So I woke up yesterday, like many web developers, to the news that the often-threatened European anti-cookie law is finally upon us after three years and will be coming into force on the 25th of May. The Radio 4 show I was actually listening to delivered this news in the form of an interview with a typically uninformed governmental type who appeared to think that this law would be a massive pain in the backside to developers but that we “had no choice”.
Even the BBC article I just linked to doesn’t get all the facts right! Our own minister of culture takes a bit of a smarmy attitude (quote: “we should not see any delay in action as a ‘get out of jail free card’”). It’s very clear that whichever bunch of suited monkeys came up with this ridiculous ruling also weren’t in possession of all the facts before making the decision. The UK, unfortunately, is bound as part of its EU agreement to enforce this law, otherwise it will be in quite a lot of trouble, so all eyes at the moment should be on the interpretation that our government implements in order to comply. Given the level of competence they’ve shown in recent years, confidence certainly isn’t high. It should be of absolutely no surprise to anyone that the industry is simply not prepared, because nobody with half a brain would ever think something this ridiculous would ever come to fruition.
Well, I’m here to just clarify that the “Pain” that this will apparently cause developers is absolutely MINUTE compared to the pain this will cause users. If you’re a developer, you’ll already know the scale of what we’re dealing with. We’re a resourceful bunch and will be able to handle whatever these cretins throw at us (heck, we do that at work every day right?).
Users, on the other hand, are stuck with this forever. Fortunately regular web users are also pretty resourceful and I dare say some kind of loophole will be discovered to get around whatever we end up with. The people that will probably be hit hardest will be the most vulnerable web users (i.e. the thickies that don’t even know what a browser is). So what have those users got to look forward to?
Well, contrary to what all these articles tell you, cookies are not evil things that infect your computer and steal personal information. They are tiny key-value pairs that store information to give you persistent state across the otherwise stateless web. They’re also used to power many commonly used web framework concepts such as the session (where a little encrypted session-key cookie is placed in the client’s browser to give them a persistent session for 30 minutes or so). Decline cookies and it’s bye bye “being logged in” and bye bye “shopping cart”.
Web analytics software that companies use to track website performance and improve usability / conversions is mostly also cookie-powered (including Google’s own solution and analytics leader Omniture). Yes, this software will certainly be used to track user behaviour in order to improve a website’s conversion rate, but this is no more unscrupulous than the “Nectar card” system which people use every day. I’ll be pretty interested to see how those companies deal with whatever happens.
To take this one step further – it is actually scientifically impossible for this not to be annoying for users. If the site itself needs to get permission to plant a cookie, and the user says no, then it’s going to have to ask again on every single page, because without planting a cookie there’s no way for the site to know that it already asked you! Actually that isn’t strictly true – in the absence of cookies, the last bastion of maintaining state therefore becomes the utterly insecure and easily bypassable query string.
And it’s worth pointing out as well that the query string can be used to track user behaviour just as easily as a cookie can, and is far less private (ASP.NET developers – you can achieve this functionality by adding the “cookieless” attribute to your Session settings in web.config). In fact, banning cookies will only really “wound” the beast they are trying to kill. Pretty much the only thing that cookies give you uniquely is the ability to tell whether someone has visited your site before (and all associated data that you might have given them last time they did).
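To make the mechanics of the last few paragraphs concrete, here is a small Python illustration. It is added to this page, not code from the post, and it does not model ASP.NET’s own cookieless implementation: the same signed session identifier is carried either in a cookie or in the query string, and the “must ask again” check fails whenever neither channel carries recoverable state. The secret, the cookie name `sid` and the URL layout are invented for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key. A real server would load this from protected configuration.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def new_session_id() -> str:
    """A fresh, unguessable session identifier (the 'session key' the post mentions)."""
    return secrets.token_hex(16)


def sign(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Append an HMAC tag so the server can detect a client-edited identifier."""
    tag = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify(token: str, secret: bytes = SERVER_SECRET):
    """Return the session id if the tag checks out, otherwise None."""
    session_id, sep, tag = token.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return session_id
    return None


# --- channel 1: a cookie -----------------------------------------------------

def session_set_cookie_header(session_id: str) -> str:
    """Value of the Set-Cookie response header. Secure keeps the value off
    plaintext connections and HttpOnly keeps it away from page scripts;
    neither protection exists for a value carried in the query string."""
    return f"sid={sign(session_id)}; Path=/; Secure; HttpOnly"


def session_from_cookie_header(cookie_header: str):
    """Recover the session id from the request's Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "sid" not in jar:
        return None
    return verify(jar["sid"].value)


# --- channel 2: the query string ('cookieless' sessions) ---------------------

def cookieless_url(path: str, session_id: str) -> str:
    """Put the same signed token in the URL instead of a cookie. Anything in
    the URL ends up in browser history, bookmarks, shared links, server access
    logs and Referer headers, which is why the post calls this channel far
    less private than a cookie."""
    return f"{path}?{urlencode({'sid': sign(session_id)})}"


def session_from_url(url: str):
    """Recover the session id from the URL's query string, or None."""
    token = parse_qs(urlparse(url).query).get("sid", [None])[0]
    return verify(token) if token else None


def must_ask_again(cookie_header: str, url: str) -> bool:
    """The post's point: if the request carries no recoverable state, the site
    cannot know it already asked, so the consent prompt has to be shown again."""
    return (session_from_cookie_header(cookie_header) is None
            and session_from_url(url) is None)


if __name__ == "__main__":
    sid = new_session_id()
    cookie = session_set_cookie_header(sid).split(";")[0]
    print("cookie channel, ask again?", must_ask_again(cookie, "/page2"))
    print("no state at all, ask again?", must_ask_again("", "/page2"))
    print("query-string channel, ask again?", must_ask_again("", cookieless_url("/page2", sid)))
```

The HMAC tag is what stops a visitor from simply editing the identifier in either channel; the difference between the two channels is only where the value travels, and the query-string form travels everywhere the URL does.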
If we’re lucky, the ban will be restricted to uses of cookies for certain things rather than just being a blanket ban, but unfortunately this is also scientifically impossible. There is absolutely no way for anyone monitoring cookie usage to tell what a particular cookie does without seeing the accompanying server-side code (unless it’s obvious from the name). Unless it’s a blanket ban, then, this will be an unenforceable law.
Speaking of those organizations who will be enforcing this… how are they going to prove that a website didn’t ask users permission? Will we all now be expected to keep databases proving our innocence? And how on earth would we actually obtain this proof to begin with? It’s not like we can match a web request to an actual person (you certainly can’t get that sort of information from the IP address of your average web user).
I don’t mind going out on a limb here and saying that I personally think that this law will never happen or if it does happen it will be implemented in such a way that nothing will actually change for the most part. I will also put my hand up and admit that I have probably jumped straight to the “worst case scenario” when going through the implications. With any luck it’ll end up just being a mandatory note in the footer.
To all the privacy lobbies out there campaigning for this: Listen up. If you don’t want people knowing your IP address, don’t use the internet (your IP address is included in every request you make and there’s nothing you can do to stop it being there). If you don’t want people knowing your personal details, don’t type them into the internet. If you don’t want people knowing what you’re buying online, don’t buy things on the internet. Quit trying to wreck it for the rest of us. Focus your energies on campaigning against specific abuses of privacy, such as people selling your details to advertising firms or other such actions.
So I stand by my initial point: this is an unenforceable law dreamed up by a ridiculous group of people. If attempts are made to enforce it then I predict European web-wide rebellion! To agree to these laws would be to hand a whopping great e-commerce victory to the rest of the world. The only people ultimately harmed by the decision would be users, and I’ll be damned if I’m going to give my own users a rubbish web experience just for this.