My JavaScript book is out! Don't miss the opportunity to upgrade your beginner or average dev skills.

Saturday, June 06, 2015

The European's Cookie Law Absurdity

Update once you have read this, feel free to read about my simplified solution too.
This post is not yet another rant on how pointless the "cookie law" banner is, this is a technical walk through on why such banner is absolutely unnecessary and, in 99% of the cases, wrongly implemented (not due lack of competences from who serves a website, rather lack of common sense and logic from whoever wrote this law).

1st - Users's IP Should Be Resolved Upfront

This is the very first misunderstood point about this law, and nobody is talking about it. There are already 2 technical needs in order to succeed in the banner intent:
  1. if your visitor/user is not in Europe, you most likely don't want to show the pointless banner
  2. if your visitor/user is in Europe, you must provide awareness in the guessed visitor/user language
If you surf known giants websites and services from the U.S. you think this law doesn't exist. You might eventually realize this law exists only if you visit the very same website from Europe. Take ARM site as example, and its bottom left banner: it's so obtrusive it might cover part of the navigation or, in some case, even special promotions or events:
Please note that is not an ARM website problem only, many international websites that had to implement such banner didn't bother spending time optimizing this experience, potentially requiring the update of every static page they've served since 90's, they most likely did the simple "is that IP from Europe? throw this banner!".

How to pretend to recognize where a user comes from

If our website works differently accordingly with the user choice about cookies, we might want to resolve the user's IP upfront and synchronously, resulting in a delayed response, and for cheap hosts a more stressful operation, that might even make the server more vulnerable to DDoS attacks.
This operation has a cost even if performed asynchronously, this is why there are online services such MaxMind GeoIP which aim is to provide an always updated list of IP ranges capable to resolve as Countries or even City, without any limit.
These folks are mentioned here because I've used their DB in the past and they offer a less precise but free alternative that requires the right link, info, and copyright but doesn't cost and doesn't use network. I was using a CSV file already in 2004 and while the PHP4 script is outdated, you can easily see how simple it is. A proper database import from the CSV thought would give us better performance.

Where is Europe failing here?

Imagine that starting from tomorrow a European law decides that only cars that use bananas instead of petrol are allowed to go around but nobody knows where to find bananas because Europe didn't supply them. At that point, private bananas corporates will become rich at the expense of every car owner.
In a "unified EU country" where the antitrust already bothered every tech company in the world, the "unified government" keeps making laws that favorites private services and push backs its own citizens. You say NO? ... so, where is the IP2GeoLocation database/service every European tax-payer can access at no extra costs?

The language barrier

Let's assume I am Italian, which I am, and I don't speak English. I visit the ARM (or mostly any other) website and all I can see is a very disturbing pop-over that says something I don't understand, with an X on it that universally means close.

Have I just inadvertently given consent to throw my privacy in the trash bin, be under "big-brother" cameras, and have my picture shown everywhere on the Web as a meme that will ruin my life forever?
The correct answer is: I've no idea what I've just agreed on.

This problem exists for every tourist in this world. Not only websites that pretend to be smart are so dumb that we are automatically redirected in the German, Italian, English, or Russian version of the website, using the same IP rule of thumb (user comes from Russia, must be Russian), there is no way we can solve this problem if not implementing a "never change my country or language" in both our browsers and on the server.

This is yet another simple User Experience case where the App never fails: it doesn't change its behavior or language accordingly with the country you are ... you open the app you use daily, you find the app you use daily. Even Google search fails here, keeping redirecting me to French results and sites just because I took a train London-Paris that in 2 hours apparently made me a French citizen ... this is part of the daily WTF Tech people still need to figure out, and in all this mess glory, the only punished person is the humble user that simply went to her/his favorite website to read her/his country news.

Where is Europe failing here?

The analysis of the language barrier has probably never been done. Europe is not like U.S., we speak many different languages and we can travel freely within EU countries. A law that cannot be reasonably implemented in order to improve, instead of destroy, the User Experience, is a law that should be instantly banned, period.

2nd - a11n (Accessibility)

Second only because those lucky that don't surf from Europe won't have also this specific problem, accessibility is another topic that this law didn't apparently consider much.
Most popovers or banners are shown either asynchronously or in a position fixed at the top of the page and here is just a very basic list of problems we have already:
  1. if shown asynchronously, a person might be interrupted in the middle of the reading and with a "natural tabindex order" changed, due classic link or button to close the banner
  2. if styled on top through CSS, and such CSS has been loaded asynchronously following "best practices", the banner might be placed at the end of the page to either avoid z-index problems or simply as less relevant (eventually shown asynchronous) content. In this case a screen-reader might completely ignore such banner info until it reaches the end of the page (too late).
If I add the fact that both JavaScript or CSS could be disabled, specially for people behind a screen-reader that don't really care about downloading tons of KB of CSS since they won't benefit much from them, we can realize this law could make regular navigation harder, and again gaining no benefits for any user, not even those that with current status of the web already have difficulties we don't imagine.
I wonder if there's any screen-reader user representative in the EU group of politics that made this law, or I actually would like to know their opinion too hoping it's me missing or misunderstanding the great achievement this law did for them.
Update
Apparently it's about 3 years that UK Government knows this Cookie's law conflicts against the disability one, thanks to idea15 for the link.

3rd - Incompatible with the Web

Let's forget for a moment this law is called Cookie's Law, as if we're living in the 90's, but it targets any sort of client/side technology which aim is to store user preferences in order to improve a User Experience and even cross site, where needed ...
The easiest, most compatible way, to avoid per each single visited website that banner for the next visit is to store a cookie.
I honestly imagine the person that signed this law as such:

There are several technical reasons this law is incompatible with the way the World Wide Web works, and here is just a subset of this list:
  1. we cannot control iframes or any other externally embedded resource, so that even if our site doesn't directly use cookies at all, the sharing of an authorized third parts content, which is not under our control, will not allow the user to be informed about that page, but rather chose on our page, and every other page that use that very same embedded content, that such embedded content might contain cookies, even if it doesn't, and just to play safely. It's like telling users that "crystal meth is not the problem, that pusher that didn't inform you is"
  2. the size of a foreign content might be not suitable for any text, so that even if the embedded content should be responsible for the cookie warning, it might be unable to inform the user (as example, Facebook like or Twitter share or fave buttons)
  3. giving the ability to external content to inject a warning in case it's needed opens vulnerabilities to our site, so there's no solution here no matter how we analyze the problem (and the current law is again the wrong answer that does not solve any problem)
  4. if the user has disabled cookies because already aware or for any other reason, most websites will keep showing forever an explicit opt out unable to respect the user choice. Fall-backs are needed, but all of them might fail anyway (no localStorage, no sessionStorage, no IndexedDB, no WebSQL, what else ... a server side session?)
  5. apparently nobody provided a list of browsers, with their relative or minor versions, that should be supported. Developing for the Web and serving a Website means also being able to support target browsers. If the technical responsible for this law uses IE8 to verify such law, we need to know it so that we can eventually grant the ability to see and drop such info. Please remember that position fixed is buggy there. Lynx? These users might be the luckiest surfers ever these days ... should we protect them too? I'm sure they cannot wait for it ...
  6. taking this very specific blog platform as example, I cannot control redirects it does. I cannot control if only via JavaScript and some poor sniffing if the users agreed or didn't and I cannot change its content accordingly if not, again, via JavaScript. Most platforms should be in charge of this matter but truth is, these don't. It's apparently our fault as publishers through a platform that, yet apparently, doesn't care.
The list of incompatibilities with the real-web-world is much bigger than this one, but at least we have already a basic idea on how superficial the analysis of risks and problems has been done before shipping this law. We, EU citizens, pay for these kind of laws daily, isn't that great? Aren't we happy?

4th - If the consent is implicit, we need only an opt out

Imagine somebody throws at you a bucket of ice-water, and you scream NO after you're already wet and frozen. Now repeat this per every new person you meet on the street: how brilliant is this?
Best part of this "game", is that people you've met that heard your NO won't probably throw at you ice-water next time, but every new person they know, every friend of them, everyone they're linked to, or every person they mention, will repeat this procedure: throw at you a bucket of ice-water, waiting for you to scream after that NO.
This is the story of the current status of the cookie law: they didn't bother browsers which are already capable of giving incremental permissions while surfing, such Geo Location, File Uploads, or Full Screen, they bothered the entire Internet and everyone surfing it in Europe which has to repeat the same procedure over and over. In few words, this Europe's law is technically causing a Repetitive strain injury to all Internet users, and all of them receive that ice-water welcome by default!

How could this problem be solved once for all

Instead of repeating this absurdity check for each consent and eventually each user's country, browsers vendor could arbitrary allow a property/flag that mutates both their User Agent string and their Sent Header: first one for the JavaScript inspection, where any other read-only property on the global scope would do, the second one for every server request, where the page can be served accordingly and there's no need to retrieve the country.
Indeed we have a solution that would work regardless where you are, a solution that could be implemented as a form of respect for every user surfing the Internet in this world, or at least where this kind of law is enforced.

This would actually protect users and their privacy, this would not require third parts databases or solutions, this would not affect performance on the server, and this would not affect performance on the client, which does not have to download scripts and CSS and HTML and JS in order to confirm they simply want to surf the Internet.

Unfortunately, I believe this is not convenient for the Internet advertisement and data selling business behind most big players, or I couldn't explain any of this madness otherwise ... so Cookie's law it is, with the entire World Wide Web penalized if surfing from Europe, and all of this thanks to EU politics that with such law didn't protect more at all any citizen, they just bothered all of them instead, "ignoring" the real problem: congratulations!

As Summary

Same as I don't understand politics that well, and indeed I do something else for living, I assume politics don't understand technology that well neither.
I don't think we need a European referendum here, we rather need top-notch competence up there: this is objectively a silly law that is damaging more the Internet, instead of improving it, where everyone simply agrees to surf so that nothing has been fixed.
Please do EU citizen a favor and drop this law ASAP, creating one that solves the problem instead of showing poor analysis and lack of common sense.
Thank You!

I also would like to understand how come most famous social networks, where tracking our activity is all they live on and sell, do not even bother with this, at least not from UK!

2 comments:

idea15 said...

You may enjoy this blog post, where a colleague here in the UK confirmed that the cookie law conflicts directly with disability law. https://idea15.wordpress.com/2015/01/20/the-cookie-law-informed-consent-and-disability/

Cristian Carlesso said...

I remember when this law came out I though, yes, of course politicians asked people to change all the existing websites, involving all the existing developers, which can also have lost access to some website where they results as the legal owner (...) to implement their solution (everyone of course will found a different way to show it) instead of asking 6 browser vendors (ok, let's say 20 to include the more obscure one) to show that in the browser in a unique / intelligent way.

I obviously had too to implement the banner in a day, and since if you store the information in the cookie by law you have to have a page explaining what is the key and what it does, and that required passing through at least 3 different people, I decided to use window.name instead ...

nice post about some of the reasons why this law is stupid and shouldn't exist, or at least it could have been solved by working with the browser vendors instead of imposing solutions without thinking of the background of the technology and the possible consequences.