18 comments

[ 2.4 ms ] story [ 48.0 ms ] thread
This article isn't clear whether it means all cookies or just cookies that are tracking users cross-website. I really, really hope it means the latter.
I haven't read the directive, but in the article it does say:

"Specifically excluded by the directive are cookies that log what people have put in online shopping baskets."

From para 66 of the Directive ( http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2... ):

"Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user."

I would take this to mean that session cookies, shopping cart cookies and wotnot are exempted. But I'm a coder, not a lawyer, so pinch of salt 'n all that.

Edit: in fact reading it more closely, it would appear that this statement merely places a restriction on exemptions that individual nations implementing the Directive might carve out. If they make exceptions, they must be limited to the situations described, but they don't have to exempt all such uses. Which is a less-than-comforting thought.

Paragraph 66 in full:

Third parties may wish to store information on the equip­ ment of a user, or gain access to information already stored, for a number of purposes, ranging from the legiti­ mate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spy­ ware or  viruses). It is therefore of paramount importance that users be provided with clear and comprehensive infor­ mation when engaging in any activity which could result in such storage or gaining of access. The methods of pro­ viding information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these require­ ments should be made more effective by way of enhanced powers granted to the relevant national authorities.

(apologies for linebreaks, PDF copy/paste fail)

This isn't nearly as bad as what the BBC are saying. In fact this seems perfectly reasonable.

I'm mystified that they're trying to pressure countless advertisers rather than a handful of browser vendors who could make the problem go away by changing the defaults from "persist every cookie from anywhere forever".
I thought this would be a bad idea at first, because it'd break all those "remember me" check boxes, but a lot of browsers can save usernames and passwords and do a good job at prompting the user about it, so I think it might be entirely possible. The biggest hurdle is that there are a lot more cookies out there than username and password forms.
Don't forget flash cookies.
And there's precisely one vendor in charge of the defaults and capabilities of those.
The ad networks and such will just track you through browser/device fingerprinting instead of cookies. Except for extremely tightly controlled, homogenous systems in corporations, it doesn't take much info beyond your IP and user agent to uniquely identify a PC. Your history/cache, fonts, plugins, screen/viewport size, etc. are all discoverable from the browser.
Indeed -- it'd be the browsers job to make this kind of profiling less effective. Just restricting cookies is not enough.

Does anyone know of a firefox addon (or for another browser) that 'homogenizes' the info sent to sites?

TorButton does that (and, of course, allows you to switch Tor on/off).
"Specifically excluded by the directive are cookies that log what people have put in online shopping baskets."

I am speechless beyond words about this total lack of imagination. So the only ebusinesses endorsed by the government are shopping sites?

Thinking about it, this will probably just strenghten Facebook. Facebook will hide a "consent checkbox" somewhere in their intractable pricavy settings. Then all sites that use Facebook authentication are good to go.

I suppose Facebook might even be able to provide some sort of server side cookie service. Perhaps it could be a JavaScript from Facebook that reads the Facebook cookie from Facebook and sends a hash value to the server. The server can then ask Facebook for the identity. Or something like that.

If you check out the relevant paragraph of the Directive itself (quoted below) you'll see that's just the BBC's rather odd interpretation. The Directive doesn't mention shopping cart cookies at all, but rather carves out an area of potential exemptions for information that is essential to the service the user is accessing.

The BBC's technology reporting veers wildly between the patronising, the embarrassing, and the just plain wrong. I think this is a stab at the former.

I heard that some people also use Google, Yahoo, MS Live and other services besides Facebook.
Not for logging in, though. And in the future more and more sites could turn to Facebook as their single login solution, because they solve the tracking consent problem.
Facebook is popular for that, but personally I use Twitter, Google and Yahoo (via their openid services) for login to several sites, including this one. Facebook has by no means won the contest to provide a 'single login'. I don't think anybody is going to.

Facebook is my last choice for signing into a site, as they give the site access to more data then is needed.

Does this include use of cookies in analytics services such as Google Analytics, KISSMetrics, etc?