The simple solution is to forbid 3rd party cookies (and while we're at it third party JS as well, which I think is a much bigger problem than 3rd party cookies. I'm sure that will send shudders through the industry). And enforce it at the browser level by default and put up a big fat warning what the consequences are when you disable it.
That way we don't need to have silly laws that nobody will respect and we can all get on with making stuff work.
Third party JS opens so many cans of worms that I think it would be better if we just forgot about that whole idea, it'll never be secure and it puts too many juicy bits in the wrong hands.
Well third party javascript makes a lot of people money how do you propose we get around their buying power?
Also what would the limits be of third party javascript be? Would it be allowed on the domain level so people could still use CDN's and other things easily such as cdn1.example.com, etc... if so It probably could be okay then people could use CNAME or A records to link to their legitimate third party javascript like analytics and ads and it could take away a lot of the possibility of malicious third party javascript.
The web however would probably have to change a bit because a lot of websites use third party javascript depending on your definition of it such as google's 1e100 domain and other such cdn measures that aren't necessarily served from a domain record.
This passed in Sweden about a year ago, as required by the EU-directive. What's happened since? Essentially, nothing.
While a few government-related sites show information on cookies and a checkbox for opting in, noting that the site may not work properly otherwise, the average site has made absolutely no changes.
I think this proposal sprung from good intentions, but has been executed poorly. It's likely aimed at reducing tracking-cookies, something which most of us would consider a good thing, but this is clearly not the right way. I know of no person or site that has gotten in legal trouble for not showing this "Cookie-warning" or an opt-in button. It's simply unenforceable.
>I know of no person or site that has gotten in legal trouble for not showing this "Cookie-warning" or an opt-in button. It's simply unenforceable.
Nor should it be. The day this becomes massively enforced (god forbid) is the day that an adblock-esque plugin will be created to bypass all of this idiotic government mandated nonsense. Those options exist in web browsers already.
And it is nonsense. It does nothing to protect users, for one. The average user has no idea what a cookie is, and will either blindly click accept or move on.
For two, its the government getting their hooks into mandating specific content on the web. Yes yes, slippery slope is a logical fallacy and all that, but when it comes to government expansion of power, it tends to ring true.
For three, it's a pain in the ass. I really do not care what kind of cookies random sites are sending me. If I did care, I'd be running a plugin to deal with it or changing my browser settings accordingly.
Fourth, it's more work for web developers for questionable benefit.
Maybe this is just me being a typical ignorant American, but this kind of nannyism is downright offensive to me.
A common misconception of the EU directive is that it applies to cookies only leading to many technical people to laugh about it. Any method of storing information in the user's browser is covered: http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electr...
Article 5:
3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
the bbc recently changed to reflect this law (i assume). i don't know whether the law is tortuous or not, but the bbc's implementation was clear, easy to understand, and helpful. i used it to protect my privacy. seems like a good idea to me.
You can use your browser to protect your privacy - disable cookies.
Also the idea that disabling cookies somehow achieves something, is very naive. You'll still be tracked by any website that wants to track you. Your browser is uniquely identifiable.
Adding messages to every website that exists is unnecessary, and idiotic.
[+] [-] jacquesm|14 years ago|reply
That way we don't need to have silly laws that nobody will respect and we can all get on with making stuff work.
Third party JS opens so many cans of worms that I think it would be better if we just forgot about that whole idea, it'll never be secure and it puts too many juicy bits in the wrong hands.
[+] [-] ohgodthecat|14 years ago|reply
Also what would the limits be of third party javascript be? Would it be allowed on the domain level so people could still use CDN's and other things easily such as cdn1.example.com, etc... if so It probably could be okay then people could use CNAME or A records to link to their legitimate third party javascript like analytics and ads and it could take away a lot of the possibility of malicious third party javascript.
The web however would probably have to change a bit because a lot of websites use third party javascript depending on your definition of it such as google's 1e100 domain and other such cdn measures that aren't necessarily served from a domain record.
[+] [-] Zirro|14 years ago|reply
While a few government-related sites show information on cookies and a checkbox for opting in, noting that the site may not work properly otherwise, the average site has made absolutely no changes.
I think this proposal sprung from good intentions, but has been executed poorly. It's likely aimed at reducing tracking-cookies, something which most of us would consider a good thing, but this is clearly not the right way. I know of no person or site that has gotten in legal trouble for not showing this "Cookie-warning" or an opt-in button. It's simply unenforceable.
[+] [-] Karunamon|14 years ago|reply
Nor should it be. The day this becomes massively enforced (god forbid) is the day that an adblock-esque plugin will be created to bypass all of this idiotic government mandated nonsense. Those options exist in web browsers already.
And it is nonsense. It does nothing to protect users, for one. The average user has no idea what a cookie is, and will either blindly click accept or move on.
For two, its the government getting their hooks into mandating specific content on the web. Yes yes, slippery slope is a logical fallacy and all that, but when it comes to government expansion of power, it tends to ring true.
For three, it's a pain in the ass. I really do not care what kind of cookies random sites are sending me. If I did care, I'd be running a plugin to deal with it or changing my browser settings accordingly.
Fourth, it's more work for web developers for questionable benefit.
Maybe this is just me being a typical ignorant American, but this kind of nannyism is downright offensive to me.
[+] [-] jgrahamc|14 years ago|reply
Article 5:
3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
[+] [-] andrewcooke|14 years ago|reply
http://www.bbc.co.uk/privacy/cookies/managing/cookie-setting...
[+] [-] mibbitier|14 years ago|reply
Also the idea that disabling cookies somehow achieves something, is very naive. You'll still be tracked by any website that wants to track you. Your browser is uniquely identifiable.
Adding messages to every website that exists is unnecessary, and idiotic.