Simple Machines Community Forum

Title: EU law banning cookies...
Post by: Web Help Forums on April 03, 2011, 08:07:19 PM
Each country is going to specify their own cookie laws, but generally speaking people have to consent before cookies are used from the 25th May.

I *think* a login into a forum would automatically be considered consent...

So my question is: Will SMF on its own under any circumstances store cookies before login is made? If so, any chance for an option of disabling this?

I am trying to slowly work my way through it all before May 25th
Title: Re: EU law banning cookies...
Post by: butchs on April 03, 2011, 08:19:43 PM
This link (http://ediscoverymap.com/2011/03/the-new-eu-cookie-directive-leads-to-cookie-wars-in-the-netherlands/) says:

Quote
Dutch law requires an opt-out regime for cookies: users need to be informed about the placement of tracking cookies, and they need to have an option to opt-out of having these cookies placed on their computers.

As far as I know SMF does not install tracking cookies.
;)
Title: Re: EU law banning cookies...
Post by: Illori on April 03, 2011, 08:25:11 PM
you might be interested in http://www.simplemachines.org/community/index.php?topic=425349
Title: Re: EU law banning cookies...
Post by: flapjack on April 03, 2011, 08:27:49 PM
However if the data being stored in the cookie is a requirement to provide the service (which would include cookies relating to shopping basket, logging in etc.), consent is not required. The key point of the law appears to be to control 'behavioural' tracking, which is used to target adverts to a user based on what they have looked at or how they have interacted with websites.

http://www.f2b.co.uk/blog/2011/3/14/new-eu-cookie-law-what-does-it-mean-for-uk-websites/
Title: Re: EU law banning cookies...
Post by: Web Help Forums on April 04, 2011, 05:53:19 PM
Are any cookies set before a user logs in to the forum? If so, I am 99% sure that it's not legal from 25th May. (I followed quite a few discussions, but I am not a lawyer, so my opinion is not any better than anyone else's!)

It's true cookies can be set if/when consent is implied. I guess that a login into a forum would be consent.
It is also true I have seen shopping carts listed as exception. (Not anything else though)

The purpose of the cookie as such does not matter AFAIK. (Even if the intent was to target tracking cookies, the law got much broader)

Title: Re: EU law banning cookies...
Post by: Aleksi "Lex" Kilpinen on May 03, 2011, 09:19:27 AM
The directive is first and foremost about ADVERTISING, and it is a directive - Directive is not law.
The directive is not a law, does not ban cookies and does not apply to cookies during log-ins or cookies issued as part of a shopping cart.

Title: Re: EU law banning cookies...
Post by: sawz on May 03, 2011, 09:32:19 AM
I like chocolate chip and pecan sandies.  ;)
Title: Re: EU law banning cookies...
Post by: live627 on May 04, 2011, 01:53:08 AM
if my cookies are banished I'd go hungry O_o
Title: Re: EU law banning cookies...
Post by: 青山 素子 on May 04, 2011, 11:35:35 AM
Based on what I've read on the law:

This means that SMF by itself wouldn't run into any problems. Any cookies set are used to provide service, such as marking you as banned (this prevents an expensive database lookup) or keeping your session ID.

Any cookies added by an owner directly or indirectly, such as through an advertising service, would possibly need to be disclaimed. That is the responsibility of the site owner as they added such a thing.
Title: Re: EU law banning cookies...
Post by: Aleksi "Lex" Kilpinen on May 04, 2011, 11:38:44 AM
Also - Please, remember that EU directives are not law. EU directives are something that most EU countries use as recommendations to write local law, but are not bound to accept directives as law 1:1.
Title: Re: EU law banning cookies...
Post by: SlammedDime on May 04, 2011, 12:11:22 PM
And also note that Simple Machines is a United States based company and is not bound by other countries' laws or directives (yes, the project should do what it can to accommodate, but is not required to do so)
Title: Re: EU law banning cookies...
Post by: 青山 素子 on May 04, 2011, 12:16:57 PM
Even if the directive did have the force of law, the SMF software wouldn't be in violation.

It's really the responsibility of the site owner to ensure that all software they use on their site is in line with local regulations.

Also, agreed with SlammedDime.

As a note, simplemachines.org the site wouldn't have to follow the directive anyway with this site, as it's hosted in the US by a US-based company.
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 26, 2012, 11:56:45 AM
Cookies law changed at 11th hour to introduce 'implied consent'

http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent
Title: Re: EU law banning cookies...
Post by: Arantor on May 26, 2012, 12:04:44 PM
That's even more unhelpful information than anything provided before. What does 'implied consent' actually mean for forums?
Title: Re: EU law banning cookies...
Post by: Aleksi "Lex" Kilpinen on May 26, 2012, 12:05:21 PM
I was fairly certain this would happen - the law would not have worked at all otherwise, and would have ended up like so many other crappy EU directives - pointless, and never forced...
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 26, 2012, 12:26:40 PM
Quote from: Arantor on May 26, 2012, 12:04:44 PM
That's even more unhelpful information than anything provided before. What does 'implied consent' actually mean for forums?

Essentially it puts the onus back on the user rather than the website.

Hopefully more information will follow shortly.
Title: Re: EU law banning cookies...
Post by: Arantor on May 26, 2012, 12:38:36 PM
I realise that the onus is put on the user - but at the same time I also note that comment in that advice that it should not be taken as 'we don't have to do anything'.

And actually, the law would have worked as intended, since the intention was not to make compliance onerous - the 'strictly necessary' exception would have worked had it not been so badly defined.
Title: Re: EU law banning cookies...
Post by: CircleDock on May 27, 2012, 06:47:09 AM
Quote from: Tony Reid on May 26, 2012, 11:56:45 AM
Cookies law changed at 11th hour to introduce 'implied consent'

http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent
I have the feeling that the ICO had to modify its advice and requirements in view of the fact that its own site is still not fully-compliant with the law and neither are many public sector web sites in the UK; saves them some embarrassment. However there is an EU draft designed to strengthen the data privacy regulations and once that becomes a Directive, the ICO may well have to state that implied consent is no longer acceptable.

As Arantor has said many times, SMF's own cookies do have a tracking element albeit restricted to the forum site but stripping those out completely would result in an apparent loss of real time tracking of site visitors, even though the results are often misleading.

Into this mix we also have the "Do Not Track" initiative which is a settable browser option (for all modern browsers) and it's easy to test for its existence. If a visitor has that option set - and it's off by default - then we should assume that the user has already made an informed decision and not set any cookie that can be classed as a tracking cookie - and that arguably includes SMF's PHPSESSID.
Title: Re: EU law banning cookies...
Post by: Arantor on May 27, 2012, 08:50:53 AM
I have to admit, having read some more of the discussions on it, I'm actually even less convinced 'implied consent' is applicable to us.

Yes, I get that it covers the sign-up cookie, and I could probably be content with the view that the statement in the registration agreement to the effect of cookies, that to me is a bit better than implied consent but it falls far short of what the law mandates should be done with cookies.

The problem comes back to the session cookie. There is nothing to indicate that session cookies are applicable, so I fail to see how 'implied consent' is applicable.
Title: Re: EU law banning cookies...
Post by: feline on May 27, 2012, 11:12:30 AM
My meaning/interpretation .. the session cookie is not stringent required .. so we do this create not until the ECL is accepted. handicap .. you see no guests and can't track these on your site.
But .. the possible tracking is the critical point to have accept the ECL .. (I think)
Title: Re: EU law banning cookies...
Post by: Arantor on May 27, 2012, 11:14:01 AM
That's what I've been saying for a while but apparently only you and CircleDock seem to listen to me :/

Tell you what though, if you assume users won't accept the ECL but still want to view the site, you can avoid tracking guests - and save yourself a boat load of resources.
Title: Re: EU law banning cookies...
Post by: feline on May 27, 2012, 11:28:08 AM
Quote from: Arantor on May 27, 2012, 11:14:01 AM
Tell you what though, if you assume users won't accept the ECL but still want to view the site, you can avoid tracking guests - and save yourself a boat load of resources.
Exactly .. and I see that on the server logs since we have ECL enabled for our site  ;)
Title: Re: EU law banning cookies...
Post by: Arantor on May 27, 2012, 11:30:01 AM
How do you know how many guests are online if they don't accept cookies?
Title: Re: EU law banning cookies...
Post by: feline on May 27, 2012, 11:33:38 AM
not exactly .. but I think .. more the 70% visit the site without accept ecl  ;)
I think about a logging for these peoples ...
Title: Re: EU law banning cookies...
Post by: live627 on May 27, 2012, 01:39:44 PM
Quote from: Arantor on May 27, 2012, 11:30:01 AM
How do you know how many guests are online if they don't accept cookies?
In my experience, a session needs not be started (and so, no cookie) to see a guest on the who area.

EDIT: Wait, I take that back. Once I catch at least two guests on my site, I'll take a screenshot.
Title: Re: EU law banning cookies...
Post by: Arantor on May 27, 2012, 03:08:01 PM
You do require a session to have been started in order for a guest to show up on the who's online page. If a session hasn't been started until absolutely necessary, you won't get the proper number of guests.

That means when I looked earlier and saw 6 guests, that's a fraction of the number of real guests who've opted in, which means it becomes a meaningless number.
Title: Re: EU law banning cookies...
Post by: live627 on May 27, 2012, 05:39:01 PM

Hmm... then this _is_ curious!
Title: Re: EU law banning cookies...
Post by: feline on May 27, 2012, 06:20:08 PM
You have installed any ECL Opt In?
Title: Re: EU law banning cookies...
Post by: live627 on May 27, 2012, 07:13:08 PM
No, not exactly. Sessions are disabled for guests. Only two lines of code at the beginning of loadSession() were needed :D Plus the BB cookie and its injection code are totally gone, another two lines.
Title: Re: EU law banning cookies...
Post by: Arantor on May 27, 2012, 07:21:59 PM
Interesting, very interesting. I may have been mistaken as to what was used to record state in the online log - guests are logged by IP address, not session ID in there.

But there's a LOT of assumptions in writeLog with respect to sessions being enabled.
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 28, 2012, 03:50:17 AM
Had to laugh at this blog... so true :

Dear ICO: This Is Why Web Developers Hate You
http://blog.silktide.com/2012/05/dear-ico-this-is-why-web-developers-hate-you/
Title: Re: EU law banning cookies...
Post by: CircleDock on May 28, 2012, 05:52:49 AM
Quote from: Tony Reid on May 28, 2012, 03:50:17 AM
Had to laugh at this blog... so true :

Dear ICO: This Is Why Web Developers Hate You
http://blog.silktide.com/2012/05/dear-ico-this-is-why-web-developers-hate-you/
That blog has been taken down ....
Title: Re: EU law banning cookies...
Post by: feline on May 28, 2012, 06:43:43 AM
Quote from: live627 on May 27, 2012, 07:13:08 PM
No, not exactly. Sessions are disabled for guests. Only two lines of code at the beginning of loadSession() were needed :D Plus the BB cookie and its injection code are totally gone, another two lines.
That is not enough ... in SMF you will find a lot of code they grab the SESSION .. but if none exist, it will give a lot of errors. Same in the WriteLog() .. just after the Spider checking, you have to leave the function ...
if(!checkECL_Cookie() && empty($user_info['possibly_robot']))
   return;
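
The gate discussed in the posts above (no guest session before consent, Do Not Track honoured, spiders treated like any other guest), as an added PHP example that is not part of the thread and is not SMF or PortaMX code. The cookie name `ecl_consent`, both function names and the two policy values are assumptions, and the sample requests are constructed.

```php
<?php
// Added example; not SMF or PortaMX code.
// CONSENT_COOKIE, the function names and the policy strings are hypothetical.

const CONSENT_COOKIE = 'ecl_consent';

/**
 * Decide whether this request may be given a session cookie.
 *
 * $policy is 'opt_in'  (no guest session until the notice is accepted) or
 *            'implied' (guest session unless the browser sends "DNT: 1").
 * The User-Agent is deliberately not consulted, so a crawler and an
 * ordinary guest get the same answer and the same page.
 */
function session_cookie_allowed(array $server, array $cookies, bool $isMember, string $policy): bool
{
    if ($isMember) {
        return true; // the login cookie is part of a service the user asked for
    }
    if (($cookies[CONSENT_COOKIE] ?? '') === '1') {
        return true; // guest has accepted the cookie notice on this site
    }
    if ($policy === 'implied') {
        // Browsers send "DNT: 1"; PHP exposes the header as HTTP_DNT.
        return ($server['HTTP_DNT'] ?? '') !== '1';
    }
    return false; // opt_in: nothing is set before acceptance
}

/**
 * Start the session only when allowed. Returns false when no session exists,
 * so callers can skip code that reads $_SESSION instead of hitting
 * undefined-index errors.
 */
function load_session_if_allowed(bool $isMember, string $policy): bool
{
    if (!session_cookie_allowed($_SERVER, $_COOKIE, $isMember, $policy)) {
        return false;
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    return true;
}

// Run from the command line to see the decision for each constructed request.
if (PHP_SAPI === 'cli') {
    // Constructed samples: [label, $_SERVER subset, $_COOKIE, logged-in member?]
    $samples = [
        ['guest, no consent',      [],                  [],                      false],
        ['guest, DNT: 1',          ['HTTP_DNT' => '1'], [],                      false],
        ['guest, accepted notice', ['HTTP_DNT' => '1'], [CONSENT_COOKIE => '1'], false],
        ['logged-in member',       [],                  [],                      true],
    ];
    foreach (['opt_in', 'implied'] as $policy) {
        foreach ($samples as [$label, $server, $cookies, $isMember]) {
            $ok = session_cookie_allowed($server, $cookies, $isMember, $policy);
            printf("%-8s %-24s %s\n", $policy, $label, $ok ? 'session' : 'no cookie');
        }
    }
}
```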
Title: Re: EU law banning cookies...
Post by: feline on May 28, 2012, 06:46:39 AM
@Tony Reid .. you think, that will help anyone? it's polemic .. not more not less
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 28, 2012, 08:17:01 AM

Implied Consent explained...

ICO Guide - V3 (http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/~/media/documents/library/Privacy_and_electronic/Practical_application/cookies_guidance_v3.ashx)
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 08:33:39 AM
I wouldn't call that 'explained'. I call that 'even more confusing than before'.

The key phrase I'm referring to is where it says (as I already said) about how it's not a 'we don't need to do anything' exception. It actually makes things a lot more confusing because I'm not sure how you can argue things like session cookies as having implied consent.

The example they give is a shopping cart, yes, I'm fine with that as having implied consent. Same with SMF logged-in cookies. But there is no way you can convince me that the session cookie is any way implied.
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 28, 2012, 08:43:24 AM
Yep - I agree confusing.

Interesting how this bank/building society interprets implied consent...

http://www.ibs.co.uk/legal/our-cookie-policy

And these.. http://www.sophus3.com/pulse-and-events/ico-implied-consent-can-be-sufficient-web-analytics-cookies

Still think we need to continue as we were - belt and braces type approach.

I've still got bits to do, but getting there slowly.
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 08:45:11 AM
*nods* Pretty poor piece of wording from the ICO, really, especially given how much confusion 'strictly necessary' caused, and I can bet many will interpret implied consent as 'we don't have to do anything'.
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 28, 2012, 08:48:36 AM
This magazine suggests it's more opt out than in... and an implied notice is good enough..

http://www.pcpro.co.uk/news/enterprise/374734/ico-no-fines-for-breaking-cookie-rules

Also note its content...

Tony
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 08:54:51 AM
That's not how I read it. It seems to me that it's more a case of 'it's law but the ICO understands that it isn't cleanly enforceable and that it will assess cases on a case by case basis'

Though the term 'distressing' is interesting, at what point does a cookie's use become distressing?
Title: Re: EU law banning cookies...
Post by: Tony Reid on May 28, 2012, 08:57:54 AM
I was going by the cookie notice they use... it has no opt in tick boxes etc..

See attached...
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 09:00:33 AM
Thing is, the cookies still get set, and that to me does not indicate implying consent. It's more a case of 'we're doing this, leave if you don't like it', and if you're browsing with NoScript enabled you won't even see it - but still get the cookies AIUI.
Title: Re: EU law banning cookies...
Post by: feline on May 28, 2012, 09:24:51 AM
Well .. we can do a long discussion, if the session cookie  'strictly necessary'.
For me (and I think Arantor) it's clear, that this is NOT 'strictly necessary' .. the forum works without these cookie.
The one and only point they never works .. you don't see Guests they not have accepted the ECL in the Who list.
OK .. for a secure implementation of ECL it's need a lot of changes on the SMF sources, many to avoid undefined index errors and so one, but the basic function works perfectly. What WE have do and how it's work, you can see on our site.
A more detailed information you can find on the topic http://portamx.com/3155/eu-cookie-law-deadline-may-26th-2012/
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 09:27:36 AM
That's exactly it, I cannot see how the normal SMF cookie falls under the 'strictly necessary' definition. It's only an architectural matter of SMF that requires it, it isn't required to actually be able to make the site function, as opposed to, say, a shopping cart that basically would require it.
Title: Re: EU law banning cookies...
Post by: feline on May 28, 2012, 09:31:35 AM
1+  ;D
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 09:33:06 AM
Wait, when did you and I ever agree on anything? :D
Title: Re: EU law banning cookies...
Post by: feline on May 28, 2012, 09:34:59 AM
because we are not stupid ?  :D
Title: Re: EU law banning cookies...
Post by: live627 on May 28, 2012, 06:51:16 PM
Quote from: feline on May 28, 2012, 06:43:43 AM
if(!checkECL_Cookie() && empty($user_info['possibly_robot']))
   return;
What is checkECL_Cookie()? I assume it's a function from ema's mod to check for cookie consent.

And you didn't extend this to spiders?? How... interesting.
Title: Re: EU law banning cookies...
Post by: Arantor on May 28, 2012, 07:02:04 PM
Yeah, that's something I picked up on earlier, allowing spiders in when not allowing users in (assuming modal acceptance) is a sure way to get penalised by search engines.
Title: Re: EU law banning cookies...
Post by: feline on May 29, 2012, 05:05:20 AM
Spider are (imho) guests they have accepted the ECL  :D
Of course ... it's possible that (in modal mode) to get a penalize. But I don't know how this will detect  ???
Title: Re: EU law banning cookies...
Post by: Arantor on May 29, 2012, 05:17:24 AM
I suppose you can probably argue implied consent for spiders but the problem is that search engines do sometimes visit without identifying themselves as spiders to validate that people aren't hiding content from guests without hiding it also from search engines.

There was a 'tech help site' that did this - supply a user agent of Googlebot and you'd get all the answers you wanted, but use a regular user agent and you'd be expected to pay for answers to questions on the site. I won't dignify them with a name because IMHO the site is one of the lowest forms of scum on the net.
Title: Re: EU law banning cookies...
Post by: feline on May 29, 2012, 08:11:29 AM
OK .. Thanks for the information.   ;D
But .. because we have enabled the non modal mode (only WAP is modal, but locked in robots.txt) we are on a good way (I hope)
Title: Re: EU law banning cookies...
Post by: Arantor on May 29, 2012, 08:15:34 AM
Yeah, you should be fine, the problem is when it's modal - effectively blocking genuine users until accepting the cookies, while not blocking spiders at all.
Title: Re: EU law banning cookies...
Post by: feline on May 29, 2012, 08:18:18 AM
I don't know .. but have google a search engine they emulate a mobile device (like android) ?
Title: Re: EU law banning cookies...
Post by: Arantor on May 29, 2012, 08:33:12 AM
Yes, there is also a mobile user agent, though I forget what it is. But even then they have been known to do detection against UA testing.
Title: Re: EU law banning cookies...
Post by: 青山 素子 on May 30, 2012, 01:03:18 AM
Quote from: Arantor on May 29, 2012, 05:17:24 AM
There was a 'tech help site' that did this - supply a user agent of Googlebot and you'd get all the answers you wanted, but use a regular user agent and you'd be expected to pay for answers to questions on the site. I won't dignify them with a name because IMHO the site is one of the lowest forms of scum on the net.

Expert Sex Change (well, not with that spacing or capitalization in their name...), I think it was. Bet you can't see their name any other way from now on, now.

They are actually following the rules because the answers are all the way at the bottom of the page, and they use a cookie to block those completely on the third visit to their site - removing that cookie shows the answers again. Not the nicest approach, but they are actually following the rules.
Title: Re: EU law banning cookies...
Post by: Arantor on May 30, 2012, 10:04:05 AM
Quote
Expert Sex Change (well, not with that spacing or capitalization in their name...), I think it was. Bet you can't see their name any other way from now on, now.

Yes, yes that's exactly who I'm thinking of, and that ambiguity was one reason I didn't want to mention them, though I believe they've actually put a hyphen in the name now.

Quote
They are actually following the rules because the answers are all the way at the bottom of the page, and they use a cookie to block those completely on the third visit to their site - removing that cookie shows the answers again. Not the nicest approach, but they are actually following the rules.

They are *now*. That was their response to the penalties from Google. Originally all one had to do to see any amount of answers was to visit as Googlebot.
Title: Re: EU law banning cookies...
Post by: tpgames on June 06, 2012, 11:28:38 AM
I've read where Americans were really picky about cookies and privacy. I find it humorous that as much as Europe laughs at the USA, they come up with the cookie directive. All a person really has to do is delete cookies and the session is over.

If anything pertaining to cookies really goes to law, they aren't going to be able to police 50 trillion forums, fan sites, communities, businesses and so on. And, the law is really only as effective as the barrister/lawyer behind that law when it is argued in court. Also, a simple legal statement pertaining to cookies only being used to keep someone logged in and how they expire the instant user signs out, should go a long ways in protecting against cookie laws.

About SMF and cookies: I notice that no matter how I set things, I'm automatically logged out and have to relog back in. This has always been an issue for me on the server I use. I set it to "stay logged in for 36,000" as a joke, as I'm always logged out every hour or so anyways.  :laugh: (And no, not a support question!) This could indicate to the user that cookies on your site are very temporary and largely useless and don't track anything...including active key strokes. :laugh: With that said, I still prefer SMF as it's the only forum in Softaculous that works my way.
Title: Re: EU law banning cookies...
Post by: MrPhil on June 06, 2012, 03:28:55 PM
Quote from: 青山 素子 on May 30, 2012, 01:03:18 AM
Expert Sex Change (well, not with that spacing or capitalization in their name...), I think it was. Bet you can't see their name any other way from now on, now.

Reminds me of a photo of a small store, posted on one of those "FAIL!" sites: The Children's Exchange. Only, the sign kind of ran the words together in a Small Caps font that barely distinguished between capitals and lowercase...
Title: Re: EU law banning cookies...
Post by: MrPhil on June 06, 2012, 03:38:07 PM
Quote from: tpgames on June 06, 2012, 11:28:38 AM
I've read where Americans were really picky about cookies and privacy.
Actually, we're conditioned to give up all our information privacy in return for trinkets. It's physical searches (and the loss of dignity) we're squeamish about (see "Don't touch my junk!" case).

Quote
I find it humorous that as much as Europe laughs at the USA, they come up with the cookie directive.
You laughin' at us? I said, are you laughin' AT US?

Quote
If anything pertaining to cookies really goes to law, they aren't going to be able to police 50 trillion forums, fan sites, communities, businesses and so on. And, the law is really only as effective as the barrister/lawyer behind that law when it is argued in court. Also, a simple legal statement pertaining to cookies only being used to keep someone logged in and how they expire the instant user signs out, should go a long ways in protecting against cookie laws.
They will rely on the fear of heavy fines to keep sites in line. They won't need to police individual sites, except if they receive a complaint about cookies being used. A few website owners made destitute will do the job quite effectively, by striking fear into the hearts of everyone else. With that much money at stake, I'm sure they'll find effective prosecutors to press cases. Finally, technical explanations don't matter with non-technical juries. They're not going to understand a word of it. It's all a matter of theatre.
Title: Re: EU law banning cookies...
Post by: butchs on June 09, 2012, 07:24:27 AM
Quote
If anything pertaining to cookies really goes to law, they aren't going to be able to police 50 trillion forums, fan sites, communities, businesses and so on. And, the law is really only as effective as the barrister/lawyer behind that law when it is argued in court. Also, a simple legal statement pertaining to cookies only being used to keep someone logged in and how they expire the instant user signs out, should go a long ways in protecting against cookie laws.

If anything our government will tax the cookies and instruct google to find each and every one.  That will be our solution to the debt crisis when the Euro fails.
Title: Re: EU law banning cookies...
Post by: Allstar12345 on June 11, 2012, 05:15:58 AM
Just a quick question, since I'm in England do I have to put a notice up about the cookies? Even though my server is in India somewhere...
Title: Re: EU law banning cookies...
Post by: Tony Reid on June 11, 2012, 05:18:53 AM
yep
Title: Re: EU law banning cookies...
Post by: Allstar12345 on June 11, 2012, 05:25:30 AM
Quote from: Tony Reid on June 11, 2012, 05:18:53 AM
yep
Crap :(