[WEB SECURITY] Closing web sites due to legislation

Paweł Krawczyk pawel.krawczyk at hush.com
Thu May 31 05:20:06 EDT 2012

Unfortunately, it's not so easy. Citing the directive

"'3. Member States shall ensure that the storing of information, or the
gaining of access to information already stored, in the terminal  equipment
of a subscriber or user is only allowed on condition that the subscriber or
user concerned has given his or her consent, having been provided with clear
and comprehensive information, in accordance with Directive 95/46/EC, inter
alia, about the purposes of the processing. This shall not prevent any
technical storage or access for the sole purpose of carrying out the
transmission of a communication over an electronic communications network,
or as strictly necessary in order for the provider of an information society
service explicitly requested by the su"scriber or user to provide the


1) First provide "clear and comprehensive" information on purpose of cookies
2) Obtain consent from user
3) Only then store information

This is the legal, binding part. There's also a non-binding pre-amble
article that says:

"Where it is technically possible and effective,  in accordance  with the
relevant  provisions  of Directive 95/46/EC, the user's consent to
processing may be expressed by using the appropriate settings of a browser
or other application. The enforcement of these requirements should be made
more effective by way of enhanced powers granted to the relevant national

This law is now giving lots of headache to both regulators and website
operators across  EU that results in beautiful mess of twenty seven
contrary, national interpretations. DLA Piper reports nicely documents this


Some countries believe that it's possible to get user content via the
browser - but there are no compliant browsers. Some believe an explicit
pop-up is required, just as ICO did to amusement of the industry - because
they obviously stored user's consent in the cookie, so if you did not agree,
they would display that "do you agree" ad nauseam  until you agree.

And the legals have a lot of fun deploying all their best dialectics to
prove that website owner's compliance can be derived from some random user's
browser settings :)

-----Original Message-----
From: websecurity-bounces at lists.webappsec.org
[mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of MaXe
Sent: Wednesday, May 30, 2012 4:01 PM
To: websecurity at lists.webappsec.org
Subject: Re: [WEB SECURITY] Closing web sites due to legislation

Dear MustLive,

I think you've misunderstood the European law somewhat.

In Europe, a website must inform the user if it intends to store data (e.g.
cookies but also HTML5 Local Storage) on the user's computer, and inform
about what the data is going to be used for.

The law does NOT require the website to ask the user whether it can store
data or not. Meaning you automatically accept whether the website will store
e.g., cookies or not.

The information about how data is stored and what it is used for, must also
be in common understandable language (meaning "legal language" is not

The website must however, provide the option to disallow cookies being
stored on your computer.

Of course these laws you described may be applicable in Ukraine only, but
the EU-law is as I described above. (So please, don't make up things you
don't know about. This is not a joke, these are all facts.)

Please note that the EU-laws does not apply outside EU. Countries such as
North Korea probably doesn't (excuse my language) give a damn about these
laws. It does of course apply to human individuals in Europe, companies in
Europe, domains registered in Europe and servers in Europe.

Best regards,

On Wed, 23 May 2012 23:55:14 +0300, "MustLive"
<mustlive at websecurity.com.ua> wrote:
> Hello participants of Mailing List.
> Since 2008 I've wrote large series of articles about closing web sites
> to legislation. There were a lot of cases (from that time) in Ukraine 
> concerning multiple laws, where our law enforcements closed 
> (temporarily
> permanently) web sites. And for a long time I was planning to write 
> some articles (at least summary articles) to the list on this topic. 
> For example, recently I've wrote article about closing sites by tax 
> administration
> soon I'd write new articles on this topic (including closing sites due
> Euro 2012). But at first I'm presenting another article for you.
> [................. Removed to save bandwidth on the Internet. ]

The Web Security Mailing List

WebSecurity RSS Feed

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter

websecurity at lists.webappsec.org

More information about the websecurity mailing list