[Openid-specs-ab] Fwd: New EU laws

Anthony Nadalin tonynad at microsoft.com
Thu Mar 10 00:15:29 UTC 2011

Doesn't this actually have to manifest itself as a law in each country (which may take a long time)?

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Wednesday, March 09, 2011 4:13 PM
To: Henrik Biering
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Fwd: New EU laws

The method we are discussing for session management is not unlike what some people do for tracking cookies.

I would not want to have session management and Single Logout caught up in the same net.

As you say this will take forever to sort out if it goes ahead.

Though at some point we may want to pre-emptively show how cookies can legitimately be used in this sort of application.

John B.
On 2011-03-09, at 8:44 PM, Henrik Biering wrote:

Fortunately this updated directive does NOT target cookies that are placed/read in order to provide the basic service requested by a user.

But it is causing great concern to people providing services such as third party advertisement and analytics tracking users (or rather devices) across the internet.

One problem is that the directive itself is (mildly stated) very unclear and the national implementation efforts so far totally uncoordinated. Thus it is likely that the directive will be interpreted and legally implemented in about 30 different ways across Europe. This may imply significant localization efforts for international content providers and e-commerce sites.

Another major problem is that a publisher (e.g. a newspaper) currently often does not know or control the individual media agencies or advertisers who may place cookies on a user's computer while the end user is visiting the publisher's site. According to legal people it is the owner of the visited site who must manage the consent for all third party cookies. This means that even if the third party service provider gets a user's global accept for tracking the user, such a consent would not in itself be legally adequate for the publishing site.

Also this is not convenient for a user who might have allowed e.g. an analytics service at 1000 sites before he decides to disallow its tracking entirely. So maybe this can end up being a good business case for OAuth / UMA, allowing the user centralized consent management for the sites they visit as well as for the third party services relating to these sites. At least I will try to influence the Danish draft decree (core part provided below in English translation, public hearing ends 1 April) in a way that makes this a viable option.

---------------- Core part of the proposed Danish decree of the Directive ---------------
§ 3 Natural or legal persons may not store information or gain access to information already stored in an end user's terminal equipment, or enable third parties to store information or gain access to information, if the end user does not give consent after receiving adequate information about the storage of or access to data.

Paragraph 2. Consent, cf. 1, means any freely given, specific and informed expression of will by which the end user agrees to the storage of data or access to already stored information in the end user's terminal equipment.

Paragraph 3. Information, cf. 1, is adequate when it as a minimum

1) appears in a clear, concise and understandable language, or alternatively by means of pictures,

2) contains information about the purpose of storage of or access to data in the end user's terminal equipment,

3) contains information about how long the information is intended to be stored in the end user's terminal equipment,

4) contains information about the name of any natural or legal person who stores or accesses the information,

5) provides readily available access for end users to refuse consent or revoke consent to the storage of or access to data, and clear, precise and understandable instructions on how the end user uses such access, and

6) is readily available by a full and clear disclosure to the end user. Moreover, information about storage of or access to information on the end user's terminal equipment through an information and content service must be permanently, directly and easily accessible to the end user of the information and content service.

§ 4 Notwithstanding § 3, natural or legal persons may store information or gain access to information already stored in an end user's terminal equipment, if

1) the storage of or access to information has the sole purpose of transmitting communications over an electronic communications network, or

2) the storage of or access to data is required to enable the provider of an information and content service, explicitly requested by the end user, to deliver this service.

Paragraph 2. Storage of or access to information in an end user's terminal equipment is required, cf. 1, No. 2, if the storing of or access to information is a technical requirement to provide a service that works in accordance with the purpose of the service.
----------------------- End -------------------------------


On 09-03-2011 15:55, John Bradley wrote:
Something to keep in mind with respect to session management.

Without seeing the regulation it is hard to know what to make of it.

I suppose every site in the EU might have to ask for permission to create a session cookie on the persons computer before letting them in.

I can't think of any alternative other than mutual TLS to do it.

Though now that I think about it, it could be a way to push e-id cards?

John B.

Begin forwarded message:


Websites will have to gain 'explicit consent' from visitors to store or access information on their computers from 25th May.

A new European e-Privacy directive has been announced today and will affect any business tracking users via their cookies online. Exact details from the Department for Culture, Media and Sport (DCMS) are currently being drawn up and will not be available until the end of May, but enforcement and penalties are not expected in the short term as businesses are given a window to 'address their use of cookies'.

The new law is an amendment to the EU's Privacy and Electronic Communications Directive and will require UK businesses and other organisations to obtain consent from visitors to their websites in order to store and retrieve usage information from users' computers.

Speaking today, the Information Commissioner Christopher Graham warned UK businesses and other organisations running websites that they must 'wake up' to the EU legislation.

He said: "While the roll out of this new law will be a challenge, it will have positive benefits as it will give people more choice and control over what information businesses and other organisations can store on and access from consumers' own computers.

"We are proactively working with the government, businesses and the public sector to find a workable solution. We recognise that the internet as we know it today depends on the widespread use of cookies and there are of course legitimate business reasons for using them. So we are clear that these changes must not have a detrimental impact on consumers nor cause an unnecessary burden on UK businesses. One option being considered is to allow consent to the use of cookies to be given via browser settings.

"Once the new regulations are published there will be a major job of education and guidance to be undertaken. In the meantime, both the business community and public sector organisations need to start thinking clearly about how they will meet the requirements of the new directive."

The Information Commissioner's Office will be responsible for regulation, while the Department for Culture, Media and Sport will lead on the implementation of the new measures in the UK.

Minister for culture, communications and the creative industries, Ed Vaizey, said: "Revisions to the e-Privacy directive will provide consumers with more choice and control over their internet experience. But at the same time we need to make sure these changes do not make using the internet more difficult.

"Businesses need to be working to address the way they use cookies. We recognise that work will not be complete by the implementation deadline. The government is clear that it will take time for meaningful solutions to be developed, evaluated and rolled out."

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
