Joomla and EU Privacy Regulations


Abernyte

May 26, 2012, 1:25:22 PM
to joomla-...@googlegroups.com
Now that the enforcement activity is live in the EU for breach of the 2009 Electronic Privacy Directive, is it possible to add the ability to delay the dropping of the session cookie in Joomla until consent is obtained?
Ideally a system which blocks all cookies including the session cookie until informed consent is obtained would be better. Two or three attempts have been made via extensions but only one can be placed in the JED and it does not handle the session cookie. One extension can block the session cookie but the implications of that are unclear and it would be better handled via the Joomla core in any case.

JCR - Lab

May 26, 2012, 2:00:51 PM
to joomla-...@googlegroups.com
On 26/05/2012 19:25, Abernyte wrote:
Hi,

According to the official Data Protection Directive, session cookies are not
in the scope.
What is meant by this directive is keeping privacy of personal data, a
session cookie is not personal data, as in Joomla! it only keeps a
session live.

However, if you keep private data, such as some kind of membership, you
are responsible, according to this directive, to not dispatch those data
to third parties.

This Directive is pretty dark and unclear, it's a real fact.

Abernyte

May 26, 2012, 2:33:00 PM
to joomla-...@googlegroups.com
I can assure you that the Directive and the national regulations made by all EU member nations refer to all cookies requiring consent: session, 1st party, 3rd party, LSOs are all included. I suggest that you read the extensive forum topics on this subject.


JCR - Lab

May 26, 2012, 2:31:55 PM
to joomla-...@googlegroups.com
On 26/05/2012 20:33, Abernyte wrote:
> I can assure you that the Directive and the national regulations made
> by EU all member nations refer to all cookies requiring consent,
> session, 1st party, 3rd party, LSOs are all included. I suggest that
> you read the extensive forums topics on this subject.
I read the Directive, submitted it to our lawyers... and had their
expertise about this.

This Directive is in the same vein as French Hadopi Act.

All modern sites use session cookies. Most lawyers in France, Germany
and other EEC countries agree on a fact: this is not applicable.

EEC Directives technically inapplicable are legion.
This one is really technical crap.

brian teeman

May 26, 2012, 5:47:15 PM
to joomla-...@googlegroups.com
As you can see, session cookies are included http://www.ico.gov.uk/Global/privacy_statement.aspx at least as defined in the UK.


JCR - Lab

May 26, 2012, 6:33:10 PM
to joomla-...@googlegroups.com
On 26/05/2012 23:47, brian teeman wrote:
> as you can see session cookies are
> included http://www.ico.gov.uk/Global/privacy_statement.aspx at least
> as defined in the UK
This is only a view showing that those regulations may differ from country to
country.

French lawyers agree that such a rule is a technical nonsense.

Maybe UK lawyers think differently. But if one has to agree to a
session cookie, 99.99% of existing web sites are outlawed, but with no
other tech solution.


Rouven Weßling

May 26, 2012, 7:14:55 PM
to joomla-...@googlegroups.com
All these points - and more - will remain unclear until we'll have some court decisions.

For example, part of the rule seems to be that it's OK to set cookies when it's necessary for user-initiated actions (e.g. log-in, remember me or a cart).

Since the UK seems to be the country that stirs up the most discussion I suggest reading this recent development: http://www.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent

Best regards
Rouven

Abernyte

May 27, 2012, 4:30:14 AM
to joomla-...@googlegroups.com
We are unlikely to get any other view from business other than "it's too difficult, it's too costly, it doesn't make sense". Yet cookies are permitted when "strictly necessary for a service explicitly requested by a user", which covers the shopping cart. This noise from business is about not blocking targeted advertising at any cost.
We know that this is technically achievable in Joomla. There is an extension already written (but not in the JED) which blocks the session cookie until login. There are two (one in the JED) which block some 3rd party cookies. This would still be better handled for the core as the developers are unsure of all the implications of blocking session and other cookies on Joomla.
In which other area of the world is Joomla not compliant with national legislation and so reluctant to become so?

Chris Davenport

May 27, 2012, 5:03:08 AM
to joomla-...@googlegroups.com
It's technically achievable to stop Joomla issuing cookies, but only at the expense of breaking certain functionality, such as being able to log in.  It might also have other negative effects, such as preventing form submissions, but I haven't checked that.  Personally, I would be reluctant to add an argument to Joomla that deliberately breaks the functionality of a website, which is why I would prefer that this "feature" be implemented as an optional, downloadable extension.  If the extension developer needs a change to the Platform or the CMS code (for example, a new event is required to hang a plug-in on) then open a tracker item, add a patch or make a pull request and it will be reviewed.

Chris.


--
You received this message because you are subscribed to the Google Groups "Joomla! CMS Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-cms/-/Ygp3vzjXGGsJ.

To post to this group, send an email to joomla-...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-cm...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-cms?hl=en-GB.



--
Chris Davenport
Joomla Leadership Team - Production Working Group
Joomla Documentation Coordinator

Webdongle

May 27, 2012, 11:27:47 AM
to joomla-...@googlegroups.com
"It's technically achievable to stop Joomla issuing cookies, but only at the expense of breaking certain functionality, such as being able to log in.  It might also have other negative effects, such as preventing form submissions"

Yes, we know that and so does the ICO, but that is not the point. The point is that, in order to conform to the law, users must consent to cookies before they are dropped. If they choose not to accept them that is their prerogative.







elin

May 30, 2012, 6:20:11 AM
to joomla-...@googlegroups.com
Joomla cannot guarantee that websites built with it comply with all local laws and should not ever claim to do so since that would open it up to liability if it failed in some way. If you think about it, forcing EU sites to comply with US law or even Swedish sites to comply with German law or any sites outside of China to comply with whatever the laws are in China is not only not helpful or practical, it may in fact lead us into contradictory states. If there is something like Section 508 that becomes a standard for implementing a generally agreed on set of goals then we can use that as a standard, but you would not want to ever say that Joomla ensures that your site complies with Section 508. All we would say is that Joomla makes it possible to comply with Section 508.

At Joomla and Beyond we actually had a discussion about this in the session on sample data and we thought about adding a sentence or two to the installation or core data that says that web masters should check the laws of their locations and ensure that they comply with them. However, the Joomla project should in no way provide specific legal advice to users.

If people think it is a useful general feature to be able to turn cookies off and still run Joomla sites (people can do this in their browsers already and who knows how many people have their browsers set for this) then it makes sense to accommodate this in the core just like we make sure the front end can run without javascript. I would only add it to the core if there was a way to do it that still provides an acceptable user experience.

So I think that if someone or some group wants to start working on implementing "running joomla without cookies" they should just start working on implementing it. You don't need permission and when it is ready put it into the feature tracker and people can evaluate the work and see whether it seems to be smart and polished enough to be merged. We could talk about the standards of what that means, but to me this is not about having some terms of service type pop up, which is easy, it's about recoding in every place in the code base where there is currently an assumption that a cookie is present. Instead of getting whatever notice/warning/error/fatal error that they get when an expected cookie is not there the user should get some kind of acceptable user experience (which still might include a notice that not all features are available because cookies are turned off). Really though, I'd say someone just decide that they are going to make a cookie branch in their repo, invite other people to help if you want, and then just start doing the work.

Elin

Marius van Rijnsoever

May 30, 2012, 9:48:38 AM
to joomla-...@googlegroups.com
Joomla depends on cookies in order to provide any interactive
experience (tokens are linked with session cookie, even for users that
are not logged into the website). It's probably not going to be
practical to remove Joomla dependence on cookies.

A solution would be a plugin that detects IP address from countries
like the UK and have a popup mootools box that states "Cookies need to
be enabled in order for you to experience this website". (IP address
limiting would prevent users seeing this popup when it does not
apply). The user then has the option to accept cookies, or face a
website that does not work very well.

Such a plugin would do well on the JED.

Thanks, Marius
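
The dependency described in the post above, shown as an added example that is not part of the original thread and is not Joomla's code: a simplified model of a form token bound to an anonymous session, with a consent gate on the session cookie. The `Site` class, `submit_form` helper and the secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-demo-secret"  # constructed value for the demo


class Site:
    """Toy server: anonymous sessions with form tokens bound to the session id."""

    def __init__(self):
        self.sessions = set()

    def _form_token(self, sid):
        # The token is derived from the session id, so it only validates
        # when the same session id comes back on the next request.
        return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

    def handle(self, session_cookie, consent_given, posted_token=None):
        """Return (set_cookie, form_token, token_ok) for one request."""
        sid, set_cookie = session_cookie, None
        if sid not in self.sessions:
            sid = secrets.token_hex(16)       # start a fresh session
            self.sessions.add(sid)
            if consent_given:                 # consent gate on Set-Cookie
                set_cookie = sid
        token_ok = None
        if posted_token is not None:
            token_ok = hmac.compare_digest(posted_token, self._form_token(sid))
        return set_cookie, self._form_token(sid), token_ok


def submit_form(site, consent_given):
    """GET a form, then POST it back; report whether the token validated."""
    cookie, token, _ = site.handle(None, consent_given)
    _, _, ok = site.handle(cookie, consent_given, posted_token=token)
    return ok


if __name__ == "__main__":
    site = Site()
    print("with consent:   ", submit_form(site, True))
    print("without consent:", submit_form(site, False))
    print("sessions created:", len(site.sessions))
```

Without the cookie every request starts a new session, so the token issued with the form never matches on submission, and the server also accumulates one orphaned session per request.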

Daniele Rosario

May 30, 2012, 9:54:22 AM
to joomla-...@googlegroups.com
Hi guys, I was following the discussion and I think someone already dealt with this.


I'm not related in any way to that website, but I know the developer, and I know
that Nicholas from Akeebabackup has tested it and likes it.

Not sure if this can be interesting for the discussion ;)

Daniele Rosario


elin

May 31, 2012, 9:26:19 PM
to joomla-...@googlegroups.com
I reviewed the latest update/clarification to the UK policy, which has in the past seemed to be among the most aggressive. The UK interpretation is now considerably less rigid than it seemed a year ago.

Based on that, some things that I think would be useful are:
1. For someone to volunteer to add a page to the wiki that documents all cookie use in a default Joomla site in a way that someone who wanted to copy and paste it into a privacy policy could use it. (Corollary: Extension developers should provide the same kind of text if they use their own cookies.)

2. For someone to work on the login view and module so that when the Remember Me feature is enabled webmasters have the option to add text indicating that this feature uses cookies (see sample language on this in the report).

For webmasters the most interesting aspect of this update to me was that they want you to make the privacy policy (that all sites should have and that should already include a summary of all cookie use on a site--this is nothing new, it's just good common sense practice and essential for US based sites) visually highlighted as important information, and it should not be in teeny tiny type in the footer of your page. We obviously cannot enforce that, but we could think about whether the newer sample data should include some kind of link that says "Put your privacy policy here" without giving specific advice about what that policy should include.


Elin
