In these times of social and fiscal upheaval, it's good to see that the EU continues to tackle the really important issues.
posted by Optamystic at 2:01 AM on May 27, 2011 [1 favorite]

Isn't that what browser-side cookie settings are for?
posted by bjrn at 2:03 AM on May 27, 2011 [3 favorites]

Prediction: this will become the EU's "I invented the internet". Expect critics to reference it in response to all future internet-related rule-making.
posted by ryanrs at 2:06 AM on May 27, 2011

Wow, that's ugly. On the bright side, the EU will have dissolved by the time this comes into force.
posted by Optamystic at 2:07 AM on May 27, 2011 [3 favorites]

European Union: land of rainbows, unicorns, health care, and free cookies.

Thus continues the downward slide.  :_-(
posted by ryanrs at 2:18 AM on May 27, 2011 [3 favorites]

You must tick the 'I accept cookies from this site' box to accept.

cute.
posted by mexican at 2:19 AM on May 27, 2011

Sorry guys, but technically Europeans do not "install cookies," they "eat biscuits". I'm sure Americans love "installing cookies into their internal power systems", and often "upload carbonated coolant into their frontal liquid slots" while "inputting televisual information via their wireless visual sensor balls". Europeans just drink lemonade while watching TV.

I for one am glad Brussels is taking a stand against foreign foods like "cookies", and if you don't like it, you can shut your frontal liquid slot and ram your central processing sphere right up your excess roughage output chute, you fucking CYBORGS.
posted by the quidnunc kid at 2:22 AM on May 27, 2011 [53 favorites]

...and they went ahead and set a cookie anyway (ASP.NET_SessionId). maybe words like "require", "consent", and "any" have a different meaning in the UK?
posted by mexican at 2:24 AM on May 27, 2011 [10 favorites]

Mexican: it's a dumb law, and there's no case law yet, obviously, but the consensus seems to be that cookies that are required for the site to function are ok (eg tracking a logged-in user) but other cookies (say, 3rd party cookies for advertising) aren't. Yeah, I know, it's stupid. Browsers already do it. There are more important issues to worry about. etc etc etc.
posted by Leon at 2:27 AM on May 27, 2011

One word: unenforceable.
posted by hudders at 2:29 AM on May 27, 2011

I wonder if this will apply to all those Facebook 'Like' widgets which seem to be almost everywhere?
posted by Lanark at 2:39 AM on May 27, 2011

hudders: a couple of high-profile 1/2 million pound fines will do wonders for this rule's enforceability.
posted by Leon at 2:42 AM on May 27, 2011

The EU has no authority outside of the EU so Facebook and millions of other websites remain unaffected by this ruling.

Which is one of the reasons why it's so dumb. Nothing like hamstringing the locals while allowing Johnny Foreigner to continue unmolested. It's like the EU doesn't want a tech industry and would rather outsource to Asia.
posted by hudders at 2:43 AM on May 27, 2011 [1 favorite]

This is pretty stupid. I mean, I'm in the UK and have a couple of websites that use WordPress. Do they use cookies? Fuck knows. And they're hosted in the US, does that make a difference?
posted by EndsOfInvention at 2:51 AM on May 27, 2011 [2 favorites]

Hmm, actually from the article it seems to imply that this only applies to the websites of businesses?
posted by EndsOfInvention at 2:52 AM on May 27, 2011

Oh, "The Register", home to those tech journalists who couldn't make the cut for the Daily Mail.

Firstly, the EU doesn't issue "laws". It issues directives and regulations. The former provide broad guidelines that have then to be transformed into more detailed and adapted national legislation (member states, as in this case, often take their time). The latter are directly enforceable.

The e-Privacy Directive (Directive 2002/58/EC of the European Parliament and of the Council, to call it by its full name), is, as its name indicates, a directive. It was passed eight years ago. It thus has to be implemented into national law. It isn't something that was ordered from on high by some faceless bureaucrats working in a computerless office. After being proposed by the DG Information Society of the European Commission, it was consulted with various bodies, debated and voted both at the European Parliament (home to directly elected representatives from all over the EU) and at the European Councils (where the governments of the individual member states are represented.)

What does it say about cookies? Well, Art. 5, point 3.:

Member States shall ensure that the use of electronic
communications networks to store information or to gain
access to information stored in the terminal equipment of a
subscriber or user is only allowed on condition that the
subscriber or user concerned is provided with clear and
comprehensive information in accordance with Directive 95/
46/EC, inter alia about the purposes of the processing, and is
offered the right to refuse such processing by the data
controller. This shall not prevent any technical storage or access
for the sole purpose of carrying out or facilitating the transmission
of a communication over an electronic communications
network, or as strictly necessary in order to provide an information
society service explicitly requested by the subscriber or
user.

That seems eminently sensible to me. And there are ways in which this can be implemented at the receiving end (notably at browser level). Also, Facebook, Google et al have an interest in staying in the EU market, so this may even benefit users even in countries like the US, where lawmakers put individual privacy behind the interests of big business. They should certainly be shocked by Art. 13 (1):

The use of automated calling systems without human
intervention (automatic calling machines), facsimile machines
(fax) or electronic mail for the purposes of direct marketing
may only be allowed in respect of subscribers who have given
their prior consent.
posted by Skeptic at 2:54 AM on May 27, 2011 [33 favorites]

The worst bit (for me) is that I have no idea if I'm effected by this ruling or not.

I work for ExampleLtd, a UK based web dev company which is entirely owned by Delaware based ExampleInc. Do I have to comply with these rules or not?

Is it where I'm sat that's important? Or where my company is based? Or where the client is based? Or the server? Or where the contract was signed?

I've just done a lot of work for a big US publishing house, who service an international market. It was written in the UK and it's either hosted in Docklands or Texas (I have no idea which). Does this site need to comply with the rules?
posted by sodium lights the horizon at 2:55 AM on May 27, 2011

Thanks, Skeptic.
posted by vacapinta at 2:59 AM on May 27, 2011

sodium You are not affected by the directive. Nobody is. A directive is implemented through national legislation. The British law implementing this directive is what may affect you, although it probably won't, because it is something more likely to be applied at the end user level.
posted by Skeptic at 3:00 AM on May 27, 2011

Dont worry, The UK wants to redefine "consent" so you, er, don't have to get consent:

"...in its natural usage 'consent' rarely refers to a permission given after the action for which consent is being sought has been taken. This absolutely does not preclude a regulatory approach that recognises that in certain circumstances it is impracticable to obtain consent prior to processing." - Ed Vaizey, communications minister.
posted by ComfySofa at 3:03 AM on May 27, 2011 [1 favorite]

Sorry guys, but technically Europeans do not "install cookies," they "eat biscuits".

You'd think that but no: your american cookie is a loan word from dutch.
So we europeans get to take the biscuits and still have all the cookies...

(..as long as we click yes, install.)
posted by Sourisnoire at 3:16 AM on May 27, 2011 [2 favorites]

You know what, Skeptic, when the ICO website is telling me that there's a new law and a random bod on the Internet is telling me there isn't, I'm tempted to go with the ICO. Sorry and all. And it doesn't change the fact that I've heard none of the answers to my questions.

Of course, if you're allowed to store operational cookies, then I propose using one to record that you've said "no" to using cookies. It's only fair, because otherwise your opt-out users will be bombarded with opt-in notices.

I hereby propose the following...
AllowCookies[uniqueidentifier] = false
posted by sodium lights the horizon at 3:21 AM on May 27, 2011

sodium My problem is not with the ICO summary, but with the characteristically breathless "Register" article. As this page at the ICO website indicates, what will affect you is not the Directive itself, but its implementation through the British "Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011". The page also provides guidance about how the ICO intends to enforce them, and how to comply with them.

You are welcome.
posted by Skeptic at 3:31 AM on May 27, 2011 [4 favorites]

I'm a little surprised by all the skepticism here. We've had any number of discussions about the dangers of advertisers tracking you, building a model of your preferences, selling it. All the standard internet-freedom tropes.

This is an attempt to contain that, by at least having the user OK things. Some cookies go through, yes. The ones that are required for a site. That's a good approach, because otherwise you'll have issues with a company saying "would you like to enable cookies? Some cookies are needed for the functioning of the site", and then you've just enabled all cookies, not just the required ones.

This is quite easy to enforce. The fact that not every company is in Europe doesn't matter as much as everyone is saying. The Bureau of whatever [enforcement arm of privacy commissioner, probably] gets non-required cookies installed on their computer without consent? Well there's a fine. Or the company can pack up and leave. There's at least some history of this - here in Canada our privacy commissioner got Facebook to back down and comply with our privacy law. Facebook's one of the biggest companies around, we're not what I'd call an overly powerful country. link.

Sure, it's not perfect. But goddamn it, I'm impressed that they're trying something about it, rather than just complaining about how in the future, advertisers will [insert generic dystopian cyber-punkesque scenario here] and there's nothing we can do.
posted by Lemurrhea at 3:38 AM on May 27, 2011 [8 favorites]

Firstly, the EU doesn't issue "laws". It issues directives and regulations.

Worth repeating.
posted by Authorized User at 3:49 AM on May 27, 2011

As long as we dont have to request permission before engaging snark.
posted by memebake at 4:13 AM on May 27, 2011 [1 favorite]

After being proposed by the DG Information Society of the European Commission

In other words: They wanna know...what you're thinking. Tell them what's deep inside.

(pure cookies)
posted by ShutterBun at 4:21 AM on May 27, 2011 [3 favorites]

First, see comments above referencing the labyrinthine way the EU regulates things. EU member states are now directed to legislatively support the directive. Then spend a while reading this and the various other articles linked from it until your eyes cross.

Now.

The EU has no authority outside of the EU so Facebook and millions of other websites remain unaffected by this ruling.

Unless they do business in the EU. Which, given that the EU represents a market with more money to spend than any other single market on the planet, most of those millions of websites that have European customers (including Facebook, which sells quite a lot of advertising in Europe) do. And their European arms are required to comply with the laws of the nations in which they do business; those laws will in time implement this directive.

Given the draw of the common market, regulation is fast becoming Europe(-outside-Germany-which-sells-spiffy-machines-to-Chinese-factories)'s biggest export.
posted by Vetinari at 4:33 AM on May 27, 2011

ShutterBun It's worse than that. In EU insider lingo, the name of that Directorate General (that's what "DG" stands for), which deals with ICT stuff, is usually abbreviated to "InfoSoc". Say what you will, the European Commission will never understand PR.

The funniest thing about this is that, despite its Orwellian name, "DG InfoSoc" is mostly staffed by computer geeks highly sympathetic to the Open Source and "information must be free" crowd. As a result they are considered a highly annoying bunch of interfering hippies by most of the rest of the Commission, notably DG Enterprise, which houses a lot of MBA types.
posted by Skeptic at 4:48 AM on May 27, 2011 [3 favorites]

This is so dumb.
posted by Civil_Disobedient at 5:22 AM on May 27, 2011

I'm curious, if you choose to accept cookies, do they use a cookie to remember that you've done so?
posted by jacquilynne at 5:44 AM on May 27, 2011

You can't trust the user's browser settings to accept or deny cookies - what if they couldn't figure out that one dialog box? It'll be much easier to give them one dialog box per website they visit; even the users who couldn't figure out cookie settings the first time will be pros by the fiftieth time.

I personally don't trust automatic access anywhere. Did Matt *really* mean for his server to tell me HTTP/1.1 200, or am I on this website without permission? I'd better email and check, just as soon as I phone to see if I'm allowed to store information in the terminal equipment of his SMTP servers.
posted by roystgnr at 5:48 AM on May 27, 2011 [1 favorite]

Awesome! With this law in place, maybe web designers will stop storing context in cookies. I hate it so much when I want to send a link to someone but can't because you have to navigate to the page to find it, you can't just send a link.
posted by DU at 5:50 AM on May 27, 2011

I predict that browser plug-ins that auto-accept these cookies will quickly become popular, followed by effective phishing and other schemes that take advantage of some newly opened security hole of such plug-ins.
posted by meinvt at 6:20 AM on May 27, 2011

                 Please click here \/ to receive a cookie.

The funny thing is if you click that if you don't want cookies installed, you'll have to click 'no' every single time because they can't store your no-cookie preference without storing a cookie

This is kind of an interesting rule, it would definitely cause more problems for those companies that put tracking 1x1 gifs and stuff like that more then sites that just require a login.
posted by delmoi at 6:56 AM on May 27, 2011 [1 favorite]

Skeptic (and others): The directive being discussed is actually 2009/136/EC which amends 2002/58/EC. Implementation by member states of this directive was due by yesterday (Thursday). Article 5(3) that you quote in your first posting in this thread was replaced by the following:

Member States shall ensure that the storing of infor­ mation, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user con­ cerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications net­ work, or as strictly necessary in order for the provider of an information society service explicitly requested by the sub­ scriber or user to provide the service.

This language has been interpreted by most of the people who have read it to require the explicit OPT-IN consent of web users who visit a site. That is, before a website is allowed to set a cookie, it must ask your permission (some people think EVERY TIME) before it does so. I guess some might think that this is a good way to go about setting cookies, but I don't think anyone can argue that it isn't a sharp change in the normal day-to-day operation of the Internet (in which you are presumed to be ok with cookies on your machine, unless you instruct your browser otherwise).

I am a privacy lawyer (albiet in the US), and the EU privacy lawyers I've been hearing from are essentially completely baffled by what this directive (and its various national implementing legislations) mean, and how they should be complied with. The Register, for all you may not like it, is mostly on the ball here. That's why the UK and pretty much every other member state save two are, as of this morning, not in compliance with 2009/136/EC.
posted by Inkoate at 6:56 AM on May 27, 2011 [5 favorites]

Lanark: "I wonder if this will apply to all those Facebook 'Like' widgets which seem to be almost everywhere?"

Those use IFrames, not cookies. You're actually pulling the 'Like' button down from Facebook's website. It's a clever bit of code, and doesn't share your Facebook information with the site that you're visiting.

Cookies aren't terribly secure, but they're more secure than most people give them credit for. For instance, Metafilter cannot access my GMail cookies.
posted by schmod at 6:57 AM on May 27, 2011

i love the EU.. it's one of the most effective ways in which an european country can get rid of the politicians no one wants.
Whatever happened to the directive that said that cellular charging connectors and chargers were to be standardized?
posted by 3mendo at 6:58 AM on May 27, 2011

This is the best thing to come out of E.U. since Da Butt
posted by ShutterBun at 7:04 AM on May 27, 2011

It's a clever bit of code, and doesn't share your Facebook information with the site that you're visiting.

Yes but it shares your browsing history with Facebook, thats the problem.
posted by Lanark at 7:05 AM on May 27, 2011 [2 favorites]

The EU has no authority outside of the EU so Facebook and millions of other websites remain unaffected by this ruling.

Unless you want to do business there, like accept advertising money.

Whatever happened to the directive that said that cellular charging connectors and chargers were to be standardized?

Seems like they are standardizing on USB micro-b, which is annoying since I have a bunch of mini-b devices already that I can share cables with.
posted by delmoi at 7:06 AM on May 27, 2011

Yeah, there isn't much point in regulating websites, but browsers are regulatable.

It's perfectly fine that clicking facebook's like button will tell facebook that you liked that site. It's unreasonable for the button's existence to notify facebook.

For example : They could impost restrictions upon any non-explicit code execution and tracking tools that make commercial browsers : provide a url bar, maybe even editable, and deny cookies to sites not listed in the url bar, including scripts loaded from those sites.
posted by jeffburdges at 7:16 AM on May 27, 2011

Thanks for the heads-up, Inkoate. This seems a case of a small change of legislation having all sorts of unintended consequences. What will happen next will probably be the following:

a) The Member States will remain non-compliant;
b) a shitstorm will break out in DG InfSoc (probably already broke out months ago) until a new Directive amending 2009/136/EC is proposed (in the EU, the Commission holds the exclusive power of proposing new legislation, even if the Council and the Parliament can subsequently amend the Commission's proposals out of recognition);
c) the new Directive will then go through the whole EU legislative treadmill;
d) at the last stage, some random MEP (Swedish Pirate Party, perhaps?) will manage to slip some other outrageous amendment into the new Directive.
e) go back to a).
posted by Skeptic at 7:19 AM on May 27, 2011

The funny thing is if you click that if you don't want cookies installed, you'll have to click 'no' every single time because they can't store your no-cookie preference without storing a cookie

The no-cookie preference "strictly necessary" for site functionality, and as such, explicit permission should not be required.
posted by Leon at 7:22 AM on May 27, 2011

Don't worry, there are attorneys here working on figuring out how to sue the nefarious bastards that use flash cookies and HTML5 local storage to track you. See, we don't have strong regulatory agencies, so we rely on tort law to curb abuses.
posted by wierdo at 7:37 AM on May 27, 2011

The problem here is that it's trying to solve a social problem (websites trying to track people) using a technical fix (require cookie authorization). The problem is that regulating technology like this can lead to problems when technology changes. And furthermore, you can just use a technological patch to get around the law.

For example, the law refers to information stored on a users 'terminal'. But what happens when the information is stored in a proxy? Like what if websites just start requiring you to use facebook, which actually gets you the users's real name and a unique ID? Currently, sharing that info with 3rd party advertisers is against the rules, but obviously facebook can change that at any time. So in that case the EU can come up with some new rules, and then 8 years later it's a rule? By then it's all about brain implants or whatever.

A better solution, IMO, would be to subsidize the development of technology that's resistant to tracking
posted by delmoi at 7:51 AM on May 27, 2011

There is already a much larger subsidy for developing the tracking technology. Advertisers will continue to subsidize Facebook, Amazon, and Google for us because their tracking data is such a cache [sic] cow.
posted by blackfly at 8:14 AM on May 27, 2011

Delmoi, how is the legal approach a "technical fix" but the "development of technology" isn't? The advantage (such as it is) of the law is that if you come up with some bullshit technological gimmick to get around the regulation we can still sue you. For better or for worse the law is flexible.
posted by Wood at 8:17 AM on May 27, 2011

If the ICO are showing folks "the way forward", why isn't the yes-to-cookies form translated into French, Spanish and Welsh (the language options I get offered, maybe this varies by location?)
posted by humph at 8:25 AM on May 27, 2011

Is there some requirement somewhere that mandates that people who know about the internet can't make any IT policies and people who make IT technologies are not allowed to know how the internet works? I'm pretty sure it's a world-wide mandate.
posted by fuq at 8:39 AM on May 27, 2011

The no-cookie preference "strictly necessary" for site functionality,

Delmoi already described how the site could function perfectly without storing any cookies: simply ask the user again every single time you want to store a cookie. How strict is the legal definition of "strict"?

and as such, explicit permission should not be required.

So we can risk sending a cookie to people who have just explicitly given us a legally binding instruction not to send them cookies (right after we pay some lawyers to reassure us that making the site less annoying will qualify as "strictly necessary" to a judge)... or we can just pop up the cookie request dialog box on every page, freeing us from legal liability while simultaneously pestering users into accepting the cookies we really want to send them.

I'm not seeing the incentive to go with option 1, even if the argument would hold up in court.

And as questionable legal arguments go, I'd rather contend that the users' browser preferences count as permission. I'd still lose, but at least I wouldn't have had to stretch the truth first.
posted by roystgnr at 9:17 AM on May 27, 2011 [1 favorite]

The problem is that user's browser preferences default to granting permission. The problem with regulating browsers is that not all browsers are commercial products (firefox, for example)
posted by delmoi at 10:48 AM on May 27, 2011

In EU insider lingo, the name of that Directorate General (that's what "DG" stands for), which deals with ICT stuff, is usually abbreviated to "InfoSoc". Say what you will, the European Commission will never understand PR.

If you've got to believe in something, believe in us 'cause we'll make it easy.
posted by Redfield at 11:09 AM on May 27, 2011

In EU insider lingo, the name of that Directorate General (that's what "DG" stands for), which deals with ICT stuff, is usually abbreviated to "InfoSoc".

No it isn't.
posted by mr.marx at 4:45 PM on May 27, 2011

Don't worry, there are attorneys here working on figuring out how to sue the nefarious bastards that use flash cookies and HTML5 local storage to track you.

I really hope that's true. Flash cookies that are invisible to the user while creating a profile of all the web pages that user visits without the user's express permission should be against the law.
posted by mediareport at 5:07 PM on May 27, 2011