Thursday, 24 March 2011

The problem is tracking, not cookies. Don't let the UK implement bad EC law

I sense a break in ranks in the UK digital rights movement with the announcement by Alexander Hanff of Privacy International that the UK will be implementing an EC law that prevents any website from using a browser cookie without your consent, and that the government is likely to reject browser settings as an adequate consent mechanism.

Or maybe I'll simply be outcast for daring to suggest that a useful browser feature should not be blamed for a bad practice that happens to use that feature.

So much needs to be written on this that I will start with a brief summary of my main points and update later.  For now, apologies, you'll have to rely on a search engine if you need the background facts.  If you disagree, or I've got anything wrong, get in touch or leave a comment.

Problem 1: how can a website remember that a user does not consent to a cookie being stored on their machine if, in the absence of consent, the website is not allowed to set a cookie?

This isn't a tree-falling-in-the-woods philosophical conundrum, it's a hard technical problem.  You visit a website, it asks "do you consent to me using cookies?".  You click no, the pop-up goes away and you get your first page.  You then click through to a second page on the site.  You get the same pop-up again.  And again, and again.

If a site can't set a cookie without consent, it can't distinguish new visitors from previous visitors who've said no.  It can't rely on the IP address for this, as more than one individual user can share a single IP address.

This is why browser preferences are a good technical solution.  If anything, the EC should have spent the last 8 years working with the tech community on the problem, rather than drafting laws.  If the browser controls were more prominent, and easy to use, it would help.

Maybe as a last resort, laws could force websites to indicate that your current browser setting allows tracking.  But laws should be there as a backstop, see my later points.

UPDATE: courtesy of @nevali I'm reminded of a solution to this: putting session identifiers back into the URL, like we (those of us writing websites prior to universal adoption of cookies by all browsers around 19097) used to do.  This is nasty, brings its own problems, and will require EU websites to use software different to the rest of the world.  See next point.

Problem 2: it's a global market

How do we regulate websites operated from outside the EU?  Block them? I think not - that would need a massive censorship operation!  We can prevent EU companies from using them.  But then that may lead to a cost-overhead for companies operating within the EU that companies outside the EU don't face.

Problem 3: cookies are inherently good

The technical standard describing how cookies work (RFC 2965) is inherently privacy-friendly, and should, if implemented rigorously, prevent tracking of users between different websites.  I'll expand on this later, but essentially cookies can't be set on top-level domains (TLDs).  And cookies are inherited by sub-domains, but not super-domains, meaning subdomains can see cookies set by the parent website, but the parent website can't see the cookies of its children.

The reason tracking has got out of control is that cookies can be manipulated by JavaScript and other scripting languages, meaning a website can embed an element from a 3rd-party domain then utilise scripts to share data between the two domains, allowing tracking across all websites that embed the 3rd-party element.  This is the real problem.
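To make the two halves of this point concrete, here is an added example (my code, not anything from the original post or from a browser vendor): a toy cookie jar that applies the scoping rules just described, and then a walk-through of the third-party case. The `PUBLIC_SUFFIXES` list is a constructed stand-in for the real Public Suffix List browsers use to decide what counts as a top-level name, and the `blockThirdParty` switch is my own illustration of the obvious mitigation, not something the post proposes.

```javascript
// Added example, not code from the original post. A toy cookie jar that
// applies the scoping rules the post describes (no cookies on a public
// suffix / TLD; a parent domain's cookies flow down to subdomains, a
// subdomain's cookies do not flow up), then shows why an embedded
// third-party element defeats that: the same tracker cookie is attached to
// the tracker's request from any site that embeds it.
// Assumption: PUBLIC_SUFFIXES is a constructed stand-in for the real Public
// Suffix List that browsers use to decide what counts as a "top-level" name.

const PUBLIC_SUFFIXES = new Set(["com", "net", "uk", "co.uk"]); // constructed

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(domain.toLowerCase());
}

// host "matches" cookieDomain when it is that domain or a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// The registrable ("site") part of a host: the longest public suffix plus one
// label, e.g. a.b.example.co.uk -> example.co.uk. Returns null for a bare suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (isPublicSuffix(labels.slice(i).join("."))) {
      return i > 0 ? labels.slice(i - 1).join(".") : null;
    }
  }
  return host.toLowerCase(); // no known suffix (e.g. "localhost"): its own site
}

function sameSite(hostA, hostB) {
  return registrableDomain(hostA) === registrableDomain(hostB);
}

class CookieJar {
  constructor({ blockThirdParty = false } = {}) {
    this.cookies = []; // { name, value, domain }
    this.blockThirdParty = blockThirdParty;
  }

  // `host` tries to store a cookie scoped to `domain` (default: host itself).
  // Rejected when domain is a public suffix, or when host is not inside domain
  // (so evil.example cannot plant a cookie for example.com).
  setCookie(host, name, value, domain = host) {
    if (isPublicSuffix(domain) || !domainMatches(host, domain)) return false;
    this.cookies = this.cookies.filter(c => !(c.name === name && c.domain === domain.toLowerCase()));
    this.cookies.push({ name, value, domain: domain.toLowerCase() });
    return true;
  }

  // Cookies attached to a request for `host` made while the top-level page is
  // on `topLevelHost`. A request to a different site is "third party"; for
  // brevity the block is applied on the send path only (a browser would also
  // refuse to store cookies in that context).
  cookiesFor(host, topLevelHost = host) {
    if (this.blockThirdParty && !sameSite(host, topLevelHost)) return [];
    return this.cookies.filter(c => domainMatches(host, c.domain));
  }
}

// Scoping walk-through: parent -> child inherits, child -> parent does not.
function scopingDemo() {
  const jar = new CookieJar();
  const results = {
    tldRejected: jar.setCookie("www.example.com", "x", "1", "com") === false,
    foreignRejected: jar.setCookie("evil.example", "x", "1", "example.com") === false,
    parentSet: jar.setCookie("example.com", "site", "parent", "example.com"),
    childSet: jar.setCookie("shop.example.com", "basket", "child"),
  };
  results.childSeesParent = jar.cookiesFor("shop.example.com").some(c => c.name === "site");
  results.parentSeesChild = jar.cookiesFor("example.com").some(c => c.name === "basket");
  return results;
}

// Tracking walk-through: tracker.net's pixel is embedded on two unrelated
// sites. Returns the tracker cookie value visible on the second site, or null.
function trackingDemo(blockThirdParty) {
  const jar = new CookieJar({ blockThirdParty });
  // First visit: site-a.com embeds tracker.net/pixel; the tracker sets an id.
  jar.setCookie("tracker.net", "uid", "42");
  // Second visit: site-b.com embeds the same pixel. What does the tracker see?
  const seen = jar.cookiesFor("tracker.net", "site-b.com").find(c => c.name === "uid");
  return seen ? seen.value : null;
}

console.log(scopingDemo());
console.log("tracker sees on site-b:", trackingDemo(false),
            "| with third-party cookies blocked:", trackingDemo(true));
```

Run it with `node` and the first line shows the per-domain rules holding exactly as the post says (the TLD and the cross-domain set are refused, the shop subdomain sees the parent's cookie, the parent does not see the shop's). The second line is the point of Problem 3: nothing in the domain rules is violated, yet `tracker.net` gets the same `uid` back whichever site embedded its element; only a policy about third-party context, not the scoping rules themselves, stops that.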

Problem 4: the EC should be harmonising laws, not creating new laws

The EC usually gets involved when laws need to be harmonised amongst member states, and in this case the EC law usually reflects a middle-ground between member states.  This directive has somehow crept in, probably because measures are introduced in massive packages that make debate even harder, on what is already a complex subject.

The cookie law is a new law that no other member state currently has.  Action from the EU to address the massive implications of data gathering on an industrial scale is admirable, but this particular law is daft.


1 comment:

  1. Re. Problem 1: The directive says that you don't need to get consent if the cookie enables a service specifically requested by the user. There is no requirement to block all the cookies, only the ones that don't fall into the above exception. You could argue strongly that using a cookie to remember the user's preference is enabling a service he is specifically requesting.