EU Anti Cookie Laws – Utter Nonsense

So I woke up yesterday, like many web developers, to the news that the often threatened European anti cookie law is finally upon us after three years and will be coming into force on the 25th of May. The radio 4 show I was actually listening to delivered this news in the form of an interview with a typically uninformed governmental type who appeared to think that this law would be a massive pain in the backside to developers but that we “had no choice”.

Even the BBC article I just linked to doesn’t get all the facts right! Our own minister of culture takes a bit of a smarmy attitude (quote “we should not see any delay in action as a ‘get out of jail free card’”). It’s very clear that whichever bunch of suited monkeys came up with this ridiculous ruling also weren’t in possession of all the facts before making the decision. The UK, unfortunately, is bound as part of their EU agreement to enforce this law otherwise they’ll be in quite a lot of trouble, so all eyes at the moment should be on the interpretation that our government implements in order to comply. Given the level of competence they’ve shown in recent years, confidence certainly isn’t high. It should be of absolutely no surprise to anyone that the industry is simply not prepared because nobody with half a brain would ever think something this ridiculous would ever come to fruition.

Well, I’m here to just clarify that the “Pain” that this will apparently cause developers is absolutely MINUTE compared to the pain this will cause users. If you’re a developer, you’ll already know the scale of what we’re dealing with. We’re a resourceful bunch and will be able to handle whatever these cretins throw at us (heck, we do that at work every day right?).

Users, on the other hand, are stuck with this forever. Fortunately regular web users are also pretty resourceful and I dare say some kind of loophole will be discovered to get around whatever we end up with. The people that will probably be hit hardest will be the most vulnerable web users (i.e. the thickies that don’t even know what a browser is). So what have those users got to look forward to?

Well, contrary to what all these articles tell you, cookies are not evil things that infect your computers and steal personal information. They are tiny key-value pairs that store information to give you persistent state across the otherwise stateless web. They’re also used to power many commonly used web framework concepts such as the session (where a little encrypted session-key cookie is placed on the client’s browser to give them a persistent session for 30 minutes or so). Decline cookies and it’s bye bye “being logged in” and bye bye “shopping cart”.

Web analytics software that companies use to track website performance and improve usability / conversions are mostly also cookie powered (including Google’s own solution and analytics-leaders Omniture). Yes, this software will certainly be used to track user behaviour in order to improve a website’s conversion rate, but this is no more unscrupulous than the “nectar card” system which people use every day. Will be pretty interested to see how those companies deal with whatever happens.

To take this one step further – it is actually scientifically impossible for this not to be annoying for users. If the site itself needs to get permission to plant a cookie, and the user says no, then it’s going to have to ask again on every single page because without planting a cookie there’s no way for the site to know that it already asked you! Actually that isn’t strictly true – in the absence of cookies, the last bastion of maintaining state therefore becomes the utterly insecure and easily by-passable query-string.

And it’s worth pointing out as well that the querystring can be used to track user behaviour just as easily as a cookie can, and is far less private (ASP.NET developers – you can achieve this functionality by adding the “cookieless” attribute to your Session settings in web.config). In fact, banning cookies will only really “wound” the beast they are trying to kill. Pretty much the only thing that cookies give you uniquely is the ability to tell whether someone has visited your site before (and all associated data that you might have given them last time they did).
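To make the privacy point concrete, here is an added example (not from the original post): a Python audit that flags session identifiers carried in URLs, which is where cookieless state ends up in access logs and Referer headers. The log lines, host names and parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names assumed to carry session state (illustrative list).
SESSION_PARAMS = {"sessionid", "sid", "phpsessid"}
# ASP.NET cookieless sessions put the id in the path: /(S(<id>))/page.aspx
ASPNET_SEGMENT = re.compile(r"/\(S\(([A-Za-z0-9]+)\)\)")
# Request URL and Referer fields of a combined-format access log line.
LOG_LINE = re.compile(
    r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/May/2011:10:00:00 +0000] '
    '"GET /(S(abc123def456))/cart.aspx HTTP/1.1" 200 512 "-"',
    '192.0.2.10 - - [25/May/2011:10:00:05 +0000] '
    '"GET /basket?sessionid=9f8e7d&item=4 HTTP/1.1" 200 734 "-"',
    '192.0.2.11 - - [25/May/2011:10:00:09 +0000] '
    '"GET /landing HTTP/1.1" 200 100 "http://shop.example/basket?sessionid=9f8e7d"',
    '192.0.2.12 - - [25/May/2011:10:00:12 +0000] '
    '"GET /cart HTTP/1.1" 200 512 "-"',
]

def session_ids_in_url(url):
    """Return session identifiers exposed in a URL's path or query string."""
    parts = urlsplit(url)
    found = [m.group(1) for m in ASPNET_SEGMENT.finditer(parts.path)]
    for key, value in parse_qsl(parts.query):
        if key.lower() in SESSION_PARAMS and value:
            found.append(value)
    return found

def audit(lines):
    """Return (line_no, field, session_id) for every id visible in a log line."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_LINE.search(line)
        if not match:
            continue
        for field in ("url", "referer"):
            for sid in session_ids_in_url(match.group(field)):
                findings.append((line_no, field, sid))
    return findings

if __name__ == "__main__":
    for line_no, field, sid in audit(SAMPLE_LOG):
        print(f"line {line_no}: session id {sid!r} exposed in {field}")
```

The third sample line shows the same identifier arriving in a Referer field, so any server the user navigates to next records it as well; a session cookie would appear in none of these log fields.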

It’s also scientifically impossible to actually get the user’s permission in a bulletproof way! Most browsers already have a “prompt me about cookies” setting but apparently just turning this on won’t be enough (already stated). They can’t really use JavaScript because people might not necessarily have that turned on, and they can’t use a DOM element because those can just be manipulated away. Placing the responsibility to ask permission for cookies in the laps of web developers has basically ensured that there is no bulletproof way of making sure the user gives that permission. Nice one!

If we’re lucky, the ban will be restricted to uses of cookies for certain things rather than just being a blanket ban, but unfortunately this is also scientifically impossible. There is absolutely no way for anyone monitoring cookie usage to tell what a particular cookie does without seeing the accompanying server side code (unless it’s obvious from the name). Unless it’s a blanket ban then, this will be an un-enforceable law.

Speaking of those organizations who will be enforcing this… how are they going to prove that a website didn’t ask users’ permission? Will we all now be expected to keep databases proving our innocence? And how on earth would we actually obtain this proof to begin with? It’s not like we can match a web request to an actual person (you certainly can’t get that sort of information from the IP address of your average web user).

I don’t mind going out on a limb here and saying that I personally think that this law will never happen or if it does happen it will be implemented in such a way that nothing will actually change for the most part. I will also put my hand up and admit that I have probably jumped straight to the “worst case scenario” when going through the implications. With any luck it’ll end up just being a mandatory note in the footer.

To all the privacy lobbies out there campaigning for this: Listen up. If you don’t want people knowing your IP address, don’t use the internet (your IP address is included in every request you make and there’s nothing you can do to stop it being there). If you don’t want people knowing your personal details, don’t type them into the internet. If you don’t want people knowing what you’re buying online, don’t buy things on the internet. Quit trying to wreck it for the rest of us. Focus your energies on campaigning against specific abuses of privacy, such as people selling your details to advertising firms or other such actions.

So I stand by my initial point: This is an unenforceable law dreamed up by a ridiculous group of people. If attempts are made to enforce it then I predict European web-wide rebellion! To agree to these laws would be to hand a whopping great e-commerce victory to the rest of the world. The only people ultimately harmed by the decision would be users and I’ll be damned if I’m going to give my own users a rubbish web experience just for this.

8 thoughts on “EU Anti Cookie Laws – Utter Nonsense”

  1. It’s a series of tubes.

    And if you don’t understand those tubes can be filled and if they are filled, when you put your message in, it gets in line and its going to be delayed by anyone that puts into that tube enormous amounts of material, enormous amounts of material.

    Don’t put no cookies, cake or milk In those tubes!

    • Can’t tell whether you’re serious or not!

      The max size of a cookie is already set to a ridiculously high 4kb (but I can’t think of any reason anyone would put that much data in) and the only dramatic speed impact the user would see would be on the site that deposited that cookie because that’s the only one it’ll be included in the requests for. That would be the site’s own fault and the user would probably leave the site and never come back. If you’re instead talking about the speed impact of having another cookie in the hash table – I’m pretty sure this impact is negligible!

    • okay, this is a very good point but why not then just have the forced-prompting apply to third party cookies? Most users will have prompts come up for them anyway through their browsers.

  2. That was 2011. Five years later, I must have clicked “accept cookies” roughly 20,000 times – enough for Repetitive Stress Injury. And I never, ever clicked “don’t accept”, simply because I know that the site won’t work then. So this EU “law” is indeed utter crap. So close to Christmas, I have one urgent desire: Make the name of the guy public who cooked up this nonsense. I want to congratulate him that one Billion users have performed 20,000,000,000,000 clicks in his honour. It is the incredible arrogance of such guys, and of the institutions that allow him to do such damage, which drive EU citizens away from the European Union. Happy Brexit, folks.

      • Wellll…. 60 Mio internet users in UK, 5 years, 10 “I accept cookies” clicks per day, that makes three Billion utterly useless clicks. I believe that “brexit was the answer” – not the right answer, I agree, because much more is at stake, but THE answer. If an institution treats citizens with so much arrogance, then they shouldn’t be surprised if people vote with their feet. Btw remember the bent banana and curved cucumber directives? They caused a lot of uproar but didn’t hurt anybody. The cookies clicks DO hurt, and there is no resistance from the sheep. Sad.
