[WIP/BETA] EU cookie law
MrPhil:
--- Quote from: movedgoalposts on May 25, 2012, 07:06:45 PM ---This all seems vastly overcomplicated.
--- End quote ---
It is (unnecessarily so).
--- Quote ---If I'm reading the ICO stuff correctly they are not really concerned about session cookies, ie those that expire when you leave the site and only help you recognise what you are doing whilst you are on the site. They are concerned about cookies that recognise who you are perhaps by returning password, might track you for advertising patterns, use statistics and other behaviour patterns.
--- End quote ---
Bingo! Unfortunately, the way the law is worded (i.e., what a judge and jury would have to follow), all cookies have to be specifically approved -- no exemptions. Disclaimer: I have not read the law(s) myself, and am only passing on what others who claim to have read the law(s) have said. They seem consistent, but for all I know they could be full of aromatic fecal matter...
--- Quote from: movedgoalposts on May 25, 2012, 08:23:27 PM ---So basically until the ICO tells us what we really need to do, rather than their wishy washy definitions, and hopefully provides proper solutions to this mess, can we just stick our head in the sand?
--- End quote ---
At your own risk (if you're subject to EU national laws). I'm not sure that the first case won't be laughed out of court, but you do run the risk of considerable expense and annoyance/irritation defending yourself. Someone was annoyed enough by tracking cookies to push for this law, and they evidently have friends in low places (legislatures), so it might not be a pushover. Hey, maybe it's a secret cabal of typewriter manufacturers, the Post Offices, and brick-and-mortar stores. You think?
--- Quote ---Perhaps I could hide my site behind a htaccess type password. But that would antagonise both my legitimate users and defeat the idea of the site being friendly.
--- End quote ---
You'd still have cookies, and thus still be technically illegal. It would be interesting if they could force you to grant Big Brother an ID so they can get in and see if you have any of those horrific cookies!
--- Quote ---Like most users, even of small sites, that allow others to register and post the biggest issue is spammers. Perhaps the government, EU and all should look to properly deal with that rather than meddling with ill thought out policies that cause headaches to most legitimate users.
--- End quote ---
Fat chance. I'm sure spammers are quite wealthy and therefore can buy any legislation they need.
Arantor:
--- Quote ---They seem consistent, but for all I know they could be full of aromatic fecal matter...
--- End quote ---
This is the problem. The layman's advice provided by the ICO seems to imply that it is OK but the wording of the law seems to imply that it isn't unless it can be shown to be 'strictly necessary'. Given the wording of the rest of the law and the UK's Data Protection Act, I believe it would be defendable as 'strictly necessary' if there weren't the analytical capability attached to it.
--- Quote ---At your own risk (if you're subject to EU national laws). I'm not sure that the first case won't be laughed out of court, but you do run the risk of considerable expense and annoyance/irritation defending yourself.
--- End quote ---
Therein lies one of the problems, actually. While enshrined in law, it's not the police or the direct judicial system that's charged with dealing with it, it is a regulator who would take it through private courts, primarily.
MovedGoalPosts:
A lot of the advertising mechanisms have evolved and unfortunately do seem to have a level of tracking. Equally the informed user, and that's the problem that they need to be informed, can reduce their exposure with their anti-malware software, and other opt out systems (http://www.networkadvertising.org/managing/opt_out.asp for example deals with many providers, but no doubt places its own cookie on your browser). Unfortunately this regulation seems to have gone beyond just adverts and related tracking behaviour. Whilst I respect privacy, if someone does choose to visit a website why shouldn't the owner of that site be able to understand what the visitor is looking at as hopefully such information might improve the site and information provided as well as the basic justification for the site.
But this should still come down to reasonableness in the extent of the solution. Most websites that allow any interaction between user and the site are going to need some form of tracking. Did the EU really envisage that the evolved interactive internet was going to have to be reprogrammed?
We'll never know the full implications of this without some test case and decisions from a court of law. Some sense of proportionality and reasonableness must surely prevail especially as the ICO's views are themselves only their interpretation of the regulation. I maintain that if I am just running SMF based cookies that allow my site to function and if I really wanted to, to know some basic data on what and where my visitors went, that is not a problem. After all those people, even if they don't register, chose to visit my site. But if I'm trying to pass that gleaned information on to others, that is a problem and should be stopped.
I'm using standard software, i.e. SMF not cutting edge stuff. I'm a basic user who is struggling to even get the website to have a theme that seems individual. Essentially I rely on stuff that other cleverer people have donated for use by numpties like me, as I haven't got the funds to line the pockets of people like Bill Gates' pension fund. As a simple internet user I don't want or need complex barriers in my way before I can get at the useful stuff, hell, if I encounter a flash type preview thing before entry to the main web site I've probably moved on to somewhere else.
Unless the standard, unmodded SMF is doing something to track users, or even the webmaster, by installation and use of the package, which allows the webmaster or SMF to sell on individual user data or activity, I really can't see a problem and why SMF should be modded. If we really must do this then it shouldn't be an add on mod, it needs a fundamental rewrite of the SMF code so that cookies never exist. In turn that needs a fundamental rewrite of most of the code that powers most of the internet's websites.
It is suggested that the current SMF guest cookies go beyond the essential use of short term session this is what you have looked at use, and could provide analytical data giving too much activity information to the webmaster in the process. Surely the easiest solution is to prevent the cookie from collating such analytical information, that many of us have no idea how to access simply keeping things to the basic session cookie that tells the user where they have been, rather than the website.
If it is the concern over tracking that is the problem, then deal with the tracking and the consequences of the cookie, rather than causing problems by even placing cookie warnings in front of the user.
Arantor:
--- Quote ---But this should still come down to reasonableness in the extent of the solution. Most websites that allow any interaction between user and the site are going to need some form of tracking. Did the EU really envisage that the evolved interactive internet was going to have to be reprogrammed?
--- End quote ---
No, they didn't. Partly this is because they're lawmakers and not technical people. But they actually allowed for this with the 'strictly necessary' exception. If you can justify what you're doing as 'strictly necessary' it's allowed.
But the justification criteria for that is vague. Cookies that are used for analytics strictly for load balancing are considered 'probably acceptable' but for general analytics such as SMF's... not so much.
Thing is, I actually wrote to them, detailing all of this and waiting for some kind of guidance but none is forthcoming.
The standard, unmodded SMF does have facilities to track users over and above what would be necessary for logins to work, you can see how many 'users' there are and what they are doing (and by default that's visible to anyone on the site), and an IP address is tied to it.
The argument, then, is that it is over and above what is strictly necessary.
I outlined that it would be possible to remove even that cookie behaviour and session handling for guests and leave it strictly for registered users, but even that is problematic because the 'number of users' and 'what they're doing' is seen as 'required information' by some admins, meaning that no-one wants to actually remove it from the core, even though you'd get several benefits and very little practical down-sides.
(I'd do it but I really don't want the hassle attached to dealing with supporting the changes required.)
Of interest: XenForo, which is entirely operated out of the UK, appears to be doing nothing special regarding cookies at all.
bonzo:
After the mention of XenForo (no idea what or who they are) I thought I would visit Amazon.co.uk and I have deleted all my browser cookies. Amazon are setting 15 cookies when you land on their site and you cannot tell me these are all essential to the running of the site!