Tuesday, 29 January 2013

Cookie law

I blogged at the time about how stupid the legislation on browser cookies was.

Basically, the issue is, people started to notice targeted adverts. I have seen this myself. If I visit several camera web sites then all the adverts on other web sites start to be for cameras.

People feel somehow aggrieved that "they" (the advertisers) know something about them, and what they like or dislike, and this is "personal".

So, you have to wonder if this is something that should be regulated and, given that the way it works crosses international borders, how it could even be regulated. Should profiling people in some way be illegal?

I don't know the answer to that, but the knee-jerk reaction was a cookie law, outlawing the sending of information to a browser that is later sent back to something on the internet. The problem with such a law is that it actually covers normal browser links and a lot of general and needed headers, as well as cookies, so it is an unworkable law that undermines the whole way that browsers work. It is also the case that, by the time the law came in, browsers had more sensible defaults covering the way data was sent back, which helped address the issue and gave users more direct control themselves.

Today I discovered https://panopticlick.eff.org/ which is interesting. It basically looks at standard browser things, like version number, operating system, plug-ins, and so on.

Using things like this one can create a unique fingerprint of a user with some ease. It is not foolproof, but more than adequate for the likes of advert targeting.

It works by using information that is provided by the browser, which is not information sent to it in the first place, so quite simply not covered by the cookie law at all.
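To make the point concrete, here is an added example (not from the original post or from the EFF) that scores how identifying a set of browser-supplied attributes is within a small visitor population. The attribute names, the eight visitor records and the scoring in bits are all constructed assumptions for illustration.

```javascript
// Added illustration; the visitor records below are constructed sample data.
// Every attribute is something the browser volunteers; nothing is stored on it.
const ATTRS = ["userAgent", "platform", "plugins", "timezone", "screen"];

const row = (userAgent, platform, plugins, timezone, screen) =>
  ({ userAgent, platform, plugins, timezone, screen });

const visitors = [
  row("Firefox/18", "Win32", "Flash,Java", 0, "1920x1080"),
  row("Firefox/18", "Win32", "Flash", 0, "1920x1080"),
  row("Chrome/24", "Win32", "Flash", 0, "1366x768"),
  row("Chrome/24", "Win32", "Flash", 0, "1366x768"),
  row("Chrome/24", "MacIntel", "Flash,QuickTime", 0, "1440x900"),
  row("Safari/6", "MacIntel", "QuickTime", -300, "1440x900"),
  row("IE/9", "Win32", "Flash,Java", 60, "1366x768"),
  row("Firefox/18", "Linux x86_64", "Flash", 0, "1920x1080"),
];

// The "fingerprint" is simply the attribute values taken together.
function fingerprint(v) {
  return ATTRS.map((a) => String(v[a])).join("|");
}

// How identifying is `target` within `population`? (target must be a member.)
// bits = log2(population size / number of visitors sharing the same value).
function identifiability(population, target) {
  const n = population.length;
  const perAttribute = {};
  for (const a of ATTRS) {
    const sharedBy = population.filter((v) => v[a] === target[a]).length;
    perAttribute[a] = { sharedBy, bits: Math.log2(n / sharedBy) };
  }
  const fp = fingerprint(target);
  const anonymitySet = population.filter((v) => fingerprint(v) === fp).length;
  return {
    perAttribute,
    anonymitySet, // how many visitors look exactly like the target
    bits: Math.log2(n / anonymitySet),
    unique: anonymitySet === 1,
  };
}

// No single attribute singles out the first visitor, but the combination does.
console.log(identifiability(visitors, visitors[0]));
```

The per-attribute figures show which value narrows the crowd most (here the plug-in list), which is the one a user would want to make less distinctive.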

As targeted adverts were not outlawed in the first place, advertisers can meet the cookie law completely, and maintain targeted adverts, and bypass user controls of cookies. Indeed, one can argue that such changes are a result of things like the cookie legislation - making it harder for people to stop targeted adverts than before the law.

So the law is worse than useless in that respect, as well as now plaguing us all with cookie policy pop-ups on web sites and driving everyone mad with that as well as targeted adverts.

Why can't people think a bit more before making stupid laws, please.

Also, as it is clear that this law is pointless - is there not a simple means to revoke it? I wonder if laws like this (and perhaps all laws) should have an automatic expiry date built in to the law at the start - requiring positive review and evidence before it can be extended. That would get rid of a lot of pointless and out of date laws from the statute books.


  1. Have used it on a few of my machines. Just used it now and I'm still unique. Just shows that they will track you, cookie or not, and shows how silly the law is.

  2. I reckon all new laws should require proper evidence of their efficacy both before they're introduced and then regularly during their lifetime. Some people are making this sort of argument publicly: http://www.badscience.net/category/evidence-based-policy/

    Sadly most law originates outside the UK nowadays, so we're stuffed, really, unless we can persuade them over there. I don't think 'less law' is going to get much traction in Brussels.