Simple Machines Community Forum

Hi All,

I was wondering whether SMF have seen anything with regards to the new forthcoming European cookie laws. They are supposed to come in effect later this year. For something like SMF I don't think it will involve anything more complex other than a statement of what data is stored in the cookie and to obtain permission on whether it is ok to do so for the user.

You could argue this could be written into the terms & conditions that users agree to on registration but this might not be transparent or accessible enough for the rules and wouldn't count for any existing users that agreed before the T's & C's get changed.

The BBC Article:

http://www.bbc.co.uk/news/technology-12668552

It seems from the article that the rules aren't fully defined as yet - but I wondered whether SMF were aware of the changes and whether SMF subsequently whether you will be releasing anything to cater for it?

From SMF's registration agreement:

QuoteAlso note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

I'd argue that it's covered, personally.

Quote from: Arantor on March 08, 2011, 09:02:22 AM
From SMF's registration agreement:

QuoteAlso note that the software places a cookie, a text file containing bits of information (such as your username and password), in your browser's cache. This is ONLY used to keep you logged in/out. The software does not collect or send any other form of information to your computer.

I'd argue that it's covered, personally.

It might very well be, however, by the look of the way the rules are being discussed saying "such as your username" might not be an explicit enough definition of what the cookie stores for the EU legislation though.

This thread is more to serve as a flagging item really so the SMF guys are aware of the impending rule definition and can respond in turn if there is anything for them to do.

Well, technically it's user id and password, hashed, that are sent, rather than user name - but I'd still argue SMF is already covered. But yeah, it's good to flag up.

actually, this would be up to the individual admins, not SMF as a software.

Like the idiots lawyers who submit lawsuits against Simple Machines organization because someone who uses our software offended their client...   we distribute the software, we are not responsible for the use, misuse or anything that you do with it, once you download it.

So, I'll claim that Arantor is correct and that the currently distributed agreement is valid. However, if you think not and want your site to be more specific, then change your site's agreement... it's a simple text file (which I have almost always customized anyway) and is the responsibility of each admin to make sure his/her site is legal in the specific location the site is being served.

Until the legislation has been determined, we can't speculate what would be sufficient really. While I agree with you, SMF would not be held responsible, I was just wondering whether they would implement a feature to help admins support the legal requirements properly.

Not all SMF admins have the necessary abilities to mod their installation if something more than a large sweeping 'I agree' was to become required by EU law.

Again, it may not be an issue, but I thought I would mention it so SMF are aware of these legal changes going forward (better to be aware of this sort of thing than not be in my opinion).

QuoteI was just wondering whether they would implement a feature to help admins support the legal requirements properly.

It's really not that hard to edit the agreement to include the necessary wording and it can of course be done in the master versions if the team decide it is necessary.

QuoteNot all SMF admins have the necessary abilities to mod their installation if something more than a large sweeping 'I agree' was to become required by EU law.

Yes, you're actually correct. There are people who don't seem to be able to go to Admin > Registration > Registration Agreement and edit it :P

Quote from: Arantor on March 08, 2011, 09:48:05 AM

QuoteI was just wondering whether they would implement a feature to help admins support the legal requirements properly.

It's really not that hard to edit the agreement to include the necessary wording and it can of course be done in the master versions if the team decide it is necessary.

QuoteNot all SMF admins have the necessary abilities to mod their installation if something more than a large sweeping 'I agree' was to become required by EU law.

Yes, you're actually correct. There are people who don't seem to be able to go to Admin > Registration > Registration Agreement and edit it :P

Good response... always nice to remind myself of why I avoid posting on here, pleasant people such as you.

I mean, IF something more than a large agreement text (like specific opt in / opt out of marketing mail options) is required.

If something is, then I'm sure it'll be added, but I can't see it being a requirement, and in any case I can't see it being that effective a piece of legislation since the unpleasant ad networks will be based in the rest of the world where the EU law doesn't apply.

Oh, and SMF does already have some options for opting in/out of announcement emails in your profile...

Quote from: Arantor on March 08, 2011, 10:01:13 AM
If something is, then I'm sure it'll be added, but I can't see it being a requirement, and in any case I can't see it being that effective a piece of legislation since the unpleasant ad networks will be based in the rest of the world where the EU law doesn't apply.

Oh, and SMF does already have some options for opting in/out of announcement emails in your profile...

No, but companies in the EU will be required to state what they do with the cookie data, be that pass it on to other ad networks etc. It is a privacy thing, so someone can decide whether they want to use the site or not.

I know it does, I was using it as an example of what I was getting at.

Yes, I realise that it's intended for privacy, except that like the recent ASA legislation here in the UK: it's fatally undermined by the fact that the web is bigger than the UK and bigger than the EU.

So, a company that operates in the EU has to advise its users what cookie data is used for. What happens to people like me who are individuals, and that my site is physically located in the US?

What happens with global companies that have both US and non US areas?

The sad fact is, this is broken legislation. All it means is that companies who are responsible have more red tape to deal with, and those who aren't responsible will continue to operate outside the EU and still abuse your privacy through cookie sharing; in other words only legitimate sites are affected, those who really need targetting aren't touched because they're based mainly in the US.

Quote from: Arantor on March 08, 2011, 10:35:44 AM
Yes, I realise that it's intended for privacy, except that like the recent ASA legislation here in the UK: it's fatally undermined by the fact that the web is bigger than the UK and bigger than the EU.

So, a company that operates in the EU has to advise its users what cookie data is used for. What happens to people like me who are individuals, and that my site is physically located in the US?

What happens with global companies that have both US and non US areas?

The sad fact is, this is broken legislation. All it means is that companies who are responsible have more red tape to deal with, and those who aren't responsible will continue to operate outside the EU and still abuse your privacy through cookie sharing; in other words only legitimate sites are affected, those who really need targetting aren't touched because they're based mainly in the US.

Good points, but broken or not, some of us will need to adhere to it :)

Yes, some will... but it remains to be see how many will *need* to, and how many will actually *do* so.

I get the feeling it will be like the ASA's new powers in the UK, to combat false advertising... on the web. Yeah, that works well.

Regardless, right now it appears that the actual regulations and policies around this aren't yet codified. As such, they could still change. Any effort made to try and focus on how they are at a single time could wind up partly or totally wasted.

Also, it is the duty of the website operator to ensue their site meets all local laws to which it might be subject (registering with the US Copyright Office as a designated agent, for safe-harbor protection, for example). A single product created by a US-registered company consisting of all volunteers cannot easily or in practicality ensure that all legal issues are covered internationally, especially when the software might simply be a component of a larger website or service.

This is why I have a Canadian host.  ;)

A little more information is now available and does seem to create issues with Forums including SMF. My comments are based on the UK interpretation of the EU directive, other countries have different interpretations, not this is not legal opinion I am not qualified to give legal opinion and this is based on my personal views.

1. It does not matter where your hosting is located, if you are located in the EU or the user is in the EU then the law applies.

2. SMF uses cookies and attempts to place a cookie on your PC before you log in.

3. Placing this cookie (or even looking for a cookie on a PC) is not allowed under the new law without permission, unless it is 'strictly necessary'.. But there is no definition of this. Who will define 'strictly necessary'. It could be argued that it is not necessary until after you have logged in, but this cookie is before you have logged in. If you bar this cookie you can not log in.

4. The ICO (UK Information Commissioners Office) who will control this law have stated that in the first instance at least they will only take action against complaints and even then will ask the offending party what they are going to do about it. There will be no immediate prosectution, so that gives time for things to settle down and some precedents to be set. They have also said that the first issue will be cookies that contain personal information, they do not seem to be too worried, at least at the moment, about neutral cookies that do not particularly identify people or thier habits.

5. You would be well advised to ensure your sign up agreement covers the new law which covers new subscribers, but it does not cover existing ones. The UK ruling based on the EU directive is that you must seek positive approval, it is not enough just to change your terms and conditions, even if you advise people of the change, you must get their positive approval of the change. Opt Out is no longer a possibility in the EU it is now all Opt In.

6. I have a subscriber base of over 4000 people, obviously postive opt in can only be carried out automatically. I already have utilities which clean the database and remove people, I will be working on these to change them to require everyone to verify their membership of the list on a postive response basis.

7. I am still not convinced that this will meet the letter of the law, though it will probably meet the intent of the law which is to control third party (intrusive cookies. At the end of the day it will probably not matter what the law says, but what the ICO do to police it. It could take years to find that out.

8. It may no longer be possible to allow indefinite log in and log in will have to be restricted to current session only. Together with the removal of any cookie use prior to log in. Whether the SMF team will take this on board I do not know.

9. Users of the forum are perhaps the least worry as they are unlikely to complain about use of cookies on the site, the complaints will come from those who are not members and who do not understand cookies. Warnings may need to be placed, certainly in the joining terms and conditions and the on site privacy statement (also required by EU directives, but not always there).

10. Forget Google Analytics, unless you are willing to pop up an agreement panel every time a person visits your site they contravene the UK law, they do not necessarily contravene other EU country law as some have taken a more relaxed approach than the UK big brother. We may find the big guns going into battle on this Google, Facebook and many others have a lot to lose here.

John

1- BS and unsupportable
2- yup
3- it is required by SMF. There is no other way to deal with user sessions.

in short...  it's all BS and is not defensible or enforceable.

So I'm thinking change the terms and conditions to say you must accept we use a cookie,  If they don't accept then they can't join.  New members will see the new terms and press the button to accept - that's all you need for new members as it's direct acceptance.

And I was thinking to start a simple thread for active members to voice their acceptance.  Also sending a newsletter to each member that they must accept in the thread.  Anyone who does not accept has their membership deleted.   If they want to come back weeks later then they get the new terms and conditions.

Can anyone tell me what details the SMF Cookie holds ?  Is it just the username and password ?  Or is there anything else ?

I think this is directed at the big boys that provide "free" services like Google's Analytics, Chrome, and Search for example and gather huge amounts of very specific user behavior information. I doubt SMF needs to worry.

QuoteCan anyone tell me what details the SMF Cookie holds ?  Is it just the username and password ?  Or is there anything else ?

The user id, a hashed password which is then hashed again with a salt, and the time you logged in.

Thanks :)

But yes, aimed at the big boys for sure and the abusers of useful technology.

Aimed at the big boys...maybe, well intentioned .... perhaps, will it affect how we operate in future... almost certainly. There is no doubt the active rights elements will step on the bandwagon after 26th, they have already had some success in other areas, forcing the big boys to change their ways. The effect of this new law should not be underestimated. It may well take several years for it to become an issue, but become an issue it will. You can already get instant fines for speeding, how about instant fines for using cookies, wild theory or possibility I do not know, if it becomes an easy target for revenue (hidden taxation) then it will happen. It would not be totally impossible under the new law to require ISP's to report those using cookies.
Although the ICO has stated they may not take action at first, this may be taken out of thier hands, they must by law implement the law and if they do not then they and those that have websites using cookies could be taken to the EU courts, who would have no alternative but to apply the EU directive. There is no such thing as EU law, only directives, so they would apply the law of the country in which the offence took place.
I don't think there is cause for instant concern, but I certainly will have a plan in place to meet the law, how this will effect applications like SMF I do not know. From the 26th use of SMF in Europe may break the law, in UK at least it depends whether you can convince the ICO that such cookies are 'strictly necessary' for the operation of the site. whether that is immediate cause for concern I do not know, it will take time for rulings to come down in this regard and at the moment there is no clear guidance.

As far as I understood, this law only applies to tracking cookies... Cookies that check where you have been on the internet, what you have been doing there, etc.

This does not apply for normal cookies to save your login and that kind of thing o0

On a sidenote, the SMF servers are in the United States. The European laws do not apply.

The law applies to all cookies (at least the UK law does other countries have a slightly less rigid interpretation of the directive), it also prohibits interrogating for cookies, not only placing cookies, without the express permission of the user. The only exception is for cookies that are 'strictly necessary' to the operation of the website. Though there are some guidelines on this there is no definition of 'strictly necessay' so it is not yet clear whether interrogating every visitor to see if they have a cookie set, or placing a session cookie prior to log in is legal. The only thing you can currently rely on is that shop cookies are OK provided they are not used until after the customer has logged in and there must be a clear warning on the log in page.
The law applies to where the website is used or controlled, not to where it is hosted, though how they would implement anything for non EU hosts sites I do not know, but there are ways and Google in Germany have already found out there are ways. You currently risk a $75,000 fine for using Google Analytics in Germany.
The UK law provides for a fine of up to $750,000 for the use of 'intrusive' cookies (again no definition) and ISP's are required by law to advice the ICO where they are being used. Of course what the law says and what happens may be two different things, but it will take a while before any guidelines become definitive.

Yeah if you host your SMF website in Europe, it could affect the owner of the website.
However, SMF does not store any intrusive cookies or cookies that track what you are doing on the internet.

The cookies stored for login *are* stricly necesarry.
This law wont cause trouble for something like this.

Quote
The law applies to where the website is used or controlled, not to where it is hosted

That is not true. If people from Europe visit our website and we would store tracking cookies on their computer, they cant do anything about it as long as it is legal in the united states.
The European laws do not apply to us in the United States, same as the DMCA (as example) does not extend beyond the borders of the USA...
*IF* we would store such cookies and someone from Europe (where it is illegal) would visit our website we cannot be punished nor would we be doing anything that's against the law. Servers in the US, the US laws apply. Not the laws of another continent or country.

I agree that in the case of the SMF site provided it is hosted outside the EU and you have no presence in the EU then you 'may be' exempt and possibly are. Germany has shown that not to be the case as far as they are concerned.
However if your website has any connection with the EU by way of hosting or by way of any data being controlled from the EU, then it is subject to the laws.
So whilst it may not affect SMF directly, it will affect all users of the SMF software if they are based in the EU.
Your definition on 'strictly necessary'  but it has not yet been shown whether this will be the opinion of the UK regulatory body. Whilst a cookie after log in can be shown to be 'strictly necessary' a cookie prior to log in as used by nearly all, if not all forums, shops etc may not be legal. Time will tell.
Note it applies to ALL cookies, it does not matter if they are tracking, intrusive or contain no data at all they require advance opt in permission to be used unless they are 'strictly necessary'.
I don't think this is the place to discuss EU - USA law, suffice it to say that laws are in place that can make a US citizen liable for offences in the EU and liable to extradition, and vice versa, it has already been used against hackers and other offenders. The DCMA is enforceable in the EU even though a US law. Though I doubt a cookie would result in that kind of action.

Quote from: JohnS on May 25, 2011, 08:00:51 AM
The law applies to all cookies (at least the UK law does other countries have a slightly less rigid interpretation of the directive), it also prohibits interrogating for cookies, not only placing cookies, without the express permission of the user.

That's funny wording since there is no "interrogation" as browsers broadcast the cookie contents willingly.

Quote from: JohnS on May 25, 2011, 08:00:51 AM
The only exception is for cookies that are 'strictly necessary' to the operation of the website.

The SMF software will not work properly without the cookie it uses. You will not be able to stay logged in while browsing. I would say that it is quite necessary for the operation of the software.

Do you have a link to the UK law? Last I checked on the directive, it was for 3rd-party cookies only, as I noted earlier in the topic. If the UK has gone beyond that and is also enforcing against first-party cookies, that would be quite interesting.

BTW:
http://www.bbc.co.uk/news/technology-13541250
http://allthingsd.com/20110524/eat-your-cookies-eu-privacy-directive-takes-effect-wednesday/
http://www.thedrum.co.uk/news/2011/05/25/21754-advice-for-brands-about-new-eu-cookies-directive/
http://www.ico.gov.uk/~/media/documents/pressreleases/2011/enforcement_cookies_rules_news_release_20110525.pdf

It ONLY covers "intrusive" cookies and is designed to protect personal identifiable information. Username and hashed password would not count...



However, it is fairly clear that US-based websites are free to ignore this...
except for:
http://blogs.wsj.com/digits/2011/05/24/california-privacy-politics-makes-strange-bedfellows-facebook-and-google/
http://info.sen.ca.gov/cgi-bin/postquery?bill_number=sb_761&sess=CUR&house=B&site=sen
but it's not quite the same...

The full law is at http://www.legislation.gov.uk/uksi/2003/2426/contents/made

The relevant part is regulation 6.

Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR):
6 (1) Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal
equipment--
(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Whilst browsers my broadcast the cookies, the law makes it illegal to look at them without prior permission. As you can see the law applies to much more than cookies and it is very generic it does not differentiate between first and third party cookies. Each country will have its own interpretation, some are much looser than the UK one.
This is what happens when bureaucrats try and implement technical solution.

Edit: Just to make it clear the extract above is the ruling from 26th May, the on line law still contains the old version which is not quite so tight.

Quote
I agree that in the case of the SMF site provided it is hosted outside the EU and you have no presence in the EU then you 'may be' exempt and possibly are. Germany has shown that not to be the case as far as they are concerned.

Not possibly, certainly.
And what Germany is or is not concerned about is not our problem. They cant force their laws upon another country.

Quote
I don't think this is the place to discuss EU - USA law, suffice it to say that laws are in place that can make a US citizen liable for offences in the EU and liable to extradition, and vice versa, it has already been used against hackers and other offenders

This is a different situation. For example, in the Netherlands it is allowed to download music for your own use. It is illegal to upload it. But for downloading, it is legal. The US law cannot prosecute a person living in NL for download music, nor can they ask for extradition as the person is simply not doing anything wrong by law. It's not like you are comitting a murder. (Although the music industry wants it to be that way, lol)
A hacker with intent to destroy something is illegal in Europe aswell, hence the possibility to get prosecuted.

Quote
The DCMA is enforceable in the EU even though a US law

It is not. We have different types of laws and procedures, the DMCA law does not apply to anyone in Europe. It is a US law, not a EU law. Different country's, different laws. Simple as that.

CoreISP>> I think we will have to agree to disagree! There is no doubt that the Netherlands Law although based on the same directive is different to the UK Law. In addition the USA and UK have bilateral agreements in place that extend jurisdiction so in some cases it can be different countries same laws. Though meant for the big bad boys and unlikely to be used against the odd cookie, they do exist. Best wishes.

Just to update this, if anyone is interested I have a re-validation scheme that forces all current users to revalidate accepting new terms and conditions. The code is not what I would call a totally user friendly release, but it is functional with a little care or php knowledge. If there is demand I could consider tidying it all up.
John

Has anyone actually seen any sites that have explicitly asked for approval to use cookies yet.  I have not seen one yet myself, but hang on to that code ;)

I think, understandably, that there is a lot of confusion surrounding these laws (ie the European cookie law, as implemented variously by different European states).

From a UK perspective, I believe that we are actually already subject to the new law. The government has chosen, however, to allow a one year grace period (which we are currently part way through), during which time webmasters should be able to show (if challenged) that they are making demonstrable efforts towards implementing changes to their website(s) such that they will be fully compliant with the law by the time the grace period ends.

Also, I think that discussions about adding a permission statement within a forum's registration Ts and Cs are, with respect, missing the point. It's my belief that the law (as implemented in the UK) requires a user to be given the opportunity to opt out of cookie use at the very moment that they arrive on your site. This applies regardless of whether they are an existing forum member or just an unregistered visitor who is passing through (and wishes to read some of the forum posts before they leave, but has no intention of registering and no need to read your Ts and Cs).

As the enforcer of this law in the UK, the Information Commissioner's Office has implemented a pop-up permission box that appears as soon as you arrive on their site: www. ico. gov. uk (remove spaces).

I have various projects for which I want to use forum software. With the clock ticking down on the grace period, it's imperative for me that whatever forum I use includes an admin option that triggers an automatic permission gatherer like the one on the ICO's site. It also, obviously, needs to allow the user to either continue using the site without cookies (with restricted functionality, if necessary, like not being able to join) and that spells out what any "strictly necessary" cookies are used for and how.

I don't agree any forum can claim it's "strictly necessary" to use cookies because they're needed for logging in - purely and simply because not everyone wants to log in.

As, presumably, a US-based project, I don't know whether Simple Machines is prepared to add this kind of functionality. If not, they will be severely restricting their market as far as law-abiding UK and European webmasters are concerned. In the long run, I could easily see how a lack of interest / willingness to address this issue could easily lead to SM getting a bad reputation and even to forum publishers suffering quality score penalties in natural search rankings.

Sorry, Jonathan, but I disagree with your interpretation of the need for such an intrusive "warning".

Jonathan
I think there are differing views on the new law and there is no doubt the UK version is much more restrictive than any other country. But I believe you are spot on with your statements.
I do not believe that SMF in its current form can be totally compliant, it would require a permission prompt prior to setting or interrogating any cookie to be fully compliant. But it does depend on how 'essential for the site operation' is defined and only time will tell on that. My view is that all the cookies initiated by SMF are not strictly necessary, the only one that can be strictly necessary would be the one that shows you have registered. It could be said in fact that there is no way you can now legally operate a website because of this law (it is not just cookies but no information at all can be read without prior permission, so technically reading the HTTP headers is not allowed).
For my own part I have modified the scripts so that all registered users are forced through a re-registration page where they can read the new terms and conditions, I believe this is adequate for the moment, however like you I would like to see the option for all visitors to the site to accept or reject cookies and not be able to use the forum unless they agree to cookies and no cookie to be set before they agree. This is something I will look into later though there is no doubt it is a major task.
But for the moment I think that forcing all users to re-register under new terms displays the intent to comply, but further work may be needed, once guidelines have been set by the ICO, to ensure full compliance.
I have already removed Google tracking and other third party cookies from my web pages as they are definitely non compliant.
I can only hope that the ICO will issue some better guidelines on this law. If nothing comes out by the end of the year I will definitely be contacting them.

Quote from: Kindred on September 22, 2011, 10:38:53 AM
Sorry, Jonathan, but I disagree with your interpretation of the need for such an intrusive "warning".

Whilst I respect your opinion, I can only point out that the example I offered (ico.gov.uk) doesn't illustrate my interpretation that such an intrusive warning is needed, rather it is evidence of how the body that defines and polices this law within the UK interprets it. And for UK webmasters, it is the ICO's view (not mine, not yours) that counts.

We can dislike this as much as we want, but it won't change the facts. This is simply what an active opt-in looks like.

The ICO is practicing (and providing a practical example for others of how to comply with) what the UK has decided the new law requires. In the absence of further guidelines, this can and must surely be regarded as the template that we should all be busy preparing to follow.

It is interesting that the ICO on thier website are setting two cookies without permission saying they are essential to the site operation. They are setting __utma and __utmz which are Google tracking cookies. I would have hardly thought they are 'Essential to the operation of the website'.

Quote from: JohnS on September 22, 2011, 11:45:06 AM
Jonathan
...For my own part I have modified the scripts so that all registered users are forced through a re-registration page where they can read the new terms and conditions, I believe this is adequate for the moment, however like you I would like to see the option for all visitors to the site to accept or reject cookies and not be able to use the forum unless they agree to cookies and no cookie to be set before they agree. This is something I will look into later though there is no doubt it is a major task...

It sounds like you're making excellent progress, John. The obvious problem with waiting for further guidance is that if / when it comes at all, it may come too late to allow sufficient time for all of the necessary and very time-consuming recoding, testing, rolling out, etc that needs to happen before the grace period runs out.

In an ideal world (and I do appreciate the work this would entail), publishers of forum, blogging and other template-based software packages should already be preparing, testing and rolling out a new "cookie permissions" menu / module, which gives webmasters choices from a range of options (eg full "belt and braces" / highly intrusive, medium intrusion, low intrusion). This kind of approach would help to enable publishers across different European jurisdictions to choose whatever they feel best fits with their own local laws and also their personal comfort factor in complying with them or pushing their luck.

Quote from: JohnS on September 23, 2011, 11:47:35 AM
It is interesting that the ICO on thier website are setting two cookies without permission saying they are essential to the site operation. They are setting __utma and __utmz which are Google tracking cookies. I would have hardly thought they are 'Essential to the operation of the website'.

Perhaps they're experimenting a little. I understand they lost 90% of their Google Analytics tracking data upon introducing the opt-in. Cue the sound of chickens roosting.

The only cookie SMF itself sets is also "essential to the operation" of the software. Namely, it contains session information that enables SMF to function and remember where a user is. When a user is logged in, their account identifier is also stored so that nice things like tracking what has already been viewed will work.

So, yes, to implement a strict opt-in, you would need to have a special page outside SMF that basically asks if the person would like to continue.

Sorry to revive this but since the company I work for is now implementing things on their website to cater for this law it peaked my interest again. Interesting to see the ongoing debate after my initial post albeit somewhat dismayed at the response from the SMF guys concentrating more on arguing whether this applies to them in the US.

I agree it is our responsibility to ensure our websites are legal, but surely SMF could do something to help us to make it so within the framework?

The accepted T's & C's would cover it I think as long as the website places no cookies at all prior to registration but I get the impression that it does.

How hard would it be for the SMF guys to code an admin option to display a warning message similar to that the ICO have used (presumably as an example of what they see as the best way to deal with this)? It can be switched off by default and it would be the responsibility of the installing admin to switch it on if appropriate? I can't imagine it would be a huge piece of work (or even for someone to write a mod for) with the appropriate skill level.

The cookies the ICO are interested in are not just the tracking cookies - see the text from their PDF on the subject:

QuoteSession and persistent cookies
Cookies can expire at the end of a browser session (from when a user opens the browser window to when they exit the browser) or they can be stored for longer. The Regulations apply to both types of cookies:

Session cookies – allow websites to link the actions of a user during a browser session. They may be used for a variety of purposes such as Version 2 4
13 December 2011
remembering what a user has put in their shopping basket as they browse around a site. They could also be used for security when a user is accessing internet banking or to facilitate use of webmail. These session cookies expire after a browser session so would not be stored longer term. For this reason session cookies may sometimes be considered less privacy intrusive than persistent cookies.

Persistent cookies – are stored on a user's device in between browser sessions which allows the preferences or actions of the user across a site (or in some cases across different websites) to be remembered. Persistent cookies may be used for a variety of purposes including remembering users' preferences and choices when using a site or to target advertising.

First and third party cookies – Whether a cookie is 'first' or 'third' party refers to the website or domain placing the cookie. First party cookies in basic terms are cookies set by a website visited by the user - the website displayed in the URL window. Third party cookies are cookies that are set by a domain other than the one being visited by the user. If a user visits a website and a separate company sets a cookie through that website this would be a third party cookie.

Its not just a cookie law, it is the 'The Privacy and Electronic Communications Regulations'  which  cover all sorts of aspects of electronic communications including advertising emails,  location data and lot of other items. Any web site owner in Europe needs to be familiar with the regulations applying to thier country, whilst there is a common EU  Directive, each country implements laws in  a different way.
These Regulations are separate to the Data Privacy Regulations which you also need to  be familiar with, most forums break the data privacy act in one way or another. Also if you take money in any form there are a host of other regulations that you need to be aware of.
Why to the EU make Directives.... my opinion would probably make me liable for something, lets just say its a benefit of being in the EU!!!!!
In theory it is to protect the privacy of individuals, cookies can track them and identify what they are doing right down to what was on thier last shopping list. Now you can not do this unless you have specific prior approval from them. But what may be a reasonable idea gets hashed by the lawmakers who have no idea of technology into a law that is unworkable.

Quote from: Insight on March 13, 2012, 09:42:50 AM
Sorry to revive this but since the company I work for is now implementing things on their website to cater for this law it peaked my interest again. Interesting to see the ongoing debate after my initial post albeit somewhat dismayed at the response from the SMF guys concentrating more on arguing whether this applies to them in the US.

Well yes it does apply if they have visitors to their sites from the European Union. Furthermore a similar law is likely to be enacted federally in the US following discussions between the EU and US on this very issue.

The important thing to understand is that this law requires site visitors to explicitly "opt-in" to allow the storage of cookies and no cookie can be stored otherwise. The law also requires site owners to inform visitors the names, origins, purposes and full details of the information stored for each and every cookie likely to be stored on visitors' computers, regardless of whether they are first-party or third-party cookies.

All European Union member nations are required to enact local legislation to encompass the provisions of the EU Directive known as "The Privacy and Electronic Communications Regulations" and, so far, the UK, Denmark and Latvia have such statutes. In the UK, the law comes into effect next month and it will be enforced by the Information Commissioner who has published information about the  "cookie law" here (http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx).

As I have said, visitors must explicitly allow the use of cookies and if visitors do not allow that site to place cookies and one (or more) cookies is essential for that site's operation, then further navigation on that site can be denied to that visitor. You can see that in operation on the Information Commissioner's own web site (http://www.ico.gov.uk/).

The fine for non-compliance or violation is eye-wateringly high: $750,000 (£500,000) so the "head in the sand" approach by some is not helpful.

It matters not if there's currently no legislation in a given EU nation, so, for example, if a site hosted in (say) Germany doesn't obtain an "opt-in" for cookie storage and a visitor from the UK feels sufficiently aggrieved, he can report the matter to the ICO who then takes up the matter with his German counterpart and that site could then be fined under the Directive.

Quote from: JohnS on March 31, 2012, 03:37:55 AM
Its not just a cookie law, it is the 'The Privacy and Electronic Communications Regulations'  which  cover all sorts of aspects of electronic communications including advertising emails,  location data and lot of other items. Any web site owner in Europe needs to be familiar with the regulations applying to thier country, whilst there is a common EU  Directive, each country implements laws in  a different way.
These Regulations are separate to the Data Privacy Regulations which you also need to  be familiar with, most forums break the data privacy act in one way or another. Also if you take money in any form there are a host of other regulations that you need to be aware of.
Why to the EU make Directives.... my opinion would probably make me liable for something, lets just say its a benefit of being in the EU!!!!!
In theory it is to protect the privacy of individuals, cookies can track them and identify what they are doing right down to what was on thier last shopping list. Now you can not do this unless you have specific prior approval from them. But what may be a reasonable idea gets hashed by the lawmakers who have no idea of technology into a law that is unworkable.

As far as UK-hosted Forums are concerned, the standard information collected and stored about members is currently not covered by the Data Protection Act - by "standard information" I mean user name, email address and IP Address. As to other personal information supplied by members, that is readily accessible to them and they are free to modify or remove that information at any time. So I'd suggest that (UK-based) Forum operators need not worry too much about the DPA.

The only possible infringement would occur in the case of banned members who had supplied personal information in addition to their user name, email address and IP Address(es). It would be prudent for Admins to delete that additional information when banning a member. (In fact, I don't know why this isn't automatically done by the core software since the US also has Data Protection laws.)

There's a big difference between the scope of the Data Protection Act and PECR and it is this: A member living outside the UK is not covered by the Data Protection Act for information held about him on a UK site. But any member living within the EU is covered by PECR whether or not his country's government has enacted that Directive and since the UK (Denmark and Latvia) have, site owners in those three countries can be held liable for violations reported by (site) members resident in other EU nations. It won't be too long before the US, Australia and New Zealand enact similar legislation.

I am not a lawyer and can not give a legal opinion but do not believe some of your statements to be correct. If you hold data on someone that personally identifies them in any way, no matter how you hold that data, you have to observe the Data Protection Act. Depending on who you are and what you are doing you may not have to register with the commissioner and have an appointed data controller, but you still must observe the laws of the DPA.
With the DPA it is not a question of where the person resides it is a question of where the information is held and where the data controller is located. I suspect some forum's (or is that fora) would not qualify for the exemptions from the registration required by the DPA. I would  suggest the UK based operators should either ensure they do qualify for the exemptions from registration (there is a check list on the ICO site) or they should register as a data controller. But even  if you do qualify for exemption from registration you must still observe the DPA requirements.

The PECR covers the collection of ANY information from the users computer without the prior approval of the owner. So if the user supplies that information by for example filling in an application form, that covers you for the DPA provided the wording is correct. But unless you get thier permission to set or interrogate a cookie before that cookie is set, you do not meet the PECR. This is where SMF has a problem. Even if you are guest, a tracking cookie is set without the user being aware of it. I doubt you could argue the cookie is 'essential' and no warning of that cookie is given. It could be argued that even looking to see whether a cookie has been set is a breach of the PECR.

To me there seems to be little point in banning a user, they will just register again under a different name anyway, I just remove accounts completely.

The information I posted is a combination of my own research combined with that of a Forum software developer based in the UK coupled with legal advice from a London Solicitor. Currently the Data Protection Act permits sites to hold basic information (the user name, email address and IP Address) without the need for that site to register as a Data Controller. But there are two caveats: sites frequently hold other personal information voluntarily supplied by members - which they can add/edit/remove at will. Storing information may well require the site to register as a Data Controller but neither of us (who've researched this) can find any evidence of Forum sites being investigated or action by ICO taken against them; the law is untested therefore. The second caveat is that privacy laws across Europe are being strengthened so what is permissable today, may not be so tomorrow. And, of course, if the ICO is asked to investigate a site that has allegedly flouted the "Cookie Law" there's the risk that the Information Commissioner may look for other violations.

All the foregoing relates to sites that do not offer mailing lists, make personal information available to third-parties or sell personal information to advertisers. That's a whole different ballgame.

Quote from: JohnS on April 20, 2012, 04:57:10 AM
The PECR covers the collection of ANY information from the users computer without the prior approval of the owner. So if the user supplies that information by for example filling in an application form, that covers you for the DPA provided the wording is correct. But unless you get thier permission to set or interrogate a cookie before that cookie is set, you do not meet the PECR. This is where SMF has a problem. Even if you are guest, a tracking cookie is set without the user being aware of it. I doubt you could argue the cookie is 'essential' and no warning of that cookie is given. It could be argued that even looking to see whether a cookie has been set is a breach of the PECR.

I agree and SMF has been aware of this legislation for a year and during that time has released at least one update. But no provision has been made to accommodate PECR's requirements - why? Because SMF is US-based and the law doesn't apply to them appears to be the reason. Worse than that, the software flouts PECR by virtue of the fact that it doesn't remove its expired session cookies. Also, when a member visits a SMF-powered site, he immediately gets a visitors' session cookie (PHPSESSID) which should be deleted when the full member's cookie is set. But it isn't!

What I find rather disconcerting is the seeming lack of interest in this whole issue on the part of anyone at SMF - one that affects a rather large group. But they are not alone: the same situation pertains amongst its competitors too.

There are a  number of issues and as said these largely remain untested in legal terms, but that does not grant permission for anyone to flout the law on the basis they may not get caught.

I would imagine a large number of forum operators have absolutely no idea of the technical implications of running a forum. Or what the various add ons can do to the way the forum works.

With the DPA it is not so much what information you hold but what you use it for. No one is exempt from the DPA but may not have to register. But for example if you advertise on your site that could mean the difference between not having to register and having to register, but there are no clear cut lines and you have to work it out for each case.

At the end of the day SMF is free software and you either take it and use it or not. Requests can be made for modifications, but whether these will be done depends on the developers, thier time and the percieved requirement for the changes. If the majority of developers or users do not fall under the EU directives then I can see why there is no urgency to make changes.

The session cookie is just that and expires at the end of the session (when the browser is closed) and is deleted, so I can not really see why it needs to be specifically deleted. Though there should be some warning before it is set in the first place for guests. I am looking at ways round this, but it is proving tricky.I have already made the necessary changes for registred users, but the problem is the guest visitors.

Cookie Laws ???  ...sorry someone had to do it

Well it is a bit of a Monster....

Quote from: CircleDock on April 20, 2012, 06:03:53 AM
Also, when a member visits a SMF-powered site, he immediately gets a visitors' session cookie (PHPSESSID) which should be deleted when the full member's cookie is set. But it isn't!

It can't be deleted, not without causing a lot of trouble. Any software that uses PHP's session system will have a cookie of that name (or whatever name is defined in the PHP configuration). This cookie is how PHP retrieves the system state information for the user when it loads. The PHP session cookie defaults to only be active for the status of the session. When you close the browser, it is erased.

The SMF-set cookie only exists when a user has logged into an account. The expiration is set to the time chosen on login. If "Forever" is selected, the cookie is set with a 6 year expiration.

Quote from: CircleDock on April 20, 2012, 06:03:53 AM
What I find rather disconcerting is the seeming lack of interest in this whole issue on the part of anyone at SMF - one that affects a rather large group. But they are not alone: the same situation pertains amongst its competitors too.

With SMF's behavior, I think it might be okay. In the UK wording, Regulation 6, section 4 says:

Quote
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Sub-section "a" should allow the default PHPSESSID cookie, as it's used only for carrying out the communication requested by the user. The SMF cookie should also be allowed unde sub-section "b" as it is created only on the login of a user account (a "request") and is necessary to "provision" the forum service for that user.

Note that this covers only the SMF software itself. Adding various modifications, services, or advertising  will of course change things. Of course, the people who provide the SMF software really have no influence over cookies set or other information stored due to modifications of the SMF software or due to the environment in which the SMF software is used.


Of course, that's my non-legal review. If you want a real opinion, consult a lawyer. In fact, if you're going to push for mechanisms that would probably cause SMF to be broken to satisfy an ill-defined regulation, you should probably provide the opinion based on a specific review of SMF from a learned legal mind.

My opinions and words are my own. I do not speak for the organization, the software team (I'm no longer part of the project team), or any other person here. I am not a lawyer. Follow the above advice at your own risk.

Quote from: 青山 素子 on April 20, 2012, 12:32:13 PM

Quote from: CircleDock on April 20, 2012, 06:03:53 AM
Also, when a member visits a SMF-powered site, he immediately gets a visitors' session cookie (PHPSESSID) which should be deleted when the full member's cookie is set. But it isn't!

It can't be deleted, not without causing a lot of trouble. Any software that uses PHP's session system will have a cookie of that name (or whatever name is defined in the PHP configuration). This cookie is how PHP retrieves the system state information for the user when it loads. The PHP session cookie defaults to only be active for the status of the session. When you close the browser, it is erased.

Except that it isn't!

QuoteThe SMF-set cookie only exists when a user has logged into an account. The expiration is set to the time chosen on login. If "Forever" is selected, the cookie is set with a 6 year expiration.

I believe it's actually 3 years :)

Quote

Quote from: CircleDock on April 20, 2012, 06:03:53 AM
What I find rather disconcerting is the seeming lack of interest in this whole issue on the part of anyone at SMF - one that affects a rather large group. But they are not alone: the same situation pertains amongst its competitors too.

With SMF's behavior, I think it might be okay. In the UK wording, Regulation 6, section 4 says:

Quote
(4) Paragraph (1) shall not apply to the technical storage of, or access to, information -

(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

Sub-section "a" should allow the default PHPSESSID cookie, as it's used only for carrying out the communication requested by the user. The SMF cookie should also be allowed unde sub-section "b" as it is created only on the login of a user account (a "request") and is necessary to "provision" the forum service for that user.

You appear to have quoted from PECR but PECR itself is not being enacted in European Union countries. The Directive requires member states to enact legislation that takes PECR as a minimum framework. The UK (and, I understand, Denmark) have legislation in place that states that a web site may not place ANY cookie on a visitor's PC without getting that visitor's expressed permission beforehand. In addition, the web site must have a page that details each and every cookie, its origin, the information it contains and its use. It is entirely possible that the UK implementation will be the minimum adopted by other EU nations since, under UK law, only a single opt-in to cover all cookies is required. Other countries may require either separate opt-ins for first and third party cookies or an opt-in for each and every cookie.

That SMF's cookies are necessary is actually completely irrelevant. The visitor must agree to them being placed. Of course if he declines, then further navigation of the site is unachievable - take a look at ico.gov.uk where that is exactly what happens.

So in respect of its two cookies, SMF does have an important part to play.

QuoteNote that this covers only the SMF software itself. Adding various modifications, services, or advertising  will of course change things. Of course, the people who provide the SMF software really have no influence over cookies set or other information stored due to modifications of the SMF software or due to the environment in which the SMF software is used.

I agree and for that very reason I have had to remove Google Analytics from my UK-hosted Forum.

QuoteOf course, that's my non-legal review. If you want a real opinion, consult a lawyer. In fact, if you're going to push for mechanisms that would probably cause SMF to be broken to satisfy an ill-defined regulation, you should probably provide the opinion based on a specific review of SMF from a learned legal mind.

I have consulted a lawyer and indeed much of what I have written in this topic is based on advice I have received. As for it being ill-defined, I beg to differ. The applicable law in the UK has been on the Statute books for 11 months and is clearly explained in layman's terms on the Information Commissioner's web site (ico.gov.uk) and has been mentioned in at least 2 other topics on this web site. The problem is that because this is not part of US law, there is no interest in making the software compliant.

I can not give a legal opinion, in fact I am not sure at the present time that even a lawyer can until there is some case law to give precedent. However from informed reading I beleive it is the purpose of the cookie that can define whether or not prior permission is required.
At first glance para 4a could seem to apply, but this session cookie is not essential to the carrying of information over a network. Secondly one purpose of this session cookie is to track the user and provide statistics, this definitely requires prior approval, the only reason you need a PHP session cookie is for tracking purposes.
The main member cookie is easier to define, prior to 26th May you should log out everyone, put a disclaimer and link to your cookie policies next to the log in box, and that will meet the requirements for that cookie. But not for the session cookie.
What I am expermenting with is to look for the main member cookie before the session cookie is set and if there is not one then take put up a bar at the top of the screen advising about cookies. There does seem to be some leeway in when you can advise about a cookie, it seems ideally you should ask before setting it, but you may, and I emphasise may, get away with advice provided it is given as early as possible in the chain of events. But there is no doubt the regulations require you to tell people you are setting cookies whatever they are.
I am pretty sure it will require a complaint to initiate anything, i doubt the ICO will be sending out web robots to look at all sites. But I am not sure i would wnat to hide behind that.
The disclaimer of course... use any of the above at your own risk.

Quote from: JohnS on April 20, 2012, 01:27:04 PM
I can not give a legal opinion, in fact I am not sure at the present time that even a lawyer can until there is some case law to give precedent. However from informed reading I beleive it is the purpose of the cookie that can define whether or not prior permission is required.
At first glance para 4a could seem to apply, but this session cookie is not essential to the carrying of information over a network. Secondly one purpose of this session cookie is to track the user and provide statistics, this definitely requires prior approval, the only reason you need a PHP session cookie is for tracking purposes.
The main member cookie is easier to define, prior to 26th May you should log out everyone, put a disclaimer and link to your cookie policies next to the log in box, and that will meet the requirements for that cookie. But not for the session cookie.
What I am expermenting with is to look for the main member cookie before the session cookie is set and if there is not one then take put up a bar at the top of the screen advising about cookies. There does seem to be some leeway in when you can advise about a cookie, it seems ideally you should ask before setting it, but you may, and I emphasise may, get away with advice provided it is given as early as possible in the chain of events. But there is no doubt the regulations require you to tell people you are setting cookies whatever they are.
I am pretty sure it will require a complaint to initiate anything, i doubt the ICO will be sending out web robots to look at all sites. But I am not sure i would wnat to hide behind that.
The disclaimer of course... use any of the above at your own risk.

I wish that were true, but I'm afraid it's simply isn't. You must obtain opt-in consent before setting any cookie. That advice is on the ICO web site and is exactly what a senior member of his staff advised my solicitor.

Im keeping a keen eye on this issue to.

Just to assist the thread - I've attached the ICO guidance document which is a bit more layman than the actual regulation itself.

Do these bungling bunch of euro braindeads realise the wider implications of this totally useless time wasting piece of ****** law?  There is so much I could say here but will refrain because this forum is for all ages and users.. The amount of small businesses that may be destroyed overnight will only serve to add to the recession and further set us all back when it comes to recovery and prosperity. We are all the accused until proven innocent and have the right to privacy unless its a massive company like Google spy network ,Murdoch phone tapping department or the UK gov and their new bill they should all be shot for even dreaming up.

Im sick to death of laws to protect us really an excuse to spy on every single person without need for a warrant or any kind of permission. This cookie law is a joke, cookies are what makes the net work and without them it will make the storage of basic information toward the user experience a right pain in the ass to implement. I can simply block cookies from sites I dont want to be stored and maybe the idiots should have just learnt people that instead of making a big song and dance causing how much lost revenue?

I pray there is a revolt soon because were sleepwalking into a control state with a world government that dictates everything to us and we subserve and obey....

Your right - its total BS... but working together we can solve this.

From the ICO page http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx:

Quote
The Regulations specify that service providers should not have to provide the information and obtain consent where that device is to be used:

    for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
    where such storage or access is strictly necessary to provide an information society service requested by the subscriber or user.

If you want to be extra safe, what you'll have to do is this:

• Move your forum to a sub-directory
• Put up an entrance page advising of the cookies that will be set.
• Make a small change on the main SMF index page redirecting anyone who doesn't have an "opt in" cookie set to the entrance page.
• Require a click-through to get to the new forum location, setting a cookie (which was disclosed on that page!) to prevent SMF from kicking them out.

If you put the check right at the start of the SMF execution path, that should avoid a PHP session from being started.

Oh, this solution also prevents search engines from indexing anything since SMF now requires an "opt in" cookie to even show.

I think that would legally work, although it would probably destroy your site since you wouldn't have any results in search so you'd only get new visitors via direct referral.

Quote from: CircleDock on April 20, 2012, 01:24:08 PM

Quote from: 青山 素子 on April 20, 2012, 12:32:13 PM
The PHP session cookie defaults to only be active for the status of the session. When you close the browser, it is erased.

Except that it isn't!

You must have an odd browser or non-default behavior. I just logged onto an SMF forum I manage. Here are the two cookies set and their expirations:

PHPSESSID: End of session
SMFCookie???: Thur 19 April 2018

Quote from: CircleDock on April 20, 2012, 01:24:08 PM

QuoteThe SMF-set cookie only exists when a user has logged into an account. The expiration is set to the time chosen on login. If "Forever" is selected, the cookie is set with a 6 year expiration.

I believe it's actually 3 years :)

See above. I'm not sure if older versions used a shorter one, but 6 years appears to be the default for 2.0.2.

Quote from: CircleDock on April 20, 2012, 01:24:08 PM
That SMF's cookies are necessary is actually completely irrelevant. The visitor must agree to them being placed. Of course if he declines, then further navigation of the site is unachievable - take a look at ico.gov.uk where that is exactly what happens.

Oddly, I don't get that. Apparently they don't care if you're from the US. They must be doing IP-based location.

Quote from: CircleDock on April 20, 2012, 01:24:08 PM
The problem is that because this is not part of US law, there is no interest in making the software compliant.

I think the larger problem is that the law basically makes it near impossible for something like a discussion forum to properly function. That and the fact that there is a lot of confusion over what actually needs to be done, especially like how you mentioned needing opt-in for each individual cookie vs blanket-opt-in depending on country.

@CircleDock

QuoteI wish that were true, but I'm afraid it's simply isn't. You must obtain opt-in consent before setting any cookie. That advice is on the ICO web site and is exactly what a senior member of his staff advised my solicitor.

I agree you have no control over cookies already set and I am not sure how the law treats cookies that were set before the law became effective. But if you log out everyone they must log in again and in doing so will set a new cookie. If there is a notice about cookies at the log in point then I believe you have effectively met the requirements of the law, even though it may not be strictly correct. What I am saying is that the cookie for members is probably not the issue and that can be overcome, the problem is the session cookie.

As 青山 素子 says, there are options but these will block the search engines as well and that is the problem, coming up with a solution that will work but not block robots, but I think that is too deep into the core code to be doable as a modification.

AS said this is going to be a major problem for many websites, especially for small businesses that may not be aware of what they are actually doing. In my view the new law actually makes using the internet illegal as your server can not legally read the packet headers which contain informationf from the users terminal without thier prior permission but how can you get that prior permission if you can't reas the headers.

It is dangerous to read one section of the PECR in isolation, you have to take all the sections together, also to be aware that the UK law and the EU directive are not the same and other countries laws where they exist or are in preparation have taken a different viewpoint and modified things.

From the guidance:

QuoteWhere this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.

Which implies you do not have to get prior approval as long as you do it as soon as possible, but this is just guidance by the ICO and they could be challenged on thier interpretation by the courts or the EU. My impression is that the ICO will be looking for website owners to be doing as much as possible and to have a plan to eventually meet the regulations, it is not an option to be doing nothing.

Quote from: JohnS on April 20, 2012, 06:04:13 PM
As 青山 素子 says, there are options but these will block the search engines as well and that is the problem, coming up with a solution that will work but not block robots, but I think that is too deep into the core code to be doable as a modification.

One other possible solution is to not start a PHP session until a user authenticates, but I'm not sure of the practicality or security implications of that. Of course, even if you're sending a hash so the password isn't in the clear, but doing so over a non-secure link isn't exactly the most secure practice either - unfortunately, it's often the best you can do with shared hosting.

Quote from: 青山 素子 on April 20, 2012, 04:43:05 PM

• Move your forum to a sub-directory
• Put up an entrance page advising of the cookies that will be set.
• Make a small change on the main SMF index page redirecting anyone who doesn't have an "opt in" cookie set to the entrance page.
• Require a click-through to get to the new forum location, setting a cookie (which was disclosed on that page!) to prevent SMF from kicking them out.

If you put the check right at the start of the SMF execution path, that should avoid a PHP session from being started.

Oh, this solution also prevents search engines from indexing anything since SMF now requires an "opt in" cookie to even show.

I think that would legally work, although it would probably destroy your site since you wouldn't have any results in search so you'd only get new visitors via direct referral.

Are you serious?? Is this the "SMF solution"??! It seems to me you've just sent the message to European Forum site owners that they should look to other software providers because SMF isn't going to assist them in obeying the law.

You know very well that were this US Law, SMF would be bending over backwards to accommodate the new provisions and an updated version would have been beta'd and released by now. So why the discrimination against your European users who probably represent a significantly high percentage of your user base?

Why is it that no current representative of SMF is willing to engage in this discussion?

Quote from: JohnS on April 20, 2012, 06:04:13 PM
@CircleDock

QuoteI wish that were true, but I'm afraid it's simply isn't. You must obtain opt-in consent before setting any cookie. That advice is on the ICO web site and is exactly what a senior member of his staff advised my solicitor.

I agree you have no control over cookies already set and I am not sure how the law treats cookies that were set before the law became effective. But if you log out everyone they must log in again and in doing so will set a new cookie. If there is a notice about cookies at the log in point then I believe you have effectively met the requirements of the law, even though it may not be strictly correct. What I am saying is that the cookie for members is probably not the issue and that can be overcome, the problem is the session cookie.

In respect of cookies set before the law comes into effect you could do what I have done. I have a banner prominently displayed on my Portal Page that informs guests and members that my site sets one or more cookies that are essential for the site to work correctly. That banner contains a link to a FAQ page where I detail as best I can the names of the various cookies, where they originate and how they are used. That really is all that one can reasonably be expected to do.

QuoteAs 青山 素子 says, there are options but these will block the search engines as well and that is the problem, coming up with a solution that will work but not block robots, but I think that is too deep into the core code to be doable as a modification.

Precisely! And it is for that very reason that SMF should be taking this issue seriously and provide us with an update so that we can be in compliance with the law. You can bet dollars for doughnuts that were this US law, the issue would already have been addressed. I would even go so far as to suggest that this issue affects a very sizable percentage of all SMF users and could even approach 50%. So why is this issue being ignored?

QuoteAS said this is going to be a major problem for many websites, especially for small businesses that may not be aware of what they are actually doing. In my view the new law actually makes using the internet illegal as your server can not legally read the packet headers which contain informationf from the users terminal without thier prior permission but how can you get that prior permission if you can't reas the headers.

That's an interesting observation and if one takes the regulations literally then one could certainly come to that conclusion. But I sure that's not the intent!

QuoteIt is dangerous to read one section of the PECR in isolation, you have to take all the sections together, also to be aware that the UK law and the EU directive are not the same and other countries laws where they exist or are in preparation have taken a different viewpoint and modified things.

That's the point I made earlier: PECR is a framework for individual member nations' own legislation.

QuoteFrom the guidance:

QuoteWhere this is not possible at present websites should be able to demonstrate that they are doing as much as possible to reduce the amount of time before the user receives information about cookies and is provided with options. A key point here is ensuring that the information you provide is not just clear and comprehensive but also readily available.

Which implies you do not have to get prior approval as long as you do it as soon as possible, but this is just guidance by the ICO and they could be challenged on thier interpretation by the courts or the EU. My impression is that the ICO will be looking for website owners to be doing as much as possible and to have a plan to eventually meet the regulations, it is not an option to be doing nothing.

Whilst that is certainly true, ICO will not accept that as an excuse for continued non-compliance and they will look to web site owners to be fully in compliance as quickly as possible. One could argue (and ICO might) that web sites should be fully in compliance as of 26th May as they will have had a full year to implement the necessary changes.

One important point that SMF and all EU Forum owners should bear in mind is that although Cookie Laws have been implemented only in the UK, Denmark and Latvia so far, the ICO (and his Danish and Latvian counterparts) can enforce that law EU-wide. So if, for example, someone from the UK (or Denmark or Latvia) visits a web site hosted in (say) Germany and that site does not ask before setting cookies, that site is in violation and can be fined.

Quote from: CircleDock on April 21, 2012, 01:06:09 AM
Are you serious?? Is this the "SMF solution"??! It seems to me you've just sent the message to European Forum site owners that they should look to other software providers because SMF isn't going to assist them in obeying the law.

I do not speak for the team, so it is certainly not an "SMF solution". It was an opinion on a way to ensure compliance if you had to make sure you were being very strict on the reading of the regulations. It's a totally crappy suggestion, but it would work.

Once again, I am not an active team member and the suggestion was my own.

Quote from: CircleDock on April 21, 2012, 01:06:09 AM
You know very well that were this US Law, SMF would be bending over backwards to accommodate the new provisions and an updated version would have been beta'd and released by now.

Possibly. Maybe. SimpleMachines is a US organization, and the main board is in the US, so it would need to comply with US law. I don't see why a change would be made on this site for that and it not get put in the code when it was stable.

Quote from: CircleDock on April 21, 2012, 01:06:09 AM
So why the discrimination against your European users who probably represent a significantly high percentage of your user base?

I don't think it's active discrimination at the very least. I haven't seen any team member say no or do anything discriminatory.


Okay, I'm going to sound kinda like an asshole here, but I think this should be said. Keep in mind this is my own opinon and not any kind of stance of the SMF project team, SimpleMachines, the larger community here, or whatever else I may be confused to represent. If you feel I've stepped over the line, there's a nice "report to moderator" link you can use to report my post to the folks running this site. It's down at the bottom right (at least in the default theme) of each post.

Now, the rant:

SMF 2.0 is under a totally free license, the BSD license. Anyone can go and change it and even provide their own "spin" of the software (provided they remove the SMF branding). They can even distribute patches to fix issues.

Instead of throwing tantrums over what you see as some kind of conspiracy by a very-understaffed project to ignore the law, fix it yourself and provide the fix. If you can't code and this is vitally important to you, get someone who can code to fix it.

SMF the software is provided free of charge and is maintained by some very passionate individuals who give up their spare time for this project. What makes things so awful is when people demand changes and generally present an entitled attitude when they have done nothing to contribute. While strong views are appreciated, acting like a spoiled brat demanding changes is the best way to get an issue ignored. Yes, this is probably an important issue and needs to be addressed, but being an asshole about it just makes it take that much longer.

As for me? I'm going to give things a try and see if I can avoid any cookies before login. I don't think it'll be all that easy to break the way dynamic software works to try and comply with a law that seems utterly clueless to that fact, especially for first-party cookies. Maybe I'll find a solution, maybe I'll give up. However, instead of ******ing about it, I'm going to actually try to contribute, unlike you.

Quote from: 青山 素子 on April 21, 2012, 02:48:12 AM
Possibly. Maybe. SimpleMachines is a US organization, and the main board is in the US, so it would need to comply with US law. I don't see why a change would be made on this site for that and it not get put in the code when it was stable.

I would suggest to you that it would definitely be implemented because if it weren't, the outcry would be considerably more vociferous and indeed smf.org itself would be in violation.

Quote
Instead of throwing tantrums over what you see as some kind of conspiracy by a very-understaffed project to ignore the law, fix it yourself and provide the fix. If you can't code and this is vitally important to you, get someone who can code to fix it.

Firstly, whilst I hold very strong opinions about this issue - one of legal compliance - I have not intentionally demanded it be fixed but I and others have asked, sometimes passionately, that it be addressed. The fact this topic hasn't had a single contribution from any official SMF Project member speaks volumes in my view.

I am not a programmer but I have had someone who does do web site development work look at the code. He tells me that the way it is currently implemented, it was akin to a minefield that he didn't want to enter and urged me to refer the matter to the SMF development team - which is exactly what I'm trying to do here. So to accuse me of doing nothing about it is a wrongful accusation.

QuoteAs for me? I'm going to give things a try and see if I can avoid any cookies before login. I don't think it'll be all that easy to break the way dynamic software works to try and comply with a law that seems utterly clueless to that fact, especially for first-party cookies. Maybe I'll find a solution, maybe I'll give up. However, instead of ******ing about it, I'm going to actually try to contribute, unlike you.

I completely agree with you that the EU Directive has been written from a political standpoint without much, if any, practical regard for how it is to be implemented in the real world. But it is now a law and one that has attracts massive penalty tariff ($750,000) if violated. We're unfortunately stuck with it and all EU member nations are legally obliged (by virtue of their EU accession treaties) to implement their own laws in compliance.

If you are able to devise a solution to this issue, then you'll most certainly receive my grateful thanks along with many others' I am sure.

I concur that it would probably be practically impossible to prevent the PHPSESSID cookie being set. I actually suspect that the ICO would understand that difficulty and not pursue a site provided it obtains an opt-in for all other cookies AND, should the visitor decline to accept cookies at all, that the PHPSESSID cookie be removed.

Thank you for taking an interest!

As a footnote I would add that I have logged-in and out of several SMF-powered Forums and the PHPSESSID cookies remain even after the browser is closed. That's with Firefox 11 and also SW Iron (Chromium-based).

Since I talked about doing something, I decided to try my hand at a quick fix. My patch is attached. It's a unified diff. You can apply it by hand or use the "patch" tool on Linux. I believe winmerge also works for this on Windows.

The patch prevents the default PHP session cookie from being created unless an SMF login cookie has been set. Additionally, it displays a noticeable yellow bar at the top of the page linking to information on the two default cookies used when logged in.

If you use this, you need to make sure PHP is not configured to auto-start sessions. That setting will make PHP always generate a session and cookie, and there is no way to fix that in code.

This is not ready for any kind of package install. It has hardcoded language strings and probably has some weird side-effects. I have not fully tested it. It's 2am and I want to sleep...

Quote from: CircleDock on April 21, 2012, 03:51:05 AM
I am not a programmer but I have had someone who does do web site development work look at the code. He tells me that the way it is currently implemented, it was akin to a minefield that he didn't want to enter and urged me to refer the matter to the SMF development team - which is exactly what I'm trying to do here.

Preventing the default PHP session ID cookie wasn't too hard. A little snip in the loadSession function was all that took. A change to the index template and the addition of a new page for cookie info provided the announcement portion. I think I spent more time messing with git than coding...

Quote from: CircleDock on April 21, 2012, 03:51:05 AM
As a footnote I would add that I have logged-in and out of several SMF-powered Forums and the PHPSESSID cookies remain even after the browser is closed. That's with Firefox 11 and also SW Iron (Chromium-based).

Make sure to check your cookies before going to the site again. Even if the one session cookie is removed on exit, a new one will be created when you visit the page again. If the expiration is set as "session" or similar wording, the browser is supposed to remove it when you fully close it.

Just to be clear here. There is no such thing as 'it's US not EU' at play on this matter, that SMF itself may not be "required" to comply is completely besides the point, and not the issue here.

If this directive/regulation is affecting indeed EU admins and/or users (and it's workable and at least a bit reasonable to implement a solution), then we will find a way. That document attached several replies above, as shocking as it is, appears to be relatively explicit as to some expectations, though I will try hard not to qualify them and their potential consequences on the web today. Thank you all who are looking into it, be it legal side or technical side.

Be it said. (sorry to be on the run). Personally I appreciate generally, that there are attempts in the current worldwide landscape today, to address third party applications tracking users activities and behavior on the web, and informing people of what websites do. This one however, for all I can see so far, it's a terribly misguided attempt at that. And that's an understatement.

When politicians/lawyers make regulations on technical aspects they don't fully understand, we get ourselves something like this. (which I won't qualify, because I'm trying to remain polite. :P)

On the constructive side, for one, we are also taking a look at the ToS at registration time, to add more information about the operation of the forum and what are cookies used for. I'm NOT convinced that any kind of "prior" consent could or should be reasonably required for session cookies, considering the normal operation of the forum, non-existent "intrusiveness", and non-existent harm to personal information of any kind. Same goes for 99% of the web applications packages these days.


ETA: Thank you very much, Motoko, for the patch! Will look ASAP into this too.

N.N. I fully agree that the law which perhaps had a valid reason in the beginning, has gone through the political machine that is the EU and has emerged mangled and useless much like everything else that goes through that machine. But neverthess it is now a law here in the UK which is being enforced by the ICO and has huge penalties. The fact that the UK just adopted the EU directive without any thought for the impact of the law makes things even worse, at least some of the other EU countries are making laws which meet the intent of the directive without being so restrictive. The sites I operate with SMF are charity sites and we just can not afford to fall foul of this law in any way.

The persistant user cookie I have solved, prior to the 26th May last year I removed access all users and made them re-validate thier membership under the new terms and conditions which seek permission for the placement of cookies, I did this by changing thier is-activated setting to its current value +50 and developed a script they could go through to set it back again by agreeing to the new terms and conditions . It did result in about 50% of the registered members not doing this, but as they never visit the site anyway that was in fact a plus as it cleaned out my database (something the DPA requires). I considered this showed an attempt to comply pending more permanent changes.

Over the past few weeks I have modified my template so that there is a notice about cookies on the log in page and above the log in area at the top left of the page, warning members that if they log in they are setting cookies, that has links to my cookie explanation page.The registration terms and conditions have been modified with links to my cookie information page. On the 26th May I will log everyone out and so when they next revisit they will have to log in again, so not only did they last year accept the new terms and conditions, they will have to log in again after a warning that logging in will generate cookies. I believe that covers the persistent user cookie.

I now have to look at what Motoko has provided (many thanks for the work Motoko it is appreciated as it gives me some more clues as to where I should be looking.) And see if I can resolve my session cookie issue.

That law is BS because users already have such power in any browser they just need to use it (and it has been like that from...I don't even know when, since as far as I remember any browser has the option to ask to accept cookies or not).

BTW, try the attached package (not really tested, not really sure I take in consideration everything).

https://github.com/emanuele45/EU-cookie-law

ETA: the privacy notice is completely unwritten, it's just a placeholder, I'm not good at writing this kind of legal-related things...

ETA2: this will (hopefully) prevent any kind of cookie to be set up, so even ban-related cookies are not put in place (bans will relay rely on a complete ban check every time unless the user accept the cookie.
Additionally, since these actions would setup a a cookie, I disabled at "action-time" any post, vote, moderate, etc. action that could create a cookie (I added more than necessary just because I was too lazy to check if the actions actually create a cookie).
The "accept cookie" is obtained through a cookie itself (i.e. once you click on "accept" a cookie is created) that will last for the session (i.e. every time you or your users will close the browser you will be asked again to accept the cookies, this could be changed to a more persistent cookie...let's say a week?).
There is an hidden setting (ecl_strict_interpretation) that enables a possible stricter interpretation of the law: in other terms you or your users will not be allowed to login or register unless the accept the cookies. As far as I can tell this is *not* required by the law (UK instructions on implementation), because as soon as the user registers or logs in he is accepting the communication (or something like that, I read it yesterday and I don't remember the exact terms), but still can be enabled if you want.

Quote from: emanuele on April 21, 2012, 07:43:22 AM
That law is BS because users already have such power in any browser they just need to use it (and it has been like that from...I don't even know when, since as far as I remember any browser has the option to ask to accept cookies or not).

BTW, try the attached package (not really tested, not really sure I take in consideration everything).

https://github.com/emanuele45/EU-cookie-law

ETA: the privacy notice is completely unwritten, it's just a placeholder, I'm not good at writing this kind of legal-related things...

AWESOME I am glad to see someone is taking this serious.
Even though the law seems like a whole lot of gibberish, its still have to be adhered to and we all have to take measures.
Simple fact is, alot of people who use the SMF software have no coding knowledge, so expecting them to do it them selves is like asking a dog to make you breakfast lol.

I'll try this out now ;)
Thanks again sir.!

Edit: I will help you with the wording also if need be. I have no problem with that ;)
I been reading the dam law for about 2 hours lol.

Just like to confirm that it has broken my forum lol.
I will fix it and report the error few mins,

Quote from: aljo1985 on April 21, 2012, 07:57:15 AM
Just like to confirm that it has broken my forum lol.
I will fix it and report the error few mins,

Working fine here, I installed without errors.
BTW I removed it.

I fixed the forum and un installed the package for now.

These are the errors I got.
PHP Fatal error:  Call to undefined function ecl_authorized_cookies() in Load.php on line 2751
and
PHP Fatal error:  Call to undefined function ecl_authorized_cookies() in Subs-Auth.php on line 166

Thanks,
Star.

That's a problem with the hooks not installed...try to run the install.php manually (load it into your forum directory and run it from the browser).

I uploaded it at github download section.

Quote from: emanuele on April 21, 2012, 08:04:12 AM

Quote from: aljo1985 on April 21, 2012, 07:57:15 AM
Just like to confirm that it has broken my forum lol.
I will fix it and report the error few mins,

Working fine here, I installed without errors.
BTW I removed it.

Yeah there was no errors on the install. But as soon as I installed it I got error.
If you can point me in the right direction I would love to get this problem solved on my own forum as quick as possible :(

Awesome.. I still have your package, will try it now XD

Quote from: emanuele on April 21, 2012, 08:18:11 AM
That's a problem with the hooks not installed...try to run the install.php manually (load it into your forum directory and run it from the browser).

I uploaded it at github download section.

Awesome it works.. Now just needs to privacy notice to display all the cookies and what they do :)
I need to delete my cookies now and see what cookies it placed on the website before this notice.
I see how this is done using ECL cookie 2 lol nice...

Sorry to be a pain :(
But what are these cookies?
Just that when I re-visited I had these cookies set automatically.

__utma
__utmb
__utmc
__utmz

Scrap that.. They are analytic cookies GRRRR.

Quote from: 青山 素子 on April 21, 2012, 05:25:11 AM
Since I talked about doing something, I decided to try my hand at a quick fix. My patch is attached. It's a unified diff. You can apply it by hand or use the "patch" tool on Linux. I believe winmerge also works for this on Windows.

The patch prevents the default PHP session cookie from being created unless an SMF login cookie has been set. Additionally, it displays a noticeable yellow bar at the top of the page linking to information on the two default cookies used when logged in.

If you use this, you need to make sure PHP is not configured to auto-start sessions. That setting will make PHP always generate a session and cookie, and there is no way to fix that in code.

This is not ready for any kind of package install. It has hardcoded language strings and probably has some weird side-effects. I have not fully tested it. It's 2am and I want to sleep...

Quote from: CircleDock on April 21, 2012, 03:51:05 AM
I am not a programmer but I have had someone who does do web site development work look at the code. He tells me that the way it is currently implemented, it was akin to a minefield that he didn't want to enter and urged me to refer the matter to the SMF development team - which is exactly what I'm trying to do here.

Preventing the default PHP session ID cookie wasn't too hard. A little snip in the loadSession function was all that took. A change to the index template and the addition of a new page for cookie info provided the announcement portion. I think I spent more time messing with git than coding...

Quote from: CircleDock on April 21, 2012, 03:51:05 AM
As a footnote I would add that I have logged-in and out of several SMF-powered Forums and the PHPSESSID cookies remain even after the browser is closed. That's with Firefox 11 and also SW Iron (Chromium-based).

Make sure to check your cookies before going to the site again. Even if the one session cookie is removed on exit, a new one will be created when you visit the page again. If the expiration is set as "session" or similar wording, the browser is supposed to remove it when you fully close it.

I've tried your patches and, unfortunately, they don't work. The Cookie message isn't ever displayed and cookies are set. But many thanks for trying to provide a solution!

Quote from: emanuele on April 21, 2012, 07:43:22 AM
That law is BS because users already have such power in any browser they just need to use it (and it has been like that from...I don't even know when, since as far as I remember any browser has the option to ask to accept cookies or not).

BTW, try the attached package (not really tested, not really sure I take in consideration everything).

https://github.com/emanuele45/EU-cookie-law

ETA: the privacy notice is completely unwritten, it's just a placeholder, I'm not good at writing this kind of legal-related things...

ETA2: this will (hopefully) prevent any kind of cookie to be set up, so even ban-related cookies are not put in place (bans will relay on a complete ban check every time unless the user accept the cookie.
Additionally, since these actions would setup a a cookie, I disabled at "action-time" any post, vote, moderate, etc. action that could create a cookie (I added more than necessary just because I was too lazy to check if the actions actually create a cookie).
The "accept cookie" is obtained through a cookie itself (i.e. once you click on "accept" a cookie is created) that will last for the session (i.e. every time you or your users will close the browser you will be asked again to accept the cookies.
There is an hidden setting (ecl_strict_interpretation) that enables a possible stricter interpretation of the law: in other terms you or your users will not be allowed to login or register unless the accept the cookies. As far as I can tell this is *not* required by the law (UK instructions on implementation), because as soon as the user registers or logs in he is accepting the communication (or something like that, I read it yesterday and I don't remember the exact terms), but still can be enabled if you want.

Thank you very much Emanuele, your implementation is almost exactly what's required! In point of fact, ecl_strict_interpretation will be required because, under UK law at least, the user must take a positive action to show he is prepared to allow cookies to be set and all actions including Login and Register should be ignored until he does so.

Unfortunately, setting that option means that visitors can not accept cookies (the "accept" link is missing in this case).

Quote from: CircleDock on April 21, 2012, 11:18:29 AM
Thank you very much Emanuele, your implementation is almost exactly what's required! In point of fact, ecl_strict_interpretation will be required because, under UK law at least, the user must take a positive action to show he is prepared to allow cookies to be set and all actions including Login and Register should be ignored until he does so.

The ICO guide says:

QuoteThere is an exception to the requirement to provide information about cookies and obtain consent where to use the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user

As far as I can understand the acts of register and/or log-in are requests made by the user to access an information (society) service, so they belong to the exception. So I would consider theme as implicit approval (also because registering and/or logging-in the users already gives you explicit permission to send them informations: it's the user that is requesting the log-in and/or the registration to access your service (i.e. the forum), it's not you that subscribe them without notice).

Unfortunately, the visitors session cookie is still being set when the site is entered - and there being no cookies for the site beforehand.

Quote from: emanuele on April 21, 2012, 11:29:12 AM

The ICO guide says:

QuoteThere is an exception to the requirement to provide information about cookies and obtain consent where to use the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user

As far as I can understand the acts of register and/or log-in are requests made by the user to access an information (society) service, so they belong to the exception. So I would consider theme as implicit approval (also because registering and/or logging-in the users already gives you explicit permission to send them informations: it's the user that is requesting the log-in and/or the registration to access your service (i.e. the forum), it's not you that subscribe them without notice).

You may be right, in which case those actions may be allowable. However, I was able to carry-out other actions including "Calendar", "Media", "Search" etc. I was also able to read forum messages - which definitely should not have been permitted. That's probably because there was a valid PHPSESSID cookie set, as noted above.

To not transform this topic into a support topic for this "mod", I'll post it later in the SMF Coding Discussion (http://www.simplemachines.org/community/index.php?board=60.0) board.

For compatibility with SEF mods you should change this:

$context['ecl_accept_cookies'] = $_SERVER['REQUEST_URL'] . (strpos($_SERVER['REQUEST_URL'], '?') !== false ? ';' : '?') . 'cookieaccept';


to:

$context['ecl_accept_cookies'] = $scripturl .'?'. http_build_query(array_merge($_GET, array('cookieaccept' => '')));
call_integration_hook('integrate_fix_url', array(&$context['ecl_accept_cookies']));


Same for the other links in the template ...

One more problem if any SEF enabled ..
change the setcookie to

setcookie('ecl_auth', 1, 0, '/');


Thanks feline, I'll add your suggestions! :)

Thanks emanuele ..
Also the links in the langfile (Modifications.xxx.php) like login/register/privacynotice don't work on SEF without fixurl ...
I think, it's better to put out these with sprintf(...)

You know...   as long as people bend over and accept this sort of crap form politicians et al, it's going to continue and get worse.

It would be much better, in my opinion (not reflective of the team or anything else) for everyone to ignore the law and, when someone tries to apply it - take it to court and prove how idiotic it is. Otherwise, like in the US with our incredibly stupid "homeland security" laws, your rights will just be taken away more and more, with each successive removal pointing to the "success" of the previous one as justification.

Seriously, someone has to stand up and just say "no, you are being stupid"
(and on that note, I refuse to implement any such idiocy on any of my sites, in the US, Canada or the EU)

Quote from: Kindred on April 21, 2012, 03:18:32 PM
It would be much better, in my opinion (not reflective of the team or anything else) for everyone to ignore the law

That's what we usually do in Italy...I guarantee you that it doesn't work... lol
(don't tell anyone, I'm not going to apply the mod on my forum! :P)

Quote from: Kindred on April 21, 2012, 03:18:32 PM
Seriously, someone has to stand up and just say "no, you are being stupid"
(and on that note, I refuse to implement any such idiocy on any of my sites, in the US, Canada or the EU)

The idea of the law is not so bad... the idea.

Hi guys,
just a quick observation on this one with regards to an initial cookie being set before the user's consent is sought.
The ICO do it themselves!!!!, they set a session cookie, named "ico62#sc_wede" the minute you hit their web page, that's before you hit the optin banner at the top for any other cookies they might want to throw at you.
Our forums are doing exactly the same as them with our own PHPSESSID
This whole cookie law thing becomes a minefield once you start looking into it,
When it came in last year I was confused so I thought I'd sit on it for a while and see what other cleverer peeps are doing about it, then try to copy what they are doing before the years grace period is up.
Sadly, we've about a month to go and I've not seen much headway anywhere, even the 'big boys' like google and ebay don't appear to have implemented anything.
I started off confused and a year later am just as confused.

I have not seen that cookie on the ICO site, but once you agree to cookies they set ICOCookiesAccepted which is very persistent, IE9 can not delete it even using the clear cookies options. So there seems to be no way to opt out once you have opted in unless you go looking for the cookie.
I wonder if they are doing different things based on your location.The only other cookies I see set are the _ut.. ones for Google Analytics.

Quote from: snagz on April 21, 2012, 04:05:02 PM
The ICO do it themselves!!!!, they set a session cookie, named "ico62#sc_wede" the minute you hit their web page,

Quote from: http://www.ico.gov.uk/Global/privacy_statement.aspx

Content Management System cookie

ico62#sc_wede

This cookie is set by our content management system on a small number of browsers, upon arrival to the ICO site. It is not used by the ICO for any purpose. This cookie is deleted when a user closes their browser.

The supplier of our content management system (the software we use to update our website) is working to remove this cookie from their product.

Quote from: snagz on April 21, 2012, 04:05:02 PM
Sadly, we've about a month to go and I've not seen much headway anywhere, even the 'big boys' like google and ebay don't appear to have implemented anything.

That's strange to me too...

@JohnS the ico62#sc_wede is not set for all the browsers.
I did have any problem in deleting the cookies including the "accept".

Quote from: JohnS on April 21, 2012, 04:12:32 PM
I have not seen that cookie on the ICO site, but once you agree to cookies they set ICOCookiesAccepted which is very persistent, IE9 can not delete it even using the clear cookies options. So there seems to be no way to opt out once you have opted in unless you go looking for the cookie.
I wonder if they are doing different things based on your location.The only other cookies I see set are the _ut.. ones for Google Analytics.

I found it straight away with this:  http://www.stratagia.co.uk/services/ict/share/cookie-tool/  which I've been checking my own sites with.
reading through all the blurb, I think the most important thing is to have somewhere on your site a reference to the cookies you use, what they do and possibly a reference to the cookie law itself to show users that you're at least 'making the effort' to comply with what is a very confusing law.

@snagz did you read my answer? (In short they know about this cookie and they are working to remove it)

I posted the mod here: http://www.simplemachines.org/community/index.php?topic=474727.0

Quote from: emanuele on April 21, 2012, 04:42:51 PM
@snagz did you read my answer? (In short they know about this cookie and they are working to remove it)

I posted the mod here: http://www.simplemachines.org/community/index.php?topic=474727.0

Ooops.  thanks for that Emanuele, my bad for only 'part reading'  Seems a bit strange to me though, that they are the ones enforcing the law but are having problems adhering to it themselves...** they are working towards removing it**  you would think if they wanted all of us to comply they would know how to themselves BEFORE making it law.
I think I'm still gonna stick with my wait and see what everyone else does first plan then copy it.
even if it means putting a new front page opt-in on each of my sites come May 26th.

They still have a month to comply! :P

Heh. My irony meter is way, way off the scale.

Quote from: emanuele on April 21, 2012, 03:32:28 PM
(don't tell anyone, I'm not going to apply the mod on my forum! :P)

I hate to sound crass, but I am in complete agreement with Kindred.  I think it is an absolute stupid law passed by stupid politicians who have no clue whatsoever.  I will do absolutely nothing on my sites. I am hosted in the US and took a stand against SOPA and PIPA, and all the other absolutely stupid proposals that will effect me here. I certainly will not bow to the EU idiocy.

Quote from: Kindred on April 21, 2012, 03:18:32 PM
You know...   as long as people bend over and accept this sort of crap form politicians et al, it's going to continue and get worse.

It would be much better, in my opinion (not reflective of the team or anything else) for everyone to ignore the law and, when someone tries to apply it - take it to court and prove how idiotic it is. Otherwise, like in the US with our incredibly stupid "homeland security" laws, your rights will just be taken away more and more, with each successive removal pointing to the "success" of the previous one as justification.

Seriously, someone has to stand up and just say "no, you are being stupid"
(and on that note, I refuse to implement any such idiocy on any of my sites, in the US, Canada or the EU)

There are a few things you should understand about the EU and EU Directives. Directives are "laws" devised and brought into law by unelected officials known as Commissioners. The toothless-tiger that is the European Parliament almost never modifies or refuses to pass Directives. EU member nations are required, by virtue of their Treaty of Accession, to enact them so they come into national law. This particular Directive was, I believe, introduced by a Danish Commissioner who comes from a country where privacy issues are taken very seriously.

And in fact it's not such a bad law as it seeks to restore and bolster personal privacy. So I'm not clear why you are railing against it when you say "Otherwise, like in the US with our incredibly stupid "homeland security" laws, your rights will just be taken away more and more, with each successive removal pointing to the "success" of the previous one as justification." Seems like a contradiction - or maybe you don't/didn't understand the purpose of the legislation.

As for suggesting that we ignore the law I will say this. You can ignore it if you wish and if you have any web sites hosted on European servers then I hope you have very deep pockets; the fine for non-compliance is a stiff $750,000. You should also be aware that the EU has had discussions with other major economies on this very topic in order to harmonise this issue globally and, apparently, the US, Australia, New Zealand (among others) will be introducing very similar legislation.

Quote from: busterone on April 21, 2012, 07:03:34 PM
I hate to sound crass, but I am in complete agreement with Kindred.  I think it is an absolute stupid law passed by stupid politicians who have no clue whatsoever.  I will do absolutely nothing on my sites. I am hosted in the US and took a stand against SOPA and PIPA, and all the other absolutely stupid proposals that will effect me here. I certainly will not bow to the EU idiocy.

Excuse me but without intending to sound equally crass, why are you even commenting about an issue that clearly doesn't affect you at all ... for now? It is an issue that affects site owners hosting within the EU and those with visitors from within the EU.

Oh, I understand the purpose - and I disagree with it (and no, I do not agree with the statement that it was intended to "restore and bolster personal privacy") However, in addition, the implementation was so incredibly stupid that the purpose has nothing to do with it any more.

As for deep pockets....   lol. That is my whole point. None of us could pay that...  So, they can fine me all they want, they won't get one red cent - because I don't have it in the first place. If they did, though, I would challenge it (which, IMO, is what people should be doing instead of caving...   and I'll bet that the first company, like Google that they try to hit will be all over them in the courts)

If this Regulation enters into force (and will), SMF is not applicable as a forum system in the EU.
So here SMF should make a change.

Quote from: Kindred on April 22, 2012, 06:29:36 AM
Oh, I understand the purpose - and I disagree with it (and no, I do not agree with the statement that it was intended to "restore and bolster personal privacy") However, in addition, the implementation was so incredibly stupid that the purpose has nothing to do with it any more.

As for deep pockets....   lol. That is my whole point. None of us could pay that...  So, they can fine me all they want, they won't get one red cent - because I don't have it in the first place. If they did, though, I would challenge it (which, IMO, is what people should be doing instead of caving...   and I'll bet that the first company, like Google that they try to hit will be all over them in the courts)

This law is designed to curb the power of companies like Google, Facebook and others who routinely track users and make use of that information either directly themselves or by selling it to third-parties such as advertising companies. And as a Forum owner, I am surprised that you exhibit such little regard for your members' privacy.

You will probably not thank me for telling you that a similar law is currently being worked-on by US lawmakers who are concerned about privacy issues and the power of the big information harvesters. That law will very likely be modeled on the EU's "Privacy and Electronic Communications Regulations" and will, in all likelihood, be co-operative with the EU's. So like it or not, one day quite soon you will have to contend with this issue and I do wonder if you will use such brave words of defiance when that day dawns.

CircleDock is correct.

This decade the boom is in information. Information about us, belonging to us, that these companies are collecting and profiting from.

Quote from: feline on April 22, 2012, 07:33:02 AM
If this Regulation enters into force (and will), SMF is not applicable as a forum system in the EU.
So here SMF should make a change.

I can happily report that Emanuele's modification is fully working and complies fully with both PECR and UK Law. But there are caveats:

   
• If you have SA-Chat installed, you will need to modify its index.php (I have provided details of that in the Topic Emanuele started elsewhere)
• If you have the Google Analytics modification installed, you will need to make a small edit in subs.php to prevent GA's Javascript being placed on the current page under construction.
• You will need to check any other modifications you have installed to ensure that they neither make calls to "start_session" or drop Javascript onto the page.

Mark

I wanted to implement something in my blog software too. After it was done, I realised that I don't even use cookies. :'D

I know that the US is planning something just as stupid -- and I will behave exactly the same toward them as I do toward the idiots in the EU.

Just to note,
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation. Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).

While I am aware of many things in the web privacy/initiatives/laws areas, I am also unaware of many things in these areas. Any help would be very appreciated, from your personal perspective or understanding, to links that would give precedents (if any), other countries take on the matters or expectations, layman's "translation" of the regulations, lol, whatever you find relevant. :)


Note also that the above UK ICO doc (posted by Tony) clearly does NOT address exactly the issues of Google/Facebook actual tracking of users on the web, inappropriate and unknown use of personal information by them, actual expectations on third party information sharing, examples of misuse, etc, meaning the real issues it's meant (or should be meant) to address. Instead these 'expectations' they claim to have, will create most likely, yet another 'omg you has cookies' turmoil as several years ago, mostly unworkable and unenforceable (I'm still using polite terms :P), and barely touching the real privacy problems of users on the web.

Quote from: CircleDock on April 22, 2012, 04:32:41 AM

Quote from: busterone on April 21, 2012, 07:03:34 PM
I hate to sound crass, but I am in complete agreement with Kindred.  I think it is an absolute stupid law passed by stupid politicians who have no clue whatsoever.  I will do absolutely nothing on my sites. I am hosted in the US and took a stand against SOPA and PIPA, and all the other absolutely stupid proposals that will effect me here. I certainly will not bow to the EU idiocy.

Excuse me but without intending to sound equally crass, why are you even commenting about an issue that clearly doesn't affect you at all ... for now? It is an issue that affects site owners hosting within the EU and those with visitors from within the EU.

Because at least one third of my members are from Europe.  Happy?

Quote from: N. N. on April 22, 2012, 12:01:14 PM
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation.

As far as I can understand the ICO is implementing the European Directive 2002/58/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT) (see also this "explanation" (http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm) and the two amending acts that introduce few variations, I'm not sure about the entity).

BTW, apparently there is also a brand new (January) draft for an European Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (I still have to read it, it's loooong!! :P)
Probably in the long term we will have to deal with that more than national implementations.

Quote from: N. N. on April 22, 2012, 12:01:14 PM
Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).

Even if it is different, admins in the UK would have to comply with it. I think.
Of course I'm not saying a software should comply with all the laws of all the Countries of the world. But SMF haz mods! :P

Ugh, please stop helping CircleDock perpetuate this ridiculousness?

As an EU resident running multiple sites hosted or in other ways based in the EU, I, along with any other admin out there with at least half a brain cell, will proudly be doing absolutely nothing about this silliness. I view this law in the same light as those archaic laws forbidding passage for bees over certain towns. Completely ridiculous, pointless, and irrelevant.

As somebody who browses the web, I give sites permission to store, set and read their cookies because I have my web browser configured for it. By configuring my web browser to let sites set cookies, I am giving consent. I am opting in.

Don't want facebook tracking you? Install facebook disconnect. Don't want cookies? Disable cookies. It's built into every modern browser.

http://www.youtube.com/watch?v=arWJA0jVPAc

Quote from: N. N. on April 22, 2012, 12:01:14 PM
Just to note,
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation. Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).

While I am aware of many things in the web privacy/initiatives/laws areas, I am also unaware of many things in these areas. Any help would be very appreciated, from your personal perspective or understanding, to links that would give precedents (if any), other countries take on the matters or expectations, layman's "translation" of the regulations, lol, whatever you find relevant. :)


Note also that the above UK ICO doc (posted by Tony) clearly does NOT address exactly the issues of Google/Facebook actual tracking of users on the web, inappropriate and unknown use of personal information by them, actual expectations on third party information sharing, examples of misuse, etc, meaning the real issues it's meant (or should be meant) to address. Instead these 'expectations' they claim to have, will create most likely, yet another 'omg you has cookies' turmoil as several years ago, mostly unworkable and unenforceable (I'm still using polite terms :P), and barely touching the real privacy problems of users on the web.

I understand your difficulty.

What's important to understand that the EU Directive being talked about ("Privacy and Electronic Communications Regulations" or PECR) is of itself not law. The Directives contain guidelines and minimum criteria for legislation in member states and it is up to each EU member state to implement laws that at least meet the minimum criteria but they are free to make them more rigid.

Here's an example of what I mean. The applicable law in the UK only requires a single "opt-in" (and it must be an "opt-in") to allow all cookies a web site wants to set, to be set. Those advising our Parliamentarians thought that was the best option as it's reasonable easy for web site owners to implement and isn't unduly taxing on visitors and yet still affords them a degree of privacy protection. But, other countries may take a different view and may require that separate "opt-ins" be obtained for each and every cookie - in other words, visitors can select those they will accept (eg SMF's) but refuse other cookies - such as Google Analytics'.

Unfortunately (for you) only 3 EU nations have so far passed the necessary legislation to uphold their treaty commitments to implement this Directive: Denmark, Latvia and the UK. Denmark is well-known to be somewhat paranoid about personal privacy in general so it is quite likely that their cookie acceptance requirements may be stricter than the UK's.

Just to add to the confusion, there is currently no guidance coming from the UK Information Commissioner concerning the requirements that UK-hosted sites must meet in order to comply with the requirements elsewhere in the EU for visitors from the EU to UK-hosted sites. If (say) Poland requires a separate "opt-in" for every cookie and a Polish user lands on a UK-hosted site where he is asked to accept all cookies as a "one-time deal", would that user have a legitimate complaint against the UK-hosted site? The current advice - which is subject to change - is that provided the UK-hosted site meets the requirements under UK law, then that is sufficient.

You should also bear in mind that similar legislation is likely to be passed in other territories, including the US, so that there is a degree of harmonization with regard to personal information and privacy. However the onus isn't just on yourselves as providers of Forum software, the browser companies have to get their house in order too because too many are not removing session cookies, or deleting expired cookies, when browser sessions are closed. And this they must do to comply with PECR.

My advice would be to plan for the worst case scenario which is that every cookie must be accepted every time someone visits a site. Now that's an extreme, I agree, and possibly will never be required in practice. Far more likely is either the UK-type scenario with a single "opt-in" for all cookies or individual "opt-ins" so that visitors can choose which cookies they accept and reject others. An Integration Hook could be provided so that Mod developers who need to set cookies - or whose mods do so - can do this through core functionality which would check to see if the user has accepted cookies in accordance with national requirements.

One of the big concerns from a UK standpoint is that, so far, no UK-hosted Forum owner has yet been investigated or prosecuted under the Data Protection Act - which governs the storage and use of personal information held by web site owners - it might look for DPA violations if "Cookie Law" violations are reported. Certain items of data are currently exempted such as a member's user name and his email address but in the case of the storage of IP Addresses, it's not quite so clear cut as that could pin-point the user geographically. And certainly the retention of personal information that a member voluntarily supplies to a Forum is covered by the Data Protection Act and whilst a member can edit or remove that information during his membership, he is prevented from doing so if he receives a ban and thus a violation occurs unless that site owner has registered as a Data Controller (and very few, if any, have because of the extra work and cost involved). I mentioned this from a UK standpoint but my remarks may hold good for other territories including the US which does, I believe, have similar regulations.

I hope this helps and hasn't confused you further!

QuoteDon't want cookies? Disable cookies. It's built into every modern browser.

And that's what the legislatures don't get. Site admins shouldn't have to worry about it.

Quote from: Roph on April 22, 2012, 01:28:24 PM
Ugh, please stop helping CircleDock perpetuate this ridiculousness?

As an EU resident running multiple sites hosted or in other ways based in the EU, I, along with any other admin out there with at least half a brain cell, will proudly be doing absolutely nothing about this silliness. I view this law in the same light as those archaic laws forbidding passage for bees over certain towns. Completely ridiculous, pointless, and irrelevant.

As somebody who browses the web, I give sites permission to store, set and read their cookies because I have my web browser configured for it. By configuring my web browser to let sites set cookies, I am giving consent. I am opting in.

Don't want facebook tracking you? Install facebook disconnect. Don't want cookies? Disable cookies. It's built into every modern browser.

http://www.youtube.com/watch?v=arWJA0jVPAc

Well said. Don't want a cookie, simply turn them off in their browser.

Quote from: emanuele on April 22, 2012, 01:01:36 PM

Quote from: N. N. on April 22, 2012, 12:01:14 PM
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation.

As far as I can understand the ICO is implementing the European Directive 2002/58/EC (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:EN:NOT) (see also this "explanation" (http://europa.eu/legislation_summaries/information_society/legislative_framework/l24120_en.htm)).

BTW, apparently there is also a brand new (January) draft for an European Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (I still have to read it, it's loooong!! :P)
Probably in the long term we will have to deal with that more than national implementations.

No, the "Cookie Laws" come from a 2009 or 2010 Directive and were passed into law by the UK Parliament last May (2011). What you have found is the proposal for even tougher data protection legislation which in fact the UK already has (Data Protection Act) but that Act may require some amendments if the new EU Proposals become a Directive.

Quote

Quote from: N. N. on April 22, 2012, 12:01:14 PM
Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).

Even if it is different, admins in the UK would have to comply with it. I think.

It's not just UK-hosted sites that must comply - it's UK owned and registered sites regardless of where they are hosted. If the Domain name is registered in, or to someone (or entity) in the UK, that Domain must comply with the law even if the site is hosted elsewhere.

Quote from: CircleDock on April 22, 2012, 01:56:26 PM
No, the "Cookie Laws" come from a 2009 or 2010 Directive and were passed into law by the UK Parliament last May (2011).

In the "explanation" link I posted is mentioned the 2009/136 that amends few articles and introduces others.
Do you have any number for the "2010"?

Quote from: CircleDock on April 22, 2012, 01:56:26 PM
What you have found is the proposal for even tougher data protection legislation which in fact the UK already has (Data Protection Act) but that Act may require some amendments if the new EU Proposals become a Directive.

ETA: the other thing I found will not become a Directive it will become a Regulation (http://en.wikipedia.org/wiki/Regulation_(European_Union)), so national laws will be irrelevant.

Quote from: CircleDock on April 22, 2012, 01:56:26 PM

Quote
admins in the UK would have to comply with it. I think.

It's not just UK-hosted sites that must comply - it's UK owned and registered sites regardless of where they are hosted. If the Domain name is registered in, or to someone (or entity) in the UK, that Domain must comply with the law even if the site is hosted elsewhere.

I wrote "admins in the UK", not "sites hosted in the UK". ;)

I'd like to thank the smf team for taking this on - its very much appreciated.

I've not tried any of the mods - but just a thought (and I apologise if this has already been taken care of) , but the language string for 'Always stay logged in:' should be adjusted to remind the user that this will place a permanent cookie. Maybe something like '(This sets a cookie)' and a link to the privacy policy.

Its $txt['always_logged_in'] and it resides in  themes/default/languages/index.english.php

For those manually editing who do not normally jump into code - please do not use apostrophes in the language string unless you prefix it with a /

For example : 'You\'ve got a Privacy Policy' rather than 'You've got a Privacy Policy'

I'd also suggest removing the quick login functionality as this uses a dropdown to save the cookie setting - with the login option in the menu its not really needed anyway.

Just to be clear on some of the questions, here and in the other topics on SMF's sessions - in short. It is essential for SMF forums to start the session as soon as possible (meaning set PHPSESSID one way or the other). It's out of the question to make something like this optional. According to the wording of this law/directive, even, it's strictly necessary, so it doesn't pose problems.

And on the funny side, you may wish to take a look European Data Protection Supervisor site.  *angel eyes*
http://www.edps.europa.eu/EDPSWEB/edps/EDPS
I'd suggest ICO to... recommend them compliance. :D

Quote from: N. N. on April 23, 2012, 01:09:38 PM
Just to be clear on some of the questions, here and in the other topics on SMF's sessions - in short. It is essential for SMF forums to start the session as soon as possible (meaning set PHPSESSID one way or the other). It's out of the question to make something like this optional. According to the wording of this law/directive, even, it's strictly necessary, so it doesn't pose problems.

I think we all understand that SMF's session cookie is necessary but that's not the point. It can not and must not be set unless and until the visitor agrees to cookies being set.

If you go to the ICO's web site, you will be able to navigate that site even if you do not accept that site's cookies and I have the horrible feeling that this may well be necessary in SMF. Possibly this could be overcome by adding the session ID to the URL as has previously been done? Yes, I agree it's ugly, possibly creates other problems challenges and may well not be Search-Engine friendly however.

As UK-based owners we have to use ICO's web site as the benchmark against which to base our individual implementations.

As it stands, Emanuele's modification coupled with any necessary changes to accommodate SA-Chat and Google Analytics, is working. But there's one very important aspect that's not addressed at all and that relates to shared computers.

Looks like the ICO might relax the analytics's side... in terms of action at least - I guess this is possibly due to the fact that the UK government's digital advisory committee is saying the the government websites use of analytics is a necessity and essential.

http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/

Incidentally - if anyone is using adsense, then they need to consider turning off behavioural 'Interest based ads'.

This can be done via Adsense > Allow and Block Ads > Advanced Settings > Interest Based Ads Preference.

The reason I mention this is because googles policy states that the cookies they drop for the site belong to the site, so they are our responsibility.

So, its just a precaution.

Quote from: Tony Reid on April 24, 2012, 04:03:47 AM
Looks like the ICO might relax the analytics's side... in terms of action at least - I guess this is possibly due to the fact that the UK government's digital advisory committee is saying the the government websites use of analytics is a necessity and essential.

http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/

And that is possibly why the ICO is requiring owners to display a single "opt-in" as a blanket for all cookies. However I dispute the need for Google Analytics because the same information - but in a less presentable way I agree - is available by inspecting the server logs using a tool such as WebStats or Awstats.

Elsewhere I read a comment made by a well-known SMF "luminary" in which he said that anyone who is truly concerned about protecting privacy should not be using Google Analytics. I agree with him.

Need to be careful on how you define analytics. A cookie such as that set by SMF and only used by SMF for tracking may just for the time being scrape under the 'acceptable' category. But most people use something like Google Analytics which is definitely not acceptable as this is a third party intrusive cookie.You have to be sure exactly what any cookie your site uses is used for. This is even more important if you carry advertising on your site.

People are talking about cookies being strictly necessary, but you have to read the whole rule on that which is "Strictly necessary for the provision of a service explicitly requested by the user". So a cookie set up to hold a shopping basket would be OK as it is necessary and the user is requesting something. But even if a cookie is necessary for the operation of the site it is not permissible without prior consent of some kind or some action by the user, just visiting a page can never qualify as having a strictly necessary cookie. Basically the user must have given some input first for a cookie to be technically strictly necessary. Even if you have cookies within the band of strictly necessary you still have to advise users clearly that a cookie is being set and what it is being used for.

What the UK government or ICO may say, may not be enforcable, both of them could be taken to the EU courts for failing up uphold the directive or if they fail to prosecute those who break the directive, those owners could be taken to the EU courts. As I have said before, I don't think there will be prosecution of thousands of small websites, the system could just not handle it and until they have thier own back yards sorted out they are unlikely to do so. But I still think  that were it is possible to comply you should and you must definitely know exactly what your site is doing and have an explanation of that somewhere on your site and some policy statement of how you are trying to comply.

Also do not forget they can make the web hosting companies responsible for monitoring this. And don't underestimate the fact that some rights groups may just be waiting to take action.

Many may well get away with it, but it only takes one disgruntled user to complain about your site to put it in the spotlight and the ICO may not have any alternative but to prosecute.

QuoteBut there's one very important aspect that's not addressed at all and that relates to shared computers.

This is a whole new minefield, what as far as I can see has no solution under the current law.

You can not legally check whether a cookie is set without getting advance permission, despite the fact the cookie information is freely available in the header you are not allowed to check it without advance permission.

You do not know whether that person has visited the site before until you check for cookies, but you can not do that without permission and as you do not know until you read the cookie you have a catch 22 situation.

So you must always take everyone to a log in page to get that permission before doing anything else. The ICO do not do this, they rely on setting a permanent cookie and reading that to let you in the next time.

There is no request for permission the second time you visit and there is no opt out facility, at least none I can find.

Then on to shared computers and computers used by people who do not own them (example in the workplace). It can be argued under the law you require the permission of the user or the subscriber (that being the person who pays the bill for the service provided). So you could get a situation where the user has agreed but the subscriber specifically disagrees, the law does not seem to allow for this and it is not known who will take precedence. For example a user who uses thier PC at work may give permission, but thier company who is the subscriber may have a policy banning the use of your website in the workplace.

What happens if two people share a PC, the one who does not pay the bill gives permission, then the person who does pay the bill uses the PC and finds cookies set which they do not agree to.

The only way I can see to comply with the law is to use session cookies only so they do not move from user to user and to require log in every time someone visits the site before a cookie is set.

I don't think there will be any answers to these questions until there have been some prosecutions to set case law.

Quote from: JohnS on April 24, 2012, 04:55:02 AM
Need to be careful on how you define analytics. A cookie such as that set by SMF and only used by SMF for tracking may just for the time being scrape under the 'acceptable' category. But most people use something like Google Analytics which is definitely not acceptable as this is a third party intrusive cookie.You have to be sure exactly what any cookie your site uses is used for. This is even more important if you carry advertising on your site.

Firstly - and in my view - Google Analytics is completely unnecessary unless you're using its secondary purpose, coupled with the Adsense script, which is to provide targeted advertisements. That Adsense script does not itself set cookies but relies on one or more of the "__utm?" cookies for that purpose. In fact disabling it will make your site load faster particularly at times of high traffic volumes.

QuotePeople are talking about cookies being strictly necessary, but you have to read the whole rule on that which is "Strictly necessary for the provision of a service explicitly requested by the user". So a cookie set up to hold a shopping basket would be OK as it is necessary and the user is requesting something. But even if a cookie is necessary for the operation of the site it is not permissible without prior consent of some kind or some action by the user, just visiting a page can never qualify as having a strictly necessary cookie. Basically the user must have given some input first for a cookie to be technically strictly necessary. Even if you have cookies within the band of strictly necessary you still have to advise users clearly that a cookie is being set and what it is being used for.

This would imply separate opt-ins for first and third party cookies which is not currently required by the ICO who clearly state that a single positive "opt-in" for all cookies is necessary. Of course that could all change at any time - and probably without notice!

QuoteAlso do not forget they can make the web hosting companies responsible for monitoring this. And don't underestimate the fact that some rights groups may just be waiting to take action.

My UK Host hasn't mentioned this but it is entirely possible that they will have a part to play in enforcement. The ICO could simply instruct hosting companies to suspend the accounts of any site owners for whom the ICO has received complaints. Cheaper and much easier than the ICO itself taking action.

And you're quite right about the privacy groups who will, I'm sure, be quite indiscriminate in who they report. Since they are the ones from whom the ICO will receive the most complaints, it rather reinforces the view that I believe the ICO will get the ISPs to act as enforcers, especially in the case of the smaller sites which probably aren't worth the effort in prosecuting.

QuoteMany may well get away with it, but it only takes one disgruntled user to complain about your site to put it in the spotlight and the ICO may not have any alternative but to prosecute.

That's very true.

Quote from: JohnS on April 24, 2012, 05:19:08 AM

QuoteBut there's one very important aspect that's not addressed at all and that relates to shared computers.

This is a whole new minefield, what as far as I can see has no solution under the current law.

You can not legally check whether a cookie is set without getting advance permission, despite the fact the cookie information is freely available in the header you are not allowed to check it without advance permission.

You do not know whether that person has visited the site before until you check for cookies, but you can not do that without permission and as you do not know until you read the cookie you have a catch 22 situation.

Checking for the existence of a cookie is considered a "strictly necessary process" and so is most certainly permitted - at least, that is the (legal) advice I have been given. If it weren't the ICO is in violation and I rather doubt that's true.

QuoteThere is no request for permission the second time you visit and there is no opt out facility, at least none I can find.

The required process is a one-time positive action by the visitor to accept cookies (an "opt-in"). There is no requirement to offer an "opt-out" to someone who (apparently) already has opted-in.

QuoteThen on to shared computers and computers used by people who do not own them (example in the workplace). It can be argued under the law you require the permission of the user or the subscriber (that being the person who pays the bill for the service provided). So you could get a situation where the user has agreed but the subscriber specifically disagrees, the law does not seem to allow for this and it is not known who will take precedence. For example a user who uses thier PC at work may give permission, but thier company who is the subscriber may have a policy banning the use of your website in the workplace.

What happens if two people share a PC, the one who does not pay the bill gives permission, then the person who does pay the bill uses the PC and finds cookies set which they do not agree to.

This is my point exactly. If I were so inclined, if someone uses one of my computers and accepts cookies for a site that I have never visited, nor likely to ever visit, I would, I believe, have a legitimate complaint. Problem is, however, that this facet has not been considered or addressed by either the law-makers in Europe or by the ICO as Britain's regulator.

QuoteThe only way I can see to comply with the law is to use session cookies only so they do not move from user to user and to require log in every time someone visits the site before a cookie is set.

You can not use "login" as an implicit acceptance of cookies. The problem is compounded by the fact that none of the browsers I've checked are removing session or expired cookies.

QuoteI don't think there will be any answers to these questions until there have been some prosecutions to set case law.

That fact alone is likely to disadvantage the first few owners who come under ICO's spotlight.

Has anyone yet sought an opinion from the ICO as to how these laws will apply to the specific case of a discussion board?

Quote from: Antechinus on April 29, 2012, 09:27:48 PM
Has anyone yet sought an opinion from the ICO as to how these laws will apply to the specific case of a discussion board?

The law doesn't discriminate between different types of web site, if they're owned, registered or hosted in the EU then their owners and admins really need to comply.

The first step is to do a cookie audit, that step is fairly straight forward and simply involves finding and identifying first and third party cookies that are set by the Forum software and any mods thereto. We know the cookies SMF itself uses and the (up to) four cookies Google Analytics deploys and they can be listed in an information panel and visitor acceptance prompted for. So far, so good.

Unfortunately that isn't the whole story. What is not at all clear is where the responsibility lies in the case of injected third-party cookies such as those AdSense, Facebook and others use to track users and their preferences. ICO does not appear to offer any specific guidance here but may take the view that as these cookies are passed in pages served by sites (that use AdSense, Facebook etc), those sites are responsible. I am aware, however, that the ICO is in discussions with these companies and, possibly, we will suddenly find pop-ups appearing from AdSense etc., requesting a specific "opt-in" to allow their cookies to be injected. On the other hand, we may not on the grounds that we have laid the conditions for those companies - by subscribing to AdSense, for example - therefore it is up to us to seek permission. That view is reinforced by the actions taken by a site that the ICO recommends as a provider of information about cookies:http://www.allaboutcookies.orgwhich specifically asks permission to use AdSense.

That site, allaboutcookies.org, is using a small plug-in developed by a British software company, Wolf Software, which is available under a GPLv3 license and is attached to this message. As it was developed in consultation with ICO - and has been updated to reflect more recent guidance - I believe I can safely say that it is in full compliance. In fact, this package is far easier to implement than Emanuele's mod as it only requires two minor edits - in Load.php and Index.template.php to add it (plus some edits to its configuration files to customize it). It also has the benefit of being very configurable and can optionally use geoIP so that only EU visitors are required to "opt-in". A visitor can "opt-in" for that one visit only in which case cookie information is passed in headers but the cookies themselves are not stored.

Quote from: circledock. ICO does not appear to offer any specific guidance here but may take the view that as these cookies are passed in pages served by sites (that use AdSense, Facebook etc), those sites are responsible.

That is my understanding after reading the new google privacy agreement.

As for analytics and adsense,

I've switched my google analytic's  to servers side php, without using cookies (ref:  http://techpad.co.uk/content.php?sid=205 )

I dont really care about the behavioural side of analytics, I only need basic stats - nothing that tracks individuals - only events.

In addition I have turned off Behavioural tracking in Adsense. Just need to tweak it.

So from googles perspective, I'm 'nearly' cookie-less but I still have js analytics on a couple of other pages that need to be upgraded to server side code.

I've only got to worry about my coppermine bridge and the smf cookie and skimlinks on my forum (I still have js analytics on other pages that still need to be upgraded to server side code).

Hopefully I should have the remaining cookies cleaned up soon.

FYI,

http://nocookielaw.com/

I'm beginning to think CircleDock is just an elaborate troll.

Quote from: N. N. on April 30, 2012, 09:02:44 AM
http://nocookielaw.com/

Well .. much interest  :D

But in fact .. the EU have the ECL and it's easy to implement that.
For the coming release of our Portal we have a option implemented to enable the ECL Mode. In this case any visitor (except spiders) must accept the storage of cookies before he/she can browse the site.
That (I think) is the best option and it's need only one Click more if you enter the site ...

Quote from: Roph on April 30, 2012, 09:54:17 AM
I'm beginning to think CircleDock is just an elaborate troll.

That's a bit unfair. I think he is pretty accurate, and you could adopt a strict approach like his suggestions. The wolf software he recommends is a good way to become compliant too.

My personal view is to work towards the guidance, and be open an honest to your users about everything. Including warn users about cookies and more importantly stop any third parties from using behavioural tricks on our users. As it stands currently, we have to do what they say - and if not then we have to prove that we are trying to be compliant.

I think the bit that gets people emotional is the fines. Yes there are fines 'UP TO' 500,000GBP, but even then you would have an enforcement notice to comply within x amount of time. Unless it is of an extremely serious nature(such as health records, mass credit card leakage etc) and then you get a 'stop now' enforcement.

And the 500k isn't specifically for the cookie law - as some would have you think. It's the max penalty the ICO can impose for breaches in all data protection related areas.

QuoteMonetary penalty notices
A monetary penalty will only be appropriate in the most serious situations. When deciding the amount of a monetary penalty, the Commissioner not only takes into account the seriousness of the breach but also other factors including the size, financial and other resources of a data controller. It is not the purpose of a monetary penalty to impose undue financial hardship. The amount must not exceed £500,000 and is not kept by the Commissioner, but paid into the Consolidated Fund owned by HM Treasury.

Quote from: Tony Reid on April 24, 2012, 04:08:52 AM
Incidentally - if anyone is using adsense, then they need to consider turning off behavioural 'Interest based ads'.

This can be done via Adsense > Allow and Block Ads > Advanced Settings > Interest Based Ads Preference.

The reason I mention this is because googles policy states that the cookies they drop for the site belong to the site, so they are our responsibility.

So, its just a precaution.

Regardless of that setting, Google Adsense will still inject cookies but their content may be different.

Neither Adsense nor Analytics cookies the ICO categorise as being "essential" so one may need to consider allowing people to reject either or both - and that's one good reason for using the Wolf Software solution since it permits users to make a(n informed) choice.

To he who suggests I'm trolling: you are entitled to your opinion and, for all we know, the ECL may not even apply to you and your site. So maybe your comment was itself troll-like.

And as far as the "NoCookieLaw" website is concerned, its effectiveness can be demonstrated by the fact that the law will still be enforced as of May 26. The law is on the Statute books and it's far too late to protest against it. And those who do obviously care little for the privacy of those who visit websites.

I have augmented Emanuele's "EU Cookie Law" modification by adding Geo-Location so that only visitors from within EU member states will need to agree to cookies, those from outside the EU won't be prompted and cookies will be set as before.

My changes are detailed in this post (http://www.simplemachines.org/community/index.php?topic=474727.msg3326740).

This is what I think of the new European cookie law, :P

LOL, it don't apply to me.  ;D

But I will fight for your rights against it, because I am not found of it.

Everything I have coded that required cookies, have been out of necessity. If the cookie wasn't present the script will not work.

Take 2-SI Chat for instance, now SA Chat, if the cookie wasn't there. On every load windows would overlap because no position data is stored via the JavaScript. Multiple windows will cause sync data to be unavailable causing messages or no messages to spit out to certain windows. Basically the server side script will loose most communication with the possible multiple client side script. It is a mess and will break the script, which isn't tracking just trying to figure out what is going on with its JS counter part.

On a side note, maybe banks shouldn't keep transaction records, because they show where you have been, they are tracking also. This is how they are looking at the internet world and it is unsafe for future development of it.

Quote from: CircleDock on May 03, 2012, 06:26:16 AM
I have augmented Emanuele's "EU Cookie Law" modification by adding Geo-Location so that only visitors from within EU member states will need to agree to cookies, those from outside the EU won't be prompted and cookies will be set as before.

My changes are detailed in this post (http://www.simplemachines.org/community/index.php?topic=474727.msg3326740).

I would be careful with using geo-location in such a way.  You could get false negatives and end up serving cookies to someone who was in the EU.  Plus there is the issue of a UK citizen traveling outside of the EU, can you serve them a cookie without violating the law?

IMO, if you are going to comply with it then do it for everyone, makes things easier.

Quote from: Thantos on May 03, 2012, 11:14:34 AM
IMO, if you are going to comply with it then do it for everyone, makes things easier.

QFTW

Quote from: Thantos on May 03, 2012, 11:14:34 AM

Quote from: CircleDock on May 03, 2012, 06:26:16 AM
I have augmented Emanuele's "EU Cookie Law" modification by adding Geo-Location so that only visitors from within EU member states will need to agree to cookies, those from outside the EU won't be prompted and cookies will be set as before.

My changes are detailed in this post (http://www.simplemachines.org/community/index.php?topic=474727.msg3326740).

I would be careful with using geo-location in such a way.  You could get false negatives and end up serving cookies to someone who was in the EU.  Plus there is the issue of a UK citizen traveling outside of the EU, can you serve them a cookie without violating the law?

IMO, if you are going to comply with it then do it for everyone, makes things easier.

The MaxMind database used by my changes - and used by Spuds' geoIP mod - is claimed to be over 98% accurate. That will be degraded slightly by the appearance of IPv6 Addresses but I've erred on the side of caution by assuming that they are all in the European Union (which of course won't be the case). In fact my changes assume the visitor is within the EU unless their IP Address shows otherwise.

It is my impression that if your server or your data controller is in the EU then you need to observe the rules even if the visitor is outside the EU, if you and your server are totally outside the EU then you do not need to observe the rules even if the visitor is from the EU. The law is applied to the person providing the service not to the end user. If you or your data controller is in the UK and your server is outside the UK then you need to seek permission to keep your data outside the UK under the data protection act.
That is just my impression from reading the various laws and guidelines, but I can not offer a legal opinion. It would therefore seem that using an IP locator is irrelevant and just slowing things down.

Quote from: Thantos on May 03, 2012, 11:14:34 AM
Plus there is the issue of a UK citizen traveling outside of the EU, can you serve them a cookie without violating the law?

this... regardless of how accurate the geo service might be...

If you are going to knuckle under for them, then why do it half-way?

Quote from: JohnS on May 04, 2012, 12:20:47 PM
It is my impression that if your server or your data controller is in the EU then you need to observe the rules even if the visitor is outside the EU, if you and your server are totally outside the EU then you do not need to observe the rules even if the visitor is from the EU. The law is applied to the person providing the service not to the end user. If you or your data controller is in the UK and your server is outside the UK then you need to seek permission to keep your data outside the UK under the data protection act.
That is just my impression from reading the various laws and guidelines, but I can not offer a legal opinion. It would therefore seem that using an IP locator is irrelevant and just slowing things down.

A Forum need only register under the Data Protection Act if it is storing personal information about an individual or information that could directly identify him. The only information routinely stored by Forums about members is:

[A] Their user name
Their email address
[C] Their IP Address

None of those are protected and even if a member were to register with their real name as their user name, that data would still not be covered by the Data Protection Act. Unless Forum Admins choose to store other information about their members - such as PayPal account numbers, their postal address etc. - then they are not required to register under the Data Protection Act and nominate a Data Controller. I too am not a lawyer but the foregoing has been given to me by a lawyer who checked with the Information Commissioner.

As for Geo-Location "just slowing things down", it's a very simple database query that returns one row and performed in less than 2 milliseconds on my server and it's only done at most once per user session. If it were using an external service, then there could be a slight delay I agree.