Eat up your cookies now

Last year, in May 2011, the UK introduced its local version of the European Directive 2009/136/EC, catchily known as The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, but usually referred to as the cookie law. This roughly says that you need to ask permission before using cookies (or other local storage by implication) as these can be used to accumulate personally identifiable information.

In the UK, enforcement was delayed by a year, to give people time to rewrite their software and UX, something which as far as I can see most people have been busy not doing.


On this blog, which is always ahead of the times, I decided to address the situation this week, well ahead of time. The solution I have decided to adopt for this blog is to remove all cookies as far as possible, that is, other than the WordPress login cookies that only affect me (yes, I am moving off WordPress very soon, but still working on my preferred environment). So I deleted the Google Analytics account for this blog, and removed the JavaScript. I believe that is all the cookies, as I do not think I have any other ones on any of the other content. In terms of your privacy, well I think Google Analytics does a reasonably good job of disguising it to some extent, but I could probably work out who some of my readers were. Of course if you comment you can do so under your real name, but there is no obligation; although WordPress does ask for your email, that is only for trying to retrieve an icon, and there is no verification, so feel free to use [email protected].

However, whether Google use Analytics information in a way that you, or the law in Europe, might consider as a privacy issue I really don’t know. To use a free service for analytics from the largest company tracking users on the internet is pretty dubious in many ways. The information from analytics is clearly enough to pay for the service, as they have not rationalized it or moved it to a paying service unlike many other services, although they have underinvested, and only just removed Flash. There is an interesting scope for purely statistical analytics in Europe, by which I mean without storing cookies or other data, just based on correlation of events and numbers, definitely an interesting idea for a startup to pursue here. AB testing, conversion tracking and so on can all be done without collecting personal data or using cookies with equal statistical effectiveness; people are just wedded to the easy traditional way, and need to do some more work.

The UK guidance on the legislation is worth a read, and makes it clear that setting cookies by default is not acceptable in almost all circumstances. The Information Commissioner’s Office has an optional cookie dialogue as their chosen solution; other examples are at Cookielaw.org, which has a third-party cookie list that I suspect no one who actually drills down would agree to:

We use a number of social media tools to enhance visitor interaction on our site. If you already use these platforms their cookies may be set through our website. Data may then be collected by these companies that enables them to serve up adverts on other sites that they think are relevant to your interests. If you do not use such platforms then our site will not place these cookies on your device.

Twitter Cookies: ab_sess_search_relevance_ranked_hits_189, dnt, t1, auth_token_session, secure_session, twll, twid, ab_sess_wtf_user_to_user_rec_155, ab_sess_search_relevance_social_167, ab_sess_t1_actions_156, __utmc, __utmv, __utmb, __utma, __utmz, _twitter_sess, _twitter_sess, ab_sess_activity_ddg_126, ab_sess_activity_up_top_98, ab_sess_promoted_arrows_and_pills_78, ab_sess_Relevance_V1-49, _sm_au_d, auth_token, external_referer, guest_id, k, lang, original_referer, pid

Facebook Cookies: lu, L, L, datr, e, c_user, c_user, presence, sct, sct, _sm_au_d, act, _e_bWDI_21, _e_bWDI_22, _e_bWDI_23, _e_bWDI_24, _e_CTMK_0, _e_CTMK_1, _e_CTMK_2, _e_e6Yv_0, _e_e6Yv_1, _e_e6Yv_2, _e_0ITr_10, wd, x-referer, xs, xs, reg_ext_ref, reg_fb_gate, reg_fb_ref, reg_ext_ref, reg_fb_gate, reg_fb_ref

Google Cookies: PP_TOS_ACK, IGTP, NID, ULS, OTZ, APISID, SAPISID, SSID, _sm_au_d, S, S_awfe, SID, SS, W6D, BEAT, HSID, PREF

Microsoft Cookies: MC1, WT_FPC

Hopefully this makes it clear to people that “social” platforms are now in the somewhat less social surveillance business (STASI media?).

What about the browser: should it not be helping people make these decisions, rather than putting the onus onto websites? Is accepting cookies a statement of willingness? The UK guidance makes it clear that most users do not understand what is happening right now, and do not know or understand about the changes they could make. Do Not Track is unfinished, and may well need legislation to support it, as servers may just ignore it. The European legislation will hopefully help move away from just using cookies for everything, pushing some of the holdouts to statelessness (.NET and Java particularly, though many PHP websites often set a session cookie by default when there is no need), and make people review cookies rather than just defaulting to them. Remember you had the last year to work on removing default cookies from your web systems; enforcement starts in a few weeks.
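One way to review default cookies, as an added example that is not code from this blog: it lists every cookie a first-visit response sets before any consent has been given. The sample headers are constructed, and the `wordpress_` exemption prefix, the `KNOWN` labels and the function name are assumptions of this example.

```python
from http.cookies import SimpleCookie

# Constructed first-visit response headers (no consent given yet);
# not captured from any real site.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: PHPSESSID=9f2c1ab0; path=/
Set-Cookie: __utma=1.2.3.4.5.6; expires=Fri, 23-May-2014 10:00:00 GMT; path=/
Set-Cookie: wordpress_logged_in_abc123=editor%7C1337; path=/; HttpOnly
Set-Cookie: lang=en; Max-Age=31536000; path=/
"""

# Name prefixes this example recognises (labels are this example's own).
KNOWN = {
    "__utm": "Google Analytics",
    "PHPSESSID": "PHP default session",
}


def audit_first_visit(raw_headers, exempt_prefixes=("wordpress_",)):
    """Return (name, lifetime, label) for each non-exempt cookie set by default."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue  # status line or some other header
        jar = SimpleCookie()
        jar.load(value.strip())
        for name, morsel in jar.items():
            if name.startswith(exempt_prefixes):
                continue  # e.g. login cookies that only affect the site owner
            # A cookie with Expires or Max-Age outlives the browser session.
            persistent = bool(morsel["expires"] or morsel["max-age"])
            label = next(
                (text for prefix, text in KNOWN.items() if name.startswith(prefix)),
                "unclassified",
            )
            findings.append(
                (name, "persistent" if persistent else "session", label)
            )
    return findings


if __name__ == "__main__":
    for finding in audit_first_visit(SAMPLE_HEADERS):
        print(finding)
```

An empty result for a logged-out first visit is the target; anything listed is being set by default and needs either removing or a consent step.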

Will people take any notice? The attitude so far has apparently been generally to ignore it, outside of government sites. But this is not going away, and there are enough privacy activists who will like using a new tool against people that it would be dangerous to continue to ignore it. Will it kill the internet? Personally I think that the giant spam internet that has arisen from the internet advertising boom is a huge negative that is more likely to kill the internet, and I have already had to install an adblocker on my work computer, disable Flash everywhere, delete my Facebook account, block third party cookies, start removing sites from Google search and so on. So some legislation that does not go along with these moves and puts the consumer first is welcome, even if you might argue that it is not the best designed legislation ever. And if your business model requires cookies, time to think about something else, you still have a few weeks.