Dear all,
not sure if this discussion already happens somewhere else, I couldn't find it on MediaWiki.org or by googling.
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if
- the user has been informed beforehand in detail
- the user has accepted the cookie
- this acceptance was given freely, without doubt and through by action
(This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.)
An example of how this is being implemented can be seen on sourceforge.org or here: http://ec.europa.eu/justice/cookies/index_en.htm
I checked MediaWiki:
- anonymous users don't get a cookie, unless the site owner added something (eg. Google Analytics, Piwik or content served by another site using cookies) -> this is fine
- as soon as I click the "Login" button on the wiki, a cookie is being set -> here we need to work, we need to ask first
So I see two possibilities:
1) catch the click on the "Login" link to show a banner first to ask for the users consent, on acceptance forward the user to the login page
2) modify the login process to set the cookie after the actual login and put an additional text on the login page like "by logging in I accept the usage of cookies by this website" -> as the login is an action which implies the consent, if we inform properly on the login form already
Any thoughts about this?
This issue also concerns all our Wikimedia websites, basically every MediaWiki out there where people may log into.
The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR.
/Manuel
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:ht...
[2] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion...
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider@wikimedia.ch> wrote:
Dear all,
not sure if this discussion already happens somewhere else, I couldn't find it on MediaWiki.org or by googling.
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if
- the user has been informed beforehand in detail
- the user has accepted the cookie
- this acceptance was given freely, without doubt and through by action
(This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.)
An example of how this is being implemented can be seen on sourceforge.org or here:
I checked MediaWiki:
- anonymous users don't get a cookie, unless the site owner added something (eg. Google Analytics, Piwik or content served by another site using cookies) -> this is fine
- as soon as I click the "Login" button on the wiki, a cookie is being set -> here we need to work, we need to ask first
So I see two possibilities:
- catch the click on the "Login" link to show a banner first to ask for the users consent, on acceptance forward the user to the login page
- modify the login process to set the cookie after the actual login and put an additional text on the login page like "by logging in I accept the usage of cookies by this website"
The cookie on the login page is for the anti-csrf (and captcha if needed) validation, so getting rid of it would be problematic from a technical perspective (or would require a second click on the login page).
-> as the login is an action which implies the consent, if we inform properly on the login form already
Any thoughts about this?
This issue also concerns all our Wikimedia websites, basically every MediaWiki out there where people may log into.
The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR.
/Manuel
[1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:ht...
[2] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion...
Wikimedia CH - Verein zur Förderung Freien Wissens Lausanne, +41 (21) 34066-22 - www.wikimedia.ch
Wikitech-l mailing list Wikitech-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l
Am 10.03.2014 16:54, schrieb Chris Steipp:
- catch the click on the "Login" link to show a banner first to ask for the users consent, on acceptance forward the user to the login page
- modify the login process to set the cookie after the actual login and put an additional text on the login page like "by logging in I accept the usage of cookies by this website"
The cookie on the login page is for the anti-csrf (and captcha if needed) validation, so getting rid of it would be problematic from a technical perspective (or would require a second click on the login page).
Thanks Chris for this comment.
So that leaves us with option 1) - a javascript banner. I think that shouldn't be too hard to implement.
A <div> which hovers over the Wiki page, the text, two buttons [accept] / [leave]. Accept points to Special:Userlogin, leave just closes the banner. A javascript that shows this <div> onclick() on the Login link, if no cookie has already been set by the Wiki.
Maybe even a LocalSettings.php variable $wgApproveCookies = true; that is true by default and allows admins of internal company wikis etc. to disable that banner.
As an option we could even add another setting $wgApproveCookiesAlways, which makes the same <div> show up as soon as a user enters the wiki. That way we can support admins that have further extensions installed in their wiki which add cookies right away - like Google Analytics.
/Manuel
Am 10.03.2014 17:01 schrieb "Manuel Schneider" < manuel.schneider@wikimedia.ch>:
Is there any technical argument against this proposal?
Rupert
On Tue, Mar 11, 2014 at 10:33 PM, rupert THURNER rupert.thurner@gmail.com wrote:
What's the fallback for users without JavaScript enabled in this scenario?
Remco
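The banner Manuel sketched above, with Remco's no-JavaScript question taken into account, as an added example that is not code from the thread or from MediaWiki: the Login link stays an ordinary link, so a browser without JavaScript simply loads Special:Userlogin as it does today, and the banner only appears when the wiki has not set any cookie yet. The cookie prefix "enwiki", the "#pt-login a" selector, the banner wording and the approveCookies switch (standing in for the proposed $wgApproveCookies) are assumptions.

```javascript
// Added example, not code from the thread or from MediaWiki: the consent
// check behind the proposed banner as a progressive enhancement. The cookie
// prefix (MediaWiki's $wgCookiePrefix; "enwiki" is a constructed value),
// the "#pt-login a" selector and the banner wording are assumptions.
const WIKI_COOKIE_PREFIX = 'enwiki';

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) jar[name] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Manuel's rule: show the banner only if the wiki has not set any cookie yet.
// Third-party cookies (e.g. an analytics "_ga") are not wiki cookies and are ignored.
function bannerNeeded(cookieString, prefix = WIKI_COOKIE_PREFIX) {
  const names = Object.keys(parseCookies(cookieString));
  return !names.some((name) => name.startsWith(prefix));
}

// What a click on the Login link should do; kept free of DOM access so it can
// be tested. 'proceed' lets the link navigate, 'ask' shows the banner first.
// approveCookies mirrors the proposed $wgApproveCookies switch.
function loginClickAction(cookieString, approveCookies = true) {
  if (!approveCookies) return 'proceed';
  return bannerNeeded(cookieString) ? 'ask' : 'proceed';
}

// Browser wiring; skipped where there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  const link = document.querySelector('#pt-login a');
  if (link) {
    link.addEventListener('click', (ev) => {
      if (loginClickAction(document.cookie) !== 'ask') return;
      ev.preventDefault(); // hold the navigation until the user decides
      const box = document.createElement('div');
      box.textContent = 'Logging in sets a cookie on this wiki. ';
      const accept = document.createElement('button');
      accept.textContent = 'accept';
      accept.onclick = () => { window.location.href = link.href; }; // on to Special:Userlogin
      const leave = document.createElement('button');
      leave.textContent = 'leave';
      leave.onclick = () => box.remove();
      box.append(accept, leave);
      document.body.append(box);
    });
  }
}
```

Chris's point still stands: accepting only moves the user to the login page, where the anti-CSRF cookie is set as before, so the consent is collected before that first cookie rather than by removing it.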
Manuel Schneider wrote:
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if
- the user has been informed beforehand in detail
- the user has accepted the cookie
- this acceptance was given freely, without doubt and through by action
(This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.)
[...]
I checked MediaWiki:
- anonymous users don't get a cookie, unless the site owner added something (eg. Google Analytics, Piwik or content served by another site using cookies) -> this is fine
- as soon as I click the "Login" button on the wiki, a cookie is being set -> here we need to work, we need to ask first
So I see two possibilities:
[...]
Any thoughts about this?
In my opinion, you should e-mail legal@wikimedia.org if you're concerned about this issue. If the Wikimedia Foundation legal team feels that MediaWiki or Wikimedia wikis are inappropriately out of compliance with the EU privacy policy, they can say so explicitly and we can then discuss possible solutions.
As it is, I personally don't think there's an actionable issue here and I think we shouldn't change MediaWiki or Wikimedia behavior until there is.
MZMcBride
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider@wikimedia.ch> wrote:
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if
- the user has been informed beforehand in detail
- the user has accepted the cookie
- this acceptance was given freely, without doubt and through by action
(This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.)
An example of how this is being implemented can be seen (...) here:
That page actually sets a cookie without getting your consent first, and so does the other EU website you have linked. Which is a good indication of how seriously this is taken in the EU - not at all. Some content providers show you a small banner saying "by browsing our site you accept cookies blah blah blah" when you first visit, most don't even bother to do that.
I doubt there is any need to change MediaWiki because of that. There are several drop-in javascript plugins (CookieCuttr http://cookiecuttr.com/, Cookie Consent http://demo.cookieconsent.silktide.com/ etc) which a site admin can easily install if they want to ask for consent, but in practice that is not expected even from major websites, whatever the (not legally binding) recommendation from the Article 29 WP says.
I don’t know much about the matter, but I thought this policy was mostly about limiting tracking cookies. Let’s first ask legal@ if anything should be done at all, at this point.
On 11 Mar 2014, at 08:34, Gergo Tisza gtisza@wikimedia.org wrote:
This conversation would IMHO be more appropriate on mediawiki-l because it affects mainly third parties who care about the higher privacy standards of EU, but thanks for starting it.
On asking WMF legals, no worries, they were already pointed to the possibility of an issue with 2009/136/EC / "EU cookie law" / revised ePrivacy Directive on Fri, 16 Aug 2013 11:18:32 +0200 (no reply received, but I was merely giving a pointer and not interested in following up). Some fines were levied just a few days ago, as a quick search reveals: http://www.bna.com/spanish-dpa-levies-n17179882151/.
As for Wikimedia projects, relevant links are
- stub https://meta.wikimedia.org/wiki/Cookie_jar
- draft https://meta.wikimedia.org/wiki/Privacy_policy/FAQ#Can_you_give_me_some_examples_of_types_of_cookies_and_how_you_use_local_storage.3F
- https://www.mediawiki.org/wiki/Requests_for_comment/Performance_standards_for_new_features#Scope_and_issues
I believe most issues with cookies are currently/usually caused by some extensions which unconditionally add one or more. The biggest drive for their removal, so far, has been performance. Sometimes they are replaced with localStorage, which is better for performance, but I have no idea how better for privacy.
Nemo
Am 11.03.2014 12:57, schrieb Federico Leva (Nemo):
This conversation would IMHO be more appropriate on mediawiki-l because it affects mainly third parties who care about the higher privacy standards of EU, but thanks for starting it.
I think, a bugzilla should be filed for this cookie issue (better tracking). I also think, we cannot ignore the legal issues in EU and other countries concerning "cookies".
T.
Note that the situation is different for Wikimedia projects than for Mediawiki. Whether or not WMF LCA thinks it is necessary for the Wikimedia-hosted services, it may still be a useful feature to build for users of Mediawiki who believe that the rule should apply to them. So don't let "WMF doesn't think it needs to be deployed on WMF wikis" stop anyone from developing it for Mediawiki-the-community-driven-widely-deployed-FLOSS-project.
Luis
On Tue, Mar 11, 2014 at 4:57 AM, Federico Leva (Nemo) nemowiki@gmail.com wrote:
On Tue, Mar 11, 2014 at 12:34 AM, Gergo Tisza gtisza@wikimedia.org wrote:
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider@wikimedia.ch> wrote:
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if
- the user has been informed beforehand in detail
- the user has accepted the cookie
- this acceptance was given freely, without doubt and through by action
(This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.)
An example of how this is being implemented can be seen (...) here:
That page actually sets a cookie without getting your consent first, and so does the other EU website you have linked. Which is a good indication of how seriously this is taken in the EU - not at all. Some content providers show you a small banner saying "by browsing our site you accept cookies blah blah blah" when you first visit, most don't even bother to do that.
I doubt there is any need to change MediaWiki because of that.
Indeed. Plus Chris said it'd be problematic since it's providing anti-CSRF.
There are several drop-in javascript plugins (CookieCuttr http://cookiecuttr.com/, Cookie Consent http://demo.cookieconsent.silktide.com/ etc) which a site admin can easily install if they want to ask for consent, but in practice that is not expected even from major websites, whatever the (not legally binding) recommendation from the Article 29 WP says.
Let's please not do silly things like using Javascript when cookies work just fine as they are :)
-Chad
On 03/10/2014 04:46 PM, Manuel Schneider wrote:
The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if [...] The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR.
Are there any known cases, in Austria or elsewhere, where a violation of these rules actually has resulted in any penalty? Has it ever been taken to court?