New European Cookie Laws

Started by Insight, March 08, 2011, 07:54:46 AM


Kindred

Oh, I understand the purpose - and I disagree with it (and no, I do not agree with the statement that it was intended to "restore and bolster personal privacy") However, in addition, the implementation was so incredibly stupid that the purpose has nothing to do with it any more.

As for deep pockets....   lol. That is my whole point. None of us could pay that...  So, they can fine me all they want, they won't get one red cent - because I don't have it in the first place. If they did, though, I would challenge it (which, IMO, is what people should be doing instead of caving...   and I'll bet that the first company, like Google that they try to hit will be all over them in the courts)
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

feline

If this Regulation enters into force (and will), SMF is not applicable as a forum system in the EU.
So here SMF should make a change.

CircleDock

Quote from: Kindred on April 22, 2012, 06:29:36 AM
Oh, I understand the purpose - and I disagree with it (and no, I do not agree with the statement that it was intended to "restore and bolster personal privacy") However, in addition, the implementation was so incredibly stupid that the purpose has nothing to do with it any more.

As for deep pockets....   lol. That is my whole point. None of us could pay that...  So, they can fine me all they want, they won't get one red cent - because I don't have it in the first place. If they did, though, I would challenge it (which, IMO, is what people should be doing instead of caving...   and I'll bet that the first company, like Google that they try to hit will be all over them in the courts)

This law is designed to curb the power of companies like Google, Facebook and others who routinely track users and make use of that information either directly themselves or by selling it to third parties such as advertising companies. And as a Forum owner, I am surprised that you exhibit such little regard for your members' privacy.

You will probably not thank me for telling you that a similar law is currently being worked on by US lawmakers who are concerned about privacy issues and the power of the big information harvesters. That law will very likely be modeled on the EU's "Privacy and Electronic Communications Regulations" and will, in all likelihood, be co-operative with the EU's. So like it or not, one day quite soon you will have to contend with this issue and I do wonder if you will use such brave words of defiance when that day dawns.

garry383

CircleDock is correct.

This decade the boom is in information. Information about us, belonging to us, that these companies are collecting and profiting from.
Laws aren't meant to be broken, nor bent, squashed and shanghai'd.

CircleDock

Quote from: feline on April 22, 2012, 07:33:02 AM
If this Regulation enters into force (and will), SMF is not applicable as a forum system in the EU.
So here SMF should make a change.
I can happily report that Emanuele's modification is fully working and complies fully with both PECR and UK Law. But there are caveats:

  • If you have SA-Chat installed, you will need to modify its index.php (I have provided details of that in the Topic Emanuele started elsewhere)
  • If you have the Google Analytics modification installed, you will need to make a small edit in subs.php to prevent GA's Javascript being placed on the current page under construction.
  • You will need to check any other modifications you have installed to ensure that they neither make calls to "start_session" or drop Javascript onto the page.
Mark

Robert.

I wanted to implement something in my blog software too. After it was done, I realised that I don't even use cookies. :'D

Kindred

I know that the US is planning something just as stupid -- and I will behave exactly the same toward them as I do toward the idiots in the EU.

Norv

Just to note,
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation. Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).

While I am aware of many things in the web privacy/initiatives/laws areas, I am also unaware of many things in these areas. Any help would be very appreciated, from your personal perspective or understanding, to links that would give precedents (if any), other countries take on the matters or expectations, layman's "translation" of the regulations, lol, whatever you find relevant. :)


Note also that the above UK ICO doc (posted by Tony) clearly does NOT address exactly the issues of Google/Facebook actual tracking of users on the web, inappropriate and unknown use of personal information by them, actual expectations on third party information sharing, examples of misuse, etc, meaning the real issues it's meant (or should be meant) to address. Instead these 'expectations' they claim to have, will create most likely, yet another 'omg you has cookies' turmoil as several years ago, mostly unworkable and unenforceable (I'm still using polite terms :P), and barely touching the real privacy problems of users on the web.
To-do lists are for deferral. The more things you write down the later they're done... until you have 100s of lists of things you don't do.

File a security report | Developers' Blog | Bug Tracker


Also known as Norv on D* | Norv N. on G+ | Norv on Github

busterone

Quote from: CircleDock on April 22, 2012, 04:32:41 AM
Quote from: busterone on April 21, 2012, 07:03:34 PM
I hate to sound crass, but I am in complete agreement with Kindred.  I think it is an absolute stupid law passed by stupid politicians who have no clue whatsoever.  I will do absolutely nothing on my sites. I am hosted in the US and took a stand against SOPA and PIPA, and all the other absolutely stupid proposals that will effect me here. I certainly will not bow to the EU idiocy.
Excuse me but without intending to sound equally crass, why are you even commenting about an issue that clearly doesn't affect you at all ... for now? It is an issue that affects site owners hosting within the EU and those with visitors from within the EU.
Because at least one third of my members are from Europe.  Happy?

emanuele

#109
Quote from: N. N. on April 22, 2012, 12:01:14 PM
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation.
As far as I can understand the ICO is implementing the European Directive 2002/58/EC (see also this "explanation" and the two amending acts that introduce a few variations, I'm not sure about the entity).

BTW, apparently there is also a brand new (January) draft for an European Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (I still have to read it, it's loooong!! :P)
Probably in the long term we will have to deal with that more than national implementations.

Quote from: N. N. on April 22, 2012, 12:01:14 PM
Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).
Even if it is different, admins in the UK would have to comply with it. I think.
Of course I'm not saying a software should comply with all the laws of all the Countries of the world. But SMF haz mods! :P


Take a peek at what I'm doing! ;D

Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

Roph

#110
Ugh, please stop helping CircleDock perpetuate this ridiculousness?

As an EU resident running multiple sites hosted or in other ways based in the EU, I, along with any other admin out there with at least half a brain cell, will proudly be doing absolutely nothing about this silliness. I view this law in the same light as those archaic laws forbidding passage for bees over certain towns. Completely ridiculous, pointless, and irrelevant.

As somebody who browses the web, I give sites permission to store, set and read their cookies because I have my web browser configured for it. By configuring my web browser to let sites set cookies, I am giving consent. I am opting in.

Don't want facebook tracking you? Install facebook disconnect. Don't want cookies? Disable cookies. It's built into every modern browser.

http://www.youtube.com/watch?v=arWJA0jVPAc

CircleDock

Quote from: N. N. on April 22, 2012, 12:01:14 PM
Just to note,
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation. Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).

While I am aware of many things in the web privacy/initiatives/laws areas, I am also unaware of many things in these areas. Any help would be very appreciated, from your personal perspective or understanding, to links that would give precedents (if any), other countries take on the matters or expectations, layman's "translation" of the regulations, lol, whatever you find relevant. :)


Note also that the above UK ICO doc (posted by Tony) clearly does NOT address exactly the issues of Google/Facebook actual tracking of users on the web, inappropriate and unknown use of personal information by them, actual expectations on third party information sharing, examples of misuse, etc, meaning the real issues it's meant (or should be meant) to address. Instead these 'expectations' they claim to have, will create most likely, yet another 'omg you has cookies' turmoil as several years ago, mostly unworkable and unenforceable (I'm still using polite terms :P), and barely touching the real privacy problems of users on the web.
I understand your difficulty.

What's important to understand is that the EU Directive being talked about ("Privacy and Electronic Communications Regulations" or PECR) is of itself not law. The Directives contain guidelines and minimum criteria for legislation in member states and it is up to each EU member state to implement laws that at least meet the minimum criteria, but they are free to make them more rigid.

Here's an example of what I mean. The applicable law in the UK only requires a single "opt-in" (and it must be an "opt-in") to allow all cookies a web site wants to set, to be set. Those advising our Parliamentarians thought that was the best option as it's reasonably easy for web site owners to implement and isn't unduly taxing on visitors and yet still affords them a degree of privacy protection. But other countries may take a different view and may require that separate "opt-ins" be obtained for each and every cookie - in other words, visitors can select those they will accept (eg SMF's) but refuse other cookies - such as Google Analytics'.

Unfortunately (for you) only 3 EU nations have so far passed the necessary legislation to uphold their treaty commitments to implement this Directive: Denmark, Latvia and the UK. Denmark is well-known to be somewhat paranoid about personal privacy in general so it is quite likely that their cookie acceptance requirements may be stricter than the UK's.

Just to add to the confusion, there is currently no guidance coming from the UK Information Commissioner concerning the requirements that UK-hosted sites must meet in order to comply with the requirements elsewhere in the EU for visitors from the EU to UK-hosted sites. If (say) Poland requires a separate "opt-in" for every cookie and a Polish user lands on a UK-hosted site where he is asked to accept all cookies as a "one-time deal", would that user have a legitimate complaint against the UK-hosted site? The current advice - which is subject to change - is that provided the UK-hosted site meets the requirements under UK law, then that is sufficient.

You should also bear in mind that similar legislation is likely to be passed in other territories, including the US, so that there is a degree of harmonization with regard to personal information and privacy. However the onus isn't just on yourselves as providers of Forum software, the browser companies have to get their house in order too because too many are not removing session cookies, or deleting expired cookies, when browser sessions are closed. And this they must do to comply with PECR.

My advice would be to plan for the worst case scenario which is that every cookie must be accepted every time someone visits a site. Now that's an extreme, I agree, and possibly will never be required in practice. Far more likely is either the UK-type scenario with a single "opt-in" for all cookies or individual "opt-ins" so that visitors can choose which cookies they accept and reject others. An Integration Hook could be provided so that Mod developers who need to set cookies - or whose mods do so - can do this through core functionality which would check to see if the user has accepted cookies in accordance with national requirements.

One of the big concerns from a UK standpoint is that, so far, no UK-hosted Forum owner has yet been investigated or prosecuted under the Data Protection Act - which governs the storage and use of personal information held by web site owners - it might look for DPA violations if "Cookie Law" violations are reported. Certain items of data are currently exempted such as a member's user name and his email address but in the case of the storage of IP Addresses, it's not quite so clear cut as that could pin-point the user geographically. And certainly the retention of personal information that a member voluntarily supplies to a Forum is covered by the Data Protection Act and whilst a member can edit or remove that information during his membership, he is prevented from doing so if he receives a ban and thus a violation occurs unless that site owner has registered as a Data Controller (and very few, if any, have because of the extra work and cost involved). I mentioned this from a UK standpoint but my remarks may hold good for other territories including the US which does, I believe, have similar regulations.

I hope this helps and hasn't confused you further!

live627

Quote
Don't want cookies? Disable cookies. It's built into every modern browser.
And that's what the legislatures don't get. Site admins shouldn't have to worry about it.

busterone

Quote from: Roph on April 22, 2012, 01:28:24 PM
Ugh, please stop helping CircleDock perpetuate this ridiculousness?

As an EU resident running multiple sites hosted or in other ways based in the EU, I, along with any other admin out there with at least half a brain cell, will proudly be doing absolutely nothing about this silliness. I view this law in the same light as those archaic laws forbidding passage for bees over certain towns. Completely ridiculous, pointless, and irrelevant.

As somebody who browses the web, I give sites permission to store, set and read their cookies because I have my web browser configured for it. By configuring my web browser to let sites set cookies, I am giving consent. I am opting in.

Don't want facebook tracking you? Install facebook disconnect. Don't want cookies? Disable cookies. It's built into every modern browser.

http://www.youtube.com/watch?v=arWJA0jVPAc
Well said. Don't want a cookie, simply turn them off in their browser.

CircleDock

Quote from: emanuele on April 22, 2012, 01:01:36 PM
Quote from: N. N. on April 22, 2012, 12:01:14 PM
I would really appreciate if someone who has researched or has legal knowledge, could indicate or otherwise help us understand as best as possible the EU regulation.
As far as I can understand the ICO is implementing the European Directive 2002/58/EC (see also this "explanation").

BTW, apparently there is also a brand new (January) draft for an European Regulation: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf (I still have to read it, it's loooong!! :P)
Probably in the long term we will have to deal with that more than national implementations.
No, the "Cookie Laws" come from a 2009 or 2010 Directive and were passed into law by the UK Parliament last May (2011). What you have found is the proposal for even tougher data protection legislation which in fact the UK already has (Data Protection Act) but that Act may require some amendments if the new EU Proposals become a Directive.

Quote
Quote from: N. N. on April 22, 2012, 12:01:14 PM
Note that I'm not referring to ICO/UK implementation thingie, which is... huh, different. (I hope!).
Even if it is different, admins in the UK would have to comply with it. I think.
It's not just UK-hosted sites that must comply - it's UK owned and registered sites regardless of where they are hosted. If the Domain name is registered in, or to someone (or entity) in the UK, that Domain must comply with the law even if the site is hosted elsewhere.

emanuele

#115
Quote from: CircleDock on April 22, 2012, 01:56:26 PM
No, the "Cookie Laws" come from a 2009 or 2010 Directive and were passed into law by the UK Parliament last May (2011).
In the "explanation" link I posted is mentioned the 2009/136 that amends few articles and introduces others.
Do you have any number for the "2010"?

Quote from: CircleDock on April 22, 2012, 01:56:26 PM
What you have found is the proposal for even tougher data protection legislation which in fact the UK already has (Data Protection Act) but that Act may require some amendments if the new EU Proposals become a Directive.
ETA: the other thing I found will not become a Directive it will become a Regulation, so national laws will be irrelevant.

Quote from: CircleDock on April 22, 2012, 01:56:26 PM
Quote
admins in the UK would have to comply with it. I think.
It's not just UK-hosted sites that must comply - it's UK owned and registered sites regardless of where they are hosted. If the Domain name is registered in, or to someone (or entity) in the UK, that Domain must comply with the law even if the site is hosted elsewhere.
I wrote "admins in the UK", not "sites hosted in the UK". ;)



Tony Reid

I'd like to thank the SMF team for taking this on - it's very much appreciated.

I've not tried any of the mods - but just a thought (and I apologise if this has already been taken care of) , but the language string for 'Always stay logged in:' should be adjusted to remind the user that this will place a permanent cookie. Maybe something like '(This sets a cookie)' and a link to the privacy policy.

It's $txt['always_logged_in'] and it resides in themes/default/languages/index.english.php

For those manually editing who do not normally jump into code - please do not use apostrophes in the language string unless you prefix them with a \

For example : 'You\'ve got a Privacy Policy' rather than 'You've got a Privacy Policy'

I'd also suggest removing the quick login functionality as this uses a dropdown to save the cookie setting - with the login option in the menu it's not really needed anyway.

Tony Reid

Norv

Just to be clear on some of the questions, here and in the other topics on SMF's sessions - in short. It is essential for SMF forums to start the session as soon as possible (meaning set PHPSESSID one way or the other). It's out of the question to make something like this optional. According to the wording of this law/directive, even, it's strictly necessary, so it doesn't pose problems.

And on the funny side, you may wish to take a look at the European Data Protection Supervisor site.  *angel eyes*
http://www.edps.europa.eu/EDPSWEB/edps/EDPS
I'd suggest ICO to... recommend them compliance. :D

CircleDock

Quote from: N. N. on April 23, 2012, 01:09:38 PM
Just to be clear on some of the questions, here and in the other topics on SMF's sessions - in short. It is essential for SMF forums to start the session as soon as possible (meaning set PHPSESSID one way or the other). It's out of the question to make something like this optional. According to the wording of this law/directive, even, it's strictly necessary, so it doesn't pose problems.
I think we all understand that SMF's session cookie is necessary but that's not the point. It can not and must not be set unless and until the visitor agrees to cookies being set.

If you go to the ICO's web site, you will be able to navigate that site even if you do not accept that site's cookies and I have the horrible feeling that this may well be necessary in SMF. Possibly this could be overcome by adding the session ID to the URL as has previously been done? Yes, I agree it's ugly, possibly creates other problems and challenges, and may well not be Search-Engine friendly, however.

As UK-based owners we have to use ICO's web site as the benchmark against which to base our individual implementations.

As it stands, Emanuele's modification coupled with any necessary changes to accommodate SA-Chat and Google Analytics, is working. But there's one very important aspect that's not addressed at all and that relates to shared computers.
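Added example, not SMF's own code nor Emanuele's modification: a consent-checking core function of the kind proposed above, with the session cookie treated as strictly necessary as Norv describes. The helper names and the consent cookie name are assumptions.

```php
<?php
// Added example (not SMF's own code): a consent gate of the kind the thread
// suggests as an integration hook. Function and cookie names are hypothetical.

const CONSENT_COOKIE = 'cookie_consent';   // hypothetical flag set by a consent banner

// Strictly necessary cookies (SMF's session cookie) are always allowed;
// everything else requires that the visitor has already opted in.
function cookie_allowed(bool $essential, array $cookies): bool
{
    if ($essential) {
        return true;
    }
    return isset($cookies[CONSENT_COOKIE]) && $cookies[CONSENT_COOKIE] === 'all';
}

// Wrapper a mod would call instead of setcookie(). Returns true only when the
// cookie was actually sent; hardening attributes are applied in all cases.
function gated_setcookie(string $name, string $value, int $ttl, bool $essential): bool
{
    if (!cookie_allowed($essential, $_COOKIE)) {
        return false;
    }
    return setcookie($name, $value, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Third-party scripts (the Google Analytics case above) go through the same
// check, so nothing is injected into the page for a visitor who has not consented.
function analytics_snippet(array $cookies): string
{
    if (!cookie_allowed(false, $cookies)) {
        return '';
    }
    return '<script async src="https://www.google-analytics.com/analytics.js"></script>';
}

// Constructed sample requests: a first-time visitor and one who has opted in.
$visitors = [
    'first visit' => [],
    'opted in'    => [CONSENT_COOKIE => 'all'],
];
foreach ($visitors as $label => $cookies) {
    printf("%-12s session:%s  analytics:%s  snippet:%s\n",
        $label,
        cookie_allowed(true, $cookies) ? 'set' : 'blocked',
        cookie_allowed(false, $cookies) ? 'set' : 'blocked',
        analytics_snippet($cookies) === '' ? 'omitted' : 'injected');
}
```

Keeping the session ID in a cookie rather than in the URL (the fallback floated above) also keeps it out of server logs and Referer headers.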

Tony Reid

Looks like the ICO might relax the analytics side... in terms of action at least - I guess this is possibly due to the fact that the UK government's digital advisory committee is saying that the government websites' use of analytics is a necessity and essential.

http://www.out-law.com/en/articles/2012/april/enforcement-of-cookie-consent-rules-for-analytics-not-a-priority-ico-says/
Tony Reid
