Cookie law compliance
On 15 June a new Slovenian law on electronic communications comes into effect. Among other things it implements the European cookie directive, which makes Slovenia one of the last countries in the Union to comply with it.
Slovenian lawmakers decided on a stricter interpretation of the directive than most other countries, making it illegal, for instance, to store any state in a visitor's browser without her explicit consent. There are very few exceptions to this rule, for example where local state is the only way to implement some functionality (shopping carts, for instance) or where it is expected (when you log in with a user name). Otherwise our Information Commissioner is quite clear that tracking cookies and the like for anonymous users must go away unless a click-through warning is added to the web page. It remains to be seen to what extent this will be enforced, though, especially since parts of the law also attempt to restrict what kind of processing you can do on plain web server access logs.
Since I started writing this blog I've been quite careful to respect the privacy of visitors to my web site. I never used cookies, and for most of its existence these pages didn't include any third-party JavaScript. I never used Google Analytics or other third-party analytics services, and my own web server logs are only used for occasional local statistical processing when I'm curious about the number of visitors to particular articles.
I was therefore somewhat surprised when, while discussing this topic in our local Open data community, we ran some automated tests against my pages. It turned out the situation was not as rosy as I thought.
The first problem was that, against all odds, cookies were getting set for my domain. I tracked it down to jsMath, which I use to typeset mathematical notation in some blog posts. jsMath uses a cookie to store settings you can change using a small toolbox that appears in the lower right corner of the page when text with mathematical symbols is displayed (I'm quite sure nobody noticed it, though).
That cookie isn't problematic in itself, since changing settings is an explicit action that is expected to save some state (the box also has an option for how long you wish the settings to be retained, which makes that even clearer). However, for some reason jsMath will always set a default cookie on the first visit, even if you don't touch any settings. That's not OK, even though the cookie doesn't include any unique identifiers (and is in fact used solely on the client side, even though the browser will send it to my server on each HTTP request).
I'm not sure whether this is a bug in jsMath or intentional. Either way, the simple one-line patch below corrects this behavior and retains the setting-saving functionality if you happen to use it:
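As an added illustration (not jsMath's code and not part of the original post), here is one way a site owner can keep a third-party script from persisting state before consent: a gate in front of the cookie store that holds back non-essential writes and releases them only once the visitor agrees, while reads keep working so the library does not break. A plain object stands in for `document` so the snippet runs under Node; in a browser you would wrap the accessor from `Object.getOwnPropertyDescriptor(Document.prototype, "cookie")` the same way. The allowlist of strictly necessary cookie names (`session`, `cart`) and the cookie values written in `demo()` are constructed for the example.

```javascript
// Added example, not part of jsMath or the original post.
// A consent gate in front of the cookie store: writes of cookies that are not
// strictly necessary are held back until the visitor has consented, while
// reads keep working so libraries that look for their cookie do not break.

// Strictly necessary cookies that may be set without consent (names are an
// assumption for this example; adapt to the site).
const NECESSARY = new Set(["session", "cart"]);

// Name part of a "name=value; attr=..." cookie string.
function cookieName(str) {
  return str.split(";")[0].split("=")[0].trim();
}

// Replace the `cookie` accessor on `doc` with a gated one.  Returns a small
// controller used to grant consent later (e.g. from a consent banner).
function installCookieGate(doc, necessary = NECESSARY) {
  const jar = new Map(); // name -> "name=value" of cookies actually persisted
  const pending = [];    // cookie strings held back until consent
  let consented = false;

  Object.defineProperty(doc, "cookie", {
    configurable: true,
    get() {
      return Array.from(jar.values()).join("; ");
    },
    set(str) {
      const name = cookieName(str);
      if (consented || necessary.has(name)) {
        jar.set(name, str.split(";")[0].trim());
      } else {
        pending.push(str); // remembered in memory, never stored by the browser
      }
    },
  });

  return {
    grantConsent() {
      consented = true;
      // Replay the held-back writes now that they are allowed.
      for (const str of pending.splice(0)) doc.cookie = str;
    },
    pendingNames() {
      return pending.map(cookieName);
    },
  };
}

// Walk through the jsMath scenario from the post: the library writes its
// default cookie on first visit, before the visitor has touched anything.
function demo() {
  const doc = {};                            // stand-in for window.document
  const gate = installCookieGate(doc);

  doc.cookie = "jsMath=scale100; path=/";    // constructed: library default on first visit
  doc.cookie = "session=abc123; path=/";     // constructed: login session, strictly necessary

  const beforeConsent = doc.cookie;          // only the session cookie exists
  const held = gate.pendingNames();          // ["jsMath"]
  gate.grantConsent();                       // visitor clicked "accept"
  const afterConsent = doc.cookie;           // both cookies now persisted

  return { beforeConsent, held, afterConsent, stillHeld: gate.pendingNames() };
}
```

The gate has to be installed before any third-party script runs (i.e. first in the page), and the pending list is also a cheap audit tool: logging `pendingNames()` on a few page views shows which scripts would have written state without consent, which is exactly the kind of check the automated tests mentioned above perform from the outside.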
--- a/uncompressed/jsMath.js +++ b/uncompressed/jsMath.js @@ -1834,7 +1834,7 @@ jsMath.Controls = { cookie: { scale: 100, font: 'tex', autofont: 1, scaleImg: 0, alpha: 1, - warn: 1, fonts: '/', printwarn: 1, stayhires: 0, + warn: 0, fonts: '/', printwarn: 1, stayhires: 0, button: 1, progress: 1, asynch: 0, blank: 0, print: 0, keep: '0D', global: 'auto', hiddenGlobal: 1 },
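Review bot: the hunk only changes the default for `warn` in `jsMath.Controls.cookie` from 1 to 0; nothing in the visible lines touches the code that actually writes the cookie, so the post (or a comment next to the patch) should explain why suppressing the font warning is what stops the default cookie from being written on first visit, and the result should be confirmed in a fresh browser profile with no cookies present. Also, the patch is against `uncompressed/jsMath.js`; if the site serves the compressed build, that build has to be regenerated from the patched source or visitors will keep getting the old behaviour.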
The second problem was that a few of my posts embed YouTube videos. That's a problem because the YouTube player drops two Flash Local Shared Objects on the visitor's computer as soon as it is loaded (even if you use the nocookie domain).
To my knowledge it is now impossible to embed a YouTube video on a web site and comply with the Slovenian law unless you provide a click-through warning. Since I find those obnoxious, I chose to remove all embedded videos and replace them with static thumbnails that you can click through to watch the video on the YouTube web page itself.
The other option would be to find some other video hosting service that does not set cookies (if one even exists) or to host the video files myself (which didn't end well a while ago). Both of these would require more time than I'm willing to spend on this issue at the moment.
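Added example (not the blog's own build code): the replacement described above, done mechanically over a post body, so that every YouTube iframe becomes a static thumbnail linking to the video page and nothing from a third party loads until the visitor clicks. The regular expression, the `/static/yt` thumbnail directory and the sample HTML (video id made up) are assumptions; the thumbnails must be downloaded once and served from your own domain, otherwise the embed is merely swapped for another third-party request.

```javascript
// Added example, not the blog's own build code.  Rewrite YouTube iframe
// embeds in an HTML fragment into a static, locally hosted thumbnail that
// links to the video page on YouTube, so that nothing from a third party is
// loaded until the visitor deliberately clicks.

// Matches <iframe ... src="https://www.youtube.com/embed/<id>..."></iframe>,
// including the youtube-nocookie.com variant, and captures the 11-character id.
const YT_EMBED_RE =
  /<iframe\b[^>]*\bsrc=["']https?:\/\/(?:www\.)?youtube(?:-nocookie)?\.com\/embed\/([A-Za-z0-9_-]{11})[^"']*["'][^>]*>\s*<\/iframe>/g;

// The thumbnail location is an assumption: download each image once and serve
// it from your own domain, otherwise you only swap one third-party request for
// another (img.youtube.com would still be contacted on every page view).
function thumbnailLink(id, thumbDir = "/static/yt") {
  const href = `https://www.youtube.com/watch?v=${id}`;
  return `<a href="${href}" rel="noopener noreferrer">` +
         `<img src="${thumbDir}/${id}.jpg" alt="Watch this video on YouTube"></a>`;
}

// Replace every YouTube embed; other iframes are left untouched.  Returns the
// rewritten HTML and the ids found, so a build step can fetch the thumbnails.
function replaceEmbeds(html, thumbDir) {
  const ids = [];
  const out = html.replace(YT_EMBED_RE, (_match, id) => {
    ids.push(id);
    return thumbnailLink(id, thumbDir);
  });
  return { html: out, ids };
}

// Constructed sample post body (the video id is made up); the second iframe
// is not a YouTube embed and must survive the rewrite unchanged.
const SAMPLE_HTML = [
  "<p>Here is the talk:</p>",
  '<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/abcDEF12345?rel=0" frameborder="0" allowfullscreen></iframe>',
  '<iframe src="https://example.com/widget"></iframe>',
  "<p>Discussion follows.</p>",
].join("\n");

function demo() {
  return replaceEmbeds(SAMPLE_HTML);
}
```

Run it over every post at build time and use the returned `ids` to fetch the thumbnails into `/static/yt` once; after that, a visitor's browser talks to YouTube only when they follow the link.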
Tomaž, I really respect your diligence. I'm not being sarcastic (in case it would look like that).