On May 4, 2012, at 11:00 AM, David Ledger wrote:
At 09:02 -0400 4/5/12, Walter Lee Davis wrote:
I don’t think there’s anything evil or wrong about the cookie law,
it’s actually legislating good common sense. I have always, on every
browser, set the cookies to “from the current server only”. The law
is not saying that your server can’t send cookies, just that third
parties (ad networks, Google, oh wait – that’s the same thing)
can’t do so without the user saying it’s okay.
I wish this was more than just the EU, personally.
A lot of the people who are arguing the loudest about this are upset
because things are changing. Just because comparatively few people
knew about the privacy implications of the default settings (allow
from anyone) doesn’t mean that it was right or even necessary.
I predict a new renaissance in server log analysis software, and
people will just get on with their lives. Google ads may become
(slightly) less creepy. Maybe.
Walter
You have a rosy view of UK law Walter. I haven’t studied the rules in
depth, but ‘same domain’ cookies don’t seem to be allowed except via
the ‘necessary’ condition. This is open to interpretation and only
those with deep pockets can argue on the interpretation. Our
lawmakers are very good at making laws that everyone wants but
wording them in some way that has unwanted impact.
If you build any sort of Web application (Rails, PHP, ColdFusion) you have to maintain state between one page and the next, since HTTP is a stateless protocol (each request stands alone, and doesn’t connect to any other request). While it is possible to fall back to querystring tokens (?u=asdf7234ajt or something like that) it is not all that secure without another factor. In that case, it is a business imperative that cookies be allowed, or your shopping/banking/whatever site can’t function at all, and I can’t imagine a court or judge that would think otherwise given even a cursory brief of the problem and available solutions.
If all you are doing is tracking individual users around your site for statistical reasons (as Google Analytics does) then you truly don’t need cookies at all if you have access to the server. (That’s what I meant by a boom in server log analysis software – the Apache server already tracks users by IP address and request, and good log analysis software can stitch this all together into a very compelling set of graphs and charts, all without any cookies at all.) Even if you don’t have access to the server, you can still grab a meaningful percentage of the necessary stats from a simple beacon image. I haven’t heard any indication that this is forbidden specifically. It’s how FreeCounter2 works, and how FreeCounter did before it.
What you can’t do without third-party cookies is track individuals around the larger Web, and I can only say that’s a good thing, both for reasons of privacy and to enforce constraints on the advertising industry. Constraints are good – they force you to be smarter and to focus your efforts where they will do some good. The current state of affairs is heavily over-balanced on the side of the advertisers; they have “total information” on everyone, and can micro-target their attacks to individuals if they like. This incredible precision leads to a mind-numbing mediocrity in the actual message delivered, though, because they are able to get such a precisely targeted message in front of so few people, they also have to make a lot of similar-but-slightly-different ads, rather than concentrating on making one or two insanely great messages that larger groups of people will respond to. Thus fragmentation of market leads to fragmentation of message and devolves to the mean of whatever you can crank out a lot of in a hurry. I say good riddance to that!
Walter
David
–
David Ledger - Freelance Unix Sysadmin in the UK.
HP-UX specialist of hpUG technical user group (www.hpug.org.uk)
email@hidden
www.ivdcs.co.uk
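
The cookie-free visit stitching described in the message above (per-site statistics from the Apache access log alone), as an added example that is not part of the original thread or of any product named in it. The 30-minute inactivity timeout, the static-asset filter, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST|HEAD) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
GAP = timedelta(minutes=30)          # assumed inactivity timeout that ends a visit
ASSETS = (".png", ".gif", ".jpg", ".css", ".js", ".ico")

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = '''\
203.0.113.7 - - [04/May/2012:10:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [04/May/2012:10:00:02 +0100] "GET /logo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.7 - - [04/May/2012:10:00:40 +0100] "GET /cart HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [04/May/2012:10:04:10 +0100] "GET /prices HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.23 - - [04/May/2012:10:05:00 +0100] "GET /prices HTTP/1.1" 200 4096 "-" "Opera/9.80"
this line is truncated or corrupt
203.0.113.7 - - [04/May/2012:11:15:00 +0100] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh)"
'''

def parse(line):
    """Return (visitor_key, timestamp, path) for a page view, or None to skip the line."""
    m = LINE_RE.match(line.strip())
    if not m or m["path"].lower().split("?")[0].endswith(ASSETS):
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # IP alone merges everyone behind one NAT; adding the user agent separates them.
    return (m["ip"], m["ua"]), ts, m["path"]

def visits(log_text):
    """Group page views into visits per (ip, user agent), split on GAP of inactivity."""
    out, open_visit = [], {}
    hits = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda h: h[1])
    for key, ts, path in hits:
        v = open_visit.get(key)
        if v is None or ts - v["last"] > GAP:
            v = open_visit[key] = {"visitor": key, "start": ts, "last": ts, "pages": []}
            out.append(v)
        v["last"] = ts
        v["pages"].append(path)
    return out

if __name__ == "__main__":
    for v in visits(SAMPLE_LOG):
        print(v["visitor"][0], v["start"].isoformat(), " -> ".join(v["pages"]))
```

The visitor key is a heuristic, not an identity: two people with the same address and browser string are counted as one, and one person on a changing address is counted as several.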