MediaWiki, Cookies and EU Privacy Policy 95/46/EG

List overview All Threads
Download

newer

older

Travel sponsorship requests for...

Project Proposal for FOSS OPW...

Manuel Schneider

10 Mar 2014 10 Mar '14

3:46 p.m.

Dear all, not sure if this discussion already happens somewhere else, I couldn't find it on MediaWiki.org or by googling. The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if * the user has been informed beforehand in detail * the user has accepted the cookie * this acceptance was given freely, without doubt and through by action (This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.) An example how this is being implemented can be seen on sourceforge.org or here: * http://ec.europa.eu/justice/cookies/index_en.htm I checked MediaWiki: * anonymous users don't get a cookie, unless the site owner added something (eg. Google Analytics, Piwik or content served by another site using cookies) -> this is fine * as soon as I click the "Login" button on the wiki, a cookie is being set -> here we need to work, we need to ask first So I see two possibilities: 1) catch the click on the "Login" link to show a banner first to ask for the users consent, on acceptance forward the user to the login page 2) modify the login process to set the cookie after the actual login and put an additional text on the login page like "by logging in I accept the usage of cookies by this website" -> as the login is an action which implies the consent, if we inform properly on the login form already Any thoughts about this? This issue also concerns all our Wikimedia websites, basically every MediaWiki out there where people may log into. The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR. /Manuel [1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:h… [2] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinio… -- Wikimedia CH - Verein zur Förderung Freien Wissens Lausanne, +41 (21) 34066-22 - www.wikimedia.ch

Show replies by date

Chris Steipp

10 Mar 10 Mar

3:54 p.m.

On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider(a)wikimedia.ch> wrote:

...

The cookie on the login page is for the anti-csrf (and captcha if needed) validation, so getting rid of it would be problematic from a technical perspective (or would require a second click on the login page).

...

-> as the login is an action which implies the consent, if we inform properly on the login form already Any thoughts about this? This issue also concerns all our Wikimedia websites, basically every MediaWiki out there where people may log into. The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR. /Manuel [1] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:h… [2] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinio… -- Wikimedia CH - Verein zur Förderung Freien Wissens Lausanne, +41 (21) 34066-22 - www.wikimedia.ch _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Manuel Schneider

4:01 p.m.

Am 10.03.2014 16:54, schrieb Chris Steipp:

...

> 1) catch the click on the "Login" link to show a banner first to ask for > the users consent, on acceptance forward the user to the login page > > 2) modify the login process to set the cookie after the actual login and > put an additional text on the login page like "by logging in I accept > the usage of cookies by this website"

...

Thanks Chris for this comment. So that leaves us with option 1) - a javascript banner. I think that shouldn't be too hard to implement. A <div> which hovers over the Wiki page, the text, two buttons [accept] / [leave]. Accept points to Special:Userlogin, leave just closes the banner. A javascript that shows this <div> onclick() on the Login link, if no cookie has already been set by the Wiki. Maybe even a LocalSettings.php variable $wgApproveCookies = true; that is true by default and allows admins of internal company wikis etc. to disable that banner. As an option we could even add another setting $wgApproveCookiesAlways, which makes the same <div> to show up as soon as a user enters the wiki. That way we can support admins that have further extensions installed in their wiki which add cookies right away - like Google Analytics. /Manuel -- Wikimedia CH - Verein zur Förderung Freien Wissens Lausanne, +41 (21) 34066-22 - www.wikimedia.ch

rupert THURNER

11 Mar 11 Mar

9:33 p.m.

Am 10.03.2014 17:01 schrieb "Manuel Schneider" < manuel.schneider(a)wikimedia.ch>gt;:

...

Am 10.03.2014 16:54, schrieb Chris Steipp: >> 1) catch the click on the "Login" link to show a banner first to ask

for

...

>> the users consent, on acceptance forward the user to the login page >> >> 2) modify the login process to set the cookie after the actual login

and

...

> put an additional text on the login page like "by logging in I accept > the usage of cookies by this website"

> The cookie on the login page is for the anti-csrf (and captcha if

needed)

...

validation, so getting rid of it would be problematic from a technical perspective (or would require a second click on the login page).

banner.

...

A javascript that shows this <div> onclick() on the Login link, if no cookie has already been set by the Wiki. Maybe even a LocalSettings.php variable $wgApproveCookies = true; that is true by default and allows admins of internal company wikis etc. to disable that banner. As an option we could even add another setting $wgApproveCookiesAlways, which makes the same <div> to show up as soon as a user enters the wiki. That way we can support admins that have further extensions installed in their wiki which add cookies right away - like Google Analytics.

Is there any technical argument against this proposal? Rupert

Remco de Boer

14 Mar 14 Mar

1:59 p.m.

On Tue, Mar 11, 2014 at 10:33 PM, rupert THURNER <rupert.thurner(a)gmail.com>wrote;wrote:

...

Am 10.03.2014 17:01 schrieb "Manuel Schneider" < manuel.schneider(a)wikimedia.ch>gt;:

Am 10.03.2014 16:54, schrieb Chris Steipp: >> 1) catch the click on the "Login" link to show a banner first to ask

for

>> the users consent, on acceptance forward the user to the login page >> >> 2) modify the login process to set the cookie after the actual login

and

> put an additional text on the login page like "by logging in I accept > the usage of cookies by this website"

> The cookie on the login page is for the anti-csrf (and captcha if

needed)

validation, so getting rid of it would be problematic from a technical perspective (or would require a second click on the login page).

banner.

Is there any technical argument against this proposal? Rupert

What's the fallback for users without JavaScript enabled in this scenario? Remco

Max Semenik

6:55 p.m.

On 14.03.2014, 17:59 Remco wrote:

...

What's the fallback for users without JavaScript enabled in this scenario?

Nothing. You can't login without cookies. -- Best regards, Max Semenik ([[User:MaxSem]])

MZMcBride

11 Mar 11 Mar

2:03 a.m.

Manuel Schneider wrote:

...

The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if * the user has been informed beforehand in detail * the user has accepted the cookie * this acceptance was given freely, without doubt and through by action (This is the summary by the Article 29 Working Party issued in a Working Document 02/2013[2] on October 2nd, 2013.) [...] I checked MediaWiki: * anonymous users don't get a cookie, unless the site owner added something (eg. Google Analytics, Piwik or content served by another site using cookies) -> this is fine * as soon as I click the "Login" button on the wiki, a cookie is being set -> here we need to work, we need to ask first So I see two possibilities: [...] Any thoughts about this?

In my opinion, you should e-mail legal(a)wikimedia.org if you're concerned about this issue. If the Wikimedia Foundation legal team feels that MediaWiki or Wikimedia wikis are inappropriately out of compliance with the EU privacy policy, they can say so explicitly and we can then discuss possible solutions. As it is, I personally don't think there's an actionable issue here and I think we shouldn't change MediaWiki or Wikimedia behavior until there is. MZMcBride

Gergo Tisza

7:34 a.m.

On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider(a)wikimedia.ch> wrote:

...

That page actually sets a cookie without getting your consent first, and so does the other EU website you have linked. Which is a good indication of how seriously this is taken in the EU - not at all. Some content providers show you a small banner saying "by browsing our site you accept cookies blah blah blah" when you first visit, most don't even bother to do that. I doubt there is any need to change MediaWiki because of that. There are several drop-in javascript plugins (CookieCuttr <http://cookiecuttr.com/>, Cookie Consent <http://demo.cookieconsent.silktide.com/> etc) which a site admin can easily install if they want to ask for consent, but in practice that is not expected even from major websites, whatever the (not legally binding) recommendation from the Article 29 WP says.

Matthias Mullie

9:35 a.m.

I don’t know much about the matter, but I thought this policy was mostly about limiting tracking cookies. Let’s first ask legal@ if anything should be done at all, at this point. On 11 Mar 2014, at 08:34, Gergo Tisza <gtisza(a)wikimedia.org> wrote:

...

On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider(a)wikimedia.ch> wrote:

Federico Leva (Nemo)

11:57 a.m.

This conversation would IMHO be more appropriate on mediawiki-l because it affects mainly third parties who care about the higher privacy standards of EU, but thanks for starting it. On asking WMF legals, no worries, they were already pointed to the possibility of an issue with 2009/136/EC / "EU cookie law" / revised ePrivacy Directive on Fri, 16 Aug 2013 11:18:32 +0200 (no reply received, but I was merely giving a pointer and not interested in following up). Some fines were levied just few days ago, as a quick search reveals: <http://www.bna.com/spanish-dpa-levies-n17179882151/>. As for Wikimedia projects, relevant links are * stub https://meta.wikimedia.org/wiki/Cookie_jar * draft <https://meta.wikimedia.org/wiki/Privacy_policy/FAQ#Can_you_give_me_some_examples_of_types_of_cookies_and_how_you_use_local_storage.3F> * <https://www.mediawiki.org/wiki/Requests_for_comment/Performance_standards_for_new_features#Scope_and_issues> I believe most issues with cookies are currently/usually caused by some extensions which unconditionally add one or more. The biggest drive for their removal, so far, has been performance. Sometimes they are replaced with localStorage, which is better for performance, but I have no idea how better for privacy. Nemo

Thomas Gries

6:40 p.m.

Am 11.03.2014 12:57, schrieb Federico Leva (Nemo):

...

This conversation would IMHO be more appropriate on mediawiki-l because it affects mainly third parties who care about the higher privacy standards of EU, but thanks for starting it.

I think, a bugzilla should be filed for this cookie issue (better tracking). I also think, we cannot ignore the legal issues in EU and other countries concerning "cookies". T.

Luis Villa

6:42 p.m.

Note that the situation is different for Wikimedia projects than for Mediawiki. Whether or not WMF LCA thinks it is necessary for the Wikimedia-hosted services, it may still be a useful feature to build for users of Mediawiki who believe that the rule should apply to them. So don't let "WMF doesn't think it needs to be deployed on WMF wikis" stop anyone from developing it for Mediawiki-the-community-driven-widely-deployed-FLOSS-project. Luis On Tue, Mar 11, 2014 at 4:57 AM, Federico Leva (Nemo) <nemowiki(a)gmail.com>wrote;wrote:

...

This conversation would IMHO be more appropriate on mediawiki-l because it affects mainly third parties who care about the higher privacy standards of EU, but thanks for starting it. On asking WMF legals, no worries, they were already pointed to the possibility of an issue with 2009/136/EC / "EU cookie law" / revised ePrivacy Directive on Fri, 16 Aug 2013 11:18:32 +0200 (no reply received, but I was merely giving a pointer and not interested in following up). Some fines were levied just few days ago, as a quick search reveals: < http://www.bna.com/spanish-dpa-levies-n17179882151/>gt;. As for Wikimedia projects, relevant links are * stub https://meta.wikimedia.org/wiki/Cookie_jar * draft <https://meta.wikimedia.org/wiki/Privacy_policy/FAQ#Can_ you_give_me_some_examples_of_types_of_cookies_and_how_you_ use_local_storage.3F> * <https://www.mediawiki.org/wiki/Requests_for_comment/ Performance_standards_for_new_features#Scope_and_issues> I believe most issues with cookies are currently/usually caused by some extensions which unconditionally add one or more. The biggest drive for their removal, so far, has been performance. Sometimes they are replaced with localStorage, which is better for performance, but I have no idea how better for privacy. Nemo _______________________________________________ Wikitech-l mailing list Wikitech-l(a)lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/wikitech-l

-- Luis Villa Deputy General Counsel Wikimedia Foundation 415.839.6885 ext. 6810 NOTICE: *This message may be confidential or legally privileged. If you have received it by accident, please delete it and let us know about the mistake. As an attorney for the Wikimedia Foundation, for legal/ethical reasons I cannot give legal advice to, or serve as a lawyer for, community members, volunteers, or staff members in their personal capacity.*

Chad

7:06 p.m.

On Tue, Mar 11, 2014 at 12:34 AM, Gergo Tisza <gtisza(a)wikimedia.org> wrote:

...

On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider < manuel.schneider(a)wikimedia.ch> wrote:

Indeed. Plus Chris said it'd be problematic since it's providing anti-CSRF.

...

There are several drop-in javascript plugins (CookieCuttr <http://cookiecuttr.com/>, Cookie Consent <http://demo.cookieconsent.silktide.com/> etc) which a site admin can easily install if they want to ask for consent, but in practice that is not expected even from major websites, whatever the (not legally binding) recommendation from the Article 29 WP says.

Let's please not do silly things like using Javascript when cookies work just fine as they are :) -Chad

Lars Aronsson

10:46 a.m.

On 03/10/2014 04:46 PM, Manuel Schneider wrote:

...

The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of cookies only if [...] The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of 37.000 EUR.

Are there any known cases, in Austria or elsewhere, where a violation of these rules actually has resulted in any penalty? Has it ever been taken to court? -- Lars Aronsson (lars(a)aronsson.se) Aronsson Datateknik - http://aronsson.se

3748

days inactive

3752

days old

wikitech-l@lists.wikimedia.org

Manage subscription

13 comments

13 participants

tags (0)

participants (13)

Chad
Chris Steipp
Federico Leva (Nemo)
Gergo Tisza
Lars Aronsson
Luis Villa
Manuel Schneider
Matthias Mullie
Max Semenik
MZMcBride
Remco de Boer
rupert THURNER
Thomas Gries