The Joomla! Forum ™



PostPosted: Wed May 02, 2012 9:29 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
markvts wrote:
...
Is the Joomla session cookie just used when login is involved as about half of the sites are just brochure sites with no login facility or is it used regardless ?

I'm guessing we're not likely to get a clear definition from ICO before the deadline as to whether the Joomla session cookie does require permission or not?
...

Methinks the session cookie is part of security but would like the Devs to explain it. If the cookie is part of security then should it not be classed as 'essential'?

I have emailed the ICO several times on the issue of session cookies and have had no reply (not that I expected one).

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Wed May 02, 2012 11:33 am 
Joomla! Apprentice

Joined: Wed Feb 21, 2007 1:07 pm
Posts: 8
Location: UK
I've spoken to the ICO and base Joomla is in the clear. Logon & basket cookies are acceptable as the user is opting in by using the service. As long as there is no personal data in the cookie then it is ok. Google, I'm afraid that IP addresses are deemed personal info.
The ICO has said they will not pounce on a website that doesn't comply, as long as they are seen to have made some sort of effort..!
and .... relax...
J


PostPosted: Wed May 02, 2012 11:47 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
hayesjames wrote:
I've spoken to the ICO and base Joomla is in the clear. Logon & basket cookies are acceptable as the user is opting in by using the service. ...

But did you get it in writing ?

It is easy for some spokesperson to say it doesn't matter. But if it's not in writing then what has been said will be no good if someone is prosecuted. However, what they put on their site does tend to indicate they will use common sense.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Wed May 02, 2012 12:23 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11632
Location: The Girly Side of Joomla in Sussex
hayesjames wrote:
I've spoken to the ICO and base Joomla is in the clear.
name and proof please, and their reference number, along with a full transcript of the conversation

Quote:
Logon & basket cookies are acceptable as the user is opting in by using the service.
implied/assumed, dropping cookies on site arrival pre login/basket - was that question asked?

Quote:
As long as there is no personal data in the cookie then it is ok.
define personal data (do you mean identifying data?)

Quote:
Google, I'm afraid that IP addresses are deemed personal info.
ahh that's identifying, so a session cookie is technically identifying

Quote:
The ICO has said they will not pounce on a website that doesn't comply, as long as they are seen to have made some sort of effort..!
they keep saying that but define "effort"

Quote:
and .... relax...
nope.

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed May 02, 2012 12:28 pm 
Joomla! Apprentice

Joined: Wed Jul 13, 2011 9:24 pm
Posts: 24
There seems to be a general consensus that session cookies will be exempt, no definitive written statement from the ICO though.

The ICO are not even sure what compliance is yet, or what it will be in a years time!

They are waiting to see what businesses come up with and then use them as examples.

Dave Evans, Group Manager for Business & Industry at the Information Commissioner's Office (ICO), was interviewed in April this year - these are a couple of his answers (full interview http://econsultancy.com/uk/blog/9610-q- ... compliance )
--------
Will you come up with a definitive answer on what compliance is?

We don’t know what compliance will look like in a year’s time.

There are lots of gaps here, and we want people to fill them with good practice. We can then point to examples of this and everyone will have a greater understanding of what is required.

We hope that this will pick up over the next month or so.

Will 'implied consent' solutions be enough in some cases?

The law does allow us some leeway, and if a company’s revenue would drop if it went for a strict opt-in, then we could look at different ways of educating users and gaining consent.

Just because analytics cookies are caught by this law doesn’t mean a strict opt-in is necessary. It could, in some cases, be seen as an essential part of the relationship.

If a website says ‘we’d like you to use cookies, but click here if you don’t want us to, and click anywhere else to continue'. If customers have seen this message, then this may be enough in most cases.

If it looks like an organisation has put enough information there, and it is clearly visible, such that it wouldn’t be likely that users would miss it, then it’s unlikely we would take that (complaint) further.

---------
This sounds different to the advice given in the guidance document produced by the ICO http://www.ico.gov.uk/news/latest_news/ ... tions.ashx

So, according to Dave, if a "strict opt-in" has a negative effect on revenue then there may be exemptions, and even Google Analytics cookies could be exempt from a "strict opt-in" because a business sees it as "essential".

Best advice (IANAL) is to wait a couple of months and see what the ICO say. In the meantime, update privacy policies to list cookies used on your site and add a "We are working on a solution to comply with the EU e-privacy directive 2009/136/EC" statement.

Chris.


PostPosted: Wed May 02, 2012 2:33 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
chrisjg wrote:
....
So, according to Dave, if a "strict opt-in" has a negative effect on revenue then there may be exemptions, and even Google Analytics cookies could be exempt from a "strict opt-in" because a business sees it as "essential"....

No, that is not what is being said.
Quote:
It may eventually become an implicit part of the relationship that websites gather and use analytics data.
Is obviously referring to the relationship between the users and websites. In other words if the user's interaction is more than viewing the website ... like purchasing from it.


All of that article is full of ifs and maybes but no specific definition. An example of the lack of definition is
Quote:
If a website says ‘we’d like you to use cookies, but click here if you don’t want us to, and click anywhere else to continue'. If customers have seen this message, then this may be enough in most cases.
'this may be enough in most cases' is not specific. Specific is 'this will be enough in all cases'.

Again it is all left to speculation, there is nothing definitive being said.


Also nothing was said specifically about session cookies, nor was it said about non-commercial sites.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Wed May 02, 2012 2:53 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11632
Location: The Girly Side of Joomla in Sussex
chrisjg wrote:
.

can I highlight the following posts to you, and sorry but it seems like you didn't read the posts before you joined this topic
viewtopic.php?f=575&t=708343#p2796727 where the document you mentioned was already discussed with a different interpretation

the questions here
viewtopic.php?f=575&t=708343#p2799149

and the previous topic viewtopic.php?f=428&t=549868

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed May 02, 2012 3:42 pm 
Joomla! Apprentice

Joined: Wed Jul 13, 2011 9:24 pm
Posts: 24
Webdongle wrote:
chrisjg wrote:
....
So, according to Dave, if a "strict opt-in" has a negative effect on revenue then there may be exemptions, and even Google Analytics cookies could be exempt from a "strict opt-in" because a business sees it as "essential"....

No, that is not what is being said.
Quote:
It may eventually become an implicit part of the relationship that websites gather and use analytics data.

Is obviously referring to the relationship between the users and websites. In other words if the user's interaction is more than viewing the website ... like purchasing from it.

I disagree, any revenue stream for the website owner that is based on numbers of visitors - sponsorship, for example, where you get more money from the sponsor because your analytics show x number of visitors/day, and that benefit is passed onto visitors by keeping the number of ads per page to a minimum - is an essential part of the website owner's business, and because of the low number of ads/page the website has more visitors who are engaged by the content.
The legal contract between the sponsor and website coupled with the visitor expectation of low numbers of ads/page forms an ecosystem that relies on analytics, therefore the analytics cookie could be exempt from a strict opt-in.
But that is only my interpretation of the answers to one interview.

Webdongle wrote:
All of that article is full of ifs and maybes but no specific definition. An example of the lack of definition is
Quote:
If a website says ‘we’d like you to use cookies, but click here if you don’t want us to, and click anywhere else to continue'. If customers have seen this message, then this may be enough in most cases.
'this may be enough in most cases' is not specific. Specific is 'this will be enough in all cases'.

Again it is all left to speculation, there is nothing definitive being said.


Also nothing was said specifically about session cookies, nor was it said about non-commercial sites.


Agreed, there were no definitive statements about anything.

So if the ICO can't put a definitive statement on what compliance truly is how can they expect anyone to be able to comply?

IANAL

The law should be clear and explicit, they have had an extra 12 months to put it together.

Too many ifs, buts and maybes show that the whole thing is a shambles. If nobody complies and says to the ICO "Give us definitive answers or we will carry on as we are", they would have no choice but to do so (instead of giving the non-answers we keep hearing) - or they would pick a couple of high-profile cases and take them to court.

The ICO may win, or they may not. Having a statute on the books is one thing, but prosecuting and winning are another.

In the English legal system there is the doctrine of judicial precedents, whereby the reported decisions of the courts form a binding source of law for future decisions. A judge is bound by decisions of courts of superior jurisdiction.

Additionally, Legal Certainty in the Rule Of Law states:

Legal certainty requires that all laws enacted and passed in the United Kingdom be applied in a precise and predictable manner. This means that when legislation is passed to convey a particular aim, that this aim is carried out within the law. Legal certainty should always show that when charged with an offence the prosecution must show that the law has been breached in a distinct way.

Basically until there is a legal precedent set by the UK High Court no-one will know for sure if the law truly applies, what it applies to (there must be a distinct breach, which requires a distinct definition) and to what extent.

Where that leaves us poor folks at the coal-face is anyone's guess.

Chris.


PostPosted: Wed May 02, 2012 4:01 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
chrisjg wrote:
But that is only my interpretation of the answers to one interview.
Yes and my interpretation is different and Joe Bloggs down the road has a different interpretation. The only certainty is that the ICO have produced guidelines but no definitive statements.

Also (as pointed out by mandville) this thread is about the impact on non-commercial sites and about the necessity of session cookies. Neither of which is covered in the article you mention.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Wed May 02, 2012 5:53 pm 
Joomla! Virtuoso

Joined: Fri May 15, 2009 2:01 pm
Posts: 3119
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Current advice is that the session cookie falls within Reg 6 part (a) and (b) of PECR 2003 as amended, but the "feeling" is that the session cookie alone will not form a priority for enforcement. The ICO cannot come out and grant a blanket exemption for the session cookie as that would be contrary to the intention of the EU regulation which gave rise to PECR. The behind the scenes argument is that as soon as the session cookie is exempt it will be given a longer expiry date and then no longer will be the benign tool it is portrayed.
Calling the session cookie a security device will not make it "essential" as you have left off the remainder of that phrase ..."for a service explicitly requested by a subscriber"

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776


PostPosted: Wed May 02, 2012 6:01 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11632
Location: The Girly Side of Joomla in Sussex
anyone discussing this on the dev list?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed May 02, 2012 6:03 pm 
Joomla! Virtuoso

Joined: Fri May 15, 2009 2:01 pm
Posts: 3119
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
hayesjames wrote:
I've spoken to the ICO and base Joomla is in the clear. Logon & basket cookies are acceptable as the user is opting in by using the service. As long as there is no personal data in the cookie then it is ok. Google, I'm afraid that IP addresses are deemed personal info.
The ICO has said they will not pounce on a website that doesn't comply, as long as they are seen to have made some sort of effort..!
and .... relax...
J


Oh yes...I have seen this film before. The phrase "as long as they are making some sort of effort" has been around since 2003 and then resurrected in 2011 as "working towards compliance"
This places the onus on the data controller to explain in court how they were taking the appropriate steps to obtain informed consent for an object placed on a subscriber computer without consent. So basically drop the cookie and explain in detail what you have done and why.
The EU regulation does not say "As long as there is no personal data in the cookie then it is ok"; this is the ICO trying to please the big beasts in the ad industry (Google et al) and fudge the issue. I remain sceptical that this will ever be passed by the EU, but the UK Regulator has a long history of absolutely no cojones when faced with "Big Industry", so don't lose too much sleep. Relax....I think not if you are in a legal, official or regulatory environment.

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776


PostPosted: Wed May 02, 2012 7:12 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
Yes, but from what I can gather the consensus seems to be that it is not a Joomla issue and should be handled by extensions.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Wed May 02, 2012 9:25 pm 
Joomla! Apprentice

Joined: Wed Jul 13, 2011 9:24 pm
Posts: 24
@Mandville and @Webdongle

I don't mind being chastised, but only when I am in the wrong.

--- part 1 ----
mandville wrote:
can I highlight the following posts to you, and sorry but it seems like you didn't read the posts before you joined this topic
viewtopic.php?f=575&t=708343#p2796727 where the document you mentioned was already discussed with a different interpretation


I did read the post, it links to the article but does not discuss it.
The text after the link does not refer to the article, and the quote in the same post is not from that article.
So the document was not discussed (requires 2 or more people to comment directly on it), and no interpretation of the document was made.
The post concludes (after the unrelated quote) with the glib statement:
satingoth wrote:
Okay, the only answer to all this is to stop using the internet at all. Simples!

Which has no bearing on the article, and is simply being facetious.

I therefore humbly suggest that you read the post again, and the article it links to, and the unrelated text and quote. Then point me to the place where a discussion about that article (in this forum) took place, and exactly where and how that post interprets said article.

Even the comments on the article itself only offer opinions, and the interviewer (in those comments) quite rightly points out that
from the comments on the article wrote:
No specific examples were given and Dave was (deliberately) vague about what would and wouldn't be acceptable since they don't really know themselves.


[mod note: removed comment]
--- end of part 1 ---

[mod note: removed comment]

--- part 2 ---
Webdongle wrote:
Also (as pointed out by mandville) this thread is about the impact on non-commercial sites and about the necessity of session cookies. Neither of which is covered in the article you mention.


Really? The original post that starts the thread makes no reference to the impact on non-commercial sites, and only mentions session cookies in the abstract - relating to making Joomla work without using session cookies.
The thread continues with discussions surrounding the session cookie and its impact on database access, before mandville posted about a meeting and you followed up with a post about the ICO (who used to write a cookie, but now don't).

satingoth (thread starter) then links to the article mandville said had already been discussed (see above).

At that point I joined the thread, asking for feedback about a possible solution I am testing. Thanks for the feedback, I am still improving it and may re-ask for feedback later.
I also asked about security regarding the session cookie and the effect of not setting it, but there does not seem to be a clear answer to that yet.

The thread continues with links to wolf-software and their solution(s) - to which I also contributed.

The thread diverts to a couple of "the ICO said but didn't put it in writing" posts. I also commented about the ICO and that is when I linked to the article in question, this time taking quotes from the article (some people don't want to follow a link) indicating that the ICO don't know the answers and are unwilling to be definitive.

We (Webdongle and I) then disagree about the interpretation - which is OK, it just underlines the point about the ICO not being definitive.

Mandville then posts that I didn't read the thread (see my answer above), then you (Webdongle) make the assertion regarding the thread being about the impact on non-commercial sites - which it isn't, as only 2 posts mention non-commercial sites (one asking if they are counted, and the other showing that they are).

Finally, while I agree that the article does not explicitly mention session cookies, it is a valid link for this thread due to the fact that it shows that the ICO do not know if session cookies (necessary or not) are to be included or exempt from the regulations.
--- end of part 2 ---

I will finish this post now, and await the replies with interest (and a super-soaker and a fire resistant all-in-one suit).

Chris.


Last edited by ooffick on Sat May 05, 2012 1:38 pm, edited 1 time in total.
[mod note: removed comment]


PostPosted: Wed May 02, 2012 9:50 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11632
Location: The Girly Side of Joomla in Sussex
viewtopic.php?f=428&t=549868 7 pages and 204 posts of previous discussion. webdongle, abernyte, me (and a few others) were there from the start.
My "meeting post" didn't specify session cookies but all cookies. Can you point to the post where ICO is clarified "the other showing that they are"?
No session cookie in a PHP site is a very dangerous thing, how will it know who is a valid user and who isn't?

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}


PostPosted: Wed May 02, 2012 10:41 pm 
Joomla! Intern

Joined: Sun Oct 14, 2007 7:16 pm
Posts: 84
This is sheer madness.

I have spent a good bit of time today trying to work out what on earth the ICO mean and what I need to do to comply. I am really no further on (although I have started to draft a privacy notice that I had never done before). Why aren't the ICO clear about what they are talking about? What's wrong with plain English and using the same jargon as cookies use?

/rant


PostPosted: Thu May 03, 2012 5:44 am 
Joomla! Fledgling

Joined: Wed May 02, 2012 8:41 am
Posts: 4
zeno wrote:
This is sheer madness.

I have spent a good bit of time today trying to work out what on earth the ICO mean and what I need to do to comply. I am really no further on (although I have started to draft a privacy notice that I had never done before). Why aren't the ICO clear about what they are talking about? What's wrong with plain English and using the same jargon as cookies use?

/rant


Agree entirely

It's very concerning as I have clients asking me for answers but at the moment, other than cookies involving Google Analytics, I'm not sure what to advise.

I know there's going to be conflict as well when it comes to the issue of charging for any work done as some will try and claim it's the responsibility of the web designer to ensure that the site meets current legislation whereas it's not, it's the responsibility of the individual business.


PostPosted: Thu May 03, 2012 8:08 am 
Joomla! Exemplar

Joined: Sun Oct 22, 2006 4:42 am
Posts: 9352
Location: Sunshine Coast, Queensland, Australia
Whilst I appreciate that I am jumping in here a little late, I have read the complete thread, I have also read the guidelines and reviewed many other technical discussions on this matter...

Maybe I am missing something here, but....

At no point is the use of cookies condoned, it is merely described as needing to be "clearly defined to the user" with no personal identifiable information; and "opt-in"..

So, from my "interpretation" of the guideline and knowledge of how Joomla! core cookies are designed; it seems to me that there is little, if anything, that needs to be changed from within Joomla! However, the site owner must ensure that, either, their terms of use or privacy policy clearly state the purpose of the "anonymous/guest" session and state that if the end user/site visitor, chooses to register that they are "opting-in" to have a session initiated on their behalf and cookie stored upon login to enable the site to provide the service they have selected to use. If additional 3rd Party components are used, such as shopping carts, language choices etc, this must also be covered by the Terms/Privacy statements with clear descriptions of their purpose and use. In addition to this, if the details provided by the end user are to also be used for the purposes of future marketing/contact programs, this then has to be separately stated and defined for exactly what purpose and must be "opt-in" (such as newsletters, but cannot just simply be included as "you register, you accept we will mail you" upon registration). So I see this as just needing to be a multi-level terms agreement between the user and the site. In essence, I see this as not actually being a Joomla! issue to resolve, but see it as the site developer / owner issue to resolve correctly.

Correct me (nicely) if I have missed something...

_________________
Joomla! on the fabulous Sunshine Coast...
hotmango, web & print http://www.hotmango.me/
Network SMARTS, Systems Engineering http://www.networksmarts.com.au/


PostPosted: Thu May 03, 2012 8:20 am 
Joomla! Fledgling

Joined: Wed May 02, 2012 8:41 am
Posts: 4
Good article by the International Chambers of Commerce

http://www.international-chamber.co.uk/ ... _guide.pdf

They seem to suggest that only cookies used for advertising/income generation will require opt in whereas others will only need a standard advisory page on the site.

Doc is summarised by PCPro as follows

In summary, the ICC’s guide places cookies into four categories and then explains its thinking about how each should be dealt with. The first category is Strictly Necessary. To fit this category, the cookie must be “related to a service provided on the website that has been explicitly requested by the user”. Aside from obvious cases such as shopping cart cookies and access to protected areas, the ICC suggests that remembering previously entered text so it’s not lost if the page refreshes falls into this category. No user consent is required for category 1 cookies.

The second ICC category is Performance Cookies. And here it gets interesting because the ICC includes analytics, advertising and Pay Per Click cookies in this category – provided they only store anonymous data and cannot therefore be used for behavioural targeting of ads. This was my biggest single concern with the regulations – I could see no way they could realistically be applied if it denied European website owners access to essential analytics information that would be available to owners elsewhere. Consent for cookies in this category, according to the ICC, can be obtained by placing appropriate wording in the site Terms and Conditions (most professional sites will have this already). So, no opt-in required.

The ICC’s third category is Functionality Cookies – cookies that remember user choices so that they have a more personalised experience. This might include detecting if the user has already seen a popup so that it isn’t shown again, submitting comments and remembering colours, text size etc. As with Performance Cookies, the ICC suggests you can comply with the regulations by inserting text into your terms and conditions rather than forcing users to choose explicitly.

This leaves the final category, the “bad boys” that the regulations were originally aimed at: Targeting/Advertising Cookies. We’ve all experienced the slightly creepy way ads follow us around the internet – they do this by collecting information about our browsing habits which is then used to serve up targeted ads. Even in this pretty clear-cut case, it’s possible to argue that the onus is on the ad serving network to request consent but, to be on the safe side, the ICC advises website owners to get clear, explicit consent from users if their site employs such technology.


PostPosted: Thu May 03, 2012 9:11 am 
Joomla! Apprentice

Joined: Wed Jul 13, 2011 9:24 pm
Posts: 24
@mandville

The earlier thread is 6 pages of posts from 2010 (2 years old) when there was even less clarity than now. The 7th page is a precursor to this thread, with satingoth posting to it before starting this one.
I read that thread too, and plenty more info about this EU Directive all over the web, none of them give a definitive answer to what compliance means.

As to the post "showing that they are":
viewtopic.php?f=575&t=708343#p2799177

Abernyte wrote:
mandville wrote:
it is still not clear if none adverted hobby/personal sites are counted in the eu directive or not, or if people hosted outside the eu, and/or running a non eu business site require it if accessed by a eu resident


Regulation 6 of PECR, paragraph 2 a and b is an exemplar of clarity and brooks no exemption be the site hobby, personal or commercial.


Although there is not a link to the PECR document, the post clearly states that ALL websites are to be counted and not just commercial ones.
Here is the link to Regulation 6 of PECR:
http://www.legislation.gov.uk/uksi/2003 ... ion/6/made

Hope that answers your question.

-----
Your other point about not having a session cookie being dangerous is correct.
IANAL
Which is why I believe that session cookies are essential for the safe and secure operation of a website - and are therefore exempt. If the website has members, this is even more clear cut because of the data protection act:
data protection act wrote:
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Session cookies are an appropriate technical measure to prevent unauthorised access to the personal data of website members held in that website's database.

This is, as has been said many times in this thread and others around the web, subject to interpretation - and must (I believe) be clarified in a definitive statement from the ICO.
In the meantime, I will not be making session cookies part of any opt-in policy. My interpretation, my decision, my problem if I am wrong.

-----
@RussW

I agree, this is for the site developer not Joomla to resolve. However, it would be nice (given the number of Joomla sites in the EU) if Joomla would _help_ in providing a solution. Although whatever Joomla does (or does not do) the responsibility for compliance is the site owner's.

Chris.


PostPosted: Thu May 03, 2012 10:57 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
It defines the different types of cookies yes
It explains different ways for the website yes
But it does not state what the ICO will find acceptable methods.

I have emailed the ICO several times asking for specific rather than 'guidance' information. No replies so my next step will be:
To email them outlining what I do on my site. Asking if they want me to add to or change anything. And put "If you do not reply to this email then it will be understood that you agree the site is in compliance with all laws you are responsible for enforcing". Then put a 'Tracer' on the email that will prove they have received it.

Addendum
I have since noticed a part about definition of session cookies.

_________________
http://weblinksonline.co.uk/joomla-faq.html


Last edited by Webdongle on Thu May 03, 2012 11:28 am, edited 1 time in total.

PostPosted: Thu May 03, 2012 11:04 am 
Joomla! Fledgling

Joined: Wed May 02, 2012 8:41 am
Posts: 4
I think I may have a look at this for now

http://civicuk.com/cookie-law/configuration

At least with a view to providing information about the Joomla session cookie etc when the site loads even if not an exact opt out option

It can be used to block GA as well if it's decided that does need an opt in


PostPosted: Thu May 03, 2012 11:26 am 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
RussW wrote:
...
At no point is the use of cookies condoned, it is merely described as needing to be "clearly defined to the user" with no personal identifiable information; and "opt-in"..

OK Russ as nicely as I can

http://www.ico.gov.uk/for_organisations ... tions.ashx
Quote:
a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.
Quote:
(2) The requirements are that the subscriber or user of that terminal equipment
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) has given his or her consent.
Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (PECR)
So yes all cookies (unless exempt) must have 'explicit permission' granted.

However
http://www.international-chamber.co.uk/ ... _guide.pdf
Quote:
Category 1: strictly necessary cookies

Generally these cookies will be essential first-party session cookies, and if persistent or third party, there should be a good justification for this....
So could we please have an official statement from the devs saying why the Joomla session cookie is Essential ? Then we could put that in our privacy policy.

Thanks Russ that would be good ;)

Addendum
RussW wrote:
the site owner must ensure that, either, their terms of use or privacy policy clearly state the purpose of the "anonymous/guest" session and state that if the end user/site visitor, chooses to register that they are "opting-in" to have a session initiated on their behalf
But the ICO say "The Regulations apply to both types of cookies:" http://www.ico.gov.uk/~/media/documents ... tions.ashx

_________________
http://weblinksonline.co.uk/joomla-faq.html


Last edited by Webdongle on Fri May 04, 2012 2:57 pm, edited 1 time in total.

PostPosted: Thu May 03, 2012 6:09 pm 
Joomla! Virtuoso

Joined: Fri May 15, 2009 2:01 pm
Posts: 3119
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Please bear in mind that when trying to pin the label "essential" on to any cookie in this Regulation we must not drop the remainder of the phrase...."for a service explicitly requested by the user"
There is a tendency to conflate the security aspect of the session cookie which we all agree is required for good reason with being "essential". These Regs also apply to LSOs.
As Russ points out, this is all about consent. Since 2003 it was implied because of the browser default not being changed by the user, since 2009 it must be explicitly obtained.
IMHO Joomla has a moral responsibility to assist users in meeting compliance...and a legal responsibility to obtain my consent before these fora drop the Google tracking cookies that it currently does.

Code:
Google Adsense
http://partner.googleadservices.com/gampad/google_service.js
Google Analytics
http://www.google-analytics.com/ga.js
Google Custom Search Engine
http://www.google.com/coop/cse/brand?form=s

;D

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776


PostPosted: Thu May 03, 2012 10:21 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
abernyte wrote:
Please bear in mind that when trying to pin the label "essential" on to any cookie in this Regulation we must not drop the remainder of the phrase...."for a service explicitly requested by the user"
...

The ICO have classed session cookies as 'essential' therefore they must consider session cookies as 'for a service explicitly requested by the user' to have defined them as essential.

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Fri May 04, 2012 12:20 pm 
Joomla! Virtuoso

Joined: Fri May 15, 2009 2:01 pm
Posts: 3119
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड
Quote:
The ICO have classed session cookies as 'essential'


Did I miss that? I recall they used a phrase saying the cookies they had just dropped on you without consent were essential for the operation of the site. But that was them "working towards compliance". They no longer drop a cookie on a visitor, but it is an .asp server set up.

_________________
A pretty business indeed for a man to be allowed eight hundred thousand sterling a year and worshipped into the bargain! Of more worth is one honest man to society...than all the crowned ruffians that ever lived. Paine 1776


PostPosted: Fri May 04, 2012 2:45 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
abernyte wrote:
Quote:
The ICO have classed session cookies as 'essential'


Did I miss that? ...

Yes you did, I quoted it a few posts back
Quote:
Category 1: strictly necessary cookies

Generally these cookies will be essential first-party session cookies, and if persistent or third party, there should be a good justification for this....

http://www.international-chamber.co.uk/ ... _guide.pdf

But on closer examination it looks like it's ICC trying to look like ICO

_________________
http://weblinksonline.co.uk/joomla-faq.html


PostPosted: Sat May 05, 2012 12:44 pm 
Joomla! Master

Joined: Sat Apr 05, 2008 9:58 pm
Posts: 23362
Location: @Webdongle
chrisjg wrote:
...
... now a word from our sponsors...
--- part 2 ---
Webdongle wrote:
Also (as pointed out by mandville) this thread is about the impact on non-commercial sites and about the necessity of session cookies. Neither of which is covered in the article you mention.

...

@chrisjg

I am not a sponsor and your pathetic attempt to try and discredit my posts by implying that I am .. is nothing but a childish prank. [mod note: removed attack ] .

_________________
http://weblinksonline.co.uk/joomla-faq.html


Last edited by ooffick on Sat May 05, 2012 1:23 pm, edited 1 time in total.
Mod note: removed attack.


PostPosted: Sat May 05, 2012 12:51 pm 
Joomla! Intern

Joined: Sun Feb 25, 2007 10:07 pm
Posts: 58
Location: @nchamilton
I created a plugin that will stop guests from getting a session cookie.

If the user does not have a session cookie, it is not a post request, or the session has a user id it will keep the session, otherwise it will tell the browser to delete the session cookie.

Since the cookie was never there nothing happens.

You can download it from:
http://www.... com/cjnocookies.html

This should allow users to still log in and everything work as normal. I have only tested it on my sites and I would love some feedback from others.

You will have to delete your cookies first, since if you submit the session cookie it will still keep it.

_________________
http://www.conquerjoomla.com<--- Click to Conquer Joomla!
https://twitter.com/#!/nchamilton <--- Follow me on twitter


Last edited by ooffick on Sat May 05, 2012 1:43 pm, edited 1 time in total.
Mod note : removed unapproved url
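
An added illustration, not the plugin's code and not part of the post above: it models the rule the post describes, read here as "keep the session when the request already carried the session cookie, is a POST, or the session has a user id; otherwise expire the cookie". The function name, cookie name and sample requests are assumptions constructed for the example, and no Joomla API is used.

```php
<?php
// Added illustration: a model of the described rule, not the plugin's code.

/**
 * Decide what to do with the session cookie for one request.
 * Returns null to leave the session alone, or a Set-Cookie header value
 * that expires the cookie so the browser never stores it.
 */
function guestSessionCookieHeader(string $cookieName, array $requestCookies,
                                  string $method, int $userId): ?string
{
    $hasCookie = isset($requestCookies[$cookieName]); // browser sent one already
    $isPost    = strtoupper($method) === 'POST';       // e.g. a login form submit
    $loggedIn  = $userId > 0;                          // session belongs to a user

    if ($hasCookie || $isPost || $loggedIn) {
        return null; // keep the session and its cookie
    }

    // Anonymous GET with no cookie: answer with an already-expired cookie.
    $expired = gmdate('D, d M Y H:i:s', 1) . ' GMT';
    return sprintf('%s=deleted; Expires=%s; Max-Age=0; Path=/; HttpOnly',
        $cookieName, $expired);
}

$name = 'examplesession'; // constructed placeholder cookie name

// Constructed sample requests: [cookies sent, HTTP method, user id in session]
$cases = [
    'guest, first GET'         => [[], 'GET', 0],
    'guest, POST (login form)' => [[], 'POST', 0],
    'guest with old cookie'    => [[$name => 'abc123'], 'GET', 0],
    'logged-in user'           => [[$name => 'abc123'], 'GET', 42],
];

foreach ($cases as $label => [$cookies, $method, $uid]) {
    $header = guestSessionCookieHeader($name, $cookies, $method, $uid);
    printf("%-26s %s\n", $label,
        $header === null ? 'keep session' : "Set-Cookie: $header");
}
```

The third case is the one the post's last line refers to: a browser that still sends an old session cookie keeps its session, so existing cookies have to be cleared before testing.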


PostPosted: Sat May 05, 2012 1:05 pm 
Joomla! Master

Joined: Mon Mar 20, 2006 1:56 am
Posts: 11632
Location: The Girly Side of Joomla in Sussex
registration required?
important spots before the complaints start
Quote:
If you have other scripts/components that are dropping cookies (like Google analytics) this plugin will not help there.


Quote:
If a user has no session cookie, is not posting a request, or is not logged in, then the session is not kept alive beyond the page request. So no cookie is ever generated.
but does it drop a cookie to prevent cookies?
Quote:
The main use of this plugin is just to try and help you make your site compliant with the European Electronic Communications Framework

_________________
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be added to the foe list and possibly just deleted
{Community.Connect Administrator }{ Showcase & Security Moderator}

