I was at the University’s Webmasters’ Workshop event at the OeRC on Friday, and got talking to Dan Q of the Bodleian Libraries about the soon-to-be-enforced ‘cookie law’. We realised that it’s possible to achieve cookie-like behaviour without actually setting a cookie. We’d initially thought that this would circumvent the ‘cookie law’, but having looked at the text of the legislation as quoted in the ICO’s guidance on cookies it appears that this cookie-less approach would also be unlawful, and is certainly against the spirit of the law. I present the idea here as a thought experiment, and to point out that one might need to be careful before implementing any ‘workarounds’ to continue to track visitors.
A cookie is simply an arbitrary bit of data handed to a browser that it will then hand back on subsequent requests. The cookie can be used to store a (semi-)permanent identifier that can be used to track the user, and it’s this functionality we want to duplicate.
XMLHttpRequest to retrieve /track/. This returns a never-expiring 301 Moved Permanently response with a redirect to a URL containing a tracking identifier, say /track/sgnklsfg/. The browser retrieves this URL, and receives another never-expiring document. The document is a bit of XML containing the identifier, which can be retrieved using from the original
Further update: The redirect is probably unnecessary. There's also the possibility that the cached resource containing the identifier might drop off the bottom of the browser cache after a relatively short time. In this case, Dave's suggestion is probably a more reliable way to track a user.
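As an added illustration (not part of the original post), here is the check a site auditor could run from the outside to spot the mechanism described above: fetch the same URLs with two independent empty-cache clients and flag any long-lived response whose redirect target or body differs per client, since a per-visitor value in a permanently cached response is exactly the cookie substitute. The URLs, headers and identifiers below are constructed sample data, not captures from any real site.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

LONG_LIVED_SECONDS = 180 * 24 * 3600  # cached this long or longer: "effectively permanent"

@dataclass
class Response:
    url: str        # requested URL, before any redirect
    status: int
    headers: dict   # header name -> value
    body: str = ""

def cache_lifetime(resp, now):
    """Seconds the response may be served from cache; max-age wins over Expires."""
    m = re.search(r"max-age=(\d+)", resp.headers.get("Cache-Control", ""))
    if m:
        return int(m.group(1))
    exp = resp.headers.get("Expires")
    return int((parsedate_to_datetime(exp) - now).total_seconds()) if exp else 0

def find_cache_identifiers(capture_a, capture_b, now):
    """Compare captures from two independent empty-cache clients: a long-lived
    response that differs between them carries a per-visitor value (the cookie
    substitute described above), while identical ones are ordinary static assets."""
    by_url = {r.url: r for r in capture_b}
    findings = []
    for a in capture_a:
        b = by_url.get(a.url)
        if b is None or min(cache_lifetime(a, now), cache_lifetime(b, now)) < LONG_LIVED_SECONDS:
            continue
        if a.status == 301 and a.headers.get("Location") != b.headers.get("Location"):
            findings.append((a.url, "per-client redirect target"))
        elif a.status == 200 and a.body != b.body:
            findings.append((a.url, "per-client cached body"))
    return findings

# Constructed sample: the same three URLs fetched by two fresh clients.
NOW = datetime(2012, 5, 1, tzinfo=timezone.utc)
FAR = {"Cache-Control": "max-age=315360000"}  # ten years
CLIENT_A = [
    Response("/style.css", 200, dict(FAR), "body{margin:0}"),
    Response("/track/", 301, {**FAR, "Location": "/track/sgnklsfg/"}),
    Response("/beacon.xml", 200, {"Expires": "Fri, 01 Jan 2038 00:00:00 GMT"}, "<id>a1</id>"),
]
CLIENT_B = [
    Response("/style.css", 200, dict(FAR), "body{margin:0}"),
    Response("/track/", 301, {**FAR, "Location": "/track/q8fhb2kd/"}),
    Response("/beacon.xml", 200, {"Expires": "Fri, 01 Jan 2038 00:00:00 GMT"}, "<id>b7</id>"),
]
```

Long-lived responses that are identical for both clients (such as the stylesheet) are left alone, so ordinary far-future caching of static assets does not trigger a finding.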
The law is complicated, and I am not a lawyer. This is my interpretation of the law, and it is liable to differ from that of professionals.
The relevant section of the Privacy and Electronic Communications Regulations Act 2003, as amended, is:
- Subject to paragraph (D), a person shall not store or gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (B) are met.
- The requirements are that the subscriber or user of that terminal
  - is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
  - has given his or her consent.
- Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (B) are met in respect of the initial use.
- For the purposes of paragraph (B), consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.
- Paragraph (A) shall not apply to the technical storage of, or access to, information--
  - for the sole purpose of carrying out the transmission of a communication over an electronic communications network; or
  - where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.
This doesn't mention cookies by name, only the act of storing information in, or retrieving information from, the user's browser without consent, unless doing so is necessary in order to provide the requested service. A broad interpretation might be that, as CSS generally contains no semantic content, it is not strictly necessary and so requires the permission of the user. Likewise advertising. Other techniques for identifying the user, such as browser fingerprinting, access information stored in the terminal equipment without permission, and so are presumably unlawful. Likewise, subscribing to orientation events would be forbidden, as it isn't "strictly necessary" for providing a service, just convenient. It all seems a bit too woolly and all-encompassing. You might be interested in Silktide's page on what is affected by the "Cookie Law".
As mentioned earlier, the wording of the legislation seems to suggest that this cookie-less approach would still be as unlawful as the equivalent using cookies.