MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Manuel Schneider-3
Dear all,

not sure if this discussion already happens somewhere else, I couldn't
find it on MediaWiki.org or by googling.

The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
cookies only if
* the user has been informed beforehand in detail
* the user has accepted the cookie
* this acceptance was given freely, without doubt and through by action
(This is the summary by the Article 29 Working Party issued in a Working
Document 02/2013[2] on October 2nd, 2013.)

An example how this is being implemented can be seen on sourceforge.org
or here:
* http://ec.europa.eu/justice/cookies/index_en.htm

I checked MediaWiki:
* anonymous users don't get a cookie, unless the site owner added
something (eg. Google Analytics, Piwik or content served by another site
using cookies)
-> this is fine

* as soon as I click the "Login" button on the wiki, a cookie is being set
-> here we need to work, we need to ask first

So I see two possibilities:

1) catch the click on the "Login" link to show a banner first to ask for
the users consent, on acceptance forward the user to the login page

2) modify the login process to set the cookie after the actual login and
put an additional text on the login page like "by logging in I accept
the usage of cookies by this website"
-> as the login is an action which implies the consent, if we inform
properly on the login form already

Any thoughts about this?

This issue also concerns all our Wikimedia websites, basically every
MediaWiki out there where people may log into.

The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of
37.000 EUR.

/Manuel

[1]
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:html

[2]
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf
--
Wikimedia CH - Verein zur Förderung Freien Wissens
Lausanne, +41 (21) 34066-22 - www.wikimedia.ch

_______________________________________________
Wikitech-l mailing list
[hidden email]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Chris Steipp
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider <
[hidden email]> wrote:

> Dear all,
>
> not sure if this discussion already happens somewhere else, I couldn't
> find it on MediaWiki.org or by googling.
>
> The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
> cookies only if
> * the user has been informed beforehand in detail
> * the user has accepted the cookie
> * this acceptance was given freely, without doubt and through by action
> (This is the summary by the Article 29 Working Party issued in a Working
> Document 02/2013[2] on October 2nd, 2013.)
>
> An example how this is being implemented can be seen on sourceforge.org
> or here:
> * http://ec.europa.eu/justice/cookies/index_en.htm
>
> I checked MediaWiki:
> * anonymous users don't get a cookie, unless the site owner added
> something (eg. Google Analytics, Piwik or content served by another site
> using cookies)
> -> this is fine
>
> * as soon as I click the "Login" button on the wiki, a cookie is being set
> -> here we need to work, we need to ask first
>
> So I see two possibilities:
>
> 1) catch the click on the "Login" link to show a banner first to ask for
> the users consent, on acceptance forward the user to the login page
>
> 2) modify the login process to set the cookie after the actual login and
> put an additional text on the login page like "by logging in I accept
> the usage of cookies by this website"
>

The cookie on the login page is for the anti-csrf (and captcha if needed)
validation, so getting rid of it would be problematic from a technical
perspective (or would require a second click on the login page).



> -> as the login is an action which implies the consent, if we inform
> properly on the login form already
>
> Any thoughts about this?
>
> This issue also concerns all our Wikimedia websites, basically every
> MediaWiki out there where people may log into.
>
> The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of
> 37.000 EUR.
>
> /Manuel
>
> [1]
>
> http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:html
>
> [2]
>
> http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf
> --
> Wikimedia CH - Verein zur Förderung Freien Wissens
> Lausanne, +41 (21) 34066-22 - www.wikimedia.ch
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
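
Why the login form itself needs a cookie, as an added example that is not part of the original message and is not MediaWiki's code: a session-bound login token checked on POST, sketched for Node.js. `LoginTokenStore`, the `sid` cookie name and the in-memory map are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Parse a Cookie request header into a plain object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

// Hypothetical in-memory store: session id (from the cookie) -> login token.
class LoginTokenStore {
  constructor() {
    this.sessions = new Map();
  }

  // GET of the login form: the server must remember which token it put into
  // this browser's form, so it opens a session and sends its id as a cookie.
  renderLoginForm() {
    const sid = crypto.randomBytes(16).toString('hex');
    const token = crypto.randomBytes(16).toString('hex');
    this.sessions.set(sid, token);
    return {
      setCookie: `sid=${sid}; Path=/; HttpOnly; Secure; SameSite=Lax`,
      cookieHeader: `sid=${sid}`, // what the browser sends back on POST
      formToken: token,           // hidden field in the login form
    };
  }

  // POST of the credentials: the form token must be the one stored for the
  // session named by the cookie. Password checking is out of scope here.
  checkLoginPost(cookieHeader, formToken) {
    const sid = parseCookies(cookieHeader).sid;
    if (!sid) return 'rejected: no session cookie';
    const expected = this.sessions.get(sid);
    if (!expected) return 'rejected: unknown session';
    const a = Buffer.from(expected);
    const b = Buffer.from(String(formToken));
    if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
      return 'rejected: token mismatch';
    }
    this.sessions.delete(sid); // the token is single use
    return 'accepted';
  }
}

// Three constructed requests against one store.
function demo() {
  const store = new LoginTokenStore();
  const browser = store.renderLoginForm(); // the user's own browser
  const other = store.renderLoginForm();   // a different session
  return {
    // Form token issued to another session, sent with this browser's cookie.
    crossSession: store.checkLoginPost(browser.cookieHeader, other.formToken),
    // Option 2 from the thread: no cookie exists until after the login.
    cookieDeferred: store.checkLoginPost('', browser.formToken),
    // Normal flow: cookie and form token come from the same GET.
    normal: store.checkLoginPost(browser.cookieHeader, browser.formToken),
  };
}
```

With the cookie deferred, the server has nothing to compare the form token against, so the first POST can only be rejected and the form shown again, which is the "second click" mentioned above.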

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Manuel Schneider-3
Am 10.03.2014 16:54, schrieb Chris Steipp:
>> 1) catch the click on the "Login" link to show a banner first to ask for
>> the users consent, on acceptance forward the user to the login page
>>
>> 2) modify the login process to set the cookie after the actual login and
>> put an additional text on the login page like "by logging in I accept
>> the usage of cookies by this website"

> The cookie on the login page is for the anti-csrf (and captcha if needed)
> validation, so getting rid of it would be problematic from a technical
> perspective (or would require a second click on the login page).

Thanks Chris for this comment.

So that leaves us with option 1) - a javascript banner. I think that
shouldn't be too hard to implement.

A <div> which hovers over the Wiki page, the text, two buttons [accept]
/ [leave]. Accept points to Special:Userlogin, leave just closes the banner.
A javascript that shows this <div> onclick() on the Login link, if no
cookie has already been set by the Wiki.

Maybe even a LocalSettings.php variable $wgApproveCookies = true; that
is true by default and allows admins of internal company wikis etc. to
disable that banner.

As an option we could even add another setting $wgApproveCookiesAlways,
which makes the same <div> to show up as soon as a user enters the wiki.
That way we can support admins that have further extensions installed in
their wiki which add cookies right away - like Google Analytics.


/Manuel
--
Wikimedia CH - Verein zur Förderung Freien Wissens
Lausanne, +41 (21) 34066-22 - www.wikimedia.ch
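
The banner proposed above, as an added sketch that is not part of the original message and not MediaWiki code. `approveCookies` and `approveCookiesAlways` mirror the proposed `$wgApproveCookies` / `$wgApproveCookiesAlways` settings, which do not exist in MediaWiki; the cookie prefix, the login-link selector and the banner text are assumptions.

```javascript
const defaultConfig = {
  approveCookies: true,          // proposed $wgApproveCookies
  approveCookiesAlways: false,   // proposed $wgApproveCookiesAlways
  cookiePrefix: 'mywiki',        // assumed cookie name prefix of this wiki
  loginSelector: '#pt-login a',  // assumed selector of the "Login" link
  text: 'Logging in stores cookies in your browser. Continue?',
};

// True if the cookie string holds a cookie whose name starts with the prefix.
// document.cookie does not expose HttpOnly cookies, so this check only sees
// cookies that scripts are allowed to read.
function wikiCookiePresent(cookieString, prefix) {
  return (cookieString || '').split(';')
    .map((pair) => pair.trim())
    .some((pair) => pair !== '' && pair.startsWith(prefix));
}

// Build the <div> with its two buttons; onAccept runs only after "accept".
function showBanner(doc, cfg, onAccept) {
  const banner = doc.createElement('div');
  banner.setAttribute('role', 'dialog');
  const msg = doc.createElement('p');
  msg.textContent = cfg.text; // textContent, so the text is never parsed as HTML
  const accept = doc.createElement('button');
  accept.textContent = 'accept';
  const leave = doc.createElement('button');
  leave.textContent = 'leave';
  accept.addEventListener('click', () => { banner.remove(); onAccept(); });
  leave.addEventListener('click', () => banner.remove());
  banner.append(msg, accept, leave);
  doc.body.appendChild(banner);
  return banner;
}

// Wire the gate into a document and report which mode was chosen.
function installConsentGate(doc, overrides) {
  const cfg = { ...defaultConfig, ...overrides };
  if (!cfg.approveCookies) return 'disabled';
  if (wikiCookiePresent(doc.cookie, cfg.cookiePrefix)) return 'cookie-present';
  let consented = false; // kept for this page view only; nothing is stored
  const link = doc.querySelector(cfg.loginSelector);
  if (link) {
    link.addEventListener('click', (event) => {
      if (consented) return; // let the browser follow the link
      event.preventDefault(); // no request to the login page before consent
      showBanner(doc, cfg, () => doc.location.assign(link.href));
    });
  }
  if (cfg.approveCookiesAlways) {
    showBanner(doc, cfg, () => { consented = true; });
    return 'banner-on-entry';
  }
  return link ? 'login-gated' : 'no-login-link';
}

// In a browser, attach to the real page; under Node this line is skipped.
if (typeof document !== 'undefined') installConsentGate(document, {});
```

Because the gate is a click handler, a browser with scripting disabled follows the login link directly and receives the login-page cookie as before.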


Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

MZMcBride-2
In reply to this post by Manuel Schneider-3
Manuel Schneider wrote:

>The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
>cookies only if
>* the user has been informed beforehand in detail
>* the user has accepted the cookie
>* this acceptance was given freely, without doubt and through by action
>(This is the summary by the Article 29 Working Party issued in a Working
>Document 02/2013[2] on October 2nd, 2013.)
>
>[...]
>
>I checked MediaWiki:
>* anonymous users don't get a cookie, unless the site owner added
>something (eg. Google Analytics, Piwik or content served by another site
>using cookies)
>-> this is fine
>
>* as soon as I click the "Login" button on the wiki, a cookie is being set
>-> here we need to work, we need to ask first
>
>So I see two possibilities:
>
>[...]
>
>Any thoughts about this?

In my opinion, you should e-mail [hidden email] if you're concerned
about this issue. If the Wikimedia Foundation legal team feels that
MediaWiki or Wikimedia wikis are inappropriately out of compliance with
the EU privacy policy, they can say so explicitly and we can then discuss
possible solutions.

As it is, I personally don't think there's an actionable issue here and I
think we shouldn't change MediaWiki or Wikimedia behavior until there is.

MZMcBride




Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Gergo Tisza
In reply to this post by Manuel Schneider-3
On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider <
[hidden email]> wrote:

> The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
> cookies only if
> * the user has been informed beforehand in detail
> * the user has accepted the cookie
> * this acceptance was given freely, without doubt and through by action
> (This is the summary by the Article 29 Working Party issued in a Working
> Document 02/2013[2] on October 2nd, 2013.)
>
> An example how this is being implemented can be seen (...) here:
> * http://ec.europa.eu/justice/cookies/index_en.htm


That page actually sets a cookie without getting your consent first, and so
does the other EU website you have linked. Which is a good indication of
how seriously this is taken in the EU - not at all. Some content providers
show you a small banner saying "by browsing our site you accept cookies
blah blah blah" when you first visit, most don't even bother to do that.

I doubt there is any need to change MediaWiki because of that. There are
several drop-in javascript plugins (CookieCuttr
<http://cookiecuttr.com/>, Cookie
Consent <http://demo.cookieconsent.silktide.com/> etc) which a site admin
can easily install if they want to ask for consent, but in practice that is
not expected even from major websites, whatever the (not legally binding)
recommendation from the Article 29 WP says.

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Matthias Mullie
I don’t know much about the matter, but I thought this policy was mostly about limiting tracking cookies.
Let’s first ask legal@ if anything should be done at all, at this point.

On 11 Mar 2014, at 08:34, Gergo Tisza <[hidden email]> wrote:

> On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider <
> [hidden email]> wrote:
>
>> The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
>> cookies only if
>> * the user has been informed beforehand in detail
>> * the user has accepted the cookie
>> * this acceptance was given freely, without doubt and through by action
>> (This is the summary by the Article 29 Working Party issued in a Working
>> Document 02/2013[2] on October 2nd, 2013.)
>>
>> An example how this is being implemented can be seen (...) here:
>> * http://ec.europa.eu/justice/cookies/index_en.htm
>
>
> That page actually sets a cookie without getting your consent first, and so
> does the other EU website you have linked. Which is a good indication of
> how seriously this is taken in the EU - not at all. Some content providers
> show you a small banner saying "by browsing our site you accept cookies
> blah blah blah" when you first visit, most don't even bother to do that.
>
> I doubt there is any need to change MediaWiki because of that. There are
> several drop-in javascript plugins (CookieCuttr
> <http://cookiecuttr.com/>, Cookie
> Consent <http://demo.cookieconsent.silktide.com/> etc) which a site admin
> can easily install if they want to ask for consent, but in practice that is
> not expected even from major websites, whatever the (not legally binding)
> recommendation from the Article 29 WP says.
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l



Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Lars Aronsson
In reply to this post by Manuel Schneider-3
On 03/10/2014 04:46 PM, Manuel Schneider wrote:
> The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
> cookies only if
> [...]
> The Austrian Communication Law (§ 96 Abs. 3 TKG) defines a penalty of
> 37.000 EUR.

Are there any known cases, in Austria or elsewhere,
where a violation of these rules actually has resulted
in any penalty? Has it ever been taken to court?


--
   Lars Aronsson ([hidden email])
   Aronsson Datateknik - http://aronsson.se




Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Federico Leva (Nemo)
In reply to this post by Matthias Mullie
This conversation would IMHO be more appropriate on mediawiki-l because
it affects mainly third parties who care about the higher privacy
standards of EU, but thanks for starting it.

On asking WMF legals, no worries, they were already pointed to the
possibility of an issue with 2009/136/EC / "EU cookie law" / revised
ePrivacy Directive on Fri, 16 Aug 2013 11:18:32 +0200 (no reply
received, but I was merely giving a pointer and not interested in
following up).
Some fines were levied just few days ago, as a quick search reveals:
<http://www.bna.com/spanish-dpa-levies-n17179882151/>.

As for Wikimedia projects, relevant links are
* stub https://meta.wikimedia.org/wiki/Cookie_jar
* draft
<https://meta.wikimedia.org/wiki/Privacy_policy/FAQ#Can_you_give_me_some_examples_of_types_of_cookies_and_how_you_use_local_storage.3F>
*
<https://www.mediawiki.org/wiki/Requests_for_comment/Performance_standards_for_new_features#Scope_and_issues>

I believe most issues with cookies are currently/usually caused by some
extensions which unconditionally add one or more. The biggest drive for
their removal, so far, has been performance. Sometimes they are replaced
with localStorage, which is better for performance, but I have no idea
how better for privacy.

Nemo


Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Thomas Gries
Am 11.03.2014 12:57, schrieb Federico Leva (Nemo):
> This conversation would IMHO be more appropriate on mediawiki-l
> because it affects mainly third parties who care about the higher
> privacy standards of EU, but thanks for starting it.

I think, a bugzilla should be filed for this cookie issue (better tracking).
I also think, we cannot ignore the legal issues in EU and other
countries concerning "cookies".

T.



Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Luis Villa
In reply to this post by Federico Leva (Nemo)
Note that the situation is different for Wikimedia projects than for
Mediawiki. Whether or not WMF LCA thinks it is necessary for the
Wikimedia-hosted services, it may still be a useful feature to build for
users of Mediawiki who believe that the rule should apply to them. So don't
let "WMF doesn't think it needs to be deployed on WMF wikis" stop anyone
from developing it for
Mediawiki-the-community-driven-widely-deployed-FLOSS-project.

Luis


On Tue, Mar 11, 2014 at 4:57 AM, Federico Leva (Nemo) <[hidden email]> wrote:

> This conversation would IMHO be more appropriate on mediawiki-l because it
> affects mainly third parties who care about the higher privacy standards of
> EU, but thanks for starting it.
>
> On asking WMF legals, no worries, they were already pointed to the
> possibility of an issue with 2009/136/EC / "EU cookie law" / revised
> ePrivacy Directive on Fri, 16 Aug 2013 11:18:32 +0200 (no reply received,
> but I was merely giving a pointer and not interested in following up).
> Some fines were levied just few days ago, as a quick search reveals:
> <http://www.bna.com/spanish-dpa-levies-n17179882151/>.
>
> As for Wikimedia projects, relevant links are
> * stub https://meta.wikimedia.org/wiki/Cookie_jar
> * draft
> <https://meta.wikimedia.org/wiki/Privacy_policy/FAQ#Can_you_give_me_some_examples_of_types_of_cookies_and_how_you_use_local_storage.3F>
> *
> <https://www.mediawiki.org/wiki/Requests_for_comment/Performance_standards_for_new_features#Scope_and_issues>
>
> I believe most issues with cookies are currently/usually caused by some
> extensions which unconditionally add one or more. The biggest drive for
> their removal, so far, has been performance. Sometimes they are replaced
> with localStorage, which is better for performance, but I have no idea how
> better for privacy.
>
> Nemo
>
>
> _______________________________________________
> Wikitech-l mailing list
> [hidden email]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>



--
Luis Villa
Deputy General Counsel
Wikimedia Foundation
415.839.6885 ext. 6810

NOTICE: *This message may be confidential or legally privileged. If you
have received it by accident, please delete it and let us know about the
mistake. As an attorney for the Wikimedia Foundation, for legal/ethical
reasons I cannot give legal advice to, or serve as a lawyer for, community
members, volunteers, or staff members in their personal capacity.*

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Chad
In reply to this post by Gergo Tisza
On Tue, Mar 11, 2014 at 12:34 AM, Gergo Tisza <[hidden email]> wrote:

> On Mon, Mar 10, 2014 at 8:46 AM, Manuel Schneider <
> [hidden email]> wrote:
>
> > The issue at hand is: EU privacy policy 95/46/EG[1] allows usage of
> > cookies only if
> > * the user has been informed beforehand in detail
> > * the user has accepted the cookie
> > * this acceptance was given freely, without doubt and through by action
> > (This is the summary by the Article 29 Working Party issued in a Working
> > Document 02/2013[2] on October 2nd, 2013.)
> >
> > An example how this is being implemented can be seen (...) here:
> > * http://ec.europa.eu/justice/cookies/index_en.htm
>
>
> That page actually sets a cookie without getting your consent first, and so
> does the other EU website you have linked. Which is a good indication of
> how seriously this is taken in the EU - not at all. Some content providers
> show you a small banner saying "by browsing our site you accept cookies
> blah blah blah" when you first visit, most don't even bother to do that.
>
> I doubt there is any need to change MediaWiki because of that.


Indeed. Plus Chris said it'd be problematic since it's providing anti-CSRF.


> There are
> several drop-in javascript plugins (CookieCuttr
> <http://cookiecuttr.com/>, Cookie
> Consent <http://demo.cookieconsent.silktide.com/> etc) which a site admin
> can easily install if they want to ask for consent, but in practice that is
> not expected even from major websites, whatever the (not legally binding)
> recommendation from the Article 29 WP says.
>
>
Let's please not do silly things like using Javascript when cookies
work just fine as they are :)

-Chad

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

rupert THURNER-2
In reply to this post by Manuel Schneider-3
Am 10.03.2014 17:01 schrieb "Manuel Schneider" <
[hidden email]>:
>
> Am 10.03.2014 16:54, schrieb Chris Steipp:
> >> 1) catch the click on the "Login" link to show a banner first to ask for
> >> the users consent, on acceptance forward the user to the login page
> >>
> >> 2) modify the login process to set the cookie after the actual login and
> >> put an additional text on the login page like "by logging in I accept
> >> the usage of cookies by this website"
>
> > The cookie on the login page is for the anti-csrf (and captcha if needed)
> > validation, so getting rid of it would be problematic from a technical
> > perspective (or would require a second click on the login page).
>
> Thanks Chris for this comment.
>
> So that leaves us with option 1) - a javascript banner. I think that
> shouldn't be too hard to implement.
>
> A <div> which hovers over the Wiki page, the text, two buttons [accept]
> / [leave]. Accept points to Special:Userlogin, leave just closes the banner.
> A javascript that shows this <div> onclick() on the Login link, if no
> cookie has already been set by the Wiki.
>
> Maybe even a LocalSettings.php variable $wgApproveCookies = true; that
> is true by default and allows admins of internal company wikis etc. to
> disable that banner.
>
> As an option we could even add another setting $wgApproveCookiesAlways,
> which makes the same <div> to show up as soon as a user enters the wiki.
> That way we can support admins that have further extensions installed in
> their wiki which add cookies right away - like Google Analytics.
>

Is there any technical argument against this proposal?

Rupert

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Remco de Boer
On Tue, Mar 11, 2014 at 10:33 PM, rupert THURNER <[hidden email]> wrote:

> Am 10.03.2014 17:01 schrieb "Manuel Schneider" <
> [hidden email]>:
> >
> > Am 10.03.2014 16:54, schrieb Chris Steipp:
> > >> 1) catch the click on the "Login" link to show a banner first to ask for
> > >> the users consent, on acceptance forward the user to the login page
> > >>
> > >> 2) modify the login process to set the cookie after the actual login and
> > >> put an additional text on the login page like "by logging in I accept
> > >> the usage of cookies by this website"
> >
> > > The cookie on the login page is for the anti-csrf (and captcha if needed)
> > > validation, so getting rid of it would be problematic from a technical
> > > perspective (or would require a second click on the login page).
> >
> > Thanks Chris for this comment.
> >
> > So that leaves us with option 1) - a javascript banner. I think that
> > shouldn't be too hard to implement.
> >
> > A <div> which hovers over the Wiki page, the text, two buttons [accept]
> > / [leave]. Accept points to Special:Userlogin, leave just closes the banner.
> > A javascript that shows this <div> onclick() on the Login link, if no
> > cookie has already been set by the Wiki.
> >
> > Maybe even a LocalSettings.php variable $wgApproveCookies = true; that
> > is true by default and allows admins of internal company wikis etc. to
> > disable that banner.
> >
> > As an option we could even add another setting $wgApproveCookiesAlways,
> > which makes the same <div> to show up as soon as a user enters the wiki.
> > That way we can support admins that have further extensions installed in
> > their wiki which add cookies right away - like Google Analytics.
> >
>
> Is there any technical argument against this proposal?
>
> Rupert
>

What's the fallback for users without JavaScript enabled in this scenario?

Remco

Re: MediaWiki, Cookies and EU Privacy Policy 95/46/EG

Max Semenik
On 14.03.2014, 17:59 Remco wrote:

> What's the fallback for users without JavaScript enabled in this scenario?

Nothing. You can't login without cookies.

--
Best regards,
  Max Semenik ([[User:MaxSem]])

