Wednesday, 9 March 2011

More bad law (cookies)

The legislation on cookies on web pages is crazy.

The only real problem I am aware of seems to be advertisers profiling web page accesses to target adverts at people. I don't like it myself but can't pin down why more appropriate adverts on sites I visit is in fact bad. Even so many people really don't like it. I respect that. Making it a law is crazy though as it does not help.

The law at present is silly, but says if users can opt out it is fine. The change happening shortly is to say people have to opt in, unless strictly necessary for a service the user has request (e.g. shopping baskets and on-line banking, etc).

Sadly it applies to anyone using a communications system to store information in end users terminal equipment.

For a start a web server does not store anything- it sends a response to a request. The browser is what stores the information. It does not have to store cookies. The end users can set it not to in the settings. This is in itself proof that the server is not storing information. If the server was storing the information then the server would have to be the thing with the option to stop the information being stored. The fact the option is in the browser proves the browser does the storing and it is the end user that controls that. Sadly the ICO think differently and may convince a judge of that too. They seem to thing anyone operating a site is responsible for anything stored as a result, even if that is cookies served from third party sites and sites not in the EU. It means linking in any external resources (images, javascript, css, etc) becomes a legal risk and could mean just linking to other sites becomes a legal risk if the ICO follow on that logic.

Even so, if you consider sending data in response to a request is somehow causing information to be stored, then it must apply to all the information which is stored. That means the cache of the page or image and all the meta data such as last-modified date/time, expiry date/time, and so on. It includes the links in the page served. It includes the fact the browser history is updated. All of it. And most of that is definitely not strictly necessary to provide a service the end user has requested. Caches are not strictly necessary and so cache control meta data and last-modification date/times will need expicit consent to be stored. That means consent before the home page asking for consent is served. That is probably impossible.

This may seem overkill - surely we all know that it means cookies? Or at least means stuff that can be retried by the sending server later? Well that would cover Last-Modified as it is sent back in an If-Modified-Since header later and easily has a few billion combinations that could be used to hold a session identifier. Indeed, RFCs recommend browsers send back the exact string from Last-Modified in later If-Modified-Since requests thereby making it exactly like a cookie in operation. The problem is that this is part of normal cache operation and used on virtually every static web resource, so outlawing it would cause real problems, and in some cases costs (bandwidth costs).

But even if we only meant cookies, the law is stupid as cookies are used for a lot of not strictly necessary things which are also quite harmless. Simply tracking visits to a web site rather than number of page hits (very common). They are also used to hold preferences, even those that are there for disability access reasons. And nobody wants horrid pop-ups on every web site. They are often used to make a session track before a user goes to a shopping basket, and this would have to be changed to meet the rules.

If the law was actually enforced, we would see every web site that stayed in the EU having an landing pages "Yes I agree to terms of access to this site" like you get on adult web sites already. Even then, that may not meet the law as the page would go in the browser history before you agree. In fact the adult web sites (the very ones people do not want tracked) already have this sort of thing, and so you end up with their terms saying you agree to cookies and hence tracking!

If the law is not enforced properly you also have a bad situation. Almost anyone in the UK would be breaking this law. I bet having a facebook page makes you responsible for it in the eyes of the ICO and so probably makes you a criminal if you did not ask for explicit consent to store cookies (and last-modified time, and so on). So you have horrid uncertaintly. The powers that be can find yet another law that anyone they don't like is already breaking. It is not good for society to make everyone a criminal under a number of widely un-enforced laws. It allows a police state. The fact that this law cannot possibly actually tackle the problem it aims to also makes it a bad law.

How can we stop these bad laws?


  1. I am bemused as to what a website is supposed to do if the user chooses "No, don't store any cookies". As far as I an tell in that case the website would have to ask them the cookie question on every single page of the site as they browse around and as long as they keep saying no it would have to keep asking them.

    Why would it have to do that ? Because you wouldn't be able to set a cookie to indicate the user had opted out of cookies !

  2. I'm both conflicted and concerned by the new law, which does indeed seem unworkable. On we need cookies to help see how our website is being used (standard visitor tracking) and to keep people logged-in between several systems.

    On some of these things we can consider the "login" process to be part of consent, but how on earth we deal with the other stuff I do not know. Luckily the UK is useless at enforcement in this field.

    I'm a privacy advocate myself and so can understand the problem, but the new law is far too general.

  3. "For a start a web server does not store anything"

    HTML5 allows for local storage in a database - just sayin'

  4. Re: Fuzzycat

    While HTML5 does allow local storage, once again that is the *browser* responding to the HTML and storing stuff, the web server itself is merely serving the data requested by the client, it is up to the browser what it does with it...

  5. OK, all day I have been unable to reply to my own blog posts, and the main page did not believe I was signed in.

    Why? Because I turned off "accept third party cookies" in firefox this morning.

    Just goes to show how much cookies, and even "third party cookies" are essential to normal web use. Forcing consent pop-ups will be a nightmare.

  6. Following up on your point about caches, what happens in corporate environments where web pages are routinely cached? Can a user opt out of local caching but permit cookies from an external site? If not, can I get the ICO to have a go at my employer?

    IMHO politicians and technology don't mix.

  7. Following up on your point about caches, what happens in corporate environments where web pages are routinely cached? Can a user opt out of local caching but permit cookies from an external site? If not, can I get the ICO to have a go at my employer?

    IMHO politicians and technology don't mix.

  8. I have checked. I have ten, yes *TEN* cookies from

    I can confirm a specific tangible cost because that site has set
    cookies. It means a few extra bytes of upload when I access the site.
    That has a cost. It may be 0.00001p but it is a cost and I can work it
    out an justify it and quantify it.

    That means the day this law comes in I can issue a county court claim
    for those damages (rounded up to nearest whole penny, so 1p) plus court
    fees, against the site operators of I should add
    some charge for getting a 3rd party (my ISP) to packet dump and confirm
    the presence of the cookie perhaps.

    That is proper cookies from the site requested so no grey areas. Not the
    many other information stored but cookies. The very thing the
    legislation aims to tackle. And a usage which asked for no consent from me.

  9. The whole thing is insane. Like may new new laws if taken literally it will end up being a huge pain for legitimate EU websites and will be completely ignored by those who wish to ignore it. Or they'll just host their website in the USA or china and bypass the issue entirely.

    It's bizare that so much attention is paid to cookies which 99% of the time are used for legitimate uses, and they do nothing about the much bigger abuses that exist

  10. Utterly agree with what has been said. We only use third party cookies to track where visitors to our site come from and which pages they visit. These are essential marketing tools that identify what advertising works best for us and which are the most popular pages. Without these, as a small company with a tiny advertising budget, we are put at an even bigger disadvantage against the global companies with far more financial resources. Our third party cookies do not track or store any information that identifies the visitor. So what's the problem?