I'm mostly against top-down regulations like this. They rarely solve the problem and make other problems.
But HTTP cookies are a horrible hack mostly created to by-pass the problems of stateful sessions with a stateless protocol. HTTP needs fixing or perhaps something on top of it. The current state is a disgrace.
It's not OK advertising groups track people's internet use around the world with 1x1 pixels and all those tricks. And never mind the evil Adobe tracking people with Flash, those are even worse and much harder to delete from your computer.
There are just too many poorly implemented web services using ridiculous amounts of large cookies. People run into problems because of the 8KB HTTP header limits in Apache and 16KB in IIS. Also I've worked for a large dotcom using multiple J2EE technologies running out of cookies in IE6/7 (20 max) and losing sales as people couldn't add a check-out/basket cookie.
Programming a cookie-based website preventing session hijacking is quite hard and even major sites had issues. How can you expect people less competents like mom-and-pops shops and banks to be secure?
This problem needs a proper solution from standards and browser vendors.
That's one law I will simply be breaking. If the powers that be want to take me to court for it then yes, please. Let's get it over with.
I also wonder if this law as it is written right now goes for sites hosted in the EU or for sites that are visited by EU citizens (which would have much further reaching consequences).
Laws cannot extend beyond physical territory. All sites hosted on European servers have to comply; EU laws do not extend to any sites hosted on foreign servers.
This is not true. Example: you have to collect and transfer to EU tax authorities VAT for downloadable goods sold to customers located in the EU if you're not located in EU. If you don't, you can't sell to EU customers. This is ridiculous, but I guess, they can "force" you to block EU users from accessing your website.
I'm not sure how this is actually enforceable, but I think you'll have problems with EU (for example, if you decide to go to Europe for holidays) for not complying with their rules. Which is sad.
Do you have any citation for that ? It is completely contrary with what I know of EU tax law.
An EU citizen buying abroad is responsible for paying the VAT (usually to customs), not the merchant, and if it is 'downloadable' then VAT only applies if the merchant is european.
The law is active since July 2003. There were a lot of buzz among e-commerce companies and shareware developers about it.
The changes eliminate an existing competitive distortion by obliging non-EU suppliers to charge VAT as EU suppliers when they are providing electronic services to EU non taxable persons, something which EU businesses had been actively seeking for some time.
Depends. AFAIR there are at least some german laws that are active because the provider of the service is sitting in germany, independent of where the servers are.
Which would be really bad for business, because there's a surprising amount of stuff hosted in the EU.
Broadly speaking, if your primary markets are not America or Asia and you are the type of company that buys racks of space in datacenters without blinking, western EU is where you'll probably be.
The main factors are servicing, bandwidth and reliability.
For example, many trans-national African projects are hosted in the EU because it's simply cheaper to set up infrastructure there, because you're piggybacking on the infrastructure that's already there (long-term shared costs). Once in place, it's easier to service because you outsource service contracts on things like hardware to the vendor, who can give you a decent quote because ... they have a servicing system in place.
Power comes from the power grids that are in place, and that's very reliable. Bandwidth comes from the bandwidth structure that's .. you got it .. already in place and being upgraded all the time.
Now try and set up a load of servicable hardware in a reliable datacenter (bandwidth and power-wise) in Africa. Or Eastern Europe. Or the Middle-East. It's doable, but the price tag goes up, up, up. To service your account your vendor will have to invest in local infrastructure, hire competent servicing personnel near site, find a way to deliver hardware components in a timely manner without access to a general depot, etc. And because you're the only one requesting this you'll have to pay for it all.
You could try and move into the Russian Federation, but the operational costs there are, ah, unpredictable. Also, the Russian networks do not extend well beyond the metropolitan areas (trans-national traffic is also a work in progress).
I could go on, but my point is that the western EU hosts and accounts for a lot of traffic.
I sincerely doubt this Directive will have much impact. There are just too many interests involved.
I'm in European territory. For general purpose and informative sites, like a personal site, this makes no sense.
But, when you're talking about stores, web applications, entire online platforms (including advertising ones), I think you have to ask user permission to do whatever with user's data. I guess this is why EC decided to ask for opt-in.
Many sites, including Google, Facebook, Wikipedia, require registration, and you have to agree with the TOU and Privacy Policy, where usually they place the cookies TOU and policy.
How do they enforce this? I guess browsers with extensions like Firefox (eg. CS lite) would be advantaged. I remember only Chrome and Firefox with extensions and Opera's widgets.
EDIT: (some conspiracy) could this be a move against IE? (ActiveX is discouraged)
Honest question: Can somebody explain to me why this is a bad thing? Ads can be served without cookies, right? Sure, (behavioural) targeting would break, but is that really a problem?
There is a huge redundancy here: if a user does not want cookies, every modern browser gives the user an ability to simply deny cookies. Just use the browser and solve the problem.
Now, even if you want to allow cookies (and have signaled as much in your browser), a site will have to disrupt your browsing experience to accept a cookie from the website.
Completely redundant and adds yet another layer of bureaucracy on top of website design. Very EU.
And there are plenty of good uses for cookies without having to register: session tracking for shopping carts (so that you can add items without logging in), session tracking for sites that show you a navigation breadcrumb...
I don't think it's reasonable to construe a software default as a conscious choice. Yes, people ought to know enough about technology to know what these defaults are. But the world is large and busy, and people don't have time for every possible choice; that's why we have defaults.
Cookies are by far the most prevalent system for identifying which user made a given web request. This isn't just about advertising. Pretty much every site that supports "logging in" (including HN), and many sites that don't, use cookies to track user sessions.
Have you ever seen two lawyer argue over what "strictly necessary" means? One would claim that ad serving cookies are always "strictly necessary" to an online business, the other would argue that cookies are never "strictly necessary" because you can replicate most cookie functionality with a "?sessionid=12354" header in a GET request.
Indeed "strictly necessary" to achieve what? If it doesn't tell you then that leaves a hole the size of reality in the law through which many truckloads of lawyers salary can pass.
Strange how all those lawyers aiding the writing of the law would miss such a thing ...!?!
> you can replicate most cookie functionality with a "?sessionid=12354" header in a GET request.
That is very very risky. Let's say that [popular-site-with-logins] is hosted in EU and switches to ?sessionid=... style. Now people start sharing links to their content in the "normal" way (select url, copy, paste) and suddenly you have problems with random users being logged in as someone else. (or you have to limit session to ip, which annoys mobile users)
Indeed "strictly necessary" to achieve what? If it doesn't tell you then that leaves a whole the size of reality in the law through which many truckloads of lawyers salary can pass.
Strange how all those lawyers aiding the writing of the law would miss such a thing ...!?!
Indeed "strictly necessary" to achieve what? If it doesn't tell you then that leaves a whole the size of reality in the law through which many truckloads of lawyers salary can pass.
Strange how all those lawyers aiding the writing of the law would miss such a thing ...!?!
Yes. Sure, but they do so to provide some functionality the user actually wants. And if he does, you can ask him. When she's signing up would be the perfect time. Another checkbox you have to click. Annoying enough, but no big problem.
Sure, other (non-sign-up) functionality might also need cookies (changing font size, switching themes, the small things) and you might not want to annoy the user with stupid checkboxes for those kinds of stuff, but other than that?
The law appears to ban only long term cookies, so you are still ok if you use session cookies (such as those used for logins) which expire when the browser is closed.
Now comes the hacks: serve javascript with a unique id in it. Set the cache policy to never re-download, or recheck the file. Use you lawful (semi) permanent cookie.
The user obviously asked for the data to be stored, since it's part of caching.
Or am I going to have to ask the user before being allowed to cache anything locally?
Sites can use cookies to remember if someone left a menu open or closed, and keep the menu that way on new pages.
You can use cookies to act as a "bread crumbs" trail, so people can see what other pages/products they have looked at.
If you make a multi-lingual site, you can use a cookie to remember what was the last language the user chose, and show all future pages in that language, without them having to change it on every page.
It doesn't just break behavioral targeting, it breaks conversion tracking. Most campaigns are run with Cost Per Acquisition (CPA) goals, regardless of how they're priced (CPM vs CPC, etc). Figuring out actual CPA depends on being able to match up conversions with ads being served. In most cases, campaigns are being run across multiple ad networks, so you can't just look at total conversions and divide by all impressions.
The process for doing this relies on being able to set a cookie when the ad is served and read the cookie back on the landing page for the conversion. Taking away the ability to track conversions will set the online advertising industry back significantly, which is why the major opposition to legislation like this comes from advertising companies.
But HTTP cookies are a horrible hack mostly created to by-pass the problems of stateful sessions with a stateless protocol. HTTP needs fixing or perhaps something on top of it. The current state is a disgrace.
It's not OK advertising groups track people's internet use around the world with 1x1 pixels and all those tricks. And never mind the evil Adobe tracking people with Flash, those are even worse and much harder to delete from your computer.
There are just too many poorly implemented web services using ridiculous amounts of large cookies. People run into problems because of the 8KB HTTP header limits in Apache and 16KB in IIS. Also I've worked for a large dotcom using multiple J2EE technologies running out of cookies in IE6/7 (20 max) and losing sales as people couldn't add a check-out/basket cookie.
Programming a cookie-based website preventing session hijacking is quite hard and even major sites had issues. How can you expect people less competents like mom-and-pops shops and banks to be secure?
This problem needs a proper solution from standards and browser vendors.
http://en.wikipedia.org/wiki/HTTP_cookie#Drawbacks_of_cookie...