New European Cookie Laws

Started by Insight, March 08, 2011, 07:54:46 AM


CircleDock

Unfortunately, the visitor's session cookie is still being set when the site is entered - and there being no cookies for the site beforehand.

Quote from: emanuele on April 21, 2012, 11:29:12 AM

The ICO guide says:
Quote
There is an exception to the requirement to provide information about cookies and obtain consent where to use the cookie is:
(a) for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user
As far as I can understand the acts of register and/or log-in are requests made by the user to access an information (society) service, so they belong to the exception. So I would consider them as implicit approval (also because registering and/or logging-in the users already gives you explicit permission to send them information: it's the user that is requesting the log-in and/or the registration to access your service (i.e. the forum), it's not you that subscribe them without notice).

You may be right, in which case those actions may be allowable. However, I was able to carry out other actions including "Calendar", "Media", "Search" etc. I was also able to read forum messages - which definitely should not have been permitted. That's probably because there was a valid PHPSESSID cookie set, as noted above.

emanuele

To not transform this topic into a support topic for this "mod", I'll post it later in the SMF Coding Discussion board.


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

feline

For compatibility with SEF mods you should change this:

$context['ecl_accept_cookies'] = $_SERVER['REQUEST_URL'] . (strpos($_SERVER['REQUEST_URL'], '?') !== false ? ';' : '?') . 'cookieaccept';


to:

$context['ecl_accept_cookies'] = $scripturl .'?'. http_build_query(array_merge($_GET, array('cookieaccept' => '')));
call_integration_hook('integrate_fix_url', array(&$context['ecl_accept_cookies']));


Same for the other links in the template ...

feline

One more problem if any SEF enabled ..
change the setcookie to

setcookie('ecl_auth', 1, 0, '/');
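
Why the explicit '/' path matters under SEF URLs, as an added example that is not part of the original post or the mod's code: when setcookie() omits the path, the browser falls back to the RFC 6265 default-path, which is the directory of the request URL. The SEF paths below are constructed for illustration.

```javascript
// RFC 6265 section 5.1.4: default-path used when Set-Cookie carries no Path attribute.
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 section 5.1.4: does a request path fall under a cookie's path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Which later requests carry a cookie that was set while serving `setOn`?
// explicitPath = null models setcookie() called without a path argument.
function cookieSentOn(setOn, explicitPath, laterRequests) {
  const cookiePath = explicitPath || defaultPath(setOn);
  return laterRequests.filter((p) => pathMatches(p, cookiePath));
}

// Constructed sample paths (hypothetical SEF layout, not taken from any mod).
const sefAcceptUrl = '/forum/general-discussion/welcome-topic/';
const laterRequests = [
  '/forum/general-discussion/welcome-topic/msg12/',
  '/forum/general-discussion/',
  '/forum/help-board/another-topic/',
  '/forum/index.php',
];

// Consent cookie set on a SEF page without a path: scoped to that topic only,
// so the consent banner would reappear on every other board and topic.
console.log('no path, SEF page:', cookieSentOn(sefAcceptUrl, null, laterRequests));

// Same cookie with path '/': sent on every request to the site.
console.log("path '/':", cookieSentOn(sefAcceptUrl, '/', laterRequests));

// Without SEF everything goes through /forum/index.php, so the default-path
// is '/forum' and the missing path argument goes unnoticed.
console.log('no path, index.php:', cookieSentOn('/forum/index.php', null, laterRequests));
```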

emanuele

Thanks feline, I'll add your suggestions! :)



feline

Thanks emanuele ..
Also the links in the langfile (Modifications.xxx.php) like login/register/privacynotice don't work on SEF without fixurl ...
I think, it's better to put out these with sprintf(...)

Kindred

You know...   as long as people bend over and accept this sort of crap from politicians et al, it's going to continue and get worse.

It would be much better, in my opinion (not reflective of the team or anything else) for everyone to ignore the law and, when someone tries to apply it - take it to court and prove how idiotic it is. Otherwise, like in the US with our incredibly stupid "homeland security" laws, your rights will just be taken away more and more, with each successive removal pointing to the "success" of the previous one as justification.

Seriously, someone has to stand up and just say "no, you are being stupid"
(and on that note, I refuse to implement any such idiocy on any of my sites, in the US, Canada or the EU)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

emanuele

Quote from: Kindred on April 21, 2012, 03:18:32 PM
It would be much better, in my opinion (not reflective of the team or anything else) for everyone to ignore the law
That's what we usually do in Italy...I guarantee you that it doesn't work... lol
(don't tell anyone, I'm not going to apply the mod on my forum! :P)

Quote from: Kindred on April 21, 2012, 03:18:32 PM
Seriously, someone has to stand up and just say "no, you are being stupid"
(and on that note, I refuse to implement any such idiocy on any of my sites, in the US, Canada or the EU)
The idea of the law is not so bad... the idea.



snagz

Hi guys,
just a quick observation on this one with regards to an initial cookie being set before the user's consent is sought.
The ICO do it themselves!!!!, they set a session cookie, named "ico62#sc_wede" the minute you hit their web page, that's before you hit the optin banner at the top for any other cookies they might want to throw at you.
Our forums are doing exactly the same as them with our own PHPSESSID
This whole cookie law thing becomes a minefield once you start looking into it,
When it came in last year I was confused so I thought I'd sit on it for a while and see what other cleverer peeps are doing about it, then try to copy what they are doing before the year's grace period is up.
Sadly, we've about a month to go and I've not seen much headway anywhere, even the 'big boys' like google and ebay don't appear to have implemented anything.
I started off confused and a year later am just as confused.

JohnS

I have not seen that cookie on the ICO site, but once you agree to cookies they set ICOCookiesAccepted which is very persistent, IE9 can not delete it even using the clear cookies options. So there seems to be no way to opt out once you have opted in unless you go looking for the cookie.
I wonder if they are doing different things based on your location. The only other cookies I see set are the _ut.. ones for Google Analytics.

emanuele

Quote from: snagz on April 21, 2012, 04:05:02 PM
The ICO do it themselves!!!!, they set a session cookie, named "ico62#sc_wede" the minute you hit their web page,
Quote from: http://www.ico.gov.uk/Global/privacy_statement.aspx
Content Management System cookie: ico62#sc_wede
This cookie is set by our content management system on a small number of browsers, upon arrival to the ICO site. It is not used by the ICO for any purpose. This cookie is deleted when a user closes their browser.
The supplier of our content management system (the software we use to update our website) is working to remove this cookie from their product.

Quote from: snagz on April 21, 2012, 04:05:02 PM
Sadly, we've about a month to go and I've not seen much headway anywhere, even the 'big boys' like google and ebay don't appear to have implemented anything.
That's strange to me too...

@JohnS the ico62#sc_wede is not set for all the browsers.
I did have any problem in deleting the cookies including the "accept".



snagz

Quote from: JohnS on April 21, 2012, 04:12:32 PM
I have not seen that cookie on the ICO site, but once you agree to cookies they set ICOCookiesAccepted which is very persistent, IE9 can not delete it even using the clear cookies options. So there seems to be no way to opt out once you have opted in unless you go looking for the cookie.
I wonder if they are doing different things based on your location. The only other cookies I see set are the _ut.. ones for Google Analytics.
I found it straight away with this:  http://www.stratagia.co.uk/services/ict/share/cookie-tool/  which I've been checking my own sites with.
Reading through all the blurb, I think the most important thing is to have somewhere on your site a reference to the cookies you use, what they do and possibly a reference to the cookie law itself to show users that you're at least 'making the effort' to comply with what is a very confusing law.

emanuele

@snagz did you read my answer? (In short they know about this cookie and they are working to remove it)

I posted the mod here: http://www.simplemachines.org/community/index.php?topic=474727.0



snagz

Quote from: emanuele on April 21, 2012, 04:42:51 PM
@snagz did you read my answer? (In short they know about this cookie and they are working to remove it)

I posted the mod here: http://www.simplemachines.org/community/index.php?topic=474727.0
Ooops.  thanks for that Emanuele, my bad for only 'part reading'  Seems a bit strange to me though, that they are the ones enforcing the law but are having problems adhering to it themselves...** they are working towards removing it**  you would think if they wanted all of us to comply they would know how to themselves BEFORE making it law.
I think I'm still gonna stick with my wait and see what everyone else does first plan then copy it.
even if it means putting a new front page opt-in on each of my sites come May 26th.

emanuele

They still have a month to comply! :P



Norv

Heh. My irony meter is way, way off the scale.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.


emanuele

Quote from: emanuele on April 21, 2012, 03:32:28 PM
(don't tell anyone, I'm not going to apply the mod on my forum! :P)



busterone

I hate to sound crass, but I am in complete agreement with Kindred.  I think it is an absolute stupid law passed by stupid politicians who have no clue whatsoever.  I will do absolutely nothing on my sites. I am hosted in the US and took a stand against SOPA and PIPA, and all the other absolutely stupid proposals that will affect me here. I certainly will not bow to the EU idiocy.

CircleDock

Quote from: Kindred on April 21, 2012, 03:18:32 PM
You know...   as long as people bend over and accept this sort of crap from politicians et al, it's going to continue and get worse.

It would be much better, in my opinion (not reflective of the team or anything else) for everyone to ignore the law and, when someone tries to apply it - take it to court and prove how idiotic it is. Otherwise, like in the US with our incredibly stupid "homeland security" laws, your rights will just be taken away more and more, with each successive removal pointing to the "success" of the previous one as justification.

Seriously, someone has to stand up and just say "no, you are being stupid"
(and on that note, I refuse to implement any such idiocy on any of my sites, in the US, Canada or the EU)
There are a few things you should understand about the EU and EU Directives. Directives are "laws" devised and brought into law by unelected officials known as Commissioners. The toothless-tiger that is the European Parliament almost never modifies or refuses to pass Directives. EU member nations are required, by virtue of their Treaty of Accession, to enact them so they come into national law. This particular Directive was, I believe, introduced by a Danish Commissioner who comes from a country where privacy issues are taken very seriously.

And in fact it's not such a bad law as it seeks to restore and bolster personal privacy. So I'm not clear why you are railing against it when you say "Otherwise, like in the US with our incredibly stupid "homeland security" laws, your rights will just be taken away more and more, with each successive removal pointing to the "success" of the previous one as justification." Seems like a contradiction - or maybe you don't/didn't understand the purpose of the legislation.

As for suggesting that we ignore the law I will say this. You can ignore it if you wish and if you have any web sites hosted on European servers then I hope you have very deep pockets; the fine for non-compliance is a stiff $750,000. You should also be aware that the EU has had discussions with other major economies on this very topic in order to harmonise this issue globally and, apparently, the US, Australia, New Zealand (among others) will be introducing very similar legislation.

CircleDock

Quote from: busterone on April 21, 2012, 07:03:34 PM
I hate to sound crass, but I am in complete agreement with Kindred.  I think it is an absolute stupid law passed by stupid politicians who have no clue whatsoever.  I will do absolutely nothing on my sites. I am hosted in the US and took a stand against SOPA and PIPA, and all the other absolutely stupid proposals that will affect me here. I certainly will not bow to the EU idiocy.
Excuse me but without intending to sound equally crass, why are you even commenting about an issue that clearly doesn't affect you at all ... for now? It is an issue that affects site owners hosting within the EU and those with visitors from within the EU.
