CloudFlare To Launch Service For Sites Dealing With Tortuous EU Cookie Law (techcrunch.com)
29 points by spahl on May 25, 2012 | 18 comments



The simple solution is to forbid 3rd party cookies (and while we're at it third party JS as well, which I think is a much bigger problem than 3rd party cookies. I'm sure that will send shudders through the industry). And enforce it at the browser level by default and put up a big fat warning about what the consequences are when you disable it.

That way we don't need to have silly laws that nobody will respect and we can all get on with making stuff work.

Third party JS opens so many cans of worms that I think it would be better if we just forgot about that whole idea, it'll never be secure and it puts too many juicy bits in the wrong hands.


Well, third party javascript makes a lot of people money; how do you propose we get around their buying power?

Also, what would the limits of third party javascript be? Would it be allowed on the domain level so people could still use CDNs and other things easily, such as cdn1.example.com, etc.? If so, it probably could be okay; then people could use CNAME or A records to link to their legitimate third party javascript like analytics and ads, and it could take away a lot of the possibility of malicious third party javascript.

The web, however, would probably have to change a bit, because a lot of websites use third party javascript, depending on your definition of it, such as Google's 1e100 domain and other such CDN measures that aren't necessarily served from a domain record.


This passed in Sweden about a year ago, as required by the EU-directive. What's happened since? Essentially, nothing.

While a few government-related sites show information on cookies and a checkbox for opting in, noting that the site may not work properly otherwise, the average site has made absolutely no changes.

I think this proposal sprang from good intentions, but has been executed poorly. It's likely aimed at reducing tracking-cookies, something which most of us would consider a good thing, but this is clearly not the right way. I know of no person or site that has gotten in legal trouble for not showing this "Cookie-warning" or an opt-in button. It's simply unenforceable.


>I know of no person or site that has gotten in legal trouble for not showing this "Cookie-warning" or an opt-in button. It's simply unenforceable.

Nor should it be. The day this becomes massively enforced (god forbid) is the day that an adblock-esque plugin will be created to bypass all of this idiotic government mandated nonsense. Those options exist in web browsers already.

And it is nonsense. It does nothing to protect users, for one. The average user has no idea what a cookie is, and will either blindly click accept or move on.

For two, it's the government getting their hooks into mandating specific content on the web. Yes yes, slippery slope is a logical fallacy and all that, but when it comes to government expansion of power, it tends to ring true.

For three, it's a pain in the ass. I really do not care what kind of cookies random sites are sending me. If I did care, I'd be running a plugin to deal with it or changing my browser settings accordingly.

Fourth, it's more work for web developers for questionable benefit.

Maybe this is just me being a typical ignorant American, but this kind of nannyism is downright offensive to me.


They may have severely screwed up the implementation but there's very real and very murky tracking going on through ad networks using cookies and any other way they can think of. This is what the legislation was aimed at, but it went totally OTT.

99% of the time, there is no good reason for anyone to know what different sites I visit. Nor does anyone have any reasonable expectation that it is happening to them.

Also why an adblock-esque plugin? That really makes no sense to me. This is about a server not being able to set a cookie without explicit consent, I can't see how a plugin would help.


If you really want to track your users without a cookie you can do that just fine:

https://panopticlick.eff.org/

And if you do use cookies these can be restored after a wipe from lots of sources:

http://samy.pl/evercookie/


>I can't see how a plugin would help.

Either a "yes I accept the damn cookies everywhere" (you know, the hassle free system we have now) or a "no I don't accept the damn cookies anywhere" option.

People have an interesting way of engineering around annoyances.


It would obviously be the latter, right? Because who wants some random advertising agency putting together that you like concentrated acid and bathtubs?

Just me?


You already have that option in your browser. It's called "disable cookies".


Just to add, additionally, you can still track users just fine without cookies.

You can uniquely identify pretty much everyone on the internet by their browser version/plugins/etc etc, then do a callback with the info, store that serverside.

So if a user clicks to disable cookies, you can just fall back to tracking them via other methods if you really want to.

Having any policy around 'cookies' is idiotic and shows just how non-technical the government/politicians are.
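The cookie-less identification this comment describes can be measured the way Panopticlick (linked earlier in the thread) does it. The following is an added example, not part of the comment: it estimates how identifying a set of passively observable browser attributes is. The visitor records, attribute names and function names are constructed for illustration.

```javascript
// Constructed sample population: one entry per visitor, holding attributes a
// server can observe without storing anything on the client (values invented).
const visitors = [
  { ua: "Firefox/12 Win7", plugins: "Flash,Java", tz: "UTC+1", screen: "1920x1080" },
  { ua: "Firefox/12 Win7", plugins: "Flash",      tz: "UTC+1", screen: "1920x1080" },
  { ua: "Chrome/19 Win7",  plugins: "Flash,Java", tz: "UTC+1", screen: "1366x768" },
  { ua: "Chrome/19 Win7",  plugins: "Flash,Java", tz: "UTC+0", screen: "1366x768" },
  { ua: "Chrome/19 OSX",   plugins: "Flash",      tz: "UTC-5", screen: "1440x900" },
  { ua: "Firefox/12 Win7", plugins: "Flash,Java", tz: "UTC+1", screen: "1366x768" },
  { ua: "Chrome/19 Win7",  plugins: "Flash,Java", tz: "UTC+1", screen: "1366x768" },
  { ua: "Safari/5 OSX",    plugins: "Flash",      tz: "UTC-5", screen: "1440x900" },
];

// Count how many rows share each key produced by keyFn.
function countBy(rows, keyFn) {
  const counts = new Map();
  for (const r of rows) {
    const k = keyFn(r);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Self-information (bits) of a value shared by `count` out of `total` visitors.
const surprisalBits = (count, total) => Math.log2(total / count);

// Join the chosen attributes into one combined fingerprint string.
const fingerprint = (row, attrs) => attrs.map((a) => row[a]).join("|");

// Bits revealed by each attribute alone and by the combination, plus the
// anonymity set: how many visitors share the exact combined fingerprint.
function identifiability(rows, visitor, attrs) {
  const perAttr = {};
  for (const a of attrs) {
    perAttr[a] = surprisalBits(countBy(rows, (r) => r[a]).get(visitor[a]), rows.length);
  }
  const anonymitySet = countBy(rows, (r) => fingerprint(r, attrs)).get(fingerprint(visitor, attrs));
  return { perAttr, anonymitySet, combinedBits: surprisalBits(anonymitySet, rows.length) };
}

// Fraction of visitors whose combined fingerprint is unique in the population.
function uniqueFraction(rows, attrs) {
  const counts = countBy(rows, (r) => fingerprint(r, attrs));
  return rows.filter((r) => counts.get(fingerprint(r, attrs)) === 1).length / rows.length;
}
```

In this constructed population no single attribute isolates most visitors, but the combination of all four does, which is why clearing or blocking cookies alone does not reduce the anonymity-set measurement.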


It's not just cookies though. I believe they say it applies to all tracking technology, now or in the future.


There is a clear distinction between active and passive tracking. The law applies to active tracking, whereby something is stored on a user's computer and this something is subsequently retrieved/read. Cookie tracking is a form of active tracking. Passive tracking, whereby nothing is first stored on a user's computer, is not covered by the law. Indeed, it is difficult to see how it could ever be covered.


If tracking is done on the server, how would anyone know/be able to prove that it is taking place?


A common misconception of the EU directive is that it applies to cookies only, leading many technical people to laugh about it. Any method of storing information in the user's browser is covered: http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electr...

Article 5:

3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.


the bbc recently changed to reflect this law (i assume). i don't know whether the law is tortuous or not, but the bbc's implementation was clear, easy to understand, and helpful. i used it to protect my privacy. seems like a good idea to me.

http://www.bbc.co.uk/privacy/cookies/managing/cookie-setting...


You can use your browser to protect your privacy - disable cookies.

Also, the idea that disabling cookies somehow achieves something is very naive. You'll still be tracked by any website that wants to track you. Your browser is uniquely identifiable.

Adding messages to every website that exists is unnecessary, and idiotic.


i already use ghostery, disconnect, do not track plus, and adblock. but i use the bbc site frequently, and want to be able to use the site well, while still avoiding ad-tracking. the new interface allows me to disable my "broad spectrum" tools and use a more nuanced approach. and yes, i do trust them.

more than that, this is the kind of interface my parents could understand and use.

finally, if i am an idiot then you're the dickwipe of humanity, a festering boil that should be lanced (with a cattle prod, anally), and a poopy-pants. you also come across as rather dull.


> "i already use ghostery, disconnect, do not track plus, and adblock."

> "you also come across as rather dull."

Good one!



