[OSM-talk] Cookies on OSM

2012-07-11 Thread David Earl
In very simplistic terms, the EU cookie directive requires a web site to 
prominently disclose the fact that it uses cookies and what for (and in 
the case of tracking cookies to explicitly obtain the user's consent 
before doing so).


I notice the OSM site doesn't yet do this, even though it uses cookies, 
but this mail is more about third party users who need to make their own 
statements about cookies they use when they embed OSM maps.


If an OSM map is embedded in another site as an IFRAME as from the Export 
tab or similar, then it appears to plant two sets of cookies, ones 
starting _osm_... whose function seems pretty obvious, and ones starting 
_pk_... which are more mysterious.


Please could someone who knows put up a brief page on the wiki which 
explains what these are for, for the purpose of helping sites make their 
cookie usage clear, as required by law (or at least for them to conduct 
the cookie audit needed in good faith).


I am (I hope not naively!) assuming that OSM wouldn't indulge in any 
intrusive cookie tracking which would require explicit consent.


Is anyone addressing this for the OSM site itself? I see there is a 
privacy policy, but that doesn't mention cookies and it isn't 
prominent on the home page as the directive requires.


Thanks,
David


___
talk mailing list
talk@openstreetmap.org
http://lists.openstreetmap.org/listinfo/talk


Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread Frederik Ramm

Hi,

On 07/11/12 14:03, David Earl wrote:

> I am (I hope not naively!) assuming that OSM wouldn't indulge in any
> intrusive cookie tracking which would require explicit consent.


I believe OSM uses Piwik which is something like Google Analytics but 
without giving the data to a third party. That's probably the reason you 
are seeing this pk cookie.


I don't know if that requires explicit consent. It's not much more than 
looking at log files really but I'm not up to date on legislation.


(TBH I've seen a lot of "is it ok if we set a cookie" popups on UK web 
sites recently but none on German sites so I'm not sure if this is 
really an EU thing or just UK? Or UK being first in adopting some EU law 
into national law maybe, improbable as it sounds?)


Bye
Frederik

--
Frederik Ramm  ##  eMail frede...@remote.org  ##  N49°00'09 E008°23'33





Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread Lester Caine

(Change email address !!!)
Frederik Ramm wrote:


> On 07/11/12 14:03, David Earl wrote:
>
>> I am (I hope not naively!) assuming that OSM wouldn't indulge in any
>> intrusive cookie tracking which would require explicit consent.
>
> I believe OSM uses Piwik which is something like Google Analytics but without
> giving the data to a third party. That's probably the reason you are seeing this
> pk cookie.

THAT is interesting ... I need to look closer
I'm using my own port of Piwik on a faster database.


> I don't know if that requires explicit consent. It's not much more than looking
> at log files really but I'm not up to date on legislation.

Piwik requires explicit consent as it's not an 'essential' cookie
Even session cookies are still a grey area!


> (TBH I've seen a lot of "is it ok if we set a cookie" popups on UK web sites
> recently but none on German sites so I'm not sure if this is really an EU thing
> or just UK? Or UK being first in adopting some EU law into national law maybe,
> improbable as it sounds?)

The cookie directive was passed into law across EUROPE last May. The UK relaxed 
implementation in an attempt to get the browser developers to handle the problem 
centrally, but none have, so they now require that every website does the job 
themselves.


I've ended up with a system which allows 'social media', 'piwik' and other 
cookies to be switched off separately ... http://medw.co.uk/ is an example. But 
I still need to link this in with the some of the third party elements fully yet.


--
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk





Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread David Earl

On 11/07/2012 13:36, Frederik Ramm wrote:

> Hi,
>
> On 07/11/12 14:03, David Earl wrote:
>
>> I am (I hope not naively!) assuming that OSM wouldn't indulge in any
>> intrusive cookie tracking which would require explicit consent.
>
> I believe OSM uses Piwik which is something like Google Analytics but
> without giving the data to a third party. That's probably the reason you
> are seeing this pk cookie.


Thanks.


> I don't know if that requires explicit consent. It's not much more than
> looking at log files really but I'm not up to date on legislation.


The general view seems to be that Google Analytics doesn't require 
explicit consent, merely disclosure, so I can't see that something even 
less intrusive could require explicit consent.




> (TBH I've seen a lot of "is it ok if we set a cookie" popups on UK web
> sites recently but none on German sites so I'm not sure if this is
> really an EU thing or just UK? Or UK being first in adopting some EU law
> into national law maybe, improbable as it sounds?)


The directive was actually enacted in May 2011, but the UK Information 
Commissioner's office gave people until May this year to implement it. A 
few have, as you say (notably the BBC), but the ones that really go to 
town on the issues the directive is supposed to protect against - e.g. 
Amazon - have completely ignored it. There will have to be a test case 
before long if it is supposed to be taken seriously. (It is a daft law 
IMO, exactly the kind of 'red tape' the Government says it is committed 
to abolishing).


David






Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread Tom Hughes

On 11/07/12 13:03, David Earl wrote:


> In very simplistic terms, the EU cookie directive requires a web site to
> prominently disclose the fact that it uses cookies and what for (and in
> the case of tracking cookies to explicitly obtain the user's consent
> before doing so).


So, how is http://www.frankieandshadow.com/gallery/ using PHPSESSID then ;-)

Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/





Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread Ed Loach
> Piwik requires explicit consent as it's not an 'essential' cookie
> Even session cookies are still a grey area!

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

mentions:

European data protection authorities opinion

In June 2012, European data protection authorities (as part of the
Article 29 Working Party) adopted an opinion which clarifies that
some cookie uses might be exempt from the requirement to gain
consent:
Some cookies can be exempted from informed consent under certain
conditions if they are not used for additional purposes. These
cookies include cookies used to keep track of a user’s input when
filling online forms or as a shopping card, also known as session-id
cookies, multimedia player session cookies and user interface
customisation cookies, eg language preference cookies to remember
the language selected by the user.
First party analytics cookies are not likely to create a privacy
risk if websites provide clear information about the cookies to
users and privacy safeguards, eg a user friendly mechanism to opt
out from any data collection and where they ensure that identifiable
information is anonymised.

I'm not sure which of the osm cookies count as session cookies,
first party analytics cookies, or other.

Ed




Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread David Earl

On 11/07/2012 13:55, Tom Hughes wrote:

> On 11/07/12 13:03, David Earl wrote:
>
>> In very simplistic terms, the EU cookie directive requires a web site to
>> prominently disclose the fact that it uses cookies and what for (and in
>> the case of tracking cookies to explicitly obtain the user's consent
>> before doing so).
>
> So, how is http://www.frankieandshadow.com/gallery/ using PHPSESSID then
> ;-)


You can remove the ';-)' - my email wasn't a criticism, but is made in 
all seriousness to try to bring other web sites I have involvement in 
within the law. That includes my own site too (and I don't actually know 
the answer except that it is, of course, a PHP session cookie - that's 
the point of doing a cookie audit as required by the ICO).


David





Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread David Earl

On 11/07/2012 13:53, Lester Caine wrote:

> Piwik requires explicit consent as it's not an 'essential' cookie


No, the requirement is for informed consent. The ICO is clear that 
"Implied consent is a valid form of consent and can be used in the 
context of compliance with the revised rules on cookies." Explicit 
consent (asking an explicit question in which the user can decline to 
have cookies set) is about whether a cookie is intrusive or not - 
aimed mainly at third-party tracking cookies.


David




Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread Lester Caine

Ed Loach wrote:

>> Piwik requires explicit consent as it's not an 'essential' cookie
>> Even session cookies are still a grey area!
>
> http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx
>
> mentions:
>
> European data protection authorities opinion
>
> In June 2012, European data protection authorities (as part of the
> Article 29 Working Party) adopted an opinion which clarifies that
> some cookie uses might be exempt from the requirement to gain
> consent:
> Some cookies can be exempted from informed consent under certain
> conditions if they are not used for additional purposes. These
> cookies include cookies used to keep track of a user’s input when
> filling online forms or as a shopping card, also known as session-id
> cookies, multimedia player session cookies and user interface
> customisation cookies, eg language preference cookies to remember
> the language selected by the user.
> First party analytics cookies are not likely to create a privacy
> risk if websites provide clear information about the cookies to
> users and privacy safeguards, eg a user friendly mechanism to opt
> out from any data collection and where they ensure that identifiable
> information is anonymised.
>
> I'm not sure which of the osm cookies count as session cookies,
> first party analytics cookies, or other.


Until there is 'case law' nothing can be assumed. The current recommendations 
HAVE changed again since I started sorting this for our hosting customers. The 
key word above is 'might be' ... no one has yet produced a document that says 
'is' ... so we either simply ignore the directive, or we provide the facility 
for people to be able to switch off 'social media' and 'analytics' cookie 
tracking even if some people's opinion is that it's not necessary. I'm opting 
for the safe path since it does also allow users to switch off things that they 
may object to even with anonymous tracking.


The law may be an ass, but it was VERY interesting identifying what cookies were 
created as a result of loading a supposedly clean site, and it is perhaps the 
'due diligence' that has resulted from the exercise that is more important.


--
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk





Re: [OSM-talk] Cookies on OSM

2012-07-11 Thread Lester Caine

David Earl wrote:

>>> In very simplistic terms, the EU cookie directive requires a web site to
>>> prominently disclose the fact that it uses cookies and what for (and in
>>> the case of tracking cookies to explicitly obtain the user's consent
>>> before doing so).
>>
>> So, how is http://www.frankieandshadow.com/gallery/ using PHPSESSID then
>> ;-)
>
> You can remove the ';-)' - my email wasn't a criticism, but is made in all
> seriousness to try to bring other web sites I have involvement in within the
> law. That includes my own site too (and I don't actually know the answer except
> that it is, of course, a PHP session cookie - that's the point of doing a cookie
> audit as required by the ICO).


Up until May I had simply assumed that PHPSESSID was a simple 'essential' cookie 
and that it was exempt, but that is the very cookie that has yet to be 
specifically flagged as exempt and is why I have wasted so much time on the safe 
approach.


I also assumed that adding social media links to a site did not require ME to 
get permission, but the advice now makes it clear that it is the site which is 
responsible for these third party cookies! So we give people the option to 
refuse if they want to. While the ICO has changed the advice again in June it 
HAS also said that it will not be taking action against anybody any time soon, 
so sitting on hands is probably equally safe at the moment.


--
Lester Caine - G8HFL
-
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk


