European Electronic Communications Framework Compliance

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Tue May 15, 2012 7:24 pm

I have now created a Joomla module for my (session cookie ignoring) solution.

This is installed on http://kissjoomla.stempsite.co.uk

From earlier feedback:
If JS is disabled the message and button are shown.
The menu item that appears after accepting cookies will display a page where a cookie is set.

In the admin the show/hide button can be disabled, and it can be placed to the left or right.
The text is also editable in the admin panel.

See the whole project at:

https://github.com/KISS-Web-Design/mod_cookiechoice

You can get the installation zip file from:

http://kisswebdesign.co.uk/support/joom ... choice.zip

No registration required.

I have only tested this on a new Joomla 2.5 installation, but it _should_ work on 1.6 and up.

Chris.

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Tue May 15, 2012 11:30 pm

@chrisjg

Tested on your test site. Session cookie drops onto visiting computer as soon as the site is opened by the Browser.

Test result: no avail. It does not work, sorry.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Wed May 16, 2012 11:11 am

Ooops, I seem to have explained it wrong (my bad). When I said 'session cookie ignoring' I meant that my solution ignores the setting of the session cookie (so it allows the session cookie to be set).

The reason I have left it to be set is because I am still unsure about the security issues of the site/database if there is no session cookie. I am also unsure of the effect it would have if the site is running across multiple servers and there is load-balancing.

I have manually blocked the session cookie to see what effect it has, and have not seen any problems (but only on a single server site, no cdn, no load-balancing).

I have (so far) not found a clear answer as to why, if it is not required, it is set for every visitor.

So, for the time being, I am ignoring the session cookie until I have a much clearer understanding of why it is used. I will classify it as 'essential' for the operation of the site.

That is my decision, others may (probably will) have a different view, that is OK too. It only goes to show the lack of clarity from the ICO regarding what is/isn't compliance.

For those who think this legislation needs a serious 'looking at' there are the following e-petitions for signing (in the hope that it will make a difference):

http://www.change.org/petitions/stop-th ... eb-cookies#
http://epetitions.direct.gov.uk/petitions/33035
http://epetitions.direct.gov.uk/petitions/31800
http://epetitions.direct.gov.uk/petitions/2811
http://epetitions.direct.gov.uk/petitions/14640

Chris.

Xpresso
Joomla! Apprentice
Posts: 14
Joined: Sun Aug 17, 2008 2:17 pm

Re: European Electronic Communications Framework Compliance

Post by Xpresso » Wed May 16, 2012 1:05 pm

I can confirm that nicholash's plugin works on all the sites I have tested it in, so I'm not sure what the chances are of getting it adapted for 1.5?

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Wed May 16, 2012 5:36 pm

chrisjg wrote: That is my decision, others may (probably will) have a different view, that is OK too. It only goes to show the lack of clarity from the ICO regarding what is/isn't compliance.
Can I go first? Only to boringly repeat that the Regulations say "... strictly necessary for a service explicitly requested by the user". God, how I have come to hate the word essential these past 6 months.

ICO is to hold a press briefing on 18th May to outline its approach to enforcement. Don't expect too much clarity!
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: European Electronic Communications Framework Compliance

Post by mandville » Wed May 16, 2012 5:39 pm

Can I suggest a wiki page (save making another summary post) with details and links to the various methods, as I know there are several not mentioned on here being worked on.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Wed May 16, 2012 7:30 pm

abernyte wrote: Can I go first? Only to boringly repeat that the Regulations say "... strictly necessary for a service explicitly requested by the user". God, how I have come to hate the word essential these past 6 months.

ICO is to hold a press briefing on 18th May to outline its approach to enforcement. Don't expect too much clarity!
lol. Not expecting much clarity either.

My position is

"The user has explicitly requested the page from my website, and expects it to be served in a safe and secure way - free from viruses, XSS vulnerabilities, etc. Given that HTTP is stateless, a session between the user and the webserver is created to maintain navigation cohesion over load balanced servers. This requires the setting of a cookie on the user's device, which expires on both the webserver and the user's device at the end of the session, and contains no sensitive user data. Thus maintaining security and functionality."

Or some other tech-sounding half-made-up waffle.. Err, I mean legitimate reasons for defining the session cookie as essential for serving the page the user has explicitly requested!

I can't wait to see what happens on the 26th. Every UK website having a "set cookie" request on it, or no-one bothering and waiting to see what the ICO actually does about it.

I know there is a groundswell of people planning to trawl the web on the 26th and report every site that sets cookies to the ICO - effectively flooding them with reports and requests for investigation.

Not the way to do things, in my view, but these anonymous people have been heard discussing it on IRC.

Chris.

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Wed May 16, 2012 10:17 pm

mandville wrote:can i suggest a wiki page (save making another summary post) with details and links to the various methods as i know there are several not mentioned on here being worked on
Not sure a wiki page would be a good idea unless it was a secure page that the wiki admin wrote and updated. But it would be good to know what others are working on.

I only produced Kookie Grab as a stop gap and it doesn't stop all cookies. And I don't want to spend time developing Kookie Grab further if something better is being developed. nicholash's plugin works to stop the session cookie. The attempt by chrisjg is clearly a dead end because it does not stop the session cookie. And no other cookies show when cookies enabled, so no way of telling if it stopped them in the first place.

What are the other ones? How many? What cookies do they stop?

Gewitty
Joomla! Intern
Posts: 90
Joined: Mon Jul 31, 2006 4:53 pm

Cookie Control

Post by Gewitty » Thu May 17, 2012 1:15 pm

I've been looking for a solution which will allow users visiting the site to switch off the use of cookies if they wish. This is to comply with the EU Directive on Privacy and Electronic Communications, which is being enforced in the UK from May 26th.

So far, I haven't managed to find anything which will do the job, which leaves me with two questions:
  • Is there a module/plug-in or other solution available currently, or failing that...
  • Could the Simple Pop-Up plug-in be used? It looks as if it could possibly be adapted for this purpose, but I'm not smart enough to figure out how to control the setting of cookies in this way.
Any ideas would be welcome. I'm sure there must be hundreds of site admins scratching their heads about this one.

P.S. I came across this useful little bit of code, which puts a 'Cookie Alert' on every page of a site and links back to the site privacy policy. It's not a full answer, but it does go some way towards demonstrating that compliance is being sought. http://tiny url.com/cwrkz54

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Thu May 17, 2012 3:17 pm

Webdongle wrote:nicholash's plugin works to stop the session cookie. The attempt by chrisjg is clearly a dead end because it does not stop the session cookie. And no other cookies show when cookies enabled, so no way of telling if it stopped them in the first place.
There is a way of telling that it stopped them. If you click accept cookies, then a new menu item appears - click that and it takes you to a page, previously unavailable, that sets a cookie:-
Name: TestCookie
Content: from+mod_cookiechoice
Host: kissjoomla.stempsite.co.uk
Path: /
Send for: Any type of connection
Expires: At end of session

That page is not available unless you accept cookies, hence the cookie is blocked. All modules installed after my cookiechoice module have access set to 'View cookies' (ie. only visible to users who accept cookies). It requires the admin to manually change its access to public (or other access level) if they choose.

Try to access that page (module, article, etc) without accepting cookies, or after blocking them, and you will get the default login page. You would have to manually remove the cookie to prove it is not set when trying to access the blocked page.

I still think that the ICO will exempt session cookies, but if I am wrong I will modify the module to exclude the session cookie if the site admin wants - I am still wading through lots of information about sessions and security, and could really do with a Joomla core developer to say that the session cookie is not required for anonymous visitors to the site to stay happy and secure.

Chris.

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Thu May 17, 2012 7:17 pm

Nope, still no cookies showing for me.

BenTasker
Joomla! Apprentice
Posts: 49
Joined: Fri May 18, 2012 8:45 am
Location: UK

Re: European Electronic Communications Framework Compliance

Post by BenTasker » Fri May 18, 2012 9:09 am

Hi guys,

Thought I'd chuck my 2p in. My coffee is still brewing so it's likely I'll put together a better post later!

Session Cookies
----------------------------

Last time I checked the ICO accepted that these were service essential. Their site, in fact, sets a session cookie without permission, tells the user it's happened and asks about the other cookies.

My opinion is that setting session cookies should be OK under law, so long as you can justify their existence (i.e. it's not to track a user's clicks etc). I doubt the ICO will pursue anyone for it, but it is a gamble. Whilst I completely agree with the idea that the user has explicitly requested a page, it's an argument you'd ultimately have to make in court!

For that reason, my intention is to provide the Site Admin the option to allow blocking of the session cookie. If I can figure out a way to replicate the functionality of the session cookie without setting it then it's another step forward (no hard ideas yet though). Because for many sites it is service essential, it's been a low priority in all honesty.


Once I've squashed a few IE7 (*spit*) bugs, we'll be launching Virya Cookie Monster later. You can see it in action on http://www.viryasoftware.com.

To the user, it's largely an altered version of the Kookie Grab module. We have however made a few changes that will benefit the Site Admin (given that they are transparent to visitors.) Some of these, I've seen no signs of others thinking about;


Search Engine Friendly
------------------------------------

The biggest issue I have with a lot of the solutions out there is that they don't discriminate between search engines and real visitors. It doesn't matter if we prevent Google from seeing Google-Analytics code, but it does matter if we are blocking an extension that actually contains content.

To use an example, assuming K2 sets cookies (must check, keep using it as an example!), Search Engine crawlers won't be able to see any of that content as they won't know to accept cookies.

As a side effect of the logic used to identify search-engines, I've also been able to give Site Admins the option to 'deflect' known bad-bots.



Auto-Detection
------------------------

This for us, was a key bit. Based on experience, not every Joomla admin is going to know about cookies, much less which extensions are a cause for concern.

We are going to build a back-end component that will auto-detect extensions and allow the admin to add them to the correct ACL with a click of a button. Due to time constraints (8 days to go!) we decided there wasn't time to get this out before the Law begins to be enforced, so the module comes with a Standalone PHP script that does the same (communicates with the DB on our server).

This is where we really need community support. There are too many extensions out there for us to add them all ourselves, so the more people who run the script and report cookie setting extensions the better (We'll also be making the API for the DB available once work is complete on it)!


Others
------------

We've also added the ability to select a 'Theme'. At the moment there's Corporate and Fun (the one in use on VS), and you can select from Banner or Lightbox mode (Page Peel should be coming later!).



I'm planning on pushing VCM out of the door today, but have quite a lot to get done first. As much as I hate supporting Internet Explorer 7, I don't think I've much choice in this instance. We also need to address an issue with ecommerce sites.






Chris: I can't say for certain with regards to Joomla, but a session cookie should not be required for basic sites. Anything where the user might as well be reading a static site (i.e. they can't interact to change things like font-size) shouldn't require the session cookie.

The problem is, web developers have been (rightly IMHO) using sessions to store user preferences for a long, long time. There will be extensions out there that store data in the session because it is the most appropriate place for it. The end result is, if you block session cookies some things may well break.

Security etc, however, shouldn't be an issue on one proviso: if a user logs in, you'll need to work on the basis that they've accepted the session cookie. There's no other easy way around it. You can't tie the login to their IP because they may be behind a proxy (hence every user of that proxy will be 'logged in'). You could perhaps combine IP and UserAgent, but it's a huge risk to take (what if they are on a homogeneous network?).

In all honesty, though, for a lot of sites I think disabling the session cookie will only lead to complaining users. It doesn't matter what the law says, if something isn't working then users will be quite vocal.




Anyway, my coffee has finished brewing and I'm feeling like I may be rambling a little so I'll sign off now!



Ben

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Fri May 18, 2012 9:56 am

BenTasker wrote:Last time I checked the ICO accepted that these were service essential. Their site, in fact, sets a session cookie without permission, tells the user it's happened and asks about the other cookies.
They fixed that ages ago.
BenTasker wrote:My opinion is that setting session cookies should be OK under law, so long as you can justify their existence (i.e. it's not to track a users clicks etc).
The exact text has been quoted several times, it applies to all cookies.
"Regulation 6 covers the use of electronic communications networks to store information, eg using cookies, or gain access to information stored in the terminal equipment of a subscriber or user.

Although devices which process personal data give rise to greater privacy and security implications than those which process data from which the individual cannot be identified, the Regulations apply to all uses of such devices, not just those involving the processing of personal data."

BenTasker wrote:We are going to build a back-end component that will auto-detect extensions and allow the admin to add them to the correct ACL with a click of a button.
Yes, great ... that is what we need.
BenTasker wrote:I'm planning on pushing VCM out of the door today
Can you make sure it works first please ? Because your site drops cookies before any choice is made on the Nag screen.
Addendum
One of the cookies is a Persistent 5year cookie by Statcounter. As much as I prefer Statcounter to Google Analytics ... Statcounter are snubbing the laws openly.
The cookies are removed if No is selected but if the site is navigated away from(before selecting) then they remain on the computer.
Last edited by Webdongle on Fri May 18, 2012 10:11 am, edited 2 times in total.

zeno
Joomla! Enthusiast
Posts: 127
Joined: Sun Oct 14, 2007 7:16 pm

Re: European Electronic Communications Framework Compliance

Post by zeno » Fri May 18, 2012 10:04 am

Ben

I'm not qualified to comment on your solution, but maybe something for later...

Your splash screen says:
We would like to use cookies to store information on your computer, to improve our website. One of the cookies we use is essential for parts of the site to operate and has already been set. You may delete and block all cookies from this site, but parts of the site will not work. To find out more about the cookies we use and how to delete them, see our privacy notice.
The two buttons say 'I accept cookies from this site' and 'No Cookies for me thanks'.

But it's not clear to me whether saying no deletes the cookie already dropped? Would it be worth clarifying that?

Would it be possible to link to your privacy notice so that someone can read that before deciding whether they want to accept or reject your cookies? Or is that getting too complicated?

Minor typo: you've got Cookies with an initial cap in the No button, but nowhere else. [/pedant]

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Fri May 18, 2012 10:18 am

@BenTasker

Some initial feedback:

I went to see your site, with noscript active. There is no notification - so there is no fallback for people who block JS, or use browsers that don't support js (lynx, dillo, netsurf, elinks has partial js support).

Without js enabled your site drops 3 cookies
http://www.viryasoftware.com/
3 cookies
Name 199cb938d4cb4493cc90612a064ff0ab
Value en-GB
Host http://www.viryasoftware.com
Path /
Secure No
Expires At End Of Session

Name de2897f3311c89a3270d580f561f2b58
Value e925d67121ff5b3bb50fbb68fb07a187
Host http://www.viryasoftware.com
Path /
Secure No
Expires At End Of Session

Name ja_pyro_tpl
Value ja_pyro
Host http://www.viryasoftware.com
Path /
Secure No
Expires At End Of Session

You need a safe fallback for non-js users.

When js is enabled the pop-up is very "in your face", probably by design, but it turned me off straight away and it obscures the content - I would leave a site that had a popup like that as soon as I landed.

I like the idea of distinguishing between bots/crawlers and real people though - that thought had not occurred to me (d'oh!) and a lot of content could end up not being indexed - so I think I will steal that idea from you :-) once I figure out how to :-(

The autodetection is a nice idea too, but I am wary of installing anything on a site that calls home - even if it is with the best intentions - and keeping the database up-to-date could end up being a nightmare. With different versions of extensions which may change to not set (or to begin setting) a cookie. Not to mention the huge number of extensions to keep track of, and templates of course. Would I rely on someone else to ensure it is correct and up-to-date? Probably not, especially if it is free. If it is paid for then I would want an SLA and some sort of guarantee about the accuracy.

Just my initial thoughts.

On the other points:

Registered users will have to accept cookies as part of the registration process, so the session cookie issue goes away for them. It is anonymous users that I have session cookie questions about - what could break. I have asked the Joomla core dev team, but have not had a response yet.

Anecdotally the session cookie for 'guests' does not seem necessary, and does not break anything by not having one. But I really want to know from the developers what the effect would be - does the JSession class recreate the session on every pageview (look for a cookie, check/clear the database, write a new entry, send the cookie), what effect does this have on the server (memory and cpu). The engineer in me wants facts and figures to base a decision on.

Just waiting to hear what today's ICO press meeting delivers. Not expecting much though.

Chris.
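
A first-visit cookie check like the one done by hand in the post above can be scripted. This is an added example, not part of the original thread or any poster's code: it parses the `Set-Cookie` headers of a captured first response and reports which cookies are session-only and which persist, with Max-Age taking precedence over Expires. The response headers are constructed (the first three cookies mirror the listing above, `example_stats` is made up) and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: headers of a first response, before any consent is given.
# The first three cookies mirror the listing in the post above; example_stats
# is a made-up persistent cookie included to show the other case.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Date: Fri, 18 May 2012 10:18:00 GMT
Content-Type: text/html; charset=utf-8
Set-Cookie: 199cb938d4cb4493cc90612a064ff0ab=en-GB; path=/
Set-Cookie: de2897f3311c89a3270d580f561f2b58=e925d67121ff5b3bb50fbb68fb07a187; path=/
Set-Cookie: ja_pyro_tpl=ja_pyro; path=/
Set-Cookie: example_stats=abc123; expires=Wed, 17 May 2017 10:18:00 GMT; path=/
"""


def parse_http_date(text):
    """Return an aware UTC datetime, or None when the date cannot be parsed."""
    try:
        parsed = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    first, *rest = [part.strip() for part in header_value.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_lifetime(attrs, received):
    """Return a timedelta for a persistent cookie, None for a session cookie.

    Max-Age takes precedence over Expires; an unparseable value is ignored,
    which leaves the cookie as a session cookie.
    """
    if "max-age" in attrs:
        try:
            return timedelta(seconds=int(attrs["max-age"]))
        except ValueError:
            pass
    if "expires" in attrs:
        expires = parse_http_date(attrs["expires"])
        if expires is not None:
            return expires - received
    return None


def audit_response(raw_headers):
    """List every cookie a response sets, with its kind and lifetime in days."""
    received, cookies = None, []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line
        header = header.strip().lower()
        if header == "date":
            received = parse_http_date(value.strip())
        elif header == "set-cookie":
            cookies.append(parse_set_cookie(value.strip()))
    received = received or datetime.now(timezone.utc)

    report = []
    for cookie in cookies:
        life = cookie_lifetime(cookie["attrs"], received)
        if life is None:
            kind, days = "session", None
        elif life <= timedelta(0):
            kind, days = "deleted", 0  # an expiry in the past removes the cookie
        else:
            kind, days = "persistent", life.days
        report.append({
            "name": cookie["name"],
            "kind": kind,
            "lifetime_days": days,
            "secure": "secure" in cookie["attrs"],
            "httponly": "httponly" in cookie["attrs"],
        })
    return report


def persistent_names(report):
    """Names of cookies that outlive the browser session."""
    return [c["name"] for c in report if c["kind"] == "persistent"]


if __name__ == "__main__":
    for entry in audit_response(SAMPLE_HEADERS):
        print(entry)
```

Run against headers saved from a request made with an empty cookie jar, the report shows what the site sets before any choice has been offered.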

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Fri May 18, 2012 10:50 am

Webdongle wrote:Nope, still no cookies showing for me.
Mmmmm, strange. I have run the site through on as many browsers and systems as I can and I get the second cookie every time I visit the second page.

I even went into the local iStore and pulled up the site there, and the cookie was set. Not sure why it is not working for you. I would like to understand why.

Would you mind telling me your system setup - OS, OS version, browser(s) and version(s), behind proxy, behind firewall, running in a virtual machine or native install. I will try to recreate what you have and pull up the site and see if I get the same result as you.

Thanks for your help.

Chris.

chrisjg
Joomla! Apprentice
Posts: 30
Joined: Wed Jul 13, 2011 9:24 pm

Re: European Electronic Communications Framework Compliance

Post by chrisjg » Fri May 18, 2012 2:05 pm

<sarcasm>And the ICO help us out again with a wonderfully clarifying press briefing</sarcasm>
http://www.theregister.co.uk/2012/05/18/cookie_law_ico/
The first paragraph, for those not wanting to follow the link:
Amid criticism that hardly any UK government websites comply with the new EU-mandated "Cookie Law" that comes into force on 27 May, the ICO has announced that it will be sending out some letters, and then waiting for people to complain.
Well thanks a bunch!
Another wonderful quote from the same article:
The first step would include: doing a cookie audit, then making a judgement about what is acceptable, and then make an action plan about they're going to inform users.
Making a judgement about what is acceptable - nice bit of buck passing right there.
I am disappointed, but not surprised.
Chris.

zeno
Joomla! Enthusiast
Posts: 127
Joined: Sun Oct 14, 2007 7:16 pm

Re: European Electronic Communications Framework Compliance

Post by zeno » Fri May 18, 2012 2:14 pm

Evans said: "We're not asking that user education has to give everyone a masters in computer science." He added that the legal definition of consent did not ask for proof that users understood what they were doing.
No sarcasm tags needed...

giles
Joomla! Explorer
Posts: 400
Joined: Mon Sep 19, 2005 2:48 pm
Location: Benenden, UK

Re: Cookie Control

Post by giles » Fri May 18, 2012 2:19 pm

I have been looking for a solution to this problem too and I think I may have found something: http://jpecrjs.dev.wolf-software.com/
It is a question of knowing what cookies Joomla and its components actually drop, and the path to them.

Giles

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Cookie Control

Post by mandville » Fri May 18, 2012 2:42 pm

this is being discussed extensively at http://forum.joomla.org/viewtopic.php?f ... 7#p2810677
Please read the full topic and discuss there.

BenTasker
Joomla! Apprentice
Posts: 49
Joined: Fri May 18, 2012 8:45 am
Location: UK

Re: European Electronic Communications Framework Compliance

Post by BenTasker » Fri May 18, 2012 3:08 pm

Webdongle wrote: Can you make sure it works first please ? Because your site drops cookies before any choice is made on the Nag screen.
Told you I should've waited till the Coffee had brewed!

I've been so busy working on the component that I've not actually set the back-end settings yet. So aside from getting rid of the nag screen clicking 'Accept' or Reject will make no difference at the moment.


zeno wrote: But it's not clear to me whether saying no deletes the cookie already dropped? Would it be worth clarifying that?
Good idea, I'll update the text


zeno wrote: Would it be possible to link to your privacy notice so that someone can read that before deciding whether they want to accept or reject your cookies? Or is that getting too complicated?
Should be do-able using some functionality I've been working on this afternoon
zeno wrote: Minor typo: you've got Cookies with an initial cap in the No button, but nowhere else. [/pedant]

Well spotted, I'm terrible for things like that!


Chris: The system should work with Noscript active (cookie blocking wise), but only once I've set the back-end options. I'll be doing that before releasing anything! That said, I do seem to have got a display tag the wrong way round, hence why you don't see the notification.

The first step would include: doing a cookie audit, then making a judgement about what is acceptable, and then make an action plan about they're going to inform users.
Very, very helpful of the ICO there!


Thanks for the input guys, very informative! I'll actually set the module up shortly, just doing a last round of tests on the changes I've made this afternoon then I'll update and configure the live site!


Cheers

Ben

giles
Joomla! Explorer
Posts: 400
Joined: Mon Sep 19, 2005 2:48 pm
Location: Benenden, UK

Re: Cookie Control

Post by giles » Fri May 18, 2012 3:18 pm

mandville wrote:this is being discussed extensively at http://forum.joomla.org/viewtopic.php?f ... 7#p2810677
Please read the full topic and discuss there.
I found that one too :) Thanks for the heads up
Last edited by ooffick on Tue May 22, 2012 8:56 am, edited 1 time in total.
Reason: Mod Note: Removed comment, which could have been understood as an attack.

djcammy
Joomla! Fledgling
Posts: 4
Joined: Mon Sep 10, 2007 12:56 pm
Location: Suffolk, UK

Re: European Electronic Communications Framework Compliance

Post by djcammy » Fri May 18, 2012 3:30 pm

This is all very interesting reading.

One thing still confuses me (and apologies if this seems slightly off topic, but you're all obviously all trying to get the correct answer too on this): Who does this law actually apply to?

Ben, your company site says: "From 12th May 2012, all UK companies registered with the Information Commissioners' Office (ICO) must be in compliance with these laws..." Which seems to suggest that individuals, organisations not registered with ICO and non-European based companies, won't have to comply.

However, other articles I've read say "all" sites in the EU, or serving EU countries, will have to?

Am I being a bit dumb here? :-[

If it is just ICO registered companies, that would certainly be a sigh of relief for a lot of people!

Thanks

David

BenTasker
Joomla! Apprentice
Posts: 49
Joined: Fri May 18, 2012 8:45 am
Location: UK

Re: European Electronic Communications Framework Compliance

Post by BenTasker » Fri May 18, 2012 3:38 pm

djcammy wrote: Ben, your company site says: "From 12th May 2012, all UK companies registered with the Information Commissioners' Office (ICO) must be in compliance with these laws..." Which seems to suggest that individuals, organisations not registered with ICO and non-European based companies, won't have to comply.
You're correct, it applies to anyone serving a site accessible in the EU.

Realistically, most non-EU companies won't bother because how are the EU actually going to bring enforcement action, especially if that company doesn't operate in the EU.

The date is also wrong, should be the 26th!

But yeah, as of the 26th (bear in mind the law actually came into effect last year, it's enforcement that starts next week) every site operator needs to observe the rules.

abernyte
Joomla! Virtuoso
Posts: 4189
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: European Electronic Communications Framework Compliance

Post by abernyte » Fri May 18, 2012 3:48 pm

Well I am so glad that my expectation of clarity from the ICO press briefing was not too high. It saved a world of disappointment.
Enforcement letters to the worst 50 offenders and everyone else should be clearly showing how they are nearing compliance and the ICO will respond to user complaints thereafter. So it is rat on your competitor time!
The ICO will consider that websites will be responsible for all cookies on their site: even if the cookies come from third parties
They do expect all organisations not compliant on the 27th to have some evidence of taking action to be compliant.
The first step would include: doing a cookie audit, then making a judgement about what is acceptable, and then make an action plan about how they're going to inform users to gain consent.

Colour me amazed.

zeno
Joomla! Enthusiast
Posts: 127
Joined: Sun Oct 14, 2007 7:16 pm

Re: European Electronic Communications Framework Compliance

Post by zeno » Fri May 18, 2012 3:57 pm

Maybe out of all that we might have a clearer idea what the hell the ICO thinks is acceptable...

giles
Joomla! Explorer
Posts: 400
Joined: Mon Sep 19, 2005 2:48 pm
Location: Benenden, UK

Re: European Electronic Communications Framework Compliance

Post by giles » Fri May 18, 2012 4:03 pm

There is an offering just been launched which claims to solve the problem - for Joomla too. The only downside being that the domain + path for each cookie needs to be set correctly in order to ensure it works.

http://jpecrjs.dev.wolf-software.com/

Any thoughts on this?

Webdongle
Joomla! Master
Posts: 44093
Joined: Sat Apr 05, 2008 9:58 pm

Re: European Electronic Communications Framework Compliance

Post by Webdongle » Fri May 18, 2012 4:26 pm

@Ben

If instead on the Nag screen ... the accept button was put where the change mind button is so that:
  • It displayed at the top of the screen asking if they accept
  • No cookies were dropped unless the visitor clicked yes
  • When clicked Accept then the wording changed to change mind
That would be great

When complete will it be commercial or non-commercial ? If non-commercial you have one tester here.

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: European Electronic Communications Framework Compliance

Post by mandville » Fri May 18, 2012 4:31 pm

giles wrote:Any thoughts on this?
Yes, proof it works with Joomla and the cost.
On checking I could see the content before the alerter so it failed, also it's not GPL - shame. Next attempt to make money from FUD please
A single usage license is priced at £100 for a branded version and £125 for an unbranded version. This is a single one off fee, no monthly fees, no yearly fees, no fees based on number of hits!

RCheesley
Joomla! Enthusiast
Posts: 181
Joined: Tue Apr 24, 2007 11:53 am
Location: Ipswich, Suffolk, UK

Re: European Electronic Communications Framework Compliance

Post by RCheesley » Fri May 18, 2012 4:50 pm

@Webdongle we currently have the 'fun' theme enabled with lightbox mode. If you visit http://cookiedemo.viryasoftware.com/ I have enabled corporate mode with banner display. It needs a bit of style tweaking and Ben's just left the office (and I'm over at JAB!) but hopefully you get the idea about the different themes and modes we're putting in. (Please note Ben hasn't uploaded the latest version of the module to the demo site yet, I just flipped the mode over so you can see the different theme/mode so some stuff might not work).

When complete the module will be £10+VAT (where applicable) per year. The component Ben is working on will be on a monthly cost per domain, with a monthly & annual developers license available - mainly due to the extra work involved to keep the component and our db up to date, and the fact that it will do regular audits for you etc.

Ruth
Ruth Cheesley

