Eat up your cookies now

The UK guidance on the legislation is worth a read, and makes it clear that setting cookies by default is not acceptable in almost all circumstances. The Information Commissioner’s Office has an optional cookie dialogue as their chosen solution; other examples of which are at which has a third-party cookie list which, I suspect, no one who actually drills down would agree to:

We use a number of social media tools to enhance visitor interaction on our site. If you already use these platforms their cookies may be set through our website. Data may then be collected by these companies that enables them to serve up adverts on other sites that they think are relevant to your interests. If you do not use such platforms then our site will not place these cookies on your device.

Twitter Cookies: ab_sess_search_relevance_ranked_hits_189, dnt, t1, auth_token_session, secure_session, twll, twid, ab_sess_wtf_user_to_user_rec_155, ab_sess_search_relevance_social_167, ab_sess_t1_actions_156, __utmc, __utmv, __utmb, __utma, __utmz, _twitter_sess, _twitter_sess, ab_sess_activity_ddg_126, ab_sess_activity_up_top_98, ab_sess_promoted_arrows_and_pills_78, ab_sess_Relevance_V1-49, _sm_au_d, auth_token, external_referer, guest_id, k, lang, original_referer, pid

Facebook Cookies: lu, L, L, datr, e, c_user, c_user, presence, sct, sct, _sm_au_d, act, _e_bWDI_21, _e_bWDI_22, _e_bWDI_23, _e_bWDI_24, _e_CTMK_0, _e_CTMK_1, _e_CTMK_2, _e_e6Yv_0, _e_e6Yv_1, _e_e6Yv_2, _e_0ITr_10, wd, x-referer, xs, xs, reg_ext_ref, reg_fb_gate, reg_fb_ref, reg_ext_ref, reg_fb_gate, reg_fb_ref

Google Cookies: PP_TOS_ACK, IGTP, NID, ULS, OTZ, APISID, SAPISID, SSID, _sm_au_d, S, S_awfe, SID, SS, W6D, BEAT, HSID, PREF

Microsoft Cookies: MC1, WT_FPC

Hopefully this makes it clear to people that “social” platforms are now in the somewhat less social surveillance business (STASI media?).

What about the browser? Should it not be helping people make these decisions, rather than putting the onus onto websites? Is accepting cookies a statement of willingness? The UK guidance makes it clear that most users do not understand what is happening right now, and do not know about or understand the changes they could make. Do Not Track is unfinished, and may well need legislation to support it, as servers may just ignore it. The European legislation will hopefully help move sites away from just using cookies for everything, pushing some of the holdouts towards statelessness (.Net and Java particularly, though many PHP websites also set a session cookie by default when there is no need), and make people review cookies rather than just defaulting to them. Remember that you have had the last year to work on removing default cookies from your web systems; enforcement starts in a few weeks.
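As an added example (not part of the original post), here is one way to review which cookies a site sets on a first visit, before any consent is given, flagging the default framework session cookies mentioned above. The helper names, the hosts and the sample capture are constructed for illustration, and the first-party test is simplified (no public suffix list).

```python
# Default session-cookie names issued by common stacks (well-known defaults).
FRAMEWORK_DEFAULTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes with lowercased keys)."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit_first_visit(site_domain, responses):
    """responses: (responding host, Set-Cookie value) pairs seen before consent."""
    findings = []
    for host, header in responses:
        name, attrs = parse_set_cookie(header)
        # Simplified test: the site's own host or one of its subdomains.
        first_party = host == site_domain or host.endswith("." + site_domain)
        persistent = "max-age" in attrs or "expires" in attrs
        findings.append({
            "name": name,
            "host": host,
            "party": "first" if first_party else "third",
            "lifetime": "persistent" if persistent else "session",
            "framework_default": FRAMEWORK_DEFAULTS.get(name),
        })
    return findings

# Constructed capture of a first page load (hosts and values are made up;
# __utma and guest_id are cookie names taken from the lists above).
SAMPLE = [
    ("www.example.org", "PHPSESSID=q1w2e3; path=/; HttpOnly"),
    ("www.example.org", "__utma=1.2.3.4; Max-Age=63072000; Path=/"),
    ("widgets.social.example", "guest_id=v1%3A000; "
     "Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/"),
]

if __name__ == "__main__":
    for finding in audit_first_visit("example.org", SAMPLE):
        print(finding)
```

Every row in the output is a cookie that was set without the visitor choosing anything; rows with a `framework_default` value are usually the easiest to remove, by not starting a session until one is actually needed.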

Will people take any notice? The attitude so far has apparently been generally to ignore it, outside of government sites. But this is not going away, and there are enough privacy activists who will like using a new tool against people that it would be dangerous to continue to ignore it. Will it kill the internet? Personally I think that the giant spam internet that has arisen from the internet advertising boom is a huge negative that is more likely to kill the internet, and I have already had to install an adblocker on my work computer.