phpBB and the EU cookie law - the cookie opt-in regulation

Do not post support requests, bug reports or feature requests. Discuss phpBB here. Non-phpBB related discussion goes in General Discussion!
Suggested Hosts
User avatar
MichaelC
Consultant
Consultant
Posts: 3642
Joined: Mon Dec 21, 2009 3:36 pm
Location: Surrey, UK
Name: Michael Cullum
Contact:

Re: Web site owners are warned about cookies

Post by MichaelC »

Callum95 wrote:Any business doing business in the EU is expected to comply with the EU's cookie law. I'm not sure how that would apply to bulletin boards, though.
It would still apply and it would be the server owners (aka the web host) that would get asked to remove the content by the authorities, then assuming that they have suitable policies (e.g. terms of service) they could terminate, suspend or if the authorities fine the web host, the web host could in return fine the content holder (aka the board owner).
:)
Formerly known as Unknown Bliss.
Formerly Website Team Lead/Manager & Development Team.
Please don't PM me for support (or stuff that belongs in the forums or tracker) but otherwise feel free
Rezan
Registered User
Posts: 2
Joined: Thu Mar 29, 2012 8:44 am

Cookies

Post by Rezan »

Hello All,

I was wondering if anyone knows what are the function of the following cookies within PHPBB Forum.

· phpbb3ck_k
· phpbb3ck_sid
· phpbb3ck_u

It is very urgent. Any answer will be appreciated.

I was wondering if those cookies are OK for EU Cookies Law.

Thanks
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22919
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: Cookies

Post by Mick »

Yes, they are session cookies and what particular part of the cookie law are you talking about?

Edit:
Rezan wrote:It is very urgent
Come on, I thought this was very urgent?

Edit again:

Having done a quick search on here I found this information:

That law is to do with tracking cookies, which phpBB doesn't use, not session cookies which phpBB does use. The new requirement is essentially that cookies can only be placed on machines where the user or subscriber has given their consent. The privacy policy, which all of your users have agreed to through clicking 'yes' on the T&C page on registration, clearly states cookies are collected and what they're used for. That policy is also freely available on the login page.
"The more connected we get the more alone we become" - Kyle Broflovski©
Rezan
Registered User
Posts: 2
Joined: Thu Mar 29, 2012 8:44 am

Re: Cookies

Post by Rezan »

Mick wrote:Yes, they are session cookies and what particular part of the cookie law are you talking about?

Thank you for your answer.

There are some information about the EU Cookie Law here.

http://www.cookielaw.org/the-cookie-law-explained.aspx

http://www.cookielaw.org/the-cookie-law-explained.aspx

Thanks

Edit: So that means the cookies above are allowed and there is not need to do anything.
User avatar
Mick
Support Team Member
Support Team Member
Posts: 22919
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably.

Re: Cookies

Post by Mick »

As far as I'm aware yes but if you have any further doubts I suggest you contact a lawyer.
"The more connected we get the more alone we become" - Kyle Broflovski©
User avatar
/a3
Registered User
Posts: 411
Joined: Sun Sep 19, 2010 9:08 am
Location: /dev/random

Re: Cookies

Post by /a3 »

Rezan wrote:Edit: So that means the cookies above are allowed and there is not need to do anything.
I have done some reading, and here is what I've found (PS. I'm not a lawyer, and this is not legal advice):
HTTP cookie - Wikipedia wrote:In particular, Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if:
1. the user is provided information about how this data is used;
phpBB is open source, which means information on how the data is used is publicly available in the source code.
HTTP cookie - Wikipedia wrote:2. the user is given the possibility of denying this storing operation. However, this article also states that storing data that is necessary for technical reasons is exempted from this rule.
phpBB stores session cookies all of the time, even for guests. Some boards have a guest topic-marking feature that requires cookies to be enabled. Also, guests can use cookies to control the text-size on some proSilver boards. There is currently no way to prevent data from being stored as a non-logged-in guest besides disabling cookies. This would be nice for users that aren't logged in, perhaps using P3P or something similar, but it is not the case at the moment.

Of course cookies are used for logged-in users to browse the board. Whether that counts as a "technical reason" or not is open to interpretation.

It should be noted that phpBB can be used without cookies, but perhaps a security risk if the person's session identifier is found from a referrer. phpBB3 reduces this risk by only allowing people from a limited IP range, based on the session IP address, to use that session.
$ git commit -m "YOLO"
Rezan
Registered User
Posts: 2
Joined: Thu Mar 29, 2012 8:44 am

Re: Cookies

Post by Rezan »

Thank you very much for all you explanation and information.
It is really kind of you.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: Cookies

Post by Pony99CA »

/a3 wrote:I have done some reading, and here is what I've found (PS. I'm not a lawyer, and this is not legal advice):
HTTP cookie - Wikipedia wrote:In particular, Article 5, Paragraph 3 of this directive mandates that storing data (like cookies) in a user's computer can only be done if:
1. the user is provided information about how this data is used;
phpBB is open source, which means information on how the data is used is publicly available in the source code.
I'm not a lawyer either, but I wouldn't think being open source would meet the spirit (or perhaps even the letter) of the law. I suspect that the law is calling for the cookie details to be listed in a Privacy Policy document that is linked to from the site that the user is visiting.

Why don't I think that the source code is sufficient? First, how does a user know that a board is using phpBB? The credit link may have been removed. Second, how would the user find the source code (especially if there's no credit link)? Finally, is it reasonable to expect a user to search the source code to find which cookie did what? That's a horrible burden to place on a visitor to your site.

It seems like phpBB (especially being somewhat U.K. centric) might want to update their Privacy Policy to describe cookie usage in more detail (and link to the Privacy Policy from the footer). That doesn't seem like an unreasonable burden to place on the development team. I even gave a rough outline of how to implement cookie consent.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
User avatar
/a3
Registered User
Posts: 411
Joined: Sun Sep 19, 2010 9:08 am
Location: /dev/random

Re: Cookies

Post by /a3 »

Pony99CA wrote:I'm not a lawyer either, but I wouldn't think being open source would meet the spirit (or perhaps even the letter) of the law.
Yeah, actually I have no idea. ;) But being open source would help, no doubt about that. It's a lot more difficult to discover how companies like Facebook, or other companies that don't use source code that is publicly available. Correct me if I'm wrong, but the primary target of such laws were companies like Facebook and Google. Of course that's not a reason to not comply with the law.

If a case did go to court, a board owner could easily point to the phpBB source code to show how cookies are being used on their site.
Pony99CA wrote:It seems like phpBB (especially being somewhat U.K. centric) might want to update their Privacy Policy to describe cookie usage in more detail (and link to the Privacy Policy from the footer). That doesn't seem like an unreasonable burden to place on the development team. I even gave a rough outline of how to implement cookie consent.
I don't think I could disagree with that. An update to the privacy policy to include these details would certainly be helpful.

It's not so much phpBB's privacy policy, but the "default" policy that is provided by phpBB. But that's nitpicking anyway.
$ git commit -m "YOLO"
User avatar
HGN
Former Team Member
Posts: 4706
Joined: Wed Dec 03, 2008 1:53 pm
Location: The Netherlands
Name: Alfred
Contact:

Re: phpBB and the EU cookie law - the cookie opt-in regulati

Post by HGN »

Four topics concerning the EU cookie law are merged into this topic, to have all questions and opinions at one place.
andybarnes
Registered User
Posts: 4
Joined: Mon Apr 16, 2012 10:31 am

Re: phpBB and the EU cookie law - the cookie opt-in regulati

Post by andybarnes »

Rezan wrote:Hello All,

I was wondering if anyone knows what are the function of the following cookies within PHPBB Forum.

· phpbb3ck_k
· phpbb3ck_sid
· phpbb3ck_u

It is very urgent. Any answer will be appreciated.

I was wondering if those cookies are OK for EU Cookies Law.

Thanks
Hi all,

Just looking at this today.

My understanding from a lot of reading this morning is that UK website owners must have users 'opt in' for any cookies that aren't essential. The obvious one being something like Google Analytics. However as soon as you hit the forum, the 3 session cookies above are created. Are they essential in terms of the application wouldn't work without them? Does anyone know where I can find an overview of what they are used for?

One example I've seen is that a cookie that welcomes a user back to a site is non essential, so I'd be interested to know if these really are 'essential' cookies. I imagine as others have mentioned, once the user registers, they are accepting the further use of cookies from that point. So I'm just interested in the 3 that Rezan mentions? Any help would be great!
User avatar
callumacrae
Former Team Member
Posts: 2662
Joined: Tue Feb 12, 2008 12:28 pm
Location: London, UK
Name: Callum Macrae
Contact:

Re: phpBB and the EU cookie law - the cookie opt-in regulati

Post by callumacrae »

All cookies that phpBB leaves are essential, and the policy which is agreed to on signup covers anything anyway.
macr.ae = my website. you probably won't like it.
Proud user ofProud user of
User avatar
HGN
Former Team Member
Posts: 4706
Joined: Wed Dec 03, 2008 1:53 pm
Location: The Netherlands
Name: Alfred
Contact:

Re: phpBB and the EU cookie law - the cookie opt-in regulati

Post by HGN »

callumacrae wrote:and the policy which is agreed to on signup covers anything anyway.
I think the question is regarding guests that are not signing up, but receiving the cookies anyways.
andybarnes
Registered User
Posts: 4
Joined: Mon Apr 16, 2012 10:31 am

Re: phpBB and the EU cookie law - the cookie opt-in regulati

Post by andybarnes »

HGN wrote:
callumacrae wrote:and the policy which is agreed to on signup covers anything anyway.
I think the question is regarding guests that are not signing up, but receiving the cookies anyways.
Yep, I was more concerned about the three that are created for anonymous users. If they are essential, then that's fine to an extent - although the ICO have said they are taking a narrow view on that.

To be honest, this law is to stop people farming out browsing data for advertisers and the like, and those are the companies that will be targeted initially - along with those who have had complaints about them. So something like this shouldn't really be an issue - it's just it is going to be the law soon and it would be great to have some solid facts.
Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: phpBB and the EU cookie law - the cookie opt-in regulati

Post by Pony99CA »

andybarnes wrote:To be honest, this law is to stop people farming out browsing data for advertisers and the like, and those are the companies that will be targeted initially - along with those who have had complaints about them. So something like this shouldn't really be an issue - it's just it is going to be the law soon and it would be great to have some solid facts.
It won't likely be an issue -- unless some "activist" decides to make it one.

In the U.S., we have the Americans with Disabilities Act (ADA) which basically requires businesses to make allowances for those with disabilities (wheelchair ramps, for example). Well some brilliant disabled guy decided to just go around to various businesses that he likely never would have gone to and sue those who weren't in compliance. He did it so often that his lawyer and he were declared vexatious litigants. (Reference: http://www.insidecounsel.com/2006/09/01 ... f-business)

And apparently, there's another attorney who does this, too, having been plaintiff in over 1,000 lawsuits.

How much easier is it to do that on the Web?

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.
Post Reply

Return to “phpBB Discussion”