Privacy_XH

Third Party Plugins to CMSimple - how to install, use and create plugins

Moderator: Tata

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Privacy_XH

Post by cmb » Thu Jan 24, 2013 4:38 pm

Hi Hugo,
Hugorm wrote:Yes, I mean signalling 'cookie accept status' (both yes and no) in as small yet visible a space as possible.
This could be added to Privacy_XH easily. In fact it is possible right now to add to the template something like:

Code: Select all

<?php if (isset($_COOKIE['privacy_agreed']):?>
<p>You already have given your informed consent.</p>
<?php else:?>
<p>You haven't yet given your informed consent.</p>
<?php endif;?>
Hugorm wrote:Somehow I have to secure that I'm not at any risk when linking to other websites.
When I don't do a hyberlink I'm not to blame - but it is poor service to the visitor.
I'd say it's a great service to the visitors, if you inform them about leaving the site.

I'd wanted to add both ideas to the demo already, but I haven't found the time yet. I'll report back, when that's done (probably tomorrow).
Hugorm wrote:notice the amount of data in the sample link.
Do you mean the "link" to the example privacy statement you have given? The actual statement is about 6.5 KB. That's not very much. It can easily be inserted on a CMSimple page (shouldn't noticeably hurt the performance), or for the variant you have set up it could be added to the separate file.

On http://www.bistro-bogarts-ingelheim.de/?Impressum you can find a disclaimer that is nearly 4 KB large, which is integrated in the content file of CMSimple. Seems to be not a problem. :?

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Hugorm
Posts: 112
Joined: Thu May 22, 2008 6:45 pm
Location: Denmark

Re: Privacy_XH

Post by Hugorm » Thu Jan 24, 2013 5:12 pm

Hi Christoph

Tanks again for your effords and great ideas.

When I use the link as an example I try to say 'see what is requested by law - the poor user have to read it'.
We all have to write the information and in many languages (and versions).
Maybe it does not take much space in memory - but it sure takes time.

You may think it's good service to inform that the user is leaving my site - but I'm affraid that it is not enough to comply with the danish cookie law.

I have had a quick look at your link, and I do not belive it is ok with danish cookie law - there must be a decription of each used cookie.

Kind regards
Hugo

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Privacy_XH

Post by cmb » Thu Jan 24, 2013 5:49 pm

Hi Hugo,
Hugorm wrote:When I use the link as an example I try to say 'see what is requested by law - the poor user have to read it'.
We all have to write the information and in many languages (and versions).
Maybe it does not take much space in memory - but it sure takes time.
Ah, I see. Actually that's really sad. I'm afraid the cookie law brings a lot of work for everybody: webmasters, visitors and webdevelopers (now one has to carefully to consider, if he sets a cookie at all, or if he can do without one).

At least the burden for the webmaster might be alleviated. Aren't there some official templates, which can be used in adapted form for the privacy statement? Does somebody else is aware of any, which complies with the Danish cookie law? And perhaps anybody who writes such a template, might offer to let others use it (of course on their own liability). Such templates might be linked from http://www.cmsimplewiki.com.
Hugorm wrote:You may think it's good service to inform that the user is leaving my site - but I'm affraid that it is not enough to comply with the danish cookie law.
I had some text in mind, which tells the user that the cookie law might not be adhered to by the site he's going to visit.
Hugorm wrote:I have had a quick look at your link, and I do not belive it is ok with danish cookie law - there must be a decription of each used cookie.
So I'll extend the list in the Wiki about these details for my plugins. I hope other plugin developers will join ASAP. I'm not quite sure how session cookies should be handled. The session could contain many different information (sometimes only some file paths access etc.); does this have to be listed and explained also in detail?

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Hugorm
Posts: 112
Joined: Thu May 22, 2008 6:45 pm
Location: Denmark

Re: Privacy_XH

Post by Hugorm » Thu Jan 24, 2013 6:27 pm

Hi Christoph

You wrote:
>Ah, I see. Actually that's really sad. I'm afraid the cookie law brings a lot of work for everybody: webmasters, visitors and webdevelopers (now one has to carefully to consider, if he sets a cookie at all, or if he can do without one).<
exactly!

You wrote:
>At least the burden for the webmaster might be alleviated. Aren't there some official templates, which can be used in adapted form for the privacy statement? Does somebody else is aware of any, which complies with the Danish cookie law? ...<
That is THE question! The Danish IT-oficials have tried - as far as I know - no luck so far.
Medias have tried: minecookies.org
An allmost offical tried: e-boks.dk/page.aspx?pageid=3af57360-d710-4542-8537-6a417cdc3652
(sorry the text is in danish - just look at the amount of text).

You wrote:
>So I'll extend the list in the Wiki about these details for my plugins. I hope other plugin developers will join ASAP. I'm not quite sure how session cookies should be handled. The session could contain many different information (sometimes only some file paths access etc.); does this have to be listed and explained also in detail?<
Sesion cookies and cookies needed for the process of the site is somehow not in need of an 'informed concent'. The handling - no one knows.
I would wait to change the wiki until the officials have a solution.

Kind regards
Hugo

maeg
Posts: 525
Joined: Fri Feb 20, 2009 2:27 pm
Location: Agerbæk, Denmark
Contact:

Re: Privacy_XH

Post by maeg » Fri Jan 25, 2013 6:54 am

Hi

I don't Think the Danish law is so komplex. If you take a look at gowerments "how to dó...with cookies" at http://www.evm.dk/~/media/oem/pdf/2011/ ... relse.ashx

I Think that the privacy_xh Can dó it, if we make a link in the text to the site that Tell What cookies the current site is using, and What they are used for.

Hugorm
Posts: 112
Joined: Thu May 22, 2008 6:45 pm
Location: Denmark

Re: Privacy_XH

Post by Hugorm » Fri Jan 25, 2013 10:28 am

Hi Maeg

I hope you are right - - - - -
retsinformation.dk/Forms/R0710.aspx?id=139279 is indicating otherwise:
- look at § 1 stk 8
- look at § 3 stk 1. It is saying informed concent before you read a cookie at the user. Also if cookie is from 3. party!

- and than the one I can't figure out, chich cookies do not need an informed concent: § 4

Please note that on minecookies. org clearly is stated: Erhvervsstyrelsen har vurderet, at den nuværende mærkningsordning minecookies.org ikke er tilstrækkelig til at opfylde lovkravet om samtykke.
Which IMO means that link can not be used at the first informed concent - the concent must be fully informed (what i a cookie, what can it do, it can be removed. I hope we do not have to write what a cookie might be used for on our sites). I too hope that the details secondly can be shown as link.

Kind regards
Hugo

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Privacy_XH

Post by cmb » Fri Jan 25, 2013 11:45 am

Hi maeg, hi Hugo,
Hugorm wrote:It is saying informed concent before you read a cookie at the user.
This is the case, when you use Privacy_XH and guard all plugin calls in the template and the content (and all additional code you've added "manually"). Neither the core (when the visitor is not logged in) nor Privacy_XH set any cookies, so they can't read them with PHP, nor do they use some JavaScript (or alternative client side scripting) to read any cookie at all, before the consent is given by the visitor.

One has to consider how cookies work: http://en.wikipedia.org/wiki/HTTP_cookie#Implementation.
Hugorm wrote:and than the one I can't figure out, chich cookies do not need an informed concent: § 4
That is probably hard to do. If in doubt one better might avoid any cookies, before the visitor has given consent.
Hugorm wrote:Which IMO means that link can not be used at the first informed concent - the concent must be fully informed
It is possible to put the complete information in the short privacy message of Privacy_XH directly. Of course this is not easy to do, as the complete message in HTML has to be written in a simple textarea in the language settings. If required, I can extend Privacy_XH to optionally display the contents of a CMSimple page instead of the language text "Message".
Hugorm wrote:I would wait to change the wiki until the officials have a solution.
This might be best to avoid unneccessary work. I hope the situation clears up ASAP.

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Hugorm
Posts: 112
Joined: Thu May 22, 2008 6:45 pm
Location: Denmark

Re: Privacy_XH

Post by Hugorm » Fri Jan 25, 2013 12:10 pm

Hi Christoph

I really would like to agree with you.
Unfortunately I'm not convinced that § 3 agrees.
> Lagring af eller adgang til oplysninger i terminaludstyr

§ 3. Fysiske eller juridiske personer må ikke lagre oplysninger eller opnå adgang til oplysninger, der allerede er lagret, i en slutbrugers terminaludstyr eller lade tredjepart lagre oplysninger eller opnå adgang til oplysninger, hvis slutbrugeren ikke giver samtykke hertil efter at have modtaget fyldestgørende information om lagringen af eller adgangen til oplysningerne.<

IMO you have to explain about cookies at the very first start of your site (before the plugin - even before the include...).
Then you can ask for concent, which wil now be 'informed'.

IMO that is destroying the internet - but is IMO what the official are requesting in Denmark. (I'm not the law - I'm just very worried!).

If one uses the text of privacy_XH I belive there is not enough room presently - you need some kind of unblockable 'pop-up' obtaining the accept-cookie.

Kind regards
Hugo

cmb
Posts: 14225
Joined: Tue Jun 21, 2011 11:04 am
Location: Bingen, RLP, DE
Contact:

Re: Privacy_XH

Post by cmb » Fri Jan 25, 2013 1:38 pm

Hi Hugo,
Hugorm wrote:Unfortunately I'm not convinced that § 3 agrees.
Google translates this as:
Saving or access information in the terminal equipment

§ 3 Natural or legal persons shall not store information or gain access to information already stored, in an end-user terminal equipment or allow third-party store information or gain access to information if the end user does not consent, after having received complete information about storing or access to information.
The only potential with Privacy_XH is the wording "gain access to information already stored". Of course Privacy_XH has to check, if the cookie "privacy_agreed" is already set. If that's not allowed, that means you are not even allowed to use any cookies at all. The problem persists even if you set up an intro page, which doesn't use a content management system at all. Even there it has to be checked, if the cookie is set. The alternative solution I'd posted on Tuesday does it this way.

The only alternative to check for a cookie, would be to use an GET or POST parameter which signals, that the consent has been given. E.g. after the user gives his consent, a request in the following form has to be sent: http://www.example.com/?consent=yes. But than somebody could post this URL somewhere, and everybody who clicks the link, would be identified as someone who already has given his consent. A POST parameter would be somewhat more save, but even then somebody could set up a web form somewhere, which will request the foreign domain with the wrong information, that consent already has been given. And then it's quite unclear, who is guilty (at least the webmaster has not explicitly got the informed consent before cookies are read and written).

To state it again: this clause seems to forbid the use of cookies at all. But this could have been explained in simpler words. ;)
Hugorm wrote:you need some kind of unblockable 'pop-up' obtaining the accept-cookie.
It's not possible to have an unblockable pop-up. Everything done with some client side technologie could be blocked. Even a fixed positioned <div> that covers the complete browser viewport, won't work, if the user chooses his own styles, or the browser does ignore CSS at all (e.g. Lynx). And even if it were possible, the problem remains: it has to be checked, if the cookie was already set.

Coming back to the mentioned §3: in the strictest sense of interpretation, this only prohibits client side access (e.g. by JavaScript) to information stored in the terminal resp. to store information there with some client side technology, as no server side technology (e.g. PHP) is able to gain access to this information or to change it. The server can only access what is sent by the client, and it can only sent back the "request" to store some information in the client.

To determine what is actually meant by this paragraph, one probably has to read the complete text of the law. :(

Christoph
Christoph M. Becker – Plugins for CMSimple_XH

Hugorm
Posts: 112
Joined: Thu May 22, 2008 6:45 pm
Location: Denmark

Re: Privacy_XH

Post by Hugorm » Fri Jan 25, 2013 2:11 pm

Hi Christoph

You wrote:
>The alternative solution I'd posted on Tuesday does it this way.<

I have setup 114pc.dk/edbtst with the code - not good looking - anyway of a template or just a better looking?

You wrote:
>.. this clause seems to forbid the use of cookies at all....<
IMO not forbid - just demand prior information. (systems keeping track of your sw-versions is included as I see it).

You wrote:
> To determine what is actually meant by this paragraph, one probably has to read the complete text of the law.<
I really like this statement - many danes have tryed - even try to make money out of solutions - So far I haven't heard about any approved, by officials, solution.
Experts are still 'fighting'.

Maybe we have to make some system like aproving a lizence for a software and in that agreement state that the user must understand the nature of cookies and saved data? By this we would have a concent and asked the user to get the basic information about cookies on his own.
It will destroy must of sites information but keep us free from penalties.

Kind regards
Hugo

Post Reply