Imago writes "Dear Nukers,
Recently I received a letter full of noble resentment from a group of distinguished academics, part of a H-NET list, to the effect that Nuke-based sites are dangerous to the general visitors, since they do indiscriminately set cookies and, in fact, are tracking their guests, irrespectively of their wish or lack of whatever desire to become members.
Here is what they say:
It is not clear to me as to why a site that is ostensively academic in its focus would have a need to track its users, but in any case, you (the members of the list) should probably be aware of this.
To this I replied:
Indology Net uses an advanced content management system with member's registration, topical subscriptions, private messaging, personal web mail and other extras which are impossible without setting cookies. Without these small pieces of code stored on your computer, not in our system, the CMS server would not be able to recognize you and to offer you the services one has subscribed to. Cookies are not for tracking users - this is impossible, delete your cookies and you will see that the system will not recognize you, - they are for member's convenience and do not present any harm to one's hardware, software or moralware.
I am very much sorry for having to discuss such an issue, but since there can be always questions, I'd like to assure you that using cookies is harmless. Cookies are not spies, please, treat them as friendly go-betweens.
The reaction was that I am underestimating the issue, that this CMS is doing a bad service to the community, that setting cookies is justified only "as long as one has explicitly agreed to subscribe, requested to receive such services, or overly declared the intention to become a member of the site in some manner or another... Cookies do store personal user information, and do make computer user habits available to the cookie owners, which is why browsers include settings for blocking their usage."
So, good friends, advise me what to reply and, most importantly, what to do. Can we disable setting cookies for guests? Or is this something without which Php-Nuke will not properly work?
Anyway, my targeted community is generating suspicions in the good will and net-morality of our Nuke sites. And these suspicions and blames come from a List hosted by the university that invented Internet.
Are they justified?"
Posted on Friday, January 16 @ 10:14:19 CET by Zhen-Xjell |
Re: Privacy and Cookies (Score: 1) by georgiaguy on Friday, January 16 @ 11:05:38 CET (User Info | Send a Message) | i've muddled around with this without much success. though, in all honesty, it's been a half-assed attempt, not something that's gotten my full attention for long enough to properly address it. i don't see why it wouldn't work...if the cookie isn't there, then just go to the default "guest" mode. only start setting cookies (and make them session cookies) when the guests change languages, etc.
i would like to integrate some sort of terms and conditions statement into the user registration, which states what cookies are and why they are used, to which the user must agree before proceeding.
if anyone is interested in helping me pursue a cookie-less guest user MOD, send me an email to dari AT nukedgallery DOT net and we'll get something organized. |
Re: Privacy and Cookies (Score: 1) by Imago on Friday, January 16 @ 11:43:31 CET (User Info | Send a Message) http://www.euronuke.org | // integrate some sort of terms and conditions statement into the user registration, which states what cookies are and why they are used, to which the user must agree before proceeding
This is precisely what many people want - to not set cookies without first asking their agreement to do so. Please, keep us informed about the results of your efforts. |
Re: Privacy and Cookies (Score: 1) by forbin on Tuesday, February 10 @ 11:40:07 CET (User Info | Send a Message) | Disclaimer: I haven't tried this in PHPNuke.
In another web application server, we solved the problem by circumventing the cookie issue entirely. It's not a trivial amount of code, though. :-(
We created a unique identifier for each registered user, and another unique identifier for each current session. Instead of using cookies, we used hidden form fields in the HTML sent to the browser. The contents of the field were an MD5 hash, so users couldn't muck about with it. Our framework code ensured the hidden hash fields were passed back and forth on every HTTP request and response. All of the actual data was stored in a server-side database: both the session data and the persistent user data.
Problem solved.
We could legitimately claim that our site did not use cookies. Our privacy statement said something on the order of "we keep track of only the data necessary for handling user preferences and the accounts of registered users, but we don't use cookie technology to accomplish this." [I am not a lawyer... this is a paraphrase of whatever the legal beagles cooked up.]
I wonder how hard this would be to add to a PHPNuke site? Certainly it's possible to implement in PHP. Could even write a code wrapper so it uses cookies for browser sessions accepting them, and hashed hidden fields for the browser sessions that reject cookies.
Thoughts? Comments? |
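The hidden-field session scheme described in forbin's post above, as an added PHP example that is not taken from PHP-Nuke or from forbin's application. It swaps the bare MD5 hash for a keyed HMAC-SHA256 over a random session id; `SECRET`, `TTL`, the `sid` field name and the in-memory `$store` are assumptions standing in for a real server-side key and database table.

```php
<?php
// Added example, not PHP-Nuke code. SECRET and $store are placeholders
// (assumptions) for a real server-side key and a session table.
const SECRET = 'replace-with-a-long-random-server-side-key';
const TTL = 1800; // seconds a session stays valid without activity

// Create a server-side session row and return the hidden-field value.
function issue_token(array &$store, int $now): string
{
    $sid = bin2hex(random_bytes(16));          // unguessable session id
    $store[$sid] = ['expires' => $now + TTL, 'data' => []];
    $mac = hash_hmac('sha256', $sid, SECRET);  // keyed, unlike a bare MD5
    return $sid . '.' . $mac;
}

// Return the session id if the token is authentic and unexpired, else null.
function verify_token(array &$store, string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;                           // malformed field
    }
    [$sid, $mac] = $parts;
    $expected = hash_hmac('sha256', $sid, SECRET);
    if (!hash_equals($expected, $mac)) {       // constant-time comparison
        return null;                           // edited by the client
    }
    if (!isset($store[$sid]) || $store[$sid]['expires'] < $now) {
        unset($store[$sid]);                   // drop the expired row
        return null;
    }
    $store[$sid]['expires'] = $now + TTL;      // sliding expiry
    return $sid;
}

// Render the hidden field that every form on the site must carry.
function hidden_field(string $token): string
{
    return '<input type="hidden" name="sid" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed walk-through of one request/response cycle.
$store = [];
$now   = time();
$token = issue_token($store, $now);
echo hidden_field($token), "\n";
var_dump(verify_token($store, $token, $now + 60));           // token posted back intact
var_dump(verify_token($store, $token . '0', $now + 60));     // token with an altered MAC
var_dump(verify_token($store, $token, $now + 2 * TTL + 61)); // token posted after the TTL
```

Because the token travels in the page body, every form that carries it has to be served over TLS. A token placed in a URL instead would leak through server logs and Referer headers.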
Re: Privacy and Cookies (Score: 1) by georgiaguy on Friday, January 16 @ 11:14:57 CET (User Info | Send a Message) | ok, so i checked the cookies that an anonymous user receives from the site...a stock 6.9 install places a language cookie, valid for 1 year. MS_Analysis places a screen resolution cookie, valid for 21 years.
i think it would be an easy MOD to have the language default to english without a cookie. nuke can check for the cookie, and if it's there, use the language setting that is stored in it, otherwise just use english. this way, any english-speaking user (or whatever the default site language is) would be able to anonymously visit the site with no cookies being set (except for situations like MSAnalysis..though I'm not sure why that sets a cookie, instead of just storing the data directly). |
Re: Privacy and Cookies (Score: 1) by forbin on Tuesday, February 10 @ 11:43:06 CET (User Info | Send a Message) | Whoops! Didn't mean to double post; it looked like the first post failed. Sorry!
Perhaps the moderators will be kind enough to delete my duplicate post (and this followup message)??
Thanks in advance! |
Re: Privacy and Cookies (Score: 1) by kipuka on Friday, January 16 @ 12:01:03 CET (User Info | Send a Message) | What you could tell them is you are using software which was designed for a wide range of users. If they don't want to become a member, they can set their browser not to accept cookies from your site. I think everything should operate the same except features for which you require login and their default language. I also recommend you educate them that practically every site on the net, even academic ones, maintain server logs which capture visitors' IPs, where they came in from, usage times, and every single page, graphic, and file they access.
phpnuke's cookies store a dozen or so pieces of information. Four of which contain personally identifiable info: username, password, uid and whether they are an admin. The rest are user selected custom settings. If the person is a guest, the script captures his IP, which btw I disagree with, and stores that in a cookie on his computer in addition to the language. IMO the ones for guests could be eliminated.
Cookies are needed for automatic login. To keep a person logged in as he surfs from page to page requires either using them or a session id in the url. The latter of which creates non-friendly addresses for both humans and search engines.
In summary, yes guests are being tracked but really no more than other sites are doing, including academic ones unless you are using a script that monitors IPs like the Protector or MS-Analysis. |
Re: Tracking (Score: 1) by Imago on Friday, January 16 @ 12:38:47 CET (User Info | Send a Message) http://www.euronuke.org | Thank you, you put it in a better language than I did, though the argumentation is one and the same.
Perhaps I am misunderstanding the meaning of the phrase "tracking somebody." For me, this means to collect information about smb and to store it on your computer, not on the computer of that smb. |
Re: Tracking (Score: 1) by kipuka on Saturday, January 17 @ 05:49:02 CET (User Info | Send a Message) | I was trying to give suggestions on what you could tell them. I think their viewpoint is valid, but at the same time I think they're naive about server-side logging and what it captures. The important thing is always how is the info used. Visitors don't know but a site's owner does. IMO he should tell them in a privacy statement.
Tracking means being able to follow any individual visitor and what he is doing. This can be done totally server-side or a combination of client/server side. Many sites take the info they collect and analyze it on an aggregate level not down to any specific visitor unless he's causing trouble. Software tools like Protector, WhoIsWhere, etc, and some log analyzers provide the ability to watch each person's activity and thus is invading his privacy. Some sites with ads use webbugs planted in pages and also place cookies on people's computers to not only track their actions but also the computers used. Most people do not like being tracked this closely. There needs to be some balance between privacy and a site's security.
I don't know why phpnuke intentionally stores the IP in addition to the language in a cookie for guests. Maybe it's to help limit voting in polls and manage sessions. By setting it, a webmaster could easily use it for other purposes. Like georgiaguy, I also think this may be a pretty easy fix by just not setting any cookies for guests. I've surfed phpnuke sites before with cookies set to off, which is my normal browser setting, and they worked fine without them. If he can't figure out what to comment out in the code, then I'll take a look. He's already created a modified signup which is great. I also recommend you create a privacy statement to describe what info your site collects and how you are using it.
Re: Tracking (Score: 1) by kipuka on Saturday, January 17 @ 07:51:03 CET (User Info | Send a Message) | | Correction: Sorry, my bad. A guest's cookie does not have the IP in it or any other personally identifiable info. It only contains the language. Their IP is captured and stored in the database which I mistakenly thought was placed in the cookie. |
Re: Privacy and Cookies (Score: 1) by georgiaguy on Friday, January 16 @ 15:44:02 CET (User Info | Send a Message) | here is what i've done:
using the AUP from this site, altered to reflect slightly different policies. basically, it places the burden on the user. they can choose to read the whole thing and accept, or not to read it and accept anyway. |
Re: Privacy and Cookies (Score: 1) by georgiaguy on Friday, January 16 @ 15:45:17 CET (User Info | Send a Message) | | crap, it edited out my image, even though it showed up in the preview. oh well...take a look at this [www.nukedgallery.net] |
Re: Privacy and Cookies (Score: 1) by MrFluffy on Saturday, January 17 @ 08:10:10 CET (User Info | Send a Message) http://www.conrads-berlin.de | I also tried to incorporate a privacy policy on my sites, motivation was to get IE6 to accept my cookies in a medium or higher security setting.
I found some info on P3P policies on a German site and began working on it. You can see the results so far HERE [www.ayhsel.de] (details will have to be corrected yet to match the real use of data including 3rd party modules).
Upon REGISTRATION [www.ayhsel.de], in the final stage of submission I inserted a block of text explaining the use of cookies, the possibility to block cookies locally and included a link to the written policy (also found in the footer).
Basically all of this is based on IBM's P3P Privacy Policy Editor.
cu,
MrFluffy |
Re: Privacy and Cookies (Score: 1) by Zhen-Xjell on Saturday, January 17 @ 10:01:29 CET (User Info | Send a Message) http://castlecops.com | In my Internet tenure, I've found that cookies stir up lots of conversation. Fundamentally, they are doing their job correctly on PHP-Nuke and other forum websites. The portal uses them to identify your username.
What the real issue becomes is when third party cookies are used, for instance, ad companies like Fast click and Double click. Banners on sites drop their own cookies that ultimately "track" the user from site to site. It is this use of cookies that is the issue.
Even toolbars by Alexa and Google drop cookies to track their users.
Folks who do not understand the difference are the ones that create the heated cookie cutter debates.
In a PHP-Nuke portal with no external banners, cookies are doing their job correctly. They are allowing the members to log into the portal and stay logged in. Why would such a portal cause a stir on 'tracking' its members in such an instance? |
Re: Privacy and Cookies (Score: 1) by Guardian on Saturday, January 17 @ 19:57:40 CET (User Info | Send a Message) | I think the debate over cookies will go on forever.
There are pros and cons as in any other debate.
However, I think what should be highlighted is not the fact that cookies are set but the fact they are set for user convenience and not from some other ulterior motive such as spyware.
If surfers did not want cookies stored on their PCs, they should either stop surfing the 'net or set an appropriate cookie security level in their browser.
Re: Privacy and Cookies (Score: 1) by tompet on Saturday, January 17 @ 21:40:19 CET (User Info | Send a Message) http://www.successwebmasters.com | In Sweden we did get a law some months ago, that stated that all sites that use cookies have to inform their users how they use the cookies and what the information is used for. And then they have to give the user the possibility to enter another site without cookies or to leave the website.
It did seem like a stupid law in the beginning but I think it is good to inform the users about cookies and how they are used as well as the information. It is actually a part of the privacy statement but the information has its own page.
After we started to give this information on our website, in Swedish, we have had no complaint about cookies or any other security questions from users. I think the whole problem often is that many websites don't have clear and correct information about themselves, how they handle privacy, cookies and also IP addresses. (We also have an IP address policy that says that we save IP addresses in case of misuse of the website. It makes our serious users feel safe and others, hopefully, not do any "tricks".)
It is your website, you not only decide what content should be there but also how it should be used, free, cost money, security, use cookies or not, etc. But you have to tell your users so they can choose if they agree to it or not. |