The Register® — Biting the hand that feeds IT

Feeds

Please kill this cookie monster to save Europe's websites

Crummy cookie cutting law really takes the biscuit

By OUT-LAW.COM, 18th May 2009
  • print
  • alert

Agentless Backup is Not a Myth

Opinion Visit any website and there's a good chance that it will send a cookie to your computer. But unless that cookie is essential, its delivery could become illegal under a strange new plan that has, very quietly, won EU support.

Cookies are small text files that websites send to visitors' computers. Websites struggle to recognise their users without them. When someone visits OUT-LAW.COM for the first time, our site endeavours to send that visitor's computer a cookie. We do this with some help from Google, which offers a free service called Google Analytics. The Google Analytics cookie is used to count our visitors, a measure of success that we find rather helpful. This is just one way in which we use cookies. It's impossible for us to argue, though, that that cookie is essential to fulfilling the visitor's purpose.

Under plans endorsed by the European Commission, the Council of Ministers and the European Parliament, we would have a choice: stop using Google Analytics or ask visitors for permission to send that cookie when they visit. Like an over-enthusiastic greeter, the latter approach requires us to welcome even casual passers-by with a "Hi, how are you today?" and an invitation to wear a visitor's badge.

Most websites use Google Analytics (including the site of the UK's privacy chief, at ico.gov.uk) or a similar traffic analysis tool, and that is just one use that sites make of cookies. We’re all subject to this requirement for prior consent – or so it seems. The trouble is, we don't know what the law really means. Nobody does, because the proposed law is ambiguous. (See the relevant sections or full text.)

There is a cookie law in Europe today. It comes from the Privacy and Electronic Communications Directive (11-page pdf), which says that sites using cookies must give visitors "clear and comprehensive information" about the purpose of the cookies. They must also offer visitors "the right to refuse" the use of cookies. That law was passed in 2002 and it is somewhat ambiguous – but in a way that allows for pragmatic interpretations.

The 2002 Directive did not say when or how the information had to be provided. It was implemented in the UK in a set of Regulations that parroted the Directive's ambiguous language. But our Information Commissioner, to his credit, took a pragmatic view. He published guidance (19-page pdf) that said it was acceptable to display the information in a privacy policy, asking only that "the policy should be clearly signposted at least on those pages where a user may enter a website." Usability survived, in the UK at least.

To comply with today's law is easy. Websites add a 'privacy policy' link to every page, and that policy explains their uses of cookies. The right to refuse cookies is dealt with retrospectively: you'll probably have the cookie by the time you read about it. But that's okay, the Commissioner tells us, provided the policy guides users on how they can control and delete the cookies on their machines.

Since that guidance will vary according to the user's choice of internet browser, we set up AboutCookies.org, a site to which any privacy policy can direct its readers. Lots of websites' privacy policies include a link to AboutCookies.org. You'll find instructions there for controlling and deleting cookies in various browsers, like Internet Explorer, Firefox, Safari, Opera and Chrome. (A short time later, the Interactive Advertising Bureau set up AllAboutCookies, a site that serves the same purpose.)

This simple approach to cookie compliance is under threat.

The new law says that cookies can be delivered to a user's computer only if that user "has given his/her consent, having been provided with clear and comprehensive information" unless it is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."

So if I'm shopping at Amazon.co.uk and I put a book in my shopping basket, Amazon can use a cookie to remember which book I want when I proceed to the checkout. That is a cookie that's essential to the service I've explicitly requested. But if Amazon wants to use a cookie for another purpose, e.g. to monitor shopping basket abandonment, it needs my consent.

This sounds bad, but a recital to the new law sounds like an escape clause. In any Directive, recitals are listed before the formal 'Articles'. They provide an introduction to the new law, sharing the lawmakers' rationale for the provisions that follow. Curiously, the cookie recital includes a suggestion that conflicts with the main Article.

The new cookie recital says: "The user's will to accept processing may be expressed by way of using the appropriate settings of a browser or other application."

Most browsers have a default setting that allows cookies. Most people never change that (and many don't know that the setting exists). So a court might reasonably question how consent can be implied from a default setting. If no question is asked, silence does not convey consent.

What you need to know about cloud backup

Page:

COMMENTS

House Rules Send Corrections
All Reader Comments (39)
Highly Rated
Anonymous Coward
Anonymous Coward

@Tim Bates

@Tim Bates

A lot of us just don't want some marketing company tracking of movements and trying to sell us crap.

What you say is all well and good now, but there is a large potential for abuse, and that is what most people would be concerned with. Last night I clicked a link on a blog and ended up reading some other blog that was very right-wing and kind of scary. I do not like the idea that such information is recorded, and might be able to be used against me. What if I'm accused of a crime and the police demand my records from google? they might put up a fight NOW, but you only have to look at how things were 10 years ago to see how quickly things change. Such a thing could become common procedure.

But really, the bottom line is people enjoy their privacy, and this is a matter of privacy.

1
0
Peter Fairbrother

Google Analytics

"When someone visits OUT-LAW.COM for the first time, our site endeavours to send that visitor's computer a cookie. We do this with some help from Google, which offers a free service called Google Analytics."

That's certainly not mentioned in your privacy policy page. You say you will collect some data automatically. and may pass data abroad to your other offices, but you don't say you pass data abroad to Google.

Get a grip. Collect your own data and do your own analyses, it's not that hard.

Also, I wonder whether it's possible to link Google analytics cookies to the different sites that produce them. Or if Google can do it - a quick skim suggests they can - and you can't be sure what they are actually doing with the data.

The proposed law doesn't go far enough, but well done EU so far!

1
0
Anonymous Coward
Anonymous Coward

EU package

There was a big scramble in the last few months of this package. Pro-phorm UK policy makers were weakening the 'choose to refuse'. There was also a page and half from Ofcom suggesting Internet could be treated like a Cable TV network leading to net discrimination clauses - the wiki amendments and AT&T amendments. There was also the 'three strikes' clauses being pushed by UK and French civil servants.

Parliament did catch the three strikes and pushed the package to conciliation. In the UK the Lib Dems Sara Ludford and Caroline Lucas of the Greens were active, as were UKIP and the Scottish Nationalists. As late as last week iptegrity.com was reporting on meetings to squeeze the legislation through. Tory MEP Malcom Harbour (the rapporteur - the proposer) keeps re-assuring fellow MEPs he is acting in the customer interest, but putting a Tory on a Customer Protection committee is a bit like Alastair Campbell being in charge of a Truth commission, it's just not in their genes, they do not get it. Mr Harbour is Mr Cameron top internet expert, be worried!

Amidst the arguing, Internet access was declared a right and thus much of the net discrimination clauses were weakened, but they were adopted. It remains to be seen whether the conciliation process opens up the nasties in the adopted clauses or whether they remain. The lack of scrutiny and accountability is awful as the conciliation process happens behind closed doors.

What is clear is that tens of thousands made their voice heard and those in the smaller parties listened, so I will voting for them on June 4th.

1
0

More from The Register

SCO vs. IBM battle resumes over ownership of Unix
Zombie lawsuit back and wants to suck the brains out of Linux
115
breaking news
Jailed LulzSec hacker Cleary coughs to child porn images, will be freed soon
Some images of infants as young as six months
68
NSA whistleblower to tech firms, Obama: 'Grow a pair!'
Ed Snowden: Email tracking grabs 'IPs, raw data, content, headers, attachments, everything'
66
breaking news
Ecuador: All right, Julian, you CAN stay on our sofa - it's your human right
Minister and Wikileaker share cosy chat in tiny London flat
65
Google flings another £1m at online child sex abuse vid CRACKDOWN
See, see, we're trying, ad giant tells Daily Mail UK.gov
41
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
breaking news
BBC lied to Parliament about doomed £100m IT monster, thunder MPs
Axed DMI ballooned and burst while watchdogs sang Kumbaya
50
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
Not just telcos, THOUSANDS of companies share data with US spies
It's all perfectly legal, trust us
68