of years ago, with which I earn my money. If I now invest a lot of time into other projects (such as Wedge), I lose a lot of money.
Programming work is not the same as suggesting improvements or reporting bugs etc. We never offered any developer positions to anyone (so far), and no one has invested (or had to invest, thankfully!) more than a quarter of the time we spent on Wedge in the end.
Quote
So I offered to be involved to 50% on Wedge, so as to achieve a balance. That's probably not too objectionable ...
That would assume that we make, or plan to make, money from Wedge...
But it was never in our plans, either. (And I'm starting to regret that, after two years of hard work on the project...! :^^;:)

feline

  • Posts: 29
Re: The Cookie Law (in the UK at least)
« Reply #159, on June 1st, 2012, 09:35 AM »
Everyone has his attitude and his plans and that's a good thing.
But everyone should also accept the decisions of others and not (as is often done) insult the other, just because he has a different opinion.
I think we should accept and respect each other .. that would be a good start :)

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #160, on June 4th, 2012, 09:43 AM »
IE 10, which is included in the Windows 8 Preview, has Do Not Track set "on" by default and follows the W3C 2011 Draft Submission for its implementation - which is the same as used by Firefox[1]. The Submission is quite unequivocal:
Quote
Websites that track users across multiple first-party websites must check for the presence of the Do Not Track user preference. If a website detects that this preference is enabled, it must disable any tracking code or collection of data that can be used for tracking purposes, regardless of the level of identification of the user.
[1] "DNT: 1" in the HTML header.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #161, on June 4th, 2012, 03:48 PM »
And that doesn't actually apply to us at all, as it happens.

A single Wedge install is not one-of-multiple first party websites. It does apply to the likes of Google Analytics of course and is by far a better solution than this bloody shambles.

The only time it would really come into play is for analytics type plugins for adding GA etc.

markham

  • Finally finished the Slideshow... phew!
  • Posts: 138
Re: The Cookie Law (in the UK at least)
« Reply #162, on June 5th, 2012, 09:41 AM »
Quote from Arantor on June 4th, 2012, 03:48 PM
And that doesn't actually apply to us at all, as it happens.

A single Wedge install is not one-of-multiple first party websites. It does apply to the likes of Google Analytics of course and is by far a better solution than this bloody shambles.

The only time it would really come into play is for analytics type plugins for adding GA etc.
What we have are two quite separate but related provisions, one of which is law and the other may be in future. So I'm wondering how Wedge will handle this. In my somewhat simplistic view, basic cookie handling should be a core function and, out of the box, an admin can enable either Cookie Law and/or Do Not Track handling. Along with that would be a hook that plug-in authors could/should use to determine whether cookies can be set: the plug-in can call the integration hook with either "tracking" or "non-tracking" as its parameter and get a boolean response as to whether it can set the cookie.

There are wider questions such as: does a Do Not Track setting override a user's acceptance for cookies on a given site or should websites honour that setting regardless? My personal view is that it should as the user has already made the choice not to be tracked.

I really don't think we can count on the ICO's "implied consent" provision being around for too long, possibly a year if that.
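One way the hook sketched in the post above could look, as an added illustration and not code from Wedge or from the poster: the function name can_set_cookie, the settings keys, the consent cookie name and the registration field are all assumptions.

```php
<?php
// Hypothetical admin settings: the admin enables Cookie Law and/or Do Not Track handling.
$modSettings = [
    'cookie_law_handling' => 1, // require actively recorded consent before setting cookies
    'dnt_handling'        => 1, // honour the browser's "DNT: 1" request header
];

// First-party cookie that records the visitor's consent choice (hypothetical name).
const CONSENT_COOKIE = 'wedge_cookie_consent';

// True when the browser sent "DNT: 1" (PHP exposes the header as $_SERVER['HTTP_DNT']).
function dnt_requested(array $server): bool
{
    return isset($server['HTTP_DNT']) && $server['HTTP_DNT'] === '1';
}

// True when consent was actively given (e.g. a ticked box at registration) and recorded.
function consent_recorded(array $cookies): bool
{
    return isset($cookies[CONSENT_COOKIE]) && $cookies[CONSENT_COOKIE] === '1';
}

// The proposed integration hook: a plugin passes 'tracking' or 'non-tracking' and gets a boolean.
function can_set_cookie(string $purpose, array $settings, array $server, array $cookies): bool
{
    if (!in_array($purpose, ['tracking', 'non-tracking'], true)) {
        return false; // unknown purpose: refuse rather than guess
    }
    // DNT only concerns cookies used for tracking; a login/session cookie is not affected by it.
    if ($purpose === 'tracking' && !empty($settings['dnt_handling']) && dnt_requested($server)) {
        return false;
    }
    // With Cookie Law handling on, any cookie needs recorded consent first.
    if (!empty($settings['cookie_law_handling']) && !consent_recorded($cookies)) {
        return false;
    }
    return true;
}

// Record consent only when the registration form's consent box was actively ticked
// (a notice that is merely available on the site does not count as consent).
function record_registration_consent(array $post): bool
{
    if (empty($post['cookie_consent'])) {
        return false;
    }
    // One year; HttpOnly and SameSite so scripts cannot read it and it is not sent cross-site.
    setcookie(CONSENT_COOKIE, '1', [
        'expires' => time() + 365 * 86400, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return true;
}

// Constructed requests: a guest with DNT on, before and after consent, for both cookie purposes.
$withConsent = [CONSENT_COOKIE => '1'];
echo 'guest session cookie, no consent: ',   var_export(can_set_cookie('non-tracking', $modSettings, ['HTTP_DNT' => '1'], []), true), "\n";
echo 'guest session cookie, consented:  ',   var_export(can_set_cookie('non-tracking', $modSettings, ['HTTP_DNT' => '1'], $withConsent), true), "\n";
echo 'analytics cookie, consented, DNT: ',   var_export(can_set_cookie('tracking', $modSettings, ['HTTP_DNT' => '1'], $withConsent), true), "\n";
```

The array form of setcookie() used here needs PHP 7.3 or later; on older PHP the same flags go in the positional arguments.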

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: The Cookie Law (in the UK at least)
« Reply #163, on June 5th, 2012, 12:47 PM »
I'll say this again: Wedge does not have to care at all about DNT.

It is irrelevant to Wedge out of the box whether DNT is enabled or not. DNT is to prevent information being shared across multiple first-party sites. Wedge is not designed to be multi-first-party. The only time that is even potentially an issue is if someone manages to mash up multiple sites with a single-sign-on controlled by a single cookie, a vastly complicated and unreliable process at the very best of times. Wedge out of the box does not offer this (and is unlikely to ever do so), thus from my perspective, Wedge has neither a requirement nor a place in doing anything for DNT.

Does a DNT setting override a user's acceptance for cookies? If the cookies are not multiple-first-party cookies, then no, it does not override it. DNT is for tracking across multiple sites.

The thing is, DNT is designed by people who actually understand how the internet works, and it is designed with user choice, and reasonable technical implementation in mind.
Re: The Cookie Law (in the UK at least)
« Reply #164, on June 11th, 2012, 11:04 PM »
Hoo-bloody-ray, I got an answer from the ICO.

I've added quote tags to clarify which parts are from my email and which parts are their reply. They could have formatted it or something, but I guess that was too complicated.
Quote
11 June 2012.
 
Dear Mr Spicer,
 
Thank you for your emailed correspondence to the Information Commissioner’s Office (ICO), dated 20 April 2012, regarding the new rules on cookies under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR).
Quote
“I'm a developer attached to a project that builds discussion forum
software, and I'm trying to get some guidance on whether the software we have is compliant with the cookie laws or not, since the guidance is very confusing.

I would note also that our package ('Wedge') is derived from an existing US-based development ('SMF') and shares much of the same code including the cookie management. I should also note that SMF's developers have absolutely no plans to add any facilities for managing cookie privacy, so that UK site owners which use SMF will be left non-compliant, and not through their own fault.

Currently, Wedge offers two cookies, one is a session cookie created
automatically for guests. The session cookie is not shared with any
third party. The cookie itself is simply a session ID, though the
session ID allows for counting how many non-registered users are
visiting, and also the last action carried out by that session can also
be logged, meaning that site administrators can identify what topics of discussion a given user is viewing.

When a user actually logs in, a second cookie is deployed. Due to a bug, the first cookie is not erased, though it is not used when this second cookie is. The second cookie is more persistent, however the user is asked how long the session should persist for. This particular cookie carries two items of information, namely the user id of the logged in user, and their session ID. (The user id is carried through primarily for performance, though either way, that session ID is tied to a user account.) It is also possible for administrators to view the actions being carried out by logged in users.”
The new regulations are as follows:
 
“6.
 
A person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met
 

 
(2) The requirements are that the subscriber or user of that terminal equipment- 
 
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
 
(b) has given his or her consent.”


The more persistent a cookie is, the clearer the information needs to be in order to obtain valid consent. More persistent cookies are likely to be more intrusive, and therefore the level of consent needs to be greater.
Quote
“Now, there is a note in the standard registration agreement text, which reads: "Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer."

I recognise that this is not sufficient for compliance and that
something more obvious will be required.
When using terms and conditions to obtain consent, those terms and conditions must be actively accepted (as opposed to terms and conditions which are simply available on a website for viewing).  Where someone has to actively accept terms and conditions (for example, ticking a box as part of a login or registration process) then that can indicate consent.
 
It is important to remember that whilst the cookie rule requires information about cookies to be available to users, it also requires consent to the use of cookies to be obtained (where the exception is not met).  On this basis, while making information available in an online document will satisfy the first part of the rule, it will not meet the consent requirement.
Quote
“Anyway, this at least is the current position, and I would note that
pretty much all of the discussion forum platforms offer a similar
collection of features, and to the best of my knowledge, none of them are compliant at this time, and I do not believe there are plans to address that, meaning that site owners are likely to place themselves at risk by using any of these software packages.”
We are aware that there are a number of issues with this type of software.
 
Accordingly, we would at the very least expect that the requirement of Regulation 6(2)(a) is met (that is, the provision of clear and comprehensive information about the purposes of the storage of, or access to, information stored on or accessed from the equipment of the subscriber or user).
Quote
“My understanding of the cookie laws is that the registered-user cookie would be acceptable, by expressly asking for consent during registration so that on creating the user account, it would be clear that consent had been given.”
I can confirm that, if implemented appropriately, the above appears likely to be a valid method of obtaining consent.
Quote
“With respect to the session cookie, I am not clear as to whether this is acceptable or not. We will work on the issue where the session cookie is not removed as promptly as it should be, but given that its primary use within the system is to identify the number of active users who are not currently signed in (and potentially the action they are carrying out), it seems to me that we should ask for consent and not issue if it not given. I do note that the software will be used by people not based in the EU as well as people based there (the core development team consists of one person in the UK and one in France)”
The new rules apply to UK established organisations operating websites using cookies irrespective of whether site users are based in the UK. For example, an organisation established in the UK with an online presence entirely focussed on countries outside the EU would still be required to comply with the new rules on cookies.
 
We would recommend consulting page 6 of the following guidance in respect of the timing of consent:
 
Download the ICO's cookies guidance (pdf)
Quote
“I am concerned, also, with respect to the logging of actions. The
tracking is not entirely real time, but 'most' page views (certain
internal actions are excluded, and there is a threshold whereby making page views in that time will not be logged, typically views less than 8 seconds apart) are logged, and it is tied to the session ID (regardless of being signed in or not). My concern is that currently we are not advising users that this is being done, and that unlike general access logs, it is tied to a user, and could readily be argued to be personally identifiable. I would note that this can be disabled by the site operator, though it is enabled by default.

On a related note, that same session log is also able to identify
whether a given user is signed in or not and that information is often made available to all users (visually), even though every user has the option to 'hide' the fact that they are online from the general population, site operators will be able to see that fact regardless.”
The above scenario raises wider privacy concerns not specifically addressed under the new rules on cookies, but by the Data Protection Act 1998 (DPA98).
 
The DPA98 is specifically concerned with the processing of personal data. “Processing” includes obtaining, holding, recording, disclosing or using personal data in any way. Personal data is data which relates to and identifies a living individual. The DPA98 imposes eight Principles of “good information handling” on organisations responsible for processing personal data (“data controllers”).
 
The First Principle states that personal data must be processed fairly and lawfully. The First Principle goes on to state that personal data cannot be processed fairly unless the data controller ensures, as far as possible, that the individual has, is provided with, or has made readily available, the following information:
 
The identity of the data controller;
The purpose, or purposes, for which personal data will be processed;
Any further information necessary, in the specific circumstances, to enable the processing in respect of the individual to be fair.
 
The above information is generally provided to individuals in the form of a “fair processing notice” or “privacy notice” when their personal data is first collected.
 
For further information, please use the following link:
 
Privacy Notices Code of Practice
 
I trust this response has been helpful. If you require any further assistance, please contact me at: Casework@ico.gsi.gov.uk. In the subject field of your email please include the following text (including the square brackets) [Ref. XXXXXXXXXX], replacing the ‘X’ characters with your case reference number, including its three character prefix. This will add your email to the other information you have already sent to us about your case, and should occur automatically if you click the ‘reply’ button.
Well, that's maddeningly unhelpful, because they're not covering as to whether our cookies are or are not intrusive. They're all first-party cookies, however, so that's something to be thankful for!


1. We can't realistically mandate users accepting cookies before entering the site (because it excludes search engines entirely), so we will need to investigate the ECL type mod that Emanuele and feline worked on, simply because it's something we will need to look at doing.

2. Accepting cookies via registration allows for the extended cookie, however we should probably be explaining to users a bit more.

3. I'm thinking a general privacy policy (perhaps even user-editable) should be available in the forum. I'd argue for that regardless, actually.

4. The person writing the reply doesn't really understand what I'm talking about anyway.

5. It's not clear about the whole who's online issue, but that it would be covered by the privacy policy generally to log that.


I still think dropping sessions for guests would save a lot of hassle all around, even though it makes who's online only useful for registered members and up.