Again, I don't see that a user of the internet needs to know about how
cookies work. My mum shops online, she cares about her privacy but she
doesn't want or need to understand the process sufficiently well in order to
shop. The vast majority of browsing public have a right to have their
privacy protected but shouldn't therefore be required to educate themselves
with what is going on. The manufacturer of my car wasn't required by law to
have me understand how an engine works and I'm glad they weren't, a high
level understanding of the fact I get in and it goes is enough for me.
The pretence is fine - people should make informed decisions about the
amount of information they disclose online.
The problem is that if a site takes the view that the user should be
consulted about all cookie storage - then they have to ask the user whether
they want to store cookies or not.
Should the user say yes - all is (relatively) fine - you store their answer,
Should the user say no - you can't store the no answer anywhere. You can't
set a cookie because that option has just been removed from you. You can't
log something on IP or user agent (browser) because those are shared. You
therefore need to ask people each time they go there whether they want
cookies or not, and each time they need to tell you know, because there is
no persistence in the answer implicit in the protocol and the legislation
has forbade you to integrate any.
Even if they say yes and you silence the question in the short term, that
yes answer will not be returned if they use a different device or if after a
time the cookie is removed or expired.
So you end up asking them the question lots of times regardless of how they
answer. Which is annoying.
Then you ask the question of what is being stored anyway. If you're
authenticating a user, you're probably storing their username and some other
things relating to the session. All of which is provided by the user, and
therefore can be conditionally supplied subject to principle 1. You might
even go so far as assuming that them having provided a username permits you
to refer to them with that name and the fact they want some relationship
with your web site permits you to administer that relationship. I would
imagine most people understand that if they supply a username, the site will
use it as part of their authentication to that site.
I think its very dangerous that there is somewhat of a lack of understanding
across a lot of camps, and that translates in to poorly drafted legislation
and vague guidance.
I'm all for privacy but please, employ someone with a grasp of the technical
----- Original Message -----
From: "Sandeep Das" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Saturday, September 29, 2012 5:04 AM
Subject: Re: [data-protection] Friday food for thought - Cookies
I never said that the consumer is educated. I said that there is a need to
make him/her educated
And I would question why this legislation is annoying
All archives of messages are stored permanently and are
available to the world wide web community at large at
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)