Many Pies


Thursday, April 26, 2012

Visual display of tracking cookies - collusion

Thanks to the Guardian I've come across a Firefox plugin which gives you a visual display of tracking cookies. It's called Collusion. (Update 20 March 2021: it's now Lightbeam. Thanks to someone at Comparitech.com for telling me about this broken link.)

I've been vaguely aware that websites were passing information to each other, as I noticed that if I visited crucial.com to look at memory then I'd see more Crucial adverts on other sites. Similarly with Dell. Then one day I found a link on a site next to an advert (unfortunately I didn't note it down) which gave more information on why I was getting these Crucial adverts. It was easy to understand and very upfront about how it used information from other sites to display relevant adverts.

Here's what you get if you visit the following sites:

  • crucial.com
  • dabs.com
  • ebay.co.uk
  • bucksfreepress.co.uk
  • guardian.co.uk

Each circle represents a site that places cookies in your browser, and a line means that the site at one end placed a cookie for the site at the other end of the line.

The most circles appeared when I visited bucksfreepress.co.uk (one of the red squares with a yellow i in the middle). I guess it's a sign of a struggling industry that it has to try so hard to be clever with its advertising.

Wednesday, April 25, 2012

Getting rid of cookies on our website - Wordpress, YouTube, AddThis, Google maps

The deadline for complying with the EU Cookie law is 26 May, which is just over a month away.

Rather than get permission to use cookies on our website, which would either be intrusive or ignored, we've decided not to use cookies. Here's what I've found as I work through the various things that use cookies.

Wordpress Comments

The built-in Wordpress comments feature sets cookies so that it can remember the commenter's details for next time. I commented out (no pun intended) these three lines in wp-comments-post.php. (If you upgrade and this file gets changed you'll have to repeat this.)
// setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
// setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
// setcookie('comment_author_url_' . COOKIEHASH, esc_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);

Wordpress Jetpack Stats

The Wordpress Jetpack plugin uses Quantcast cookies (HT A. Cemal Eki). The wp-donottrack plugin will stop this.

YouTube

When you get the YouTube embed code you can now tick the "low privacy" option. All this does is use the youtube-nocookie.com domain, so you could use that on existing iframe embed code. The SmartYoutube Wordpress plugin allows you to set an option so that this happens on all your embedded videos.

Addthis.com

For the AddThis Wordpress plugin, go to the Advanced tab and put
{ data_use_cookies: false };
in the addthis_config values field. For an embedded button use this code:

<script type="text/javascript">
var addthis_config = { data_use_cookies: false };
</script>

This won't stop individual services, like twitter, using their own cookies, but it will stop the addthis.com cookies.

Google maps

For Google Maps use maps.googleapis.com rather than maps.google.com. HT barryhunter.
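
A way to check a page for the embeds covered in the YouTube, Addthis.com and Google maps sections above. This is an added example, not code from the original post: the function names are hypothetical and the sample page is constructed; the host swaps and the data_use_cookies setting are the ones given in the post.

```javascript
// Added example; host pairs come from the post, function names are hypothetical.
const HOST_FIXES = {
  'youtube.com': 'youtube-nocookie.com',
  'maps.google.com': 'maps.googleapis.com',
};

// Collect every src="..." / src='...' attribute value in the markup.
function srcUrls(html) {
  return [...html.matchAll(/\bsrc\s*=\s*(["'])(.*?)\1/gi)].map((m) => m[2]);
}

// Host of a src value, lower-cased by URL and without a leading "www.".
function hostOf(src) {
  try {
    // The base only serves to resolve protocol-relative and relative URLs.
    return new URL(src, 'https://page.invalid/').hostname.replace(/^www\./, '');
  } catch (e) {
    return null; // unparseable value: nothing to report
  }
}

function auditEmbeds(html) {
  const findings = [];
  let usesAddThis = false;
  for (const src of srcUrls(html)) {
    const host = hostOf(src);
    if (host === null) continue;
    if (Object.prototype.hasOwnProperty.call(HOST_FIXES, host)) {
      findings.push({ src, issue: 'cookie-setting host', use: HOST_FIXES[host] });
    }
    if (host === 'addthis.com' || host.endsWith('.addthis.com')) usesAddThis = true;
  }
  // The AddThis widget passes only when the page switches its cookies off.
  if (usesAddThis && !/data_use_cookies\s*:\s*false/.test(html)) {
    findings.push({ src: 'addthis_config', issue: 'cookies not disabled', use: 'data_use_cookies: false' });
  }
  return findings;
}

// Constructed sample page (VIDEO_ID is a placeholder).
const SAMPLE = `
<iframe src="//www.youtube.com/embed/VIDEO_ID"></iframe>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<script src="http://maps.google.com/maps/api/js?sensor=false"></script>
<script src="https://s7.addthis.com/js/addthis_widget.js"></script>`;
console.log(auditEmbeds(SAMPLE));
```

It only inspects the markup it is given, so cookies set by scripts loaded at run time still need a check in the browser.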

Tuesday, March 20, 2012

New Data Protection Directive and NGOs


The European Commission is proposing a reform to the Data Protection rules. Although they've highlighted a few things in the press release, there is some wording which may be of interest if you work for an NGO that is made up of different organisations in different countries. (It applies to companies too, but as UK charities have to be autonomous, as I understand it, we may have looser links with our partners, yet share data.)

As I Am Not A Lawyer, I shall just quote rather than make interpretations.

"...legitimate flows of data to third countries will be made easier by reinforcing and simplifying rules on international transfers to countries not covered by an adequacy decision, in particular by streamlining and extending the use of tools such as Binding Corporate Rules, so that they can be used to cover data processors and within groups of companies, thus better reflecting the increasing number of companies involved in data processing activities, especially in cloud computing;" from the communication.

"Member States shall provide that where a controller determines the purposes, conditions and means of the processing of personal data jointly with others, the joint controllers must determine the respective responsibilities for compliance with the provisions adopted pursuant to this Directive, in particular as regards the procedures and mechanisms for exercising the rights of the data subject, by means of an arrangement between them." from the proposal.

I found out today that the US is working on a Privacy Bill of Rights and working together with the EU. Good to see.

Thursday, November 10, 2011

Are you getting permission to use cookies on your website?

I recently came back to this issue when reading a Data Protection update on Lasa's ICT Hub Knowledgebase. We use cookies for donations processing and that's OK as it's necessary for the transaction. However the problem for us, like many sites probably, is that Google Analytics uses cookies.

There's a good overview of the issue on the Webmasters Stackexchange site, including a link to a simple solution for getting permission. I reread the latest guidance and spotted for the first time that it said about such third party services that they
...will no doubt adapt to achieve compliance with the new rule...
Six months to go and there's no sign of it...

Has anyone seen a website, apart from the ICO themselves, getting permission to use cookies?

Thursday, February 24, 2011

Is an email address personal data?

I was at a Data Protection seminar last week and this question came up. The answer was "yes, if the email address contains a name". However I wondered if that's always so clear cut: