Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Do you ask to use cookies or check IP?
37 points by ge96 on May 26, 2017 | hide | past | favorite | 54 comments
This whole EU thing...

Until today I had no problem throwing Google Analytics on a site, same with Facebook for a share button (not sure if this uses a cookie).

Recently when I figured out how to use cookies and now use it for tracking/faster lookup for site usage... I came across the thing of "asking for permission to use cookies" ahh... this is like the noscript/accessibility/modifying social media buttons thing...

Is this something to be concerned about? For me it's not a credentials thing, though it is an identifying thing, just for easier database lookup to update the user's interaction with a site ie. pages visited, scrolls, stuff clicked on... for data driven dev.

I do intend to put the question but it seems like an annoying thing for them to deal with. When I see it I'm like "Ahh..." and don't click them myself. But I've seen very few sites ask.

Edit: I think the most useful thing I've found for cookies is the persistence for example using guides to use your website to help people get used to how it works. Then they only see it once until the cookie expires.

I realize that's probably the definition/reason for cookies is persistence.




Check out: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

First party session cookies (e.g. login cookies) and several other reasonable uses are exempt.

The law is most strongly targeted at google analytics / facebook / omniture / etc cookies, which are third-party tracking cookies that follow the user around the Internet.

In your case, if you are setting a first-party non-persistent cookie which does not "identify" the user (except to determine usage patterns on the site) then it would be pretty reasonable to consider it exempt from notification.

However, you should throw up a cookie warning if you are setting a persistent cookie or using third-party tracking scripts (which will go ahead and use third-party tracking cookies).


TIL session cookies are exempt. Seems it's a very misunderstood law, and is designed to make people think about tracking


Yeah this law is very unclear. Probably written by tech-agnostic folks, mostly.

The intention is mainly to prevent tracking without permission (so maybe 'no-tracking law' may have been a better name), no matter how you technically implement that. Obviously this concerns social media and analytics (not only third-party).

It's weird how the law states that a website must ask specific permission, given that (modern) browsers support the Do Not Track HTTP header [1]. IMO this would've been much more friendly to visitors (i.e. decide once if you want to get tracked or not; it's mostly the same few parties (Facebook, Google, et al) tracking you anyway).

[1] https://en.wikipedia.org/wiki/Do_Not_Track


Oh yeah

>...follow the user around the internet

that is interesting, I'm not even sure how that would work once they leave your site (I am not aware at this time).


uhh… your site embeds google analytics, which sets cookies on google's domains. other site embeds google analytics, it reads the google cookies… and so on.


right I thought of something else. this thought did cross my mind but can't prove it. caught in the web (of Google)


As a European who had to make sure the provisions contained in this law were implemented on a few high-traffic sites targeting consumers, I can definitively say that the law is at least a little bit "controversial" and unclear. We had to request the assistance of a law firm to make sure we complied.

Originally it looked like you had to give the users an option to decide if they allow the use of tracking cookies or not, potentially having to deal with NOT pushing such cookies in case the user did not consent. In reality, most of the implementations I've seen are just informing the customers that tracking cookies are used and let them know that usage of the site represents consent of such usage, adding that they can modify the browser preferences if they want to modify their cookie preferences. Additionally, you have to link to a cookie policy that you publish on the site.

As a clarification, this law does not apply to cookies in general: certain cookies, sometime referred as technical cookies (e.g. session) are exempted as long as they're not used for tracking purposes.


> As a clarification, this law does not apply to cookies in general: certain cookies, sometime referred as technical cookies (e.g. session) are exempted as long as they're not used for tracking purposes.

That's good to know. Any chance you know/can link to the specific section that makes that exemption?


Here's an excerpt taken from the EU Internet Handbook [0]:

Cookies clearly exempt from consent according to the EU advisory body on data protection- WP29 [1] include:

- user‑input cookies (session-id) such as first‑party cookies to keep track of the user's input when filling online forms, shopping carts, etc., for the duration of a session or persistent cookies limited to a few hours in some cases

- authentication cookies, to identify the user once he has logged in, for the duration of a session

- user‑centric security cookies, used to detect authentication abuses, for a limited persistent duration

- multimedia content player cookies, used to store technical data to play back video or audio content, for the duration of a session

- load‑balancing cookies, for the duration of session

- user‑interface customisation cookies such as language or font preferences, for the duration of a session (or slightly longer)

- third‑party social plug‑in content‑sharing cookies, for logged‑in members of a social network.

[0] http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

[1] http://ec.europa.eu/justice/data-protection/article-29/docum...


Hmm, interesting to note that it doesn't allow for long-lived 'remember me' style cookies without the notice.


Which is a bit silly as it's a tracking cookie by default


I understand their point - a cookie can be used purely for a session ID, without using it to track the user for other purposes (e.g. a cookie unrelated to the session could be used to track which pages the user visits, regardless of whether there're logged in)


thanks a lot, this is very helpful/enlightening.


Please, somebody, make a service such that I can centrally "agree to cookies" for all sites that use this service. It would make my life easier as a user and also as a potential web site owner.

Side note: I personally hate this kind of thing where good meaning people force me to consent to or decline something. I liked the grey area where I didn't consent nor forbid tracking, and could be morally outraged and use a website at the same time. I think there is little use in displaying terms of service that nobody reads or understands, and especially terms that you have to accept if you want to use a service (which you most of the time not strictly have to use to live, but realistically, to take part in out society... yes, I have to access most of the services I do).


What we should've done is made browser vendors add EU cookie consent instead of every. single. website.

Then I can configure my browser for Always/Never/Ask or whatever.

That would've been too simple, of course.


Well, if you look in the options you'll find Firefox actually does have an option whether to accept all cookies, only first party, no cookies or always ask. Chrome also has an option to deny all cookies, third party cookies or accept all (no ask here).


Is it still only Safari that has the "from websites I visit" option? That's the most sensible one to me.


Does that mean same-domain? That basically meets the EU requirement for most tracking systems I think (where they're third party that is).

"Accept the session cookie but not the Google Analytics one."


It means it will accept cookies for other domains if you have visited the other domain explicitly before. This makes things like embedded widgets work.


Ah see, that's the opposite of what I'd want, personally at least.

The whole point imo of blocking cookies for privacy reasons is so that things like that can't track me around the web - explicitly visited or not.


Firefox got rid of the always ask option in version 44.


There is a browser extension called CookiesOK: https://cookiesok.com/


IIRC uBlock used to have an anti-cookielaw-popup blocking list you could enable. It worked quite well for a bunch of websites.


There may be same changes to the cookie law soon: http://www.lexology.com/library/detail.aspx?g=859d2614-cf11-...


> from scanning the contents of their users’ email for the purposes of delivering targeted advertising

that's how you make money... if only I could read people's minds as they dreamt... cue the exploding egg (Futurama)


I seemed to recall having read so too. Thanks for the link. This should be higher up IMO.


Finally!


Has anyone ever been prosecuted or fined under this law, in any country?

Although many high profile sites now show the cookie banner, it still seems like 99% of sites operating out of the EU don't show anything, even when they use Google Analytics or use ad networks that use cookies.


(I am only describing the situation in Germany)

I can say from my own founding experience that you want to avoid being investigated, at least in Germany. While I am a big privacy fanatic, the current way rules are implemented is quite labor intense for small founder teams.

As a matter of fact, cookie laws will be your most benign issue to solve. The biggest challenge is that most tech startups that deal with personal data need to appoint a certified privacy officer, which can be ridiculously expensive.


> 99% of sites operating out of the EU don't show anything

Good.


I think the EU is dropping this bs law. They figured out how the internet works, finally.


Are you sure? Seems like it's still Neuland.


This law is nonsense. You don't have to respect it if you are not in the EU.


I seriously doubt you have to respect if you are in the EU too. Unless you are the size of Facebook, Google etc.


It sure is nonsense since, most of the time, the site may already have dumped a boat load of cookies before the opt-in appears on the screen.

"You don't have to respect it if you are not in the EU."

Like most of these silly laws, it depends how big you are, Google couldn't get away with it but 99.9% of smaller websites could.


Google couldn't get away with it because Google does business in the EU and has subsidiaries in the EU so it needs to comply with EU law.

It's no different than physical products. If you produce and ship your product locally to the local market that is not part of the EU and someone exports your goods to the EU, it's their problem if they need to comply with EU law, not yours. If you want to distribute your product in the EU directly and maybe even create a separate company within the EU to do so, you have to comply with EU law or face consequences.


Yes, absolutely, thanks for the clarification.


>For me it's not a credentials thing, though it is an identifying thing, just for easier database lookup to update the user's interaction with a site ie. pages visited, scrolls, stuff clicked on... for data driven dev.

This is exactly what the law is targeting, using cookies to track users.

Realistically, as long as you don't and have no plans to do business in the UK (Edit: EU, not just the UK) you should be fine. But it can't hurt to put small notice to be safe.


My understanding is the rule comes from some form of EU legislation, in which case the issue is far more extensive than just the UK, ~500 million people.


That's correct.

https://www.cookielaw.org/the-cookie-law/

> It started as an EU Directive that was adopted by all EU countries in May 2011. The Directive gave individuals rights to refuse the use of cookies that reduce their online privacy. Each country then updated its own laws to comply. In the UK this meant an update to the Privacy and Electronic Communications Regulations.

...

> All websites owned in the EU or targeted towards EU citizens, are now expected to comply with the law.


Not tempting fate here, I will update the site(I'm pretty sure I will to be safe, at the risk of annoying users with a popup, possibly losing functionality on the site) with this in mind, what would they do? Fine me? Air lift me into a European prison? Haha that would be interesting.


If you have no business in EU this law is not for you and you can ignore it. If you're in the EU you may get a fine if you're unlucky.


The whole part of business is "you made money through exploiting their otherwise personal information" ?

Interesting... it's like when you sign up for those discount cards at stores, do I see some law somewhere that says "By the way we collect and sell your data for money which can potentially be used against you in the future to deny you health care..." I don't know... out of my field here... but. Interesting, probably worrying about nothing as usual.

Like worrying about modifying the icons of big social media sites... what blog/website doesn't create their own version/theme of those buttons...

Yeah I'm not clear on that definition of business, if your site has ads, it's meant for the Philippines, and a person in the EU visited your site, and you made money from those ads... is it my fault? Doesn't Google Adsense have to know the content of my site and the visitor to serve ads... Ahhhh


I asked about "soliciting" everyone or checking IP (despite proxy/vpn) so you don't get the prompt. It reminds me of those email-popups when I see a popup appear even in site not necessarily a window.

Our site is deployed in the Philippines (though does no use a .ph domain) so I wonder if the UK thing would even apply. Currently no products/associated with the site so no "business" not even ads at this time.


Yeah it does seem contradicting, however in my case, no user sign up/don't know who exactly is visiting due to changing IP's. This is the point of the unique string in cookie

It's mostly to update tracking data regarding site usage and not overwrite existing entries

What does that mean to "track" haha, I don't mean location. Identifying... unique


When I write my terms of service, which I try to keep in simple language, I usually make known what I use cookies for or that I do log IP addresses, which is only used to prevent abuse of the application.


Is that necessary ie. if you log an ip, you need ToS? Also a ToS you just right yourself, no "legitimate" way? Like those "Copyright 2017" at the bottom of a page.

The ips are normally dynamic/I wouldn't think you could reliably use them to target them for whatever.

Something to address though as we log IP's though servers in general know IP's by connecting right? How is that different? "Not logged"


I feel if you are taking any personal information, including an email address, you should have some kind of terms of service. If you set cookies on a personal computer, that could warrant a terms of service.

You can find Terms of Service generators online and you just modify it to be even more simple terms. If I were a large corporation, like Apple, I'd probably have lawyers writing it for me, but I do my best not to store too much personal data, while informing my users of the data collected from them. And if I do store it, its encrypted. I can't read it or recover it.

It is good practice to spend a few hours, at least once before you develop a good program, to check out the terms of services on a bunch of websites. It helps to understand the types of language to use and what to mention or not mention, especially those websites closely related to whatever you are doing.

My personal opinion is that the shorter your privacy policy and terms of service, the better. No reason to put up content that you can't even understand, so you may as well write something that you and your visitors can easily understand.

Terms of Service: information about the usage of your product.

Privacy: information about your considerations when collecting and storing data from your visitors.


Thanks a lot that is really helpful.

Interesting point about the encryption. Do you think IP's need to be encrypted? I sometimes get IPV6's but mostly IPV4. We don't collect/ask for emails yet at this point... pretty much just using IP (not even sure why we collect it) and generate a 12-char unique string set to cookie for analytics upload/lookup.

I will have to take a look at some generators.

edit: wait that part about encryption, if I can't read it, what use is it? You're talking same thing with passwords like don't store it as plaint text, store the hash? If that's the case yeah... but then the cost server-side to decrypt/run batch processing... I guess part of the job...


It is just common practice for me to encrypt most data that goes into the database. First and foremost, for security. Privacy is important too. And also, encrypting data actually saves more bytes, as the encryption method I use outputs a pattern of random characters. While it can be long at times, it tends to eliminate special characters, periods, spaces, etc. So I'd think the database is more optimized by practicing data encryption.

Also, if you think about all the major companies that have gotten hacked in the past, with sensitive data leaks, you have to wonder how that data was able to get breached and then deciphered. At least if that happens to you, you can at least make it harder for the hacker. And people know about these data breaches.. yet it doesn't stop them from using those products, but that is because those companies are huge. A small business cannot afford to have a data breach and expect its reputation to remain stable.

Edit: The thing about data encryption is that for some methods, you can encrypt two strings so they end up being the exact same thing when encrypted. Then you compare that data for a match or an unmatch. It is just a more secure way of doing things. It is up to you on how you want to store your data. Databases do come with some protection themselves, but encrypting data is just one additional step for security.


What about performing operations on that encrypted data though? Is it still "indexable"

Not disagreeing with you. Encryption is something I have to learn/get into I think I was looking at AES256, I mean I use the standard bcrypt with openssl for password/login.


IP's are considered personal data according to GDPR, which will go into effect May 2018.

http://privacylawblog.fieldfisher.com/2016/can-a-dynamic-ip-...

It's been made clear in the General Data Protection Regulation ("GDPR") that IP addresses should be considered as personal data as the text includes "online identifier", in the definition of "personal data". Recital 30 clarifies that "online identifier" includes IP addresses."


Interesting... I don't understand the internet protocol enough to argue but calling it "personal" when it cycles/controlled by your ISP... I don't know, but the law is the law and I follow it without question haha.

So will need to add that to a future ToS


Well, none of the pages I saw asked me to allow them for storing cookies. They just inform me about the cookies and the ways I can use to remove them.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: