New European Cookie Laws

Started by Insight, March 08, 2011, 07:54:46 AM

Insight

Hi All,

I was wondering whether SMF have seen anything with regards to the new forthcoming European cookie laws. They are supposed to come into effect later this year. For something like SMF I don't think it will involve anything more complex than a statement of what data is stored in the cookie and obtaining the user's permission on whether it is OK to do so.

You could argue this could be written into the terms & conditions that users agree to on registration but this might not be transparent or accessible enough for the rules and wouldn't count for any existing users that agreed before the T's & C's get changed.

The BBC Article:

http://www.bbc.co.uk/news/technology-12668552

It seems from the article that the rules aren't fully defined as yet, but I wondered whether SMF are aware of the changes and whether you will subsequently be releasing anything to cater for it?


Arantor

From SMF's registration agreement:
Quote: Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

I'd argue that it's covered, personally.

Insight

Quote from: Arantor on March 08, 2011, 09:02:22 AM
From SMF's registration agreement:
Quote: Also note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

I'd argue that it's covered, personally.

It might very well be. However, by the look of the way the rules are being discussed, saying "such as your username" might not be an explicit enough definition of what the cookie stores for the EU legislation.

This thread is more to serve as a flagging item really so the SMF guys are aware of the impending rule definition and can respond in turn if there is anything for them to do.

Arantor

Well, technically it's the user id and password, hashed, that are sent, rather than the user name, but I'd still argue SMF is already covered. But yeah, it's good to flag up.

Kindred

actually, this would be up to the individual admins, not SMF as a software.

Like the idiot lawyers who submit lawsuits against the Simple Machines organization because someone who uses our software offended their client... we distribute the software; we are not responsible for the use, misuse or anything that you do with it once you download it.

So, I'll claim that Arantor is correct and that the currently distributed agreement is valid. However, if you think not and want your site to be more specific, then change your site's agreement... it's a simple text file (which I have almost always customized anyway), and it is the responsibility of each admin to make sure his/her site is legal in the specific location the site is being served.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Insight

Until the legislation has been determined, we can't really speculate on what would be sufficient. While I agree with you that SMF would not be held responsible, I was just wondering whether they would implement a feature to help admins support the legal requirements properly.

Not all SMF admins have the necessary abilities to mod their installation if something more than a large sweeping 'I agree' was to become required by EU law.

Again, it may not be an issue, but I thought I would mention it so SMF are aware of these legal changes going forward (better to be aware of this sort of thing than not be in my opinion).

Arantor

Quote: I was just wondering whether they would implement a feature to help admins support the legal requirements properly.

It's really not that hard to edit the agreement to include the necessary wording and it can of course be done in the master versions if the team decide it is necessary.

Quote: Not all SMF admins have the necessary abilities to mod their installation if something more than a large sweeping 'I agree' was to become required by EU law.

Yes, you're actually correct. There are people who don't seem to be able to go to Admin > Registration > Registration Agreement and edit it :P

Insight

Quote from: Arantor on March 08, 2011, 09:48:05 AM
Quote: I was just wondering whether they would implement a feature to help admins support the legal requirements properly.

It's really not that hard to edit the agreement to include the necessary wording and it can of course be done in the master versions if the team decide it is necessary.

Quote: Not all SMF admins have the necessary abilities to mod their installation if something more than a large sweeping 'I agree' was to become required by EU law.

Yes, you're actually correct. There are people who don't seem to be able to go to Admin > Registration > Registration Agreement and edit it :P

Good response... always nice to remind myself of why I avoid posting on here, pleasant people such as you.

I mean, IF something more than a large agreement text (like specific opt in / opt out of marketing mail options) is required.

Arantor

If something is, then I'm sure it'll be added, but I can't see it being a requirement, and in any case I can't see it being that effective a piece of legislation since the unpleasant ad networks will be based in the rest of the world where the EU law doesn't apply.

Oh, and SMF does already have some options for opting in/out of announcement emails in your profile...

Insight

Quote from: Arantor on March 08, 2011, 10:01:13 AM
If something is, then I'm sure it'll be added, but I can't see it being a requirement, and in any case I can't see it being that effective a piece of legislation since the unpleasant ad networks will be based in the rest of the world where the EU law doesn't apply.

Oh, and SMF does already have some options for opting in/out of announcement emails in your profile...

No, but companies in the EU will be required to state what they do with the cookie data, be that pass it on to other ad networks etc. It is a privacy thing, so someone can decide whether they want to use the site or not.

I know it does, I was using it as an example of what I was getting at.

Arantor

Yes, I realise that it's intended for privacy, except that like the recent ASA legislation here in the UK: it's fatally undermined by the fact that the web is bigger than the UK and bigger than the EU.

So, a company that operates in the EU has to advise its users what cookie data is used for. What happens to people like me, who are individuals and whose site is physically located in the US?

What happens with global companies that have both US and non US areas?

The sad fact is, this is broken legislation. All it means is that companies who are responsible have more red tape to deal with, and those who aren't responsible will continue to operate outside the EU and still abuse your privacy through cookie sharing; in other words, only legitimate sites are affected, and those who really need targeting aren't touched because they're based mainly in the US.

Insight

Quote from: Arantor on March 08, 2011, 10:35:44 AM
Yes, I realise that it's intended for privacy, except that like the recent ASA legislation here in the UK: it's fatally undermined by the fact that the web is bigger than the UK and bigger than the EU.

So, a company that operates in the EU has to advise its users what cookie data is used for. What happens to people like me, who are individuals and whose site is physically located in the US?

What happens with global companies that have both US and non US areas?

The sad fact is, this is broken legislation. All it means is that companies who are responsible have more red tape to deal with, and those who aren't responsible will continue to operate outside the EU and still abuse your privacy through cookie sharing; in other words, only legitimate sites are affected, and those who really need targeting aren't touched because they're based mainly in the US.

Good points, but broken or not, some of us will need to adhere to it :)

Arantor

Yes, some will... but it remains to be seen how many will *need* to, and how many will actually *do* so.

I get the feeling it will be like the ASA's new powers in the UK, to combat false advertising... on the web. Yeah, that works well.

青山 素子

Regardless, right now it appears that the actual regulations and policies around this aren't yet codified. As such, they could still change. Any effort made to try and focus on how they are at a single time could wind up partly or totally wasted.

Also, it is the duty of the website operator to ensure their site meets all local laws to which it might be subject (registering with the US Copyright Office as a designated agent for safe-harbor protection, for example). A single product created by a US-registered company consisting of all volunteers cannot easily or practically ensure that all legal issues are covered internationally, especially when the software might simply be a component of a larger website or service.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


butchs

This is why I have a Canadian host.  ;)
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

JohnS

A little more information is now available, and it does seem to create issues with forums including SMF. My comments are based on the UK interpretation of the EU directive; other countries have different interpretations. Note this is not legal opinion, I am not qualified to give legal opinion, and this is based on my personal views.

1. It does not matter where your hosting is located, if you are located in the EU or the user is in the EU then the law applies.

2. SMF uses cookies and attempts to place a cookie on your PC before you log in.

3. Placing this cookie (or even looking for a cookie on a PC) is not allowed under the new law without permission, unless it is 'strictly necessary', but there is no definition of this. Who will define 'strictly necessary'? It could be argued that it is not necessary until after you have logged in, but this cookie is set before you have logged in. If you bar this cookie you cannot log in.

4. The ICO (UK Information Commissioner's Office), who will control this law, have stated that in the first instance at least they will only take action against complaints, and even then will ask the offending party what they are going to do about it. There will be no immediate prosecution, so that gives time for things to settle down and some precedents to be set. They have also said that the first issue will be cookies that contain personal information; they do not seem to be too worried, at least at the moment, about neutral cookies that do not particularly identify people or their habits.

5. You would be well advised to ensure your sign-up agreement covers the new law, which covers new subscribers, but it does not cover existing ones. The UK ruling based on the EU directive is that you must seek positive approval; it is not enough just to change your terms and conditions, even if you advise people of the change, you must get their positive approval of the change. Opt Out is no longer a possibility in the EU; it is now all Opt In.

6. I have a subscriber base of over 4000 people, so obviously positive opt-in can only be carried out automatically. I already have utilities which clean the database and remove people; I will be working on these to change them to require everyone to verify their membership of the list on a positive-response basis.

7. I am still not convinced that this will meet the letter of the law, though it will probably meet the intent of the law, which is to control third-party (intrusive) cookies. At the end of the day it will probably not matter what the law says, but what the ICO do to police it. It could take years to find that out.

8. It may no longer be possible to allow indefinite log-in, and log-in may have to be restricted to the current session only, together with the removal of any cookie use prior to log-in. Whether the SMF team will take this on board I do not know.

9. Users of the forum are perhaps the least worry, as they are unlikely to complain about use of cookies on the site; the complaints will come from those who are not members and who do not understand cookies. Warnings may need to be placed, certainly in the joining terms and conditions and the on-site privacy statement (also required by EU directives, but not always there).

10. Forget Google Analytics: unless you are willing to pop up an agreement panel every time a person visits your site, they contravene the UK law. They do not necessarily contravene other EU countries' law, as some have taken a more relaxed approach than the UK big brother. We may find the big guns going into battle on this; Google, Facebook and many others have a lot to lose here.

John


Kindred

1- BS and unsupportable
2- yup
3- it is required by SMF. There is no other way to deal with user sessions.

in short...  it's all BS and is not defensible or enforceable.

MrMorph

So I'm thinking: change the terms and conditions to say you must accept that we use a cookie. If they don't accept then they can't join. New members will see the new terms and press the button to accept; that's all you need for new members, as it's direct acceptance.

And I was thinking of starting a simple thread for active members to voice their acceptance, and also sending a newsletter to each member saying that they must accept in the thread. Anyone who does not accept has their membership deleted. If they want to come back weeks later then they get the new terms and conditions.

Can anyone tell me what details the SMF cookie holds? Is it just the username and password? Or is there anything else?

choloman05

I think this is directed at the big boys that provide "free" services like Google's Analytics, Chrome, and Search for example and gather huge amounts of very specific user behavior information. I doubt SMF needs to worry.

SlammedDime

Quote: Can anyone tell me what details the SMF cookie holds? Is it just the username and password? Or is there anything else?
The user id, a hashed password which is then hashed again with a salt, and the time you logged in.
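To make the two technical points in this thread concrete, the fields SlammedDime lists above (user id, a salted re-hash of the stored password hash, a timestamp) and JohnS's point 8 about session-only versus indefinite log-in, here is an added Python example. It is not SMF's code; it models a login cookie with that layout as a PHP-serialized array, the shape SMF's cookie takes as I understand it, and everything else (the `SAMPLE_USER` record, the `passwd`/`password_salt` column names, the `forum_login` cookie name) is a constructed assumption for this example. It builds the cookie, emits the `Set-Cookie` line with and without an `Expires` attribute, and then checks the cookie bytes to report what a privacy notice must actually admit: the user id is there, the username and the database password hash are not.

```python
import hashlib
import re
import time
from email.utils import formatdate
from typing import NamedTuple, Optional
from urllib.parse import quote, unquote

# Constructed sample account record for this example (not real SMF data).
# `passwd` = sha1(lowercase username + password) and a per-user `password_salt`
# are assumptions about the member table, not a copy of the project's schema.
SAMPLE_USER = {
    "id_member": 42,
    "member_name": "Alice",
    "passwd": hashlib.sha1(b"alice" + b"correct horse battery").hexdigest(),
    "password_salt": "0f1e2d3c",
}


class LoginCookie(NamedTuple):
    id_member: int
    password_hash: str  # sha1(passwd . password_salt): the stored hash, hashed again
    expires: int        # unix time the cookie stops being valid; 0 = session only


def php_serialize(values) -> str:
    """Serialize a flat list of ints and strings the way PHP's serialize() does."""
    parts = [f"a:{len(values)}:{{"]
    for i, v in enumerate(values):
        parts.append(f"i:{i};")
        if isinstance(v, int):
            parts.append(f"i:{v};")
        else:
            parts.append(f's:{len(v.encode())}:"{v}";')
    parts.append("}")
    return "".join(parts)


_ITEM = re.compile(r'i:\d+;(?:i:(-?\d+);|s:\d+:"([^"]*)";)')


def php_unserialize_flat(data: str) -> list:
    """Parse only a flat PHP-serialized array of ints/strings; reject anything else
    (objects, nested arrays) instead of handing untrusted cookie bytes to a general
    unserialize()."""
    m = re.fullmatch(r"a:(\d+):\{(.*)\}", data)
    if not m:
        raise ValueError("not a flat serialized array")
    body, items, pos = m.group(2), [], 0
    for item in _ITEM.finditer(body):
        if item.start() != pos:
            raise ValueError("unexpected bytes in serialized array")
        pos = item.end()
        items.append(int(item.group(1)) if item.group(1) is not None else item.group(2))
    if pos != len(body) or len(items) != int(m.group(1)):
        raise ValueError("length mismatch")
    return items


def make_cookie(user: dict, cookie_minutes: int = 0, now: Optional[int] = None) -> LoginCookie:
    """cookie_minutes=0 models 'current session only'; anything else is a persistent login."""
    now = int(time.time()) if now is None else now
    rehash = hashlib.sha1((user["passwd"] + user["password_salt"]).encode()).hexdigest()
    return LoginCookie(user["id_member"], rehash, now + cookie_minutes * 60 if cookie_minutes else 0)


def encode_cookie(c: LoginCookie) -> str:
    return php_serialize([c.id_member, c.password_hash, c.expires])


def decode_cookie(raw: str) -> LoginCookie:
    fields = php_unserialize_flat(unquote(raw))
    if len(fields) != 3 or not isinstance(fields[0], int) or not isinstance(fields[2], int):
        raise ValueError("unexpected cookie layout")
    return LoginCookie(fields[0], str(fields[1]), fields[2])


def set_cookie_header(name: str, c: LoginCookie) -> str:
    """Build the Set-Cookie line. Without Expires the browser drops the cookie when it
    closes, which is the 'session only' log-in discussed in the thread."""
    attrs = [f"{name}={quote(encode_cookie(c), safe='')}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if c.expires:
        attrs.append("Expires=" + formatdate(c.expires, usegmt=True))
    return "Set-Cookie: " + "; ".join(attrs)


def cookie_disclosure(raw: str, user: dict) -> dict:
    """What a privacy notice must admit about this cookie, checked against its bytes."""
    c = decode_cookie(raw)
    plain = unquote(raw)
    return {
        "carries_user_id": c.id_member == user["id_member"],
        "carries_username": user["member_name"].lower() in plain.lower(),
        "carries_stored_hash": user["passwd"] in plain,
        "persistent": c.expires != 0,
    }


if __name__ == "__main__":
    for minutes in (0, 60 * 24 * 30):  # session-only, then a 30-day "remember me"
        cookie = make_cookie(SAMPLE_USER, cookie_minutes=minutes, now=1299570886)
        print(set_cookie_header("forum_login", cookie))
        print(cookie_disclosure(encode_cookie(cookie), SAMPLE_USER))
```

The disclosure check is the part worth keeping: it shows that the agreement text quoted earlier ("such as your username and password") overstates what is in the cookie, while the user id, which does identify a person, is exactly what it carries. The re-hash with a per-user salt also means a copy of the `passwd` column alone is not enough to forge a cookie; the salt has to leak too.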