BBC BLOGS - dot.Rory
« Previous | Main | Next »

Cookie madness or consumer protection?

Rory Cellan-Jones | 12:18 UK time, Wednesday, 9 March 2011

"Are you going to write about this cookie madness? UK Tech web industry will suffer massively if this goes through..."
Shopping cart icon and cursor

The message which came to me via Twitter this morning proved one thing - that Christopher Graham had succeeded in his wake-up call to British website owners. Yesterday the Information Commissioner told firms and public sector bodies they needed to get ready for 25 May, when an EU directive could force them to change the way they use cookies.

Cookies, you may or may not know, are now essential to the running of most websites. They are small text files which do everything from remember a password, to counting your visits to the site, to serving you up advertising which is likely to match your tastes.

Now the EU directive means that website owners will have to obtain the consent of users before installing cookies on their computers. The web industry in the UK which was apparently unaware of this issue until yesterday has reacted with outrage. "Unworkable", "super-stupid", "meddling bureaucracy", were among the milder comments I saw.

Many are complaining that this will disadvantage European sites as they compete with others which are not facing the same restrictions. Nick Halstead runs Mediasift, which operates a range of websites, all using cookies. He told me:

"If we are suddenly required to put big pop-up boxes warning people that they are going to be tracked, even if they are for benign reasons, the user won't read the warning and will just go to a US site that does not have that same warning."

It appears the EU has moved on this issue after complaints from privacy campaigners, concerned about the use of cookies to track every detail of web use for behavioural advertising.

But website owners seem united in their feeling that this directive is an over-reaction: "People just don't care that much about privacy," says Nick Halstead. "Old versions of Internet Explorer used to warn you about cookies, but they stopped because people found it too annoying."

One business, however, welcomed the new rules. Debbie Procter of Wrappers, which sells covers for gadgets, told me that her site made a point of not tracking its customers. "There should be space on the internet for businesses that don't use cookies". She was worried that too many sites would become addicted to using cookies to follow their customers' every move: "We don't know how powerful behavioural advertising might be, it's about a balance." It is worth pointing out though that Wrappers also uses Amazon to sell its products and that website just would not work without cookies.

It may, however, be time for everyone to calm down about cookies. EU governments still have not worked out just how the directive will be implemented in domestic law, and what form "consent" to cookies will have to take. In the UK, the internet advertising industry appears confident that reminding people that their browser settings allow them to block cookies will be enough, while the Information Commissioner's Office seems to think that they will need to do more.

My suspicion is that consumers will actually notice very little after 25 May, and the definition of consent will be pretty vague. But at least the publicity now being given to this "cookie madness" may alert a few more people to the ways in which their web behaviour is tracked. Then we will find out just how many people really care about their online privacy.

Comments

  • Comment number 1.

    My problem with this legislation is that it is technically inept and seems (from what little we know) to fail to recognise the root issue of the user experience.

    First, the talk is of cookies - if the regulation is about cookies only this is incredibly naïve. There's at least two other mechanisms for tracking users without cookies (ETags and unique ids in URLs). If the legislation covers only cookies it will mean a lot of the nasty tracking practitioners move to using ETag if they haven't already, and they won't have to tell the users.

    Second, the issue and the legislation should be all about the requirement for users to "opt in" to being tracked - completely irrespective of the technology used.

    Cookies are a fundamental piece of functionality for the web - every website you allow to "Remember me" uses them and this is entirely voluntary and usually accompanied with sufficient info. This is different from unsolicited cookies used to track your movements between sites for advertising or other gain.

    Let's hope the legislation bears this all in mind and simply outlaws the use of cookies for user tracking (not logging in) without a suitable opt-in.

    Anything else will be a cockup.

  • Comment number 2.

    "Debbie Procter of Wrappers" is a terrible user case. The site is not a web application at all, just static pages listing products. To buy a product, you are taken to Google Checkout, which bundles you with a load of cookies.

    You can't run a web application without cookies.

  • Comment number 3.

    I use Firefox and Opera and both allow me to control cookies using an "ask me every time" setting. It can be tiresome but I prefer to know what is going on with my computer. I'm sure IE will have a similar setting. It's no big deal.

    As #1 says the real problem is tracking cookies which should only be allowed with the explicit agreement of the internet user.

  • Comment number 4.

    Re: #2, Wrappers use of cookies

    Wrappers might not use any cookies, but they do use a 1x1 transparent image to record stats on visitors, which means it's untrue to say that Wrappers makes "a point of not tracking its customers".

    I don't have time to sift through all 26 pages of the EU directive, so I'll wait until someone else has distilled it before commenting, but suffice to say if it applies to EVERY cookie, which it sounds like it will, it could make the internet quite a different place. This site - http://www.typepad.com/t/stats?blog_id=1471760&user_id=2711390 - gives a satirical look at what might be in store.

  • Comment number 5.

    If you want to know which sites use which tracking cookies, then install the Ghostery add-on (available for Chrome, Firefox and IE). It shows you which cookies are on each page and can be set to prevent cookies from various domains and can also whitelist certain sites.

    Very much recommended to reduce the amount of tracking that is possible.

  • Comment number 6.

    I would dispute that as a company I am persisting a cookie to the users machine. What I am actually doing is sending a cookie from my webserver to the users browser thus giving it (the browser) the opportunity to write it to disk. The user installed the browser (or Bill Gates did if we're talking IE), the user started the browser and the user (or Bill) configured it to accept and persist cookies.

    Its a bit like saying 'you sent me some junk mail and you are responsible for me putting it in the kitchen draw, which is now clogged up with the stuff. Pah! ;-)'

  • Comment number 7.

    I'm not overly concerned about cookies. I can after all install one of many extensions into my browser to manage them. At least cookies are controllable unlike tracking images and the myriad of other non-cookie related ways of tracking you on the net.

  • Comment number 8.

    Our website uses cookies for four things:

    - shopping cart
    - knowing you are logged in
    - 'remember me' setting for logging in
    - tracking visits from people who found our site via an affiliate (so we can pay the affiliate if the person buys something)

    The last of those is really the only thing that might be 'tracking' and isn't vital, the others are pretty much required for the website to work.

    If affiliate tracking isn't allowed, then that will hurt lots of people both those who sell via affiliates, and those who are the affiliates (it won't actually bother us that much as only a very small percentage of our sales is via affiliates)


    One thing that people (especially the MEPs) seem not to realise as well is - what if a user says 'no I don't want cookies from you'? Every time they go to your website they will be asked this question again (and you'd have to use a tracking ID in the URL to stop the question appearing on every page visit) - because you can't remember that they said they didn't want cookies! Remembering that would require you to use a cookie...

    (Also, using IDs in URLs is insecure - because those IDs get passed to anyone you send a link to and stored in bookmarks etc. If URL IDs are used to remember that someone is logged in, then you could give someone else access to your account).

  • Comment number 9.

    I think I put this quite well on my blog and on Twitter:

    The BBC article from yesterday says the directive says:

    "The directive demands that users be fully informed about the information being stored in cookies and told why they see particular adverts"

    Only it doesn't. It clearly says:

    "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing."

    So the question of the Government shouldn't just be: whether using the browser settings to accept/reject cookies is consent; but also is the user given enough information to make this choice.

    Currently I don't think they are given enough information and not in the right place. Privacy policies are not the place to do this. The privacy policy has too much legal speak, is too long and covers too many things so users aren't given clear descriptions of what is happening with the data. How many people actually read a privacy policy?

    I don't think the average person minds a website collecting anonymous data to work out how to make the site better/work out if campaigns work/help pay affiliates. What they do mind is being targeted not by the website they are using, but by one of their partners that they have allowed to advertise on their site who then do this across multiple sites.

    A better option for the Government must be to be more education on the matter. A 'Cookies are bad we must block them' approach will result in businesses finding new ways to collect the data (as #1 says). Forcing websites to explain better what they are using the data for is the only way to allow the public to decide if they want to accept/block the cookies.

    Alec Cochrane

  • Comment number 10.

    From http://msdn.microsoft.com/en-us/library/aa479314.aspx

    ----
    Enter Cookieless Sessions

    In ASP.NET, the necessary session-to-user link may optionally be established without using cookies. Interestingly enough, you don't have to change anything in your ASP.NET application to enable cookieless sessions, except the following configuration setting.

    sessionState cookieless="true"
    ----

    If you're using ASP.net to power your web apps it's a complete non-issue. Next? :)

  • Comment number 11.

    This law is about as pointless as the "website classification" law that Germany tried to introduce at the end of 2010.

    If it only applies to companies in the EU, it burdens businesses here with rules on the web that puts them at a disadvantage to businesses elsewhere.

    Or does the EU really believe that US-based companies will voluntarily follow suite and ask permission to store cookies?

    And just how is this supposed to work? If I ask a website visitor permission and they decline, where do I store that information exactly, if not in a session cookie?

  • Comment number 12.

    A quick inspection of Ms.Proctor's site's source code revealed:



    ... or in plain text: the site stores where I came from (document.referrer) and where I visit (location.href). ie. it tracks me through the site.

    So much for the idea that the site "made a point of not tracking its customers". It just doesn't use cookies to do it.

  • Comment number 13.

    Legislating at this level amounts to asking people to always walk on the left side of the pavement, how exactly is this going to be enforced? Only the bigger websites would bother to comply. Sounds like a case of justifying ones job while filling the pockets of lawyers, annoying everyone in the process and yielding little to no results.

    Besides which, those that care will do something about it themselves since the problem can be entirely controlled at the user end.

  • Comment number 14.

    The irony is, if you need a user's consent before using cookies, you need to track this choice when they make it. And the only way for a website to do this is using cookies.

    This whole thing is ill thought out and completely unenforceable.

  • Comment number 15.

    Do most website owners even know if they are using cookies? IF you get some webhosting and install something like wordpress you don't need to know how it works and whether it uses cookies.

    Also it is the browser not the website that saves the cookie. All a website can do is ask if it can save the cookie so websites have already asked for permission its just up to the user whether they use a browser that makes the decision for them or not.

  • Comment number 16.

    From http://msdn.microsoft.com/en-us/library/aa479314.aspx

    ----
    Enter Cookieless Sessions

    In ASP.NET, the necessary session-to-user link may optionally be established without using cookies. Interestingly enough, you don't have to change anything in your ASP.NET application to enable cookieless sessions, except the following configuration setting.

    sessionState cookieless="true"
    ----

    If you're using ASP.net to power your web apps it's a complete non-issue. Next? :)

    ----

    URL rewriting for session ids is as old as the hills. Java has been using it for decades.

    It's not used in pretty much any sensible (ie. commercial) application because:

    a) It's impractical and clumsy to use.

    b) It's a *massive* security hole. Read the rest of the article. Session hijacking is incredibly easy. And no, there's no work around.

    Next? :)

  • Comment number 17.

    I half agree and half disagree with this new directive. I'm happy that the website I'm visiting uses cookies directly connected with that website to manage my visit. What I'm not happy with is when the website has an "iframe" tag or equivalent and these track their own cookies to a totally different website.

    I use Opera as my default browser, and with this it is easy to set it to ask every time a new cookie is requested and decide then and there to accept/reject the request, and with a facility to remember my decision. This latest (ish) versions of Opera don't distinguish between primary and 3rd party cookies, but in previous versions it did and I set the setting to just ask about 3rd party cookies.

    All we now need to do is to educate the general UK population to use these settinga, and to reject the 3rd party tracking cookies.

  • Comment number 18.

    This is never going to see the light of day in a practical world.

    I never understood the problem with my activity being tracked, what bad could possibly come of it? I guess that most internet users have the same thinking.

    The truth is that in the internet age privacy is over, and rather than trying to live in denial we should just get on with it and learn to live with the fact that a lot of people know a lot more about me than they did before.

    Rory it would be nice if you could get some clarification from the lady mentioned above from wrappers about them not tracking people as they were clearly bending the truth.

  • Comment number 19.

    'But at least the publicity now being given to this "cookie madness" may alert a few more people to the ways in which their web behaviour is tracked.

    Plus further insight into EU ways and means.

  • Comment number 20.

    Let's just make it illegal for any company (or government!) to track web users for any reason whatsoever. That does not debar the use of "cookies" or other tracking agents to identify users [i]provided[/i] that the specifif cookie is permitted by the user by direct opt in and [i]provided[/i] that the cookie is never used for any other purpose or shared with any other site.

    Privacy when not breaking the law of the land is what's wanted. I don't know how we got where we are at the moment, but it's time to beat a retreat.

  • Comment number 21.

    6. At 3:03pm on 09 Mar 2011, Ian Jones wrote:
    I would dispute that as a company I am persisting a cookie to the users machine. What I am actually doing is sending a cookie from my webserver to the users browser thus giving it (the browser) the opportunity to write it to disk...

    Its a bit like saying 'you sent me some junk mail and you are responsible for me putting it in the kitchen draw, which is now clogged up with the stuff. Pah! ;-)'
    -----------

    Its more like saying 'You walked into my shop and your NOT wearing a sign saying "no GPS" so I'm okay to attach a GPS tracker to you so I can follow what you get up too.'



  • Comment number 22.

    @budgie_b: so you'd prefer a series of popup messages on every web page you visit asking for your permission to send cookies? And if you say no you'll get the same popup message on the next page (since the browser can't use cookies to store your choice)?

  • Comment number 23.

    Most modern browsers have a "do not track" button so this is sufficient enough. I understand some websites need this info but cookies contain a darkside - they can contain viruses, trojans, malware, adware and the like

  • Comment number 24.

    This comment was removed because the moderators found it broke the house rules. Explain.

  • Comment number 25.

    sagat4: No they can't. A cookie is a simple text file passed backwards and forwards between browser and server within the http header. Perpetuating this kind of misinformation is the kind of thing that leads to these ridiculouse rules being put in place.

  • Comment number 26.

    Martin Richardson: Not really, most browsers default security settings mean that only cookies originating from the server (domain) involved in the http request will be sent to that server with the request. This means that as a server developer I cannot recieve a cookie that originated on another domain.

    In any case, my analogy was a bit tongue in cheek and not a very good one. Yours seems a touch paranoid if you dont mind my saying but it does highlight and interesting point. Out there in the real world most of your movement is tracked on CCTV. Your privacy rights are violated more on the shops and streets than they are on the internet.

  • Comment number 27.

    26. At 3:09pm on 10 Mar 2011, Ian Jones wrote:

    I infact fall on the side of thinking that cookies are a good thing, but wanted to highlight a point. Most people dont know what a cookie does, wat information it collects, or how the collector uses that information.

    CCTV if it was used to collect information would be like a cookie, but at the moment its not. If you can name one high street store that uses CCTV to track what each customer looks at, what they buy, how often they visit and then uses this information to target the customer the next time they visit, I would be amazed!

  • Comment number 28.

    Be kind to Cookies!

    As in #1 it is all forms of tracking that matter. And what matters is that the user knows about what is going on and why. If it is not for the benefit of the user than it should be stopped as in the end users will adopt techniques to avoid tracking. It should be completely illegal to track a user without the user's permission and further the tracking should only ever be used for the original purpose and details should be retained only for the stated time and completely destroyed thereafter. This should also apply to sites and services that require the user to log in.

  • Comment number 29.

    If a user cares about their privacy so much they should spend some time investigating the (clear) options available in all browsers to restrict a website's use of cookies. There is no law requiring your car doors to lock when you are not inside it, why should we have another law nannying the online world.

    Laws should not be designed to protect the ignorant from their own ignorance whilst annoying every other competent user.

  • Comment number 30.

    Meh. The people whining about this are only whining because it means extra work.

    Let's face it, web designers are chronically over-paid and underworked. Most websites are nowhere near the capability threshold of the platform - that is, the feature-set for most websites is very narrow compared to what could be achieved.

    There is ample evidence of huge reticence in the web design world to actually do anything - probably for good reason, mind. Facebook has about a tenth of the useful features it probably should have; development mostly occurs through third-party apps so that Facebook doesn't incur the wrath of it's mostly-stupid userbase which complains bitterly when it goes to the wrong website and can't log in to the site it didn't just visit (yes, that really happened).

    Good reason or no, this does appear to be contributing to a general stagnation. Because developers are not being pushed hard by the environment - either their employees or the clients (users, if you like) - they seem now unwilling to really do anything at all.

    Shifting from utilizing cookies will be annoying for those who did not bother to think about development properly in the first place; for everyone who put the work in when first developing their site, it'll be simple and painless.

    Those whining should shut up and do it right this time.

    Furthermore, it is irrelevant as to whether the public "cares" about privacy or not - they are entitled to it. The vast majority of the public did not, until recently, (and possibly still do not) consider the dangers of identity theft - should we therefore have ignored the problem until people "cared" about it? Usually, about the time when people start caring is when the horse excrement has not only hit the fan, but is floating nauseatingly visibly in your coffee.

  • Comment number 31.

    Oh, and on the "caring" note - most people probably don't have a damned clue what a "cookie" is. Why, therefore, would (or even should) they know to investigate how it impacts their privacy?

    I also do not understand financial law to the degree of an expert in finance, but I'd really rather not go to prison for tax evasion because an accountant decided that what I didn't care about couldn't hurt me.

  • Comment number 32.

    As with most things the basic assumption is WRONG.
    Those people that use cookies for 'nice' reasons will probably grumble and obey.
    Those people that use cookies for 'not nice' reasons will just ignore the whole thing and carry on.
    The ONLY way of making all websites using cookies display a warning message is to force the browser manufacturers to put the warning as part of the browser code, this used to be the case and was turned away from because most people have the 'tell me about cookies' turned off.

    Another bit of waste of time stupid legislation from the increasingly stupid paper shufflers we have lording it over us. I have noticed the stupidity extends in many directions, europe isn't the only stupid legislator - Westminster and even local councils seem to be just as stupid.

  • Comment number 33.

    Can we just have a bit of legislation that prevents clueless technophobic MEP's from passing laws, and instead passes this decision making process to people who actually know what they're talking about?

  • Comment number 34.

    Have the patronising idiots behind this ever visited a website and read the terms and conditions for using it?

    Ok, it's fairly likely not everyone will read them, but statements about use and statements about privacy policy are already published. There are some at the bottom of this page

 

BBC iD

Sign in

BBC navigation

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.