Sunday 20 May 2012

European Cookie Law

Yesterday, Andy Budd tweeted the following:

Wondering if the browsers are doing anything about the EU cookie law? Would be so much slicker if this could be handled at the brower level.

That got me thinking and, as I like to work out how things work, I started to ask Andy how he would see this being implemented. A few tweets later and it's obvious I need more than 140 characters to explain what is going through my mind, hence this post.

Cookie Law, What Cookie Law?

The Cookie Law is a UK law that derives from a European Directive and requires all site owners to disclose their use of cookies and allow visitors to opt in. The law came into force on 26th May last year and the ICO said at the time that it would not enforce it for the first 12 months. Those 12 months come to a close at the end of next week.

Andy's Idea

Andy's idea is to use the browser to handle this law. This is a good idea for the following reasons:

  1. Every single web site has been implementing the law their own way so using the browser would be a good way to bring a bit of standardisation to it;
  2. The browser is the agent that uses and stores the cookies created by web sites so it is the best place to enforce the choice of the user whether to opt in or not and to keep track of that choice between multiple visits.

Operational Outline

So far, so good. Then comes the question: how do you implement such a thing in the browser? At a high level, you need to do the following when visiting a web site:

  • Identify whether the web site falls under the jurisdiction of the Cookie Law;
  • If yes, then identify for each cookie presented by the web site:
    • What is that cookie used for,
    • Whether that use is covered by the exceptions detailed in paragraphs (4)(a) and (4)(b),
    • If not, ask the user for consent.

Let's take all those one at a time to see where we get to.

Jurisdiction

The first step is to identify whether a given web site is subject to the Cookie Law. In order to do this reliably, you would need a cryptographically secure token that can be linked back to a company identity, including a country. Extended Validation Certificates already offer something similar but do they contain a country code in a machine readable format? I simply don't know. And what about sites that use plain HTTP rather than HTTPS?

In all instances, you will have three possible outcome to whether the site falls under the Cookie Law: yes, no or don't know. In the first case, you also need to know what variation of the European Directive to apply. European Directives being what they are, each member country is free to implement it their own way so German law will be different from British law. Conversely, in the last case, what should the browser do? Display a warning or let you go on?

To complicate matters, there is also the question of whether cookies served by a domain other than the main site's domain, such as cookies from ad networks, fall under the main site's jurisdiction or their own domain's jurisdiction. IANAL so I have no idea what the answer is.

Finally, what would prevent a multi-national company to advertise its web site to the browser as being in a non-European jurisdiction even if they do business in Europe?

What is that Cookie for?

The next step is to identify what each cookie is used for. This could take the form of a machine readable file located at a well known URL or referenced by a link tag in the page's header. This was tried before in the form of P3P and it failed to gain traction. Any such standard would have to learn from the issues faced by P3P in order to succeed.

Once this is done, it would be a case of having a number of uses recognised as falling under the exception paragraphs while any other use would require opt in. You would then en up with three possible outcomes regarding whether user opt-in is required for any given cookie served by the web site: yes, no and don't know, the latter being the case if the web site does not provide any information for that particular cookie. This last case will be the controversial one because you can't be too stringent otherwise web sites won't have time to implement the standard but on the other hand you have to at least let the user know that a machine readable privacy use for that cookie is missing otherwise it gives an easy cop out for web sites that don't want to play fair.

Opt-in Management

Once a user has given or declined consent for particular cookies to be stored on their browsers, said browsers can remember such decisions and act accordingly next time the user visits the same web site. It would also be nice if the browser could notify the site of the user's decision so that web sites can avoid creating declined cookies altogether. This should then be accessible to the user in a similar way to saved passwords.

Do Not Track, etc.

A couple of parting thoughts:

  • How should all this interact with features like Do Not Track?
  • How can it be made flexible enough such that it can be extended the day other countries implement similar laws?

Answers on a postcard or in the comments below.

Monday 2 April 2012

Energy Use

I've been using iMeasure roughly since I moved into the new house and here's what the graphs look like so far:

iMeasure Energy Usage Graph

iMeasure Energy Usage Graph

There are two immediate observations on this graph:

  • electricity use is not seasonnal,
  • gas use definitely is!

The first observation tells me that my main electricity usage is probably not lighting as it doesn't change with the amount of daylight. So it's probably down to the big electrical items such as the washing machine and the fridge. I should be able to reduce that usage the day I replace them with new efficient models. One additional tidbit of trivia: the spike at the beginning of the graph is down to the sanding machines used when I had the wooden floors of the house sanded and varnished.

The second observation tells me that I need to work on insulating the house. In fact, I had thermal imaging done recently by the excellent Sustainable Lifestyles and it showed me very clearly that I have some low hanging fruit to pick first, in particular the loft insulation (or partial lack thereof) that results in very cold spots above the bay window in the master bedroom:

Cold Spot Above Bay Window

Cold Spot Above Bay Window

And at the junction points between walls and roof, the fact that whoever fitted the insulation in the loft didn't bother to fit it properly at the bottom causes cold spots underneath:

Cold Spots Where Wall Meets Roof

Cold Spots Where Wall Meets Roof

All this should be reasonably easy to fix so that will be my project for the summer and hopefully it should shave some of that spike off the graph for next year.

Sunday 15 January 2012

Recycling Smoke Alarms

We all know that we should have smoke alarms fitted in our homes. Those alarms can be damaged and will need replacing every ten years or so anyway. So what do you do with the old ones? Chuck them in the bin? Well, the fact that they are the subject of a best practice guide on the National Household Hazardous Waste Forum suggests that this is probably not the right solution. And indeed, looking at the back of mine, I can see why:

The back of my smoke alarm showing that it is a ionization alarm that contains a small amount of radioactive Americium 241

Ionization smoke alarms contain a small amount of radioactive material, Americium 241. Looking back at the best practice guide above, there are apparently three ways to deal with it:

  1. By a person authorised under section 13 of the Radioactive Substances Act 1993,
  2. By returning it to the manufacturer,
  3. By chucking it in the bin as long as you don't chuck in other radioactive waste and you only throw away one smoke alarm per bin bag.

Option 3 doesn't sound like recycling, while I don't know anybody who can help me with option 1. So that leaves option 2. As I've got the manufacturer's details on the back of the alarm, and their address is confirmed on their web site, that smoke alarm is going to find itself put into a jiffy bag, back to where it came from.

Note that there is another type of smoke alarms: photoelectric ones. They do not contain any dangerous material so are probably safer to dispose of. However, they are geared to detect different types of fires so for maximum protection you should have a combination of both photoelectric and ionization alarms.

For more questions on recycling stuff, have a look at the Recycle This web site.

Update

As very sensibly pointed out by Earth Notes, there may be an even easier way to deal with them: under the WEEE Directive, you can probably just give the old one to the retailer when you buy a new one.

Friday 13 January 2012

Yodel redefines the word Safe while John Lewis redefines Eco-Friendly

Last week-end I visited the John Lewis web site and bought a couple of Buiani folding chairs. I was advised that they would be delivered within 7 days via a standard delivery service, as opposed to the specialist delivery service you get when you buy larger items and who are very good.

So when I came back home on Wednesday night, I found a very large (more on that later) cardboard box outside my front door and in the letter box was this delivery notice:

Yodel delivery notice

Yodel delivery notice

You will note how they checked the a safe place box. They actually left the parcel outside my front door. Luckily I live in a relatively safe place so theft is unlikely. On the other hand, leaving an unprotected cardboard box outside, in London, in January, with something inside that may suffer from getting wet strikes me as a tad optimistic. Or did check the weather forecast before leaving the box outside?

Another thing that I found rather puzzling was the size of the box. It would have made sense had it contained normal chairs. But folding ones: surely they'd be shipped folded? All was revealed when I opened the box:

The big box

The big box

You will note the green stickers on the left side of the chairs with the FSC logo advising me that those chairs are made from wood from well-managed forests. Brilliant! Unfortunately the amount of Air Pad packaging filling in the box probably offsets all eco-friendly credentials imparted by the FSC logo. On the plus side, it probably means that I now have enough air pads to send presents to my two nieces until they reach adult age (uncles are meant to spoil nieces and nephews, that's part of the job description).