So....
When will El Reg begin asking me if I want Cookies and milk?
As we know, no one is on time in implementing the EU's cookies directive. Well, two countries managed to get their laws in place in time, the other 25 didn't bother. The UK has given everyone a year to comply, a year longer than we're supposed to have. Not fixing your website doesn't seem to be an option, given the £500,000 …
Sorry, had a day off and am a bit wobbly: why not fuck up the LSOs rather than cookies? LSOs are evil nasty bastards that deserve all they get.
So what if I visit something with flash on - I want to leave the site and have no traces, yes I'm an anti-CCTV, privacy-issue twit etc.: when I leave a site I do not want anything left on my PC; in fact I really object to the idea/fact that you (sites) can write to my storage with no permissions when I have set some of the most stringent policies I can.
Fuck you for trying to track me. I don't care if it gives me a greater user experience or easier shopping - I care about the security of my equipment and data not your fucking bottom lines or deals with advertisers.
I find all those advertising supporting flashy sites do a bloody good job of stopping me finding what I'm really looking for. Usually so busy trying to look pretty they either forget to put any meat on or hide it under so much flashing crap it's not findable.
That 'circa 2000' bare web has a lot going for it. Perhaps if folk stopping pissing pounds away on graphics they could afford pennies on real information. And just maybe the more useless ones will just bugger off and stop polluting the web if the cookie ban fscks up their business plan enough ;)
Possibly. But that's why you have paid portals.
Not advertising paid portals.
I run a teeny website. I mentioned it. Someone else said 'hey look at this' and before I knew it, hits from all over.
I subscribe to the FT: dozens of links for people who are interested in economies, finance etc. It's worth paying the journalists to assemble the links.
And that's the point. It's worth paying for... if it's worth paying for.
"Fuck you for trying to track me. I don't care if it gives me a greater user experience or easier shopping - I care about the security of my equipment and data not your fucking bottom lines or deals with advertisers."
So from this, can we assume all of your machines are permanently offline, with no additional access to them excepting the keyboard, mouse and monitor? Because that would obviously be the best security, and you seem to be very conscious about that. Or maybe you use a machine that's heavily locked down to Fort Knox standards, and you gov-wipe the HDD at least 6 times afterwards prior to restoring the image again?
Or, you know, you could just use the internet like a normal user, and stop being a petulant child who whines about every perceived injustice in case anyone actually listens ;O)
I don't think the ICO complies, as they use a session cookie; to use the session cookie without permission one needs to say that the cookie is "essential to the site function". They say "This cookie is essential for the online notification form to operate and is set upon your arrival to the ICO site. This cookie is deleted when you close your browser."
I don't think an "Online notification form" is essential.
But hey, since they decided it is for them, perhaps it is for me too, though it's hard to tell as I can't find the "online notification form" that is so essential for the site to function...
This post has been deleted by its author
They don't comply because they install a cookie without your permission
It's no use installing a cookie then telling you about it. They have to ask beforehand.
The session cookie idea is rather crafty because most people won't realise that all the information gathered is being stored on their server instead of locally; it will still be collected. The minor plus side is that the cookie expires when the session closes, however, even that won't prevent them from connecting the dots to build up a profile from further sessions.
Big fail on the part of the ICO.
You can install ANY cookie as long as it's for the essential functioning of the site ... the specifications don't say anything about expiry dates. If you wanted to, you could store a session that lasts indefinitely and tie that into data held in the database between visits, as long as it's essential for the functioning of the site of course - so session and user authentication cookies are fine.
However, anything that's used merely for analytical or ad-tracking purposes (indeed anything that's not essential) requires an explicit opt-in.
So the ICO is actually obeying the law - they even set a cookie which tells the site that you've opted out as that's "essential" to ensuring that they don't place any other cookies (a saner alternative, admittedly, would be to set a cookie that says the user has opted IN and therefore, if that cookie isn't set, then treat them as having opted out... but hey).
Worse than that, only European sites will be affected by this reduction in recorded traffic so advertisers will see sites in other parts of the world as having more traffic and representing better bang for their buck. It is now no longer economically viable to run an internet company in Europe unless you have a paywall. That'll help our economic recovery. Well done EU!
This cookie opt-in farce is beautifully illustrated on the ICO website. The header is taken up with a message to opt out. You click continue to get rid of the box and it tells you that you have to opt in to continue! Not sure if the website completely works without cookies?
It's another classic: Europe.UK.Gov.IT.Web.fail.
So many times I've sat waiting for a page to load and I see my browser saying it's waiting for ssl-google-analytics.l.google.com, s.ytimg.com or ad.be.doubleclick.net. So as far as I'm concerned, they're getting in my way so I'm going to block them.
Various domains are banned here at Castle Wibble for precisely the same reason. The first time I became aware of google analytics (amongst others) was courtesy of the 'waiting for...' bit.
I have them resolving to an internal web server and the logs show the vast quantity of information passed on via request (with its referrer data) which I am glad is no longer subsumed into the various third-party data mountains.
It wasn't entirely down to being impatient - numerous sites have these things on their checkout pages and I didn't fancy the idea of someone's dodgy coding 'accidentally' handing my card details to some untrusted third party. Untrusted because I chose to trust the website/retailer, not their stats collector.
As a small web-shop owner, I've had google-analytics installed since day one, but once the cookie monster law appeared over the horizon I looked into replacing what GA does with my own bit of code. After about 1 hour of fiddling with a bit of javascript and some backend ASP I ended up with almost the same data being collected but as an integrated (not third-party cookies) function in my site. It also ran much faster (at the page load end) than GA as well.
My point being, there are many Analytic systems out there but people continue to use Google's because it's free. Which is a shame, because bit by bit Google are strangling web innovation with their one-size fits all solutions. Most people don't bother looking at alternative ways of doing things because there's almost always a Google product that will do most of it for them...
Welcome to the turn-key Web, leave your ideas at the door.
Omniture? Blackholed on the firewall and has been for years. This is just a small portion of my blockthetossers script:
${addcmd} 205.216.15.64/27 # Omniture confirmed ARIN
${addcmd} 205.216.7.128/28 # Omniture confirmed ARIN
${addcmd} 207.108.181.0/24 # Omniture confirmed ARIN
${addcmd} 216.143.122.0/23 # Omniture confirmed ARIN
${addcmd} 216.194.125.0/24 # Omniture confirmed ARIN
${addcmd} 216.52.17.0/24 # Omniture confirmed ARIN
${addcmd} 65.119.25.152/29 # Omniture confirmed ARIN
${addcmd} 66.150.208.0/24 # Omniture confirmed ARIN
${addcmd} 66.150.217.0/27 # Omniture confirmed ARIN
${addcmd} 66.151.137.0/24 # Omniture confirmed ARIN
${addcmd} 66.151.146.192/27 # Omniture confirmed ARIN
${addcmd} 66.151.152.0/24 # Omniture confirmed ARIN
${addcmd} 66.151.244.0/24 # Omniture confirmed ARIN
${addcmd} 66.235.128.0/19 # Omniture confirmed ARIN
${addcmd} 67.133.240.0/24 # Omniture confirmed ARIN
${addcmd} 70.42.134.0/24 # Omniture confirmed ARIN
${addcmd} 74.201.95.0/27 # Omniture confirmed ARIN
Anyone else you'd like to ask about? Audience Science? Experian? Because those and many, many others have been blocked for the same length of time. Hardly any performance hit because Radix trees are quite efficient at this sort of thing. I see it's now becoming trendy, which means most people will get it horribly wrong. Ho hum...
The article should read "....There's only one site I know of which *PARTIALLY* currently complies with the law: the Information Commissioner's site."
ico.gov.uk does indeed have the clicky ticky box, however if you go to the jobs section on the main page it launches a new tab at ico.jobs.
No clicky ticky in sight there....
Ho hum.
... is for the lazy.
According to TFA, they are counting site visits using GA. Why not simply count visits using a script on their own server? Oh, sorry, the expensive content management system we paid for can't do that, and they have no process for chucking a few hundred quid at a Perl-savvy contractor to write one.
.. but the ICO FOI data implies that GA was the *only* way they have of actually measuring site views and unique site visitors.
Since the ICO doesn't have advertising on its pages, it must only be using GA for tracking usage within the site. That kind of tracking should either be implemented locally, or built in to the ASP.NET application that runs it. In fact, the law (and the clumsy ICO site implementation) illustrates the problem. Site owners have used services like Google Analytics as a simple usage tracking system, whilst compromising the privacy of site visitors by adding to GA's record of their browsing habits.
Ok so someone answer me this.
I have a .com hosted in the US, do I need to change?
I have a .co.uk hosted in the US, do I need to change?
what about .net?
Is it based on who the domain is registered to?
I haven't been able to find a straight answer, I know it's government and laws so there probably isn't one but does anyone know?
It doesn't matter where the domain is registered, or where the site is hosted. If the business operates in the EU, it's subject to this law. Or at least, that's what the sainted Neelie Kroes says, and she ought to know. So to evade the law, you need to move your business registration and company seat out of the EU.
Looks like good news for the Isle of Man, Channel Islands etc.
Let's face it, if you could watch TV without adverts, and surf the net without hugely slow bandwidth-wasting flash adverts, why wouldn't you?
And as you so rightly point out, who will pay then?
My guess is that we will pay per click some day. Minuscule amounts. But we will pay.
And be free of advertising forever.
I personally cannot wait. If I want to research a product, fair enough.
But surely a web server who wants geolocation data can just get it from their access logs, which store IP addresses. Shouldn't be too hard to collate those data with referring page information on the advertiser's site, or simply capture the click on the server and use a redirect to actual advertiser. Or is disintermediating Google just too costly/troublesome for most?
So now I may end up in the situation of having less information which helps me manage our website.
We have no ads and flash!
But the thought of having to have a popup at the front of the site, makes me think “forget third-party analytics!”
Until you realise that stats from your server are generally "polluted" with robot spider visits.
Personally, if only the EU people would get a proper job, then maybe the rest of us can get on with ours!
... I use Google Analytics to figure out which links should be on our Landing pages, the idea being that the most popular always get on the landing page making for a quicker journey to the most popular tasks.
Yup, I know we have server logs and such like but we don't have the money to throw at developers to get something in house that provides the kind of info GA does.
I know upper management are gonna insist on website surveys to replace the lost data which means all the work we've done to improve our site and site confidence with the users will be lost.
I get why the EU is doing it but I would like the UK to be successful in its discussions of implementing this in a better way via the browser manufacturers.
Since the ICO has given UK webmasters a year to get it sorted then I'll take my full 12 months thanks very much. But since the websites I run are of an 'adult' nature I doubt many people are going to go running to the police to report that a Google Analytics cookie was still on the websites after the 12 months has expired, and besides I opted for the whois privacy service of my registrar, so the address the domains are registered to is Suite 200, Olympic blvd, Los Angeles, US of A, along with 1556154 other domain names, so good luck tracing them to me.
AC for obvious reasons
"But the way we know [where a visitor is from] is by the cookies".
Mr Worstall has managed to plumb new depths after the "standards" fiasco. This statement is entirely untrue: cookies are used for maintaining state, and if you really want to know where someone is from you can always use the HTML5 Geo extensions to ask their permission.
Is this the end of journalism on El Reg as we know it? Or just a cunning plan by El Reg to show us what we will have to read if we don't opt-in into snooper cookies?
A few answers to other questions in a possibly vain attempt to stop the spread of ignorance:
* LSOs are covered just as much as http cookies;
* If free analytics are really worth that much then why are they given away? Answer because visitors are unwittingly paying the price by providing lots of personal information about their browsing habits; there are alternatives
* Snooping advertisers are selling the information they gather on your customers to your competitors;
* Omniture already conforms to European data protection legislation. Same origin cookies would be preferable with scrubbing (anonymisation of the IP address) as soon as possible
* The legislation will not be the end of the world as we know it
Firefox has for some time now had the option to 'ask every time' when third party cookies are planted - I always click 'for session' + 'use my choice for all cookies from this site' unless it is a site I plan to use again etc.
Just need all the other browsers to have this feature and then there is no need for this new directive?
Bizarrely, IIRC, that's why we've got a year's grace - I think someone in UK.gov actually heard about this idea (I'd be beyond bloody amazed if they thought it up themselves) and actually pushed the idea of working with the browser makers to simplify their cookie processes so that, by default, the (spirit of) the law is complied with.
i.e. the user/browser configuration setting determines whether the user wants to accept cookies - their permission is taken as being given (or not) based on those settings and the websites don't have to do anything.
It's an iffy one with Google Analytics mind since their cookies seem to originate from the domain of the site you're visiting - therefore first-party/third-party permission systems don't actually work.
Google's own opt-out extension is nothing more than a cunning PR job as clearly described by NoScript creator Giorgio Maone over here:-
http://hackademix.net/2010/05/26/google-analytics-opt-out-snake-oil/
The Noscript solution deals with the bullshit elegantly and terminally. Ciao, Giorgio.
Then we'd have NO oversight when Phorm/BT/whoever wanted to hand UK.gov a bung to allow them to operate illegally (granted UK.gov seems to be pretty much ignoring the court proceedings levelled at them from the EU) - depressingly the ONLY people looking out for the rights of the "little people" in the UK are in Brussels!
To be honest, I'm beginning to think we need to throw all the UK politicians into the North Sea and ask Germany if they'd like a new province.
OK, so I have various websites and I have regular server logs for them which I look at occasionally. I can see referrers, and which pages are more popular, and what browsers people use, and if I could be bothered I could geolocate the IP addresses. What exactly would I get by adding Google Analytics?
Is it the case that people are using Google Analytics just to do stuff that they could achieve themselves by looking at their own logs?
A big fail on the ICO's part. I clicked the link to the site and spent 10 seconds or so waiting for the prompt to appear. I thought initially that because I've visited it in the past it wouldn't appear. Then I noticed the very unintrusive box at the top of the screen. Not very noticeable at all if you follow UI guidelines. I'm looking at the main part of the page, not the header where I expect to find banners, headlines, menus or the name of the website.
OK here are my questions - I hope someone can answer?
1) If I have to ask a visitor the "first" time they visit my site - I presume I am checking to see if they have a cookie from my site that lets me know they are accepting my cookies. If the cookie does not exist then presumably I have to assume they have never visited my site before and therefore they need to be asked if they will allow me to send them cookies. The only way I can know throughout the rest of their session on my site that they don't want cookies from the site is to use a server session based on their IP address to store that information?
Thus if the session is ended on the server the next time they load any page on my site - I need to pop up that message again (otherwise how do I know if they have been asked already - short of storing every visitors IP address in a database - which seems to me to more of a privacy concern than a cookie would be)
2) Third Party Analytics -
Technically if I use Statcounter or Google or whoever to gather data on how people use my site - it is not MY site setting the cookie - it is Google or Statcounter or whoever. My server sends no code to the browser at all asking it to store a cookie.
3) Application?
Who exactly in the UK does this affect?? is it EVERY website? Just business? Does Charity come under the regulation?
4) Implementation?
Why is it that this news is really only being covered on tech news sites?
If this is really as important as people make it out to be - there should be headlines across the web, there should be FREE services to help individuals to clean up their websites.
The first non-business website to get hit with a fine for this stupid crap will literally kill the internet overnight. "Mr Smith of Leeds has been fined £100,000 because his website left a small text file on a computer after the user of the computer visited his website." You mean his website did what 99% of websites have done ever since Internet Explorer 3? All (decent) browsers allow you to deny or accept cookies on a site-by-site basis (or just switch them off entirely). All browsers allow you to clean your cookies (and temporary internet files) out whenever you like.
This makes me wonder how long it will be before people start having to pay fines because they got a virus on their computer.
is a really bad idea. Most ISPs have their customers on dynamic IPs that can change every hour or so. Added to that, a lot of people come through anonymising proxies or VPNs (especially in this day and age of web blocking and censorship) which can be completely misleading as to their location and identity.
I myself use a lesser-known but blisteringly fast VPN service with tunnels to several countries to get around things like Hulu and BBC geolocation, or to confuse location-tracking websites when I don't want them to know where I'm from. I know several people who now subscribe to VPNs in the face of the Telstra/Optus voluntary censorship coming up in Australia. This market is only going to grow in future, and it means for web developers that IP addresses are no more an effective means of tracking state than the user-agent string.
Ultimately there are two ways of keeping state around a website: cookies and session-ids. Cookies have the disadvantage of being easily blocked by the visitor (and of now being covered by this law), but they also have the advantages that they automatically maintain state once set without any further action needed from the web designer, and that they maintain state when the visitor leaves the site.
Session-ids OTOH are embedded in the url (or postdata for form submissions) and have the advantage of not being easily blocked by the user or being covered by laws, but have the disadvantages of losing state if the visitor leaves the site, and that every intra-site link on every page must carry the session-id.
Either way is a much better way of maintaining state than an IP address.
1: the ICO sets a long-term cookie that states that you've opted NOT to allow them to set cookies. This means that if that cookie is there, the visitor won't see the message asking them if they want to accept cookies every time. You are allowed to do this as it comes under the "essential functioning" clause of this cookie law.
2: This is one bit that's REALLY not explained - if you're using Google Analytics it's their service that's placing/using the cookies, although, because GA cookies appear to originate from YOUR domain and because YOU'VE installed GA to track YOUR customers I'd guess YOU might need to obtain consent. I have absolutely NO idea what would be the requirement if you were to embed a YouTube video on a page on your site however...
3: Technically it applies to everyone, including charities. In reality I'd be amazed if a £500,000 fine was levied as "Joe's WordPress Blog" for instance.
4: Implementation is entirely up to you - make it bright red, flashing and annoying if you like. If you want to protest make it bright red, flashing, annoying AND provide a brief reason as to why you have to legally get permission from your visitors with a link to the relevant EU website.
In short, the sky isn't falling - people will still be able to have Blogger/Blogspot sites and Facebook accounts, Google will still advertise and the world will go on.
About the ONLY changes you might expect this to have would be that web-devs will need to look at which third party software they incorporate into their site and whether that software places cookies (Google Analytics) and targeted advertising may need to rely on traditional methods like targeting the demographic of the site's visitors rather than the individual visitors themselves... just like people have been doing in print advertising for more than 100 years.
In short, if you're in the UK, investigate how you might logically implement it but otherwise ignore it for now - whatever the hell is implemented in a year's time will probably be radically different (and knowing UK.gov a lot more restrictive, imposing and unworkable).
I'd still love to know what you'd do with regards to an embedded YouTube video though :\
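Pulling the answer above together (the long-lived consent cookie the ICO uses in point 1, the "record the opt-IN instead" alternative suggested earlier in the thread, and the essential/non-essential split in point 2), here is an added example in Python. It is not code from the original post or from the ICO's site: a server-side helper that decides which Set-Cookie headers a response may carry. The cookie names `cookie_consent`, `sessionid` and `_ga`, and the one-year lifetime, are assumptions for the example.

```python
"""Consent-gated cookie emission (added example; not the ICO's code).

Policy implemented:
  * "essential" cookies (the session cookie, and the consent cookie itself)
    are always allowed: they fall under the strictly-necessary exemption.
  * everything else (analytics, ad tracking) is only emitted once the
    visitor has opted IN, recorded in a long-lived first-party cookie.
  * absence of the consent cookie means "not asked yet": show the banner
    and emit no non-essential cookies.  Recording the opt-in rather than
    the opt-out means a visitor who refuses gets no extra cookie at all.
"""
from http.cookies import SimpleCookie

CONSENT_COOKIE = "cookie_consent"      # assumed name
CONSENT_MAX_AGE = 365 * 24 * 3600      # one year, the grace period the ICO gave

# Cookies the site genuinely cannot work without (assumed list).
ESSENTIAL = {"sessionid", CONSENT_COOKIE}


def parse_cookie_header(header):
    """Return {name: value} from a raw Cookie: request header."""
    jar = SimpleCookie()
    if header:
        jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def consent_state(cookie_header):
    """'granted', 'refused' or 'unknown' (never asked, or consent cookie expired)."""
    value = parse_cookie_header(cookie_header).get(CONSENT_COOKIE)
    if value == "yes":
        return "granted"
    if value == "no":
        return "refused"
    return "unknown"


def set_cookie_header(name, value, max_age=None, http_only=True):
    """Build one Set-Cookie header value (Secure, Path=/, optional HttpOnly/Max-Age)."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["secure"] = True
    if http_only:
        c[name]["httponly"] = True
    if max_age is not None:
        c[name]["max-age"] = str(max_age)
    return c[name].OutputString()


def build_response(cookie_header, wanted_cookies):
    """Filter the cookies page code asked to set against the visitor's consent.

    Returns (show_banner, set_cookie_headers).  Non-essential cookies are
    dropped silently unless consent is 'granted'; the banner is shown only
    while the state is 'unknown'.
    """
    state = consent_state(cookie_header)
    headers = []
    for name, value in wanted_cookies.items():
        if name in ESSENTIAL:
            headers.append(set_cookie_header(name, value))
        elif state == "granted":
            # analytics scripts read their own cookie, so no HttpOnly here
            headers.append(set_cookie_header(name, value, http_only=False))
    return state == "unknown", headers


def record_consent(granted):
    """Set-Cookie header written when the visitor clicks the banner."""
    return set_cookie_header(CONSENT_COOKIE, "yes" if granted else "no",
                             max_age=CONSENT_MAX_AGE)


def emitted_names(headers):
    """Cookie names present in a list of Set-Cookie header values."""
    return sorted(h.split("=", 1)[0] for h in headers)
```

Using it: on every request call `build_response(request.headers.get("Cookie"), wanted)`; if the first element is true, render the banner, and when the visitor clicks it answer with `record_consent(True)` or `record_consent(False)`. The session cookie passes through in every state, which is the "essential functioning" clause the answer describes.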
So I can't go <?php session_start(); ?> without asking first?
Therefore, I have to have a separate page with an 'accept cookies?' dialogue before I can send the visitor to the page they wanted. What if they type in the url of a page that uses sessions?
I see the ICO didn't do that, they created the session cookie anyway.
Having participated in a UK forum on this legislation I feel I should point out that Mr. Roper is mistaken on an important count. The European legislation does _not_ just relate to cookies in the strict technical sense - it relates of all tracking methods, and the exemption for functionality is being very narrowly interpreted.
The underlying aim of the legislation is self-management of personal privacy, so that makes perfect sense. I have actually raised the issue of server-side session-to-session state with the ICO and have been told it does come within the remit of the legislation unless it is strictly and solely used for direct benefit to the user.
So -
We are required to know whether or not the visitor has or has not clicked the box to allow cookies.
If there is no cookie on the machine - we display the message.
We must display the message continuously on every page of the website until the visitor finally gives in and clicks the box....
Sounds a bit like harassment to me. My partner however has pointed out that it probably won't be long until 3rd party extensions for the major browsers provide a way to automatically tick the box without having to see the message.
I can see the web becoming a very ugly place if every website in the EU carries a message (and you know some websites will actually have a popup message rather than a tiny notice at the top of the page where most people aren't looking) on every bloody page of the site.
As for those people on a shared hosting platform - the bit in php.ini that changes whether a php session is passed on the address bar or in a cookie - is that overrideable on a site by site basis or is it a global server wide setting?
People better check "session.use_cookies" is set to 0 but we also better make sure we store some sort of unique identifier related to the Session ID for each visitor because - as the PHP Manual states -- "URL based session management has additional security risks compared to cookie based session management. Users may send a URL that contains an active session ID to their friends by email or users may save a URL that contains a session ID to their bookmarks and access your site with the same session ID always, for example."
Don't want to get into trouble with the law because Mr Smith sent Mr Jones a link from a shopping website which contained a session id in the link. Mr Jones is now suddenly logged in to Mr Smith's online account and can make purchases via Mr Smith's account details......
And yes the law says you can use cookies if they are essential - but online shopping *can* work without cookies - it is just not as secure - doesn't make it any less "functional" though.
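To make the PHP-manual warning quoted above concrete, here is an added Python example (not from the original post, and not PHP, but the same transport problem): a tiny server-side session store whose id can travel in the URL the way PHP's trans-sid mode does, plus the two checks a practitioner would run against that mode. It shows where the id leaks (the Referer header sent to third parties), the redirector fix for that leak, why rotating the id at login defeats a planted id but cannot stop Mr Smith's emailed link from logging Mr Jones in. `PHPSESSID` is PHP's default parameter name; the `shop.example` URLs, the `/out` redirector path and the user names are constructed.

```python
"""URL-carried session ids: where they leak and what rotation does and doesn't fix.
Added example with constructed URLs; not code from any real site."""
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "PHPSESSID"   # PHP's default name when session.use_trans_sid is on


class SessionStore:
    """Server-side session data keyed by an unguessable id.  The id is the only
    thing the cookie or URL parameter carries; all data stays on the server."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def is_valid(self, sid):
        return sid in self._sessions

    def login(self, sid, user):
        """Authenticate and ROTATE the id.  A pre-login id that someone else
        planted or saw (session fixation) stops working the moment the victim
        logs in; the caller must hand the new id to the browser."""
        data = self._sessions.pop(sid)
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid):
        return self._sessions.get(sid, {}).get("user")


def with_session_in_url(url, sid):
    """What trans-sid mode does to every intra-site link."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query[SESSION_PARAM] = sid
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def session_id_from_url(url):
    return dict(parse_qsl(urlsplit(url).query)).get(SESSION_PARAM)


def referer_sent_for(page_url):
    """Browsers send the current page URL, minus fragment, as Referer when the
    user follows a link.  If the session id is in the URL, it travels too."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaks_session_to(page_url, link_target):
    """True if following link_target from page_url hands the page's session id
    to a different host via the Referer header."""
    sid = session_id_from_url(page_url)
    if sid is None:
        return False
    same_site = urlsplit(page_url).netloc == urlsplit(link_target).netloc
    return not same_site and sid in referer_sent_for(page_url)


def outbound_redirect(page_url, link_target):
    """Fix for the leak: send external links through a same-site redirector whose
    URL carries no session id, so the third party's Referer is the clean URL."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, "/out", urlencode({"to": link_target}), ""))


def shared_link_scenario():
    """Mr Smith logs in, then emails Mr Jones an intra-site link.  Returns who
    the server believes is browsing when Jones opens it: with the id in the URL
    the server cannot tell them apart, which is the PHP manual's warning."""
    store = SessionStore()
    sid = store.login(store.create(), "smith")
    link = with_session_in_url("https://shop.example/basket", sid)
    return store.user_for(session_id_from_url(link))


def fixation_scenario():
    """Mr Jones plants HIS fresh id in a link; Smith opens it and logs in.
    Returns what Jones's planted id resolves to afterwards (None: rotated away)."""
    store = SessionStore()
    planted = store.create()                        # Jones obtains an id
    link = with_session_in_url("https://shop.example/login", planted)
    smith_sid = session_id_from_url(link)           # Smith's browser reuses it
    store.login(smith_sid, "smith")                 # rotation happens here
    return store.user_for(planted)
```

The two scenarios are the point: rotation on login is cheap and closes fixation, but nothing in the URL-transport design stops a logged-in link from being forwarded, which is why the comment above insists the cookie is the more secure carrier even though the shop "works" without it.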
Although I'm absolutely cheered by the wonderful news that people are starting to wake up to saying 'f--k off' to the endless tracking going on, I know in my heart that web sites will just make sure that their site doesn't work unless you accept the tracking cookies, even if they could just make it work anyway.
1. there are no ads on the ICO site.
2. they may not be able to count 'visitors' but they can still count page requests and impressions
3. that was two more things...
All the tracking you need can be done by yourself, without cookies, has no-one heard of server logs?
...unless of course your business relies on targeted advertising, as noted above, the ICOs doesn't.
You can't really track time taken on a page, bounce rate etc. without session detection as in order to pull those stats together you need to be able to associate one page request with another as part of a single user journey. You can detect general page flow using the http referrer and the current url to build general stats as to the direction of travel and from where it came.
With a session cookie (the sort you use to remember that a user is logged in by associating the browser with a server side data structure), you can do everything you can do normally but behind the scenes using a server as a relay between an analytics service and the end user. You could do so without cookies using the session id through the url method as mentioned by Steven Roper above.
Cookies are not the problem, it is the usage of the data gathered, and that isn't remedied by this law simply because there are other ways to do it. If you wanted to store something on a user's machine there is localStorage and many other new data mechanisms. If you want to track a user and sell their data you can use other mechanisms that do not require anything to be stored on the user's machine.
Cookies seem to me to be the fall guy for a deeper problem, and that is being cavalier with data collected about your users. If you wanted to provide targeted ad space you can do so without providing ad companies any data about your users: you simply tell the ad company what type of ads to serve and keep the to-whom bit private. It is undeniably easier to just insert a couple of lines of third party code into your page though...
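The two posts above between them describe what first-party, cookie-free analytics can and cannot recover from the server's own access log: page flow from the Referer plus current URL, and "session detection" for bounce rate and time on page; an earlier comment adds that raw logs are polluted by robot spiders. Here is an added Python example, not from any of the posts, that does exactly that over a few constructed combined-format log lines. The (IP, User-Agent) visitor key, the 30-minute inactivity timeout, the bot User-Agent pattern and the host name `www.example.org` are assumptions of the example; the thread's own point that IPs are shared and dynamic is why the key is only an approximation.

```python
"""First-party analytics from the server's own access log: no cookies, no
third-party script.  Added example over constructed log lines; the 30-minute
visit timeout and (IP, User-Agent) visitor key are heuristics chosen here."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
VISIT_TIMEOUT = timedelta(minutes=30)
# Robots inflate raw page-view counts; drop the ones that identify themselves.
BOT_UA = re.compile(r"bot|crawler|spider|slurp", re.IGNORECASE)
ASSET_RE = re.compile(r"\.(css|js|png|jpe?g|gif|ico|woff2?)$")
SITE_HOST = "www.example.org"   # constructed


def parse_line(line):
    """One log line -> dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hit = m.groupdict()
    hit["ts"] = datetime.strptime(hit["ts"], TS_FORMAT)
    hit["status"] = int(hit["status"])
    return hit


def is_page_view(hit):
    """Only successful GETs for pages count; assets, errors and bots do not."""
    if hit["method"] != "GET" or hit["status"] != 200:
        return False
    if BOT_UA.search(hit["ua"]):
        return False
    return not ASSET_RE.search(hit["path"].split("?")[0])


def sessionize(hits):
    """Group page views into visits.  Without a cookie the best available key is
    (IP, User-Agent) plus an inactivity timeout; NAT, proxies and dynamic IPs make
    this approximate, which is the price of storing nothing on the client."""
    by_visitor = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_visitor[(h["ip"], h["ua"])].append(h)
    visits = []
    for seq in by_visitor.values():
        current = [seq[0]]
        for h in seq[1:]:
            if h["ts"] - current[-1]["ts"] > VISIT_TIMEOUT:
                visits.append(current)
                current = []
            current.append(h)
        visits.append(current)
    return visits


def report(lines):
    """Page views, visits, bounce rate, time on page and page flow from raw lines."""
    hits = [h for h in map(parse_line, lines) if h and is_page_view(h)]
    visits = sessionize(hits)
    page_views = Counter(h["path"] for h in hits)
    bounces = sum(1 for v in visits if len(v) == 1)        # one-page visits
    # Time on page is only knowable for pages that were followed by another one.
    dwell = [(b["ts"] - a["ts"]).total_seconds()
             for v in visits for a, b in zip(v, v[1:])]
    # Page flow: internal referer path -> current page; otherwise landing source.
    flow = Counter()
    for h in hits:
        ref = h["referer"]
        if ref.startswith(("http://" + SITE_HOST, "https://" + SITE_HOST)):
            src = re.sub(r"^https?://[^/]+", "", ref) or "/"
        else:
            src = "(direct)" if ref in ("", "-") else "(external)"
        flow[(src, h["path"])] += 1
    return {
        "page_views": dict(page_views),
        "visits": len(visits),
        "bounce_rate": bounces / len(visits) if visits else 0.0,
        "avg_seconds_on_page": sum(dwell) / len(dwell) if dwell else 0.0,
        "flow": dict(flow),
    }


# Constructed sample: one visitor reads two pages then returns an hour later,
# a second visitor bounces, Googlebot fetches the front page, and a stylesheet
# request shows up alongside the page it belongs to.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/May/2011:10:00:00 +0100] "GET / HTTP/1.1" 200 5120 "https://search.example/?q=cookies" "Mozilla/5.0 (X11; Linux) Firefox/4.0"',
    '203.0.113.5 - - [26/May/2011:10:00:01 +0100] "GET /style.css HTTP/1.1" 200 800 "https://www.example.org/" "Mozilla/5.0 (X11; Linux) Firefox/4.0"',
    '203.0.113.5 - - [26/May/2011:10:01:30 +0100] "GET /about HTTP/1.1" 200 4096 "https://www.example.org/" "Mozilla/5.0 (X11; Linux) Firefox/4.0"',
    '198.51.100.9 - - [26/May/2011:10:05:00 +0100] "GET /about HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/11.0"',
    '66.249.66.1 - - [26/May/2011:10:06:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
    '203.0.113.5 - - [26/May/2011:11:00:00 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/4.0"',
]
```

Run `report(SAMPLE_LOG)` (or feed it the real access log, one line per element) and you get the figures the thread says need session detection: three visits, a two-thirds bounce rate, 90 seconds on the front page before `/about`, and a flow table showing one arrival from an external search and one from the front page. Unique visitors are the one number this cannot give honestly, for the reasons given earlier about shared and dynamic IPs.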
I don't understand why some people on here find it difficult to understand why a lot of websites and web masters use Google analytics.
You say you can just look at your log files? Seriously? Do you really think I have the time to go crawling through log files every time my CEO wants a report on the latest onsite activity? Sure, I could feed the logs through some log processing package, but why, when I can just link up analytics and the CEO can look at stats until his little heart is content.
GA is easy, it gives loads of stats (more than just number of visits/page impressions) and it is all really valuable.
We don't sell advertising space on our site, or have any interest in 3rd party advertising. We do have an interest in improving our site, and identifying where users may be having issues.
It seems to me that this law causes a lot of problems for legitimate businesses and websites.