The Joomla! Forum ™

It's not a matter of being out of business, but a matter of jurisdiction.

I could very well set up a site to pump extra long-lasting cookies on EU-based clients and there's not a thing anyone can do.

I could also just block connections from Europe altogether, and notify users from that country why they are blocked. In the end, the Internet WILL see this as damage and route around it - and it will be unfortunate for users in the EU if the Internet decides to route around them completely.

Harsh? Yes, it is. It's not my fault you folks in the EU failed miserably at explaining the stateless nature of the Internet to your politicians.

_________________
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.

...and there endth the lesson! I fear you are correct although hearing it from an Australian doesn't soften the blow. http://www.alrc.gov.au/news-media/media ... eme-review

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

So the conclusion is not to panic and wait on solutions form browser developers and CMS programmers whilst taring our hair out and running blindly into walls whilst coming up with a hacky solution.

This is such a mess... Most users don't know what a cookie is and will just click yes (as they do with all other dialogue boxes) just to get rid if it... We going to spend days of our lives reverse engineering our 6 year old sites so that the user can - without thought - click yes and say, "Wonder what that was all about"

Sigh!

There is a discussion in the CMS google group regarding this subject. https://groups.google.com/d/msg/joomla- ... TA9-H3ZicJ

Create a privacy policy document and link to it in a very prominent place on your site. Explain in that policy exactly what information you collect and what you do with that information.

There is no reason to panic or tear your hair out.

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

@Jenny
Sound advice which I suspect is the best course of action at present. Said advice still leaves you in contravention of the legislation of course if you have dropped the Google Adsense and Session cookie prior to them reading your helpful policy! At the end of the day it has nothing to do with what you are doing with the cookie it is the placing without prior consent that is the Actus Reus. What your policy refers to is the Mens Rea.
However as the ICO and UK Gov alphasite are both in that position I would say we are fireproof for now!

Edit following reading Elin's post on that link:

With the greatest respect to Elin, that is wrong in the, EU at least. The "reasonable care" would be if someone got a cookie despite your clear and implicit warning. She is quite correct in that there is no need for panic. The EU passed this legislation in 2009 after all. Why we are still not in a position to implement in 2011 it is quite another topic altogether!

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

Just when you thought you had seen the last of landing pages, we now need one to advise about the cookies...
oh well

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

There is a ton of information in http://eur-lex.europa.eu/LexUriServ/Lex ... 036:En:PDF that people need to think about and take into consideration, on a number of levels and issues. I am sure that when the actual governmental bodies decide on what action people have to take or give recommendations on how people are to deal with these issues, things will become much clearer.

For right now I don't think it is wrong to take the road of doing your upmost to inform while enacting reasonable care and consideration. I don't think it is anything to get in a tizzy about.

Edit: what is surprising is it has actually been around since 2003? The Privacy and Electronic Communications (EC Directive) Regulations 2003 http://www.legislation.gov.uk/uksi/2003 ... tents/made

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

The 2003 Regulation allowed the Browser setting to give implied consent. That is: the user has not changed the default setting of allowing cookies to that of blocking them, ergo they must have given their consent to being tracked via cookies.
I for one do not see the Browser makers falling over themselves to change the default setting to that of block all cookies. Neelie Kroees has already had that conversation with them hence the 2009 change in wording.

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

Sorry to contradict your very sensible footdragging, but the Government has already issued advice on what you should be doing. Comply with the Regulation.

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

Yes well of course comply with the regulations.

What has changed is that users have to explicitly give consent. No more can you get away with an ambiguous, amorphous privacy policy or terms of service. The days of cookie-cutter PPs and TOSes are most likely numbered (excuse the cookie pun I couldn't resist).

Considering for instance where the governmental bodies noted above are not actually complying with their own regulations - I would say the time for panic has not arrived. The time for considering a plan of action and implementing it has arrived, as ICO has given everyone a year to get into compliance.

And there is much to chew on regarding the issue considering all the chatter about it.

I agree with portions of the above referenced article such as: "Why implement a law when you have only just started to tell people what they can do to abide by it?" I would go one further.. why implement a law that you cannot yourself comply with?

And considering the privacy watchdog organizations that the law is aiming to further the aims of are none too pleased about the situation, I am not sure how this will all play out over the next year.

Expecting every user, everywhere on every site and every page to agree to a pop up(s) allowing cookies. Well that just sounds like fun surf time will be had by all doesn't it?

Edit: Well my point of bringing up 2003 is that the whole issue of privacy online, tracking, data collection has been around for ever. Gov and action groups making policies regarding it for about a decade. I mentioned it as a further point to the "Don't Panic" argument.

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

As usual, by not understanding the technology, policy makers have got it all bass ackwards again.

Rather than ask 10 million websites to change the way they issue cookies, they should target several dozen browser makers to beef up their interface to better inform about, and give more granular control over, cookie management.

_________________
Online since 1995.

It is interesting to note how the ICO has moved towards compliance. On their site they acknowledge that a session ID has been dropped on arrival but that it is necessary for the proper functioning of the site.
So far so good for the Joomla session ID.
They also acknowledge that there is no technical solution to that for now.
However they have blocked the Google Adsense cookie until you explicitly agree to accept it acknowledging that it is not essential for the site operation.
Where now for these extensions?
They can now argue that they have taken all reasonable steps to comply with the Directive, for now at least.
When you say the we have been given a year to comply, that it is not strictly the case. It is that type of interpretation that has squandered the past 18 months and left us scrabbling around after enactment.
The ICO's position on the grace period is:


The repeated entreaty to Keep Calm and Carry On is good and well intentioned advice, however, Joomla cannot hide behind it for long.

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

I am working to adress the cookie issue, I am thinking everyday on how best to handle the situation, it may take me 20 years but i am working on it.
As for the ICO, I do note that i can continue on their site without agreeeing to anything.

A list of native cookies set by joomla may be needed on top of the list of cookies set by any extension. That will please the devs (and jed if they need to check for them)

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

/sarcasm

I have succumbed and included the ICO warning text on the front page of my sites. Using the JHider plugin it disappears once you have logged in. It seemed the least ugly approach along with my earlier suggestion for pre login text.
At least I won't be first into the tumbrel!

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

i have already pitched this with JED off record but it may need a more official approach.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

No the keep calm and carry on attitude isn't what has people thinking they need to scramble now. It is that the bodies that made up the regulations, could not themselves give clear instructions or methods on how to comply that has wasted 18 months.

That another year has been tacked on is due to still the same lack of clear instructions and methods on how to comply that even they cannot enact (but are tryin and realizing that there actually is no way to comply - see session id issue noted above)

It is interesting that they say in essence this is the regulation, but there is no possible way or technical solutions available to actually comply with the regulations.

If you are concerned about complying right now and don't want to look like you are hiding or putting your head in the sand: I would say create a list of all cookies that your site may drop. Compile a list of what each cookie does, what information you store and track and how that information may be used, create a check box saying yes I agree to these cookies being placed on my machine, and that to enter into your site that box must be checked. Place all of this on a artfully designed plain html splash page. And voila you are in compliance right now.

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

Oh yes...fantastic solution isn't it! Party like it's 1999.

I do disagree that the wasted 18 months was while we awaited direction on how to comply. I challenge you to name any legislation enacted in the past 10 years that came with an instruction pack on how to implement it?

Of course leaving this with the end user masks where Joomla sits. OSM are so far back into the closet on this issue that I expect to see Mr Tumnus elected to the board.
The case for the prosecution is as follows:
M'lud, this organisation makes and distributes software that drops a cookie without explicit consent. The cookie is non-invasive and non-persistant, but no consent is sought before it is placed. Further, they host and encourage a number of extensions which place a very persistent cookie which could be used to track M'lud's lunch time pron-surfing sessions. They are a very technically able group and there is no evidence they are working towards compliance, as opposed to being unable to reach compliance. As M'lud is aware the offence is absolute and committed now if no such evidence can be adduced.
The parent body is domiciled in Her Majesty's Western Colonies and is disinclined to recognised the jurisdiction of M'luds court.

Now the case for the defence is: What exactly?

Please do not take offence at me being Devil's Advocate. Too many people seem to think we can sit a watch this unfold as bystanders. Using Joomla out of the box now is actionable directly in 3 countries of the EU and teetering on the brink in the rest.
If Joomla contained a module to enable the download of cracked MS Windows keys do you think we would wait 18 months for it to comply with US Law?

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

I am not advocating for sitting while it all unfolds. Currently the only solution is to not have any site load, collect any data, drop a cookie, or basically anything until the person browsing has been appropriately informed and they have specifically opted in for any and all activity by explicitly giving consent by ticking a box and clicking ok, or otherwise taking specific action to indicate they accept and agree.

The only solution I see is to go back to the days of the popup or splash page as is suggested as the only solution available right now by the ICO. That way you do not have to provide any defense at all as you absolutely complying.

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

Lets start with small step by identifying all the cookies that the core of joomla sets and establishing if
1) they are needed for the site to operate
2) if not always needed then under what circumstances can they be disabled and provide a method for doing so

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Then at this point you are agreeing that Joomla "Out of the Box" is not an issue?


Yes the popup route. But I thought you stated that taking all reasonable steps to comply was not enough that you couldn't just take steps to comply but you have to:


So if Joomla is complying regarding the session id cookie because it is essential for site operation, and considering Joomla! cannot control or limit what anyone will put in their joomla site themselves on their website, or if extension developers utilize cookies in their extensions, or if third party advertisers put cookies in their advertising. What exactly are you asking Joomla to address?

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

Is the session id cookie essential for site operation?

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

I may be mistaken, but wasn't it established that the only cookies J drops out of the box is session?

Installation session cookie
Frontend session cookie
Backed session cookie



Well are we going to talk about how/if/whether Joomla! out of the box complies with the law? Was that not the original discussion? Or the giant question as to whether session id cookies are essential to website operations and if/how/when/solutions that make make session id cookies obsolete? Could that be a separate discussion from this discussion as it is a totally different topic?

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

apologies if i missed that earlier in the thread.

Moving forward then is the frontend session cookie essential for site operation

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

As far as i can tell (testing in 1.5.23) if you disable registration, and disable the login module, a frontend cookie is not delivered. I could be mistaken and it would be great if someone can confirm, or not confirm.

If that is the case then the above question is moot, as it is essential for site operation for a session id cookie when registration/login is enabled. If it is not enabled no cookie is dropped on the front end meaning there is not a problem with complying regarding out of the box J.

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

Looks to me that a session cookie is set.

Steps to reproduce
1. Clean install on 1.5.23 with sample data
2. unpublished login module
3. set "Allow User Registration" to no
4. visit frontend of site
5. Clear all cookies in browser
6. refresh

one cookie is set - can be verified by typing the following in the address bar

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

In 1.6.3

Installation: session cookie
Frontend: session cookie
Backend: session cookie and jpane slider cookies (lots depending on the amount of surfing around) with default admin template.

On the frontend 1.6.3 with registration disabled and all login modules disabled a session cookie is dropped.

Thanks for testing Brian. I tried again and didn't see a cookie. in 1.5.23 with login and the login module unpublished on a totally fresh installation with sample data. Not sure why my experience is different from yours.

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

login module uninstalled or disabled?

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

Sorry fixed that above.. unpublished (disabled).

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com

If I may observe that the issue of "working towards compliance" is a UK only fudge while a technical solution is sought.
The UK regulator has agreed to not pursue any organisation which is clearly "working towards compliance" in respect of an non-invasive cookie hence their own site has a displayed warning regarding their session cookie and a check box to explicitly accept their non-essential Google Analytics cookie.

So to answer your question; yes Joomla out of the box is still affected...unless you have taken some mitigation and can evidence "working towards compliance."

In Finland, Estonia and Denmark no such grace period is available as full compliance has already been signalled to the EU. The rest...following soon.

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776

The Estonia Gov. website drops 6 cookies with no such notification or explicit agreement to them being dropped. http://www.valitsus.ee

The Denmark official website drops 9 cookies with no such notification or explicit agreement to them being dropped http://www.denmark.dk Their website on foreign affairs drops 6 cookies similarly. http://www.um.dk

The Finnish goverment site drops 5 cookies with no such notification or explicit agreement to them being dropped http://www.government.fi/

So full compliance has already been signalled to the EU by these governments with no grace period?

_________________
Co-author of the Official Joomla! Book http://officialjoomlabook.com
Marpo Multimedia http://marpomultimedia.com