[WIP/BETA] EU cookie law

Started by emanuele, April 21, 2012, 04:30:56 PM


Insight

I downloaded the package and uploaded to package manager - I get the following message when I try to "Apply mod":

The package you are trying to download or install is either corrupt or not compatible with this version of SMF.

emanuele

What version of SMF?
The package works only with 2.0, and at the moment I don't have any plan to backport it to 1.x.
If anyone is interested feel free to fork the repo and ask questions! ;D


Take a peek at what I'm doing! ;D




Do you need support in Italian?

Help us help you: explain your problem clearly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Insight

Ah, I am using 1.1.16 :(

I guess I ought to get round to upgrading - I just don't have the time at the moment.

What are the chances of a backport? Does bribery work? :)

emanuele

BTW, yesterday I realized that in the vast majority of cases the registration doesn't work unless the cookies are accepted (otherwise SMF cannot set the verification code cookie).



CircleDock

Quote from: emanuele on May 07, 2012, 06:44:56 AM
BTW, yesterday I realized that in the vast majority of cases the registration doesn't work unless the cookies are accepted (otherwise SMF cannot set the verification code cookie).
Yes and that's one of the reasons I have modified several templates to omit the display of the main menu bar, Search and the Registration/Log-On boxes unless cookies are accepted.

feline

Quote from: emanuele on May 07, 2012, 06:44:56 AM
BTW, yesterday I realized that in the vast majority of cases the registration doesn't work unless the cookies are accepted (otherwise SMF cannot set the verification code cookie).
There's more that doesn't work properly with your code, emanuele ;)
1. Take a look at Maintenance mode handling
2. If you are logged in (always), leave the site without logging out and come back, then logging out will give a session verification error.
3. Wap/Wap2/Imode is not handled

We have implemented (based on your code) working ECL support for our Portal & SMF and mobile devices.
Test it on our site ..  ;)

bonzo

I am interested in this plugin, but what state is it currently in, after reading feline's comments?

I have looked at feline's site and seen the code in action, but this is modified from standard - are there any other sites I can look at?

feline

What you have seen is mostly the final release that we will develop in association with our Portal software ...

nend

Just looking at feline's site and looking at the code it looks to be a nightmare to anyone that wants to accomplish SEO. Even if you do allow the bots in you may receive a penalty for different content for user and different content for bot.

nend

Here I just thought of this one, Here is a can of worms.



There we go, just set a cookie in your browser from a different domain through a script claiming to be an image. Now who is liable for that?

CircleDock

Quote from: nend on May 12, 2012, 02:20:28 PM
Here I just thought of this one, Here is a can of worms.



There we go, just set a cookie in your browser from a different domain through a script claiming to be an image. Now who is liable for that?

In the UK, the Information Commissioner (who enforces the new law) will very likely hold the site owner liable for any third-party cookies delivered to visitors to that site.

nend

The points I am trying to make: search engines like Google are going to penalize you for this. Even if you allow them in, they will still penalize you for showing different content to a search engine vs a user. The second point is how are you going to prevent all third party cookies? There is no way a webmaster can be sure of all cookies; like the image above, a cookie can be set by a generated image which can be hosted elsewhere.

Should the site owner be liable for third party cookies they may be unaware of?

Say I put this image on your site, I am not bound by the same laws so it is legal for me but not for you. How would the law handle this, embedded content.

Maybe getting off topic here though, but SEO is a real problem with this method. The only option for SEO's sake is to allow anybody in and make sure the site doesn't set a cookie, but then you've got your third parties. Maybe safe to turn off generated images in the BBC, to only allow non-generated images.

Fact though, IMHO a simple mod is not going to achieve this, a more complex modification is needed. Even so, you will have to be extremely careful not to allow third party ads if the law makes you liable for them. There is a lot of stuff that can set a cookie; this doesn't look like such an easy task if you're liable for third parties.

Really though, the law makes you liable for third party cookies?
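An added example, not part of nend's post or of the mod discussed in this thread: one way a site owner could audit captured HTTP responses for the case raised above, a cookie set by an image hosted on another domain, and tell session cookies from persistent ones. The host names, the capture format and the sample records are constructed assumptions.

```python
from urllib.parse import urlsplit

SITE_HOST = "forum.example"  # assumption: the forum's own host name

# Constructed sample capture: (request URL, [(header name, value), ...])
CAPTURE = [
    ("https://forum.example/index.php",
     [("Content-Type", "text/html"),
      ("Set-Cookie", "PHPSESSID=abc123; path=/; HttpOnly")]),
    ("https://img.other.example/sig.php?u=42",
     [("Content-Type", "image/png"),
      ("Set-Cookie", "uid=42; Max-Age=31536000; Path=/")]),
    ("https://cdn.static.example/logo.png",
     [("Content-Type", "image/png")]),
    ("https://forum.example/avatar.php?id=7",
     [("Content-Type", "image/jpeg"),
      ("set-cookie", "seen=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT")]),
]

def is_first_party(host, site_host=SITE_HOST):
    """True when host is the site itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == site_host or host.endswith("." + site_host)

def parse_set_cookie(value):
    """Return (cookie name, persistent?) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    # No Expires/Max-Age means the cookie ends with the browser session.
    return name, bool(attrs & {"expires", "max-age"})

def audit(capture, site_host=SITE_HOST):
    """List every cookie set in the capture, with who set it and how."""
    findings = []
    for url, headers in capture:
        host = urlsplit(url).hostname or ""
        ctype = next((v for k, v in headers if k.lower() == "content-type"), "")
        for key, value in headers:
            if key.lower() != "set-cookie":
                continue
            name, persistent = parse_set_cookie(value)
            findings.append({
                "host": host, "cookie": name,
                "third_party": not is_first_party(host, site_host),
                "persistent": persistent,
                "via_image": ctype.lower().startswith("image/"),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```
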

bonzo

I think it is a mess and nobody knows how to implement the law properly and most web users do not know what it means. Another law that has not been thought through properly and probably creates "jobs for the boys" (work that is given by someone who is in an important position to their friends or members of their family).

One problem, feline, and that is I cannot browse your website without accepting a cookie, and perhaps I do not want to do that. How do you sell your product in that case? Does this mean that all websites should have a version of their website without any cookies whatsoever?

My attitude, nend, is to do the best you can, and if something sneaks in at least you can prove you have tried.


karlbenson


MrPhil

I agree with @bonzo that it's a mess. It's well-intentioned (stop the invasion of privacy by the use of tracking cookies), but stupidly implemented. My advice is

  • Be careful not to add mods which use tracking cookies. Someone please start a list of mods which use potentially illegal tracking cookies?
  • If you want to add tracking cookie mods (e.g., for revenue generation), find a way to shut them off in the EU.
  • Add highlighted text to the agreement.txt file notifying users that you have some cookies on your site, but they are used only to maintain the session and not to track them.
If the EU wants to prosecute you for normal SMF session cookies, just point out all the government sites illegally using cookies (e.g., the British ICO) and publicly demand that they be the first prosecuted. Who knows, you may be the straw that breaks the camel's back and brings down the whole EU! :)

Arantor

1. Most mods actually don't use tracking cookies. In fact, there's only a handful of mods that use their own cookies - other than Nibogo's multi quote mod, you're pretty much looking at the analytics and ad mods, and that's more because of the tracking aspect of the analytics and ads code (i.e. Google)

3. Should really be covered as part of the default wording for members, but there's no requirement to guests to do so.

Re British ICO, they acknowledge that they are using session cookies however they are working with the software developers to remove them. If you're not compliant currently, making a good faith effort towards compliance will discourage penalties.

I've opined elsewhere that it may actually be beneficial not to start a session at all for guests. Sure, you lose tracking of what guests are doing 'right now' and lose any ability to judge how many guests are on the site but search engines screw those over anyway, and you'd save a buttload of effort and DB stuff by not doing it.

CircleDock

Quote from: MrPhil on May 20, 2012, 11:15:14 AM
I agree with @bonzo that it's a mess. It's well-intentioned (stop the invasion of privacy by the use of tracking cookies), but stupidly implemented. My advice is

  • Be careful not to add mods which use tracking cookies. Someone please start a list of mods which use potentially illegal tracking cookies?
  • If you want to add tracking cookie mods (e.g., for revenue generation), find a way to shut them off in the EU.
  • Add highlighted text to the agreement.txt file notifying users that you have some cookies on your site, but they are used only to maintain the session and not to track them.
If the EU wants to prosecute you for normal SMF session cookies, just point out all the government sites illegally using cookies (e.g., the British ICO) and publicly demand that they be the first prosecuted. Who knows, you may be the straw that breaks the camel's back and brings down the whole EU! :)
I agreed with what you said right up to the highlighted part. The ICO is not acting illegally as it has identified all the cookies it and third-party sites are likely to set and enumerates them on its privacy page. As Arantor has said, they say they're working with their software providers to remove the session cookies. The fact that many UK Government web sites won't be compliant in time doesn't mean that the ICO will give a free pass to those in the private sector.

It's not the EU who would prosecute offenders but the national regulator in the relevant member nation that would act. However with only three countries that have enacted PECR so far - the UK, Denmark and Latvia - the whole thing is a bit of a mess and pretty typical of the EU in general.

live627

Quote
1. Most mods actually don't use tracking cookies. In fact, there's only a handful of mods that use their own cookies - other than Nibogo's multi quote mod, you're pretty much looking at the analytics and ad mods, and that's more because of the tracking aspect of the analytics and ads code (i.e. Google)
Also, many large ADK mods use cookies.

feline

We have decided to allow no access to the contents until the cookie storage is accepted.
We have implemented this switchable option in our portal, but no one MUST use it.
That is at least more than SMF and other mod authors do ..

CircleDock

Quote from: live627 on May 20, 2012, 01:22:33 PM
Quote
1. Most mods actually don't use tracking cookies. In fact, there's only a handful of mods that use their own cookies - other than Nibogo's multi quote mod, you're pretty much looking at the analytics and ad mods, and that's more because of the tracking aspect of the analytics and ads code (i.e. Google)
Also, many large ADK mods use cookies.
Adk Portal certainly does (see Subs-Adkfunction.php -> function rewrite_context_html_headers()) but Adk Blog and Adk Advertising do not appear to.
