99% of people have no clue what a "cookie" is used for and just hear that it is "evil" and such. At the same time, these same people have no problem exhibiting themselves on Facebook or tracking their positions on Foursquare.
@gov: Just make something like this (http://www.networkadvertising.org/ > "Consumer opt-out") legally binding for tracking networks (not for individual web sites!) and the whole "Cookie" paranoia is solved.
99% of people also don't know how to evaluate the safety of a food additive.
Most don't even know proper food handling procedures and couldn't even evaluate the food safety procedures of their favorite restaurant's kitchen (assuming they even had the time to do so).
Hence, governmental regulatory bodies. You might not agree with the regulatory environment, or with the outcomes, but the regulatory position is logically consistent.
> At the same time, these same people have no problem exhibiting themselves on Facebook or tracking their positions on Foursquare.
Ignorance aside, people are quite often circumspect with what they share on social networking sites; they honestly have no idea the level of tracking and data sharing that occurs.
Even still, your statement is an unfounded generalization; there are clearly plenty of people that don't use Facebook (or Foursquare) and do have a problem "exhibiting" themselves.
> @gov: Just make something like this (http://www.networkadvertising.org/ > "Consumer opt-out") legally binding for tracking networks (not for individual web sites!) and the whole "Cookie" paranoia is solved.
As a consumer, I prefer opt-in for analytics, user tracking, and unsolicited spam.
It would be different if tracking was such a problem that it was outlawed altogether (like dangerous food additives are), as then it would be clear to everyone how to proceed.
Ditto: I don't use GMail because I don't want Google to have a copy of all my mail.
Call me paranoid if you must, but I'm sure I'm not the only one.
The real saviour will likely come in the shape of browser support for Do Not Track [1]. While it's not fine-grained enough to be used as the sole mechanism for gaining user consent for all non-essential cookies, it at least covers the 3rd party tracking cookies that were the motivation behind this law change. Note that DNT specifies that the default MUST NOT be opt-in:
> A user agent MAY adopt NO-EXPRESSED-PREFERENCE or OPT-OUT by default. It MUST NOT transmit OPT-IN without explicit user consent.
More like, most users just plain don't care. So now, the regulators respond with: "we don't care what your personal priorities are, we're going to force everyone you interact with to conform to our values rather than your own".
Edit: The problem with both of these programs is that they are self-regulatory, which means only the "good guys" are going to follow the guidelines.
That's an example of the shift of power happening in the web.
Remember when you started using Firefox because of all the options and "about:config"?
Now, remember how you ditched it for Chrome, but have to start Firefox to be able to use crazedlist.org because to disable cross-site referrers on Chrome you have to recompile it? (They even removed the command line option!)
In a few Chrome versions (which happens every 15 min), I doubt you will be able to disable cookies.
I'm talking about the referrer headers.
It used to have an option. Then they moved it to a command line option [1]. Now they've removed it completely!
Disabling referrer header kills some google features in adwords and analytics. So they have more than enough reason to kill it first.
[1] http://darklaunch.com/2011/05/07/chrome-disable-referer-head...
It's just changed to "Made to make the Web a better place."... can it get more Orwellian? :D
Give me back my browser control. And stop hiding my URL bar, dammit! ...They start removing the protocol, nobody bothers. Ha, http, who cares? Then move it a little to the side, 'to align with the tab'. Then they'll make it autohide. And before you notice, the only way to go to a page is to use AOL^H^H^H GOOGLE KEYWORDS.
An "Enter URL" menu item would work just fine.
Isn't this open to some interpretation? Seems like a pretty wide loophole. Seems that this will allow a site to set/read its own cookies no problem. Third-party ad networks and trackers, though, yeah, they would not fall within this definition I think. And isn't that a good thing?
One might also say that cookies are never strictly necessary. We can always just put tracking IDs in the URL. And when browsers get rid of URL bars, it'll be harder for people to copy/paste the URL (with session ID) so the 'security' aspect against that argument will fall on deaf ears ("I can't see the problem you're talking about, so it's not real").
And if people don't want to be tracked, and the site loses out by not tracking them, so be it... That is a better situation than somebody being tracked without their knowledge/consent.
"Essential site cookie|ASP.NET_SessionId|This cookie is essential for the online notification form to operate and is set upon your arrival to the ICO site. This cookie is deleted when you close your browser."
They also say that they've left it there because: "as we’re unable to remove it from one part of the site without affecting another"
So apparently incompetence is an excuse for leaving cookies in place. Problem solved!
> Currently our website contains one cookie that we do not use, but is essential for part of the site to operate. At present we have left this in place across the site, as we’re unable to remove it from one part of the site without affecting another. This session cookie is set on a user’s arrival to the site - at which time they’re informed that the cookie has been set - and is deleted when a user leaves the site.
I'm fairly sure the advice from the ICO that I read earlier was quite blunt about cookies that were not strictly necessary: you can't set them without consent just for your own convenience.
There is a silly box at the top of their page that asks you to accept cookies and tells you off if you click "Continue" without doing so, which seems entirely contrary to the principle of this new law to me, before you even get to this mysterious cookie they apparently set anyway.
Government IT moves at a glacial pace, and just like everyone else they're still trying to figure out how this stuff should work. That's why they've deferred enforcement for a year.
They say that, but it is easily demonstrable that running a web site providing static content such as they do does not require the use of any cookies or similar technology at all to provide the service the user is requesting: millions of web sites manage it every day. As you say, if only part of their site requires the cookie for some genuine reason, perhaps they should only set it there. In any case, there is really no excuse for not explaining properly what the cookie is for or for cluttering up the screens of visitors who don't check your "do whatever you want" button just to make the extra panel go away.
Bottom line: the exemption is not for cookies that are required because you hired poorly trained web developers or picked an inconvenient tool somewhere on your hosting platform. It's for cookies that are essential to providing the service that visitors are expecting. The ICO themselves have been very clear on this in the guidance they published in the run up to the handover, and their own site is flagrantly violating at least the spirit of the rule if not the letter of the law -- which AIUI they have responsibility for interpreting in the UK, so if they can't get it right, what hope is there for anyone else?
It's a common industry pattern to overdo things and then get regulated.
Take e.g. German gas stations: they went from adjusting their prices occasionally (e.g. when the oil price changed) to price changes several times per day in order to gouge the most out of the customers. Now they will get regulated and only be allowed to change their price once per day... they basically asked for it.
Same for international roaming fees in Europe, from insane to regulated.
Cookies were used to track people's shopping carts and that was fine, same for a site to recognize you. Nowadays they are used to identify and track you in global ad networks etc. Again, asking for it.
Firstly there are various kinds of cookies. There are ones that are stored on your hard-disk, and others which exist only in memory (for the life of the browser instance.)
There are ones used for marketing and tracking purposes, and others (notably session cookies) that allow the server to track the "state" - thus allowing for "web apps" as much as web-pages.
So their idea is to just "ban cookies". Or, as they have done, get all sites to have an "allow cookies" switch. Don't turn that on? Well, then you can't use any part of the site. And if you do turn it on, it's "all or nothing" - I can't allow, say, _just_ the session cookie while banning the tracking cookies?
As to the possibility of enforcing this? Let's not even go there...
And where is the broad coalition of "don't be evil" browser vendors and websites that proudly claims "we don't track you" and that would have made such laws unnecessary?
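The two points raised above (the DNT draft's rule that silence is never opt-in, and the "all or nothing" consent switch) can be combined server-side. This is an added example, not code from anyone in this thread: the essential session cookie is set unconditionally, while each non-essential cookie is released only for a category the user explicitly granted, and never when the browser sent a DNT opt-out. The cookie names other than ASP.NET_SessionId, the `consent=` cookie format and the DNT value encoding ('1' = opt-out, '0' = opt-in) are assumptions.

```python
# Cookie name -> consent category. ASP.NET_SessionId is the essential session
# cookie quoted in the thread; the other two names are constructed.
COOKIE_CATEGORIES = {
    "ASP.NET_SessionId": "essential",
    "analytics_id": "analytics",
    "ad_network_id": "advertising",
}

def dnt_preference(headers):
    """Map the DNT request header to the draft's three states. Assumed
    encoding: '1' = OPT-OUT, '0' = OPT-IN, anything else = NO-EXPRESSED-PREFERENCE."""
    value = headers.get("DNT")
    if value == "1":
        return "OPT-OUT"
    if value == "0":
        return "OPT-IN"
    return "NO-EXPRESSED-PREFERENCE"

def granted_categories(headers):
    """Categories the user explicitly accepted, read from a hypothetical
    cookie such as consent=analytics,advertising; no cookie grants nothing."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "consent":
            return {c.strip() for c in value.split(",") if c.strip()}
    return set()

def allowed_cookies(headers):
    """Essential cookies are always allowed; a non-essential one needs an
    explicit grant for its category, and DNT opt-out revokes every grant.
    Silence (no preference) and even DNT opt-in grant nothing by themselves."""
    granted = granted_categories(headers)
    if dnt_preference(headers) == "OPT-OUT":
        granted = set()
    return [name for name, cat in COOKIE_CATEGORIES.items()
            if cat == "essential" or cat in granted]

def set_cookie_headers(headers, values):
    """Build Set-Cookie lines for allowed cookies only. The essential session
    cookie gets no Max-Age, so it dies with the browser; granted ones persist."""
    lines = []
    for name in allowed_cookies(headers):
        attrs = "Path=/; Secure; HttpOnly; SameSite=Lax"
        if COOKIE_CATEGORIES[name] != "essential":
            attrs += "; Max-Age=31536000"
        lines.append(f"{name}={values[name]}; {attrs}")
    return lines
```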
Does this apply to all EU traffic?
OR does this only apply to websites hosted within the EU?
OR does it only apply to EU companies?
Plus how on earth do they plan to enforce this?
A similar law was passed in Sweden just the other week and will come into effect on July 1, despite heavy criticism from pretty much everyone.
So how could they pass such a law? It's from an EU directive, more specifically 2009/136/EC [1]. A directive is something that every member state is _required_ to implement into national law, whether they like it or not. AFAIK every member state is supposed to have implemented this by now. Sigh.
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2...
Does this apply to HTML5 localstorage too?
As for localstorage, read the guidance from the ICO:
https://www.ico.gov.uk/~/media/documents/library/Privacy_and...
Third paragraph: "These changes apply to storage or gaining access to information stored, in the device of a subscriber or user. This means the use of cookies and similar technologies for storing information."
Fifth paragraph: "The Regulations also apply to similar technologies for storing information. This could include, for example, Locally Stored Objects (commonly referred to as "Flash Cookies")."
I'm guessing that it will be because the ICO is allowed.
If you only set it when somebody logs in to your site, to maintain a logged in session, then it will be fine.
If you don't click 'accept cookies' or 'continue' but simply browse the site, you've apparently accepted some cookies.
I haven't done any research. Does anyone know who gives these guys advice?