websecurity@lists.webappsec.org

The Web Security Mailing List


Closing web sites due to legislation

MustLive
Wed, May 23, 2012 8:55 PM

Hello participants of Mailing List.

Since 2008 I've written a large series of articles about closing web sites
due to legislation. There were a lot of cases (from that time on) in Ukraine
concerning multiple laws, where our law enforcement closed (temporarily or
permanently) web sites. And for a long time I was planning to write some
articles (at least summary articles) for the list on this topic. For
example, recently I wrote an article about closing sites by the tax
administration, and soon I'll write new articles on this topic (including
closing sites due to Euro 2012). But first I'm presenting another article
for you.

This article concerns a law in the European Union, so it may be more
interesting than the laws in Ukraine (but those cases will still be
interesting for you, because similar laws can exist in other countries). In
this article I'm talking about the law known as the "EU Cookie Law"
(http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx).
Since May 2011 this law has introduced such changes to online privacy laws
in the EU that visitors of web sites must be asked for their consent to the
use of cookies. One year was given (at least in the UK) to web sites to
change their behavior according to the new law, and since the 26th of May
2012 this law will be in full force (in the UK, in this case).

Which means that web sites which do not comply with the new legislation can
be fined (up to 500000 Euro). As stated on the Internet, this law affects
any web site targeting an EU audience, i.e. not only sites in EU countries
(for a local audience), but all sites made for an EU audience. There are no
closings of web sites, just fines, but if the fine is large enough for the
owner of a particular site, then he can close the site, so this law is
suitable for my series of articles about closing web sites due to
legislation.

What does it mean for web sites?

They must change the common way of working with cookies (the way it has
been since the invention of HTTP cookies), i.e. the "silent way", and start
using the "loud way" - asking all users and visitors before setting cookies.

What is the correct situation?

I've seen some EU sites, including the ICO's site, which ask before setting
cookies, but only a small number of sites. Most of the EU sites which I've
visited over the last year didn't do it, so they were not compliant with
the EU Cookie Law.

The deadline - the 26th of May 2012 - will come soon, so let's look at how
compliant popular sites in the EU are with the new law:

http://www.google.fr - not compliant (silently sets two cookies)

http://www.google.de - not compliant (silently sets two cookies)

http://fr.yahoo.com (redirected from yahoo.fr) - not compliant (silently
sets seven cookies)

http://www.bing.com/?cc=fr (redirected from bing.fr) - not compliant
(silently sets eleven cookies)

http://ec.europa.eu - on the main page it doesn't set cookies, but after I
visited the next page it silently set one cookie.

So the ICO should first start fining EU government sites ;-) and only then
come to the web sites of Internet companies. Government sites should show
themselves as a good example to other sites concerning observance of the
law. Whether there will be any fines concerning this law, we will see (I'm
not aware of any case for now, but we'll see after the 26th of May 2012).
But there is another aspect.

Security aspect of this law.

There is a connection between the EU Cookie Law and the security of web
sites (this is the main reason for writing this article). If a web site is
hacked and cookies are set for visitors silently (automatically), then this
site can be fined - even if by default this site is compliant with the EU
law (asks before setting cookies).

So vulnerabilities at any web site can be used to expose it to fines in the
EU due to this law. These can be serious vulnerabilities which lead to full
compromise of the site, or Cross-Site Scripting (persistent XSS, and even
reflected XSS) or HTTP Response Splitting vulnerabilities, because it's
possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
these sites not comply with the new law. So those web sites with IBM Domino
with multiple XSS and HTTPRS vulnerabilities, which I announced last week,
are at risk of fines (besides all other risks). So this law is a good
reason for web sites to improve their security.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

MaXe
Wed, May 30, 2012 2:01 PM

Dear MustLive,

I think you've misunderstood the European law somewhat.

In Europe, a website must inform the user if it intends to store data
(e.g. cookies but also HTML5 Local Storage) on the user's computer, and
inform about what the data is going to be used for.

The law does NOT require the website to ask the user whether it can store
data or not, meaning you automatically accept whether the website will
store e.g. cookies or not.

The information about how data is stored and what it is used for must also
be in common, understandable language (meaning "legal language" is not
allowed).

The website must, however, provide the option to disallow cookies being
stored on your computer.

Of course the laws you described may be applicable in Ukraine only, but
the EU law is as I described above. (So please, don't make up things you
don't know about. This is not a joke, these are all facts.)

Please note that the EU laws do not apply outside the EU. Countries such as
North Korea probably don't (excuse my language) give a damn about these
laws. They do of course apply to human individuals in Europe, companies in
Europe, domains registered in Europe and servers in Europe.

Best regards,
MaXe

On Wed, 23 May 2012 23:55:14 +0300, "MustLive"
<mustlive@websecurity.com.ua> wrote:

Hello participants of Mailing List.

Since 2008 I've wrote large series of articles about closing web sites due
to legislation. There were a lot of cases (from that time) in Ukraine
concerning multiple laws, where our law enforcements closed (temporarily or
permanently) web sites. And for a long time I was planning to write some
articles (at least summary articles) to the list on this topic. For
example, recently I've wrote article about closing sites by tax
administration and soon I'd write new articles on this topic (including
closing sites due to Euro 2012). But at first I'm presenting another
article for you.

[................. Removed to save bandwidth on the Internet. ]

Paweł Krawczyk
Thu, May 31, 2012 9:20 AM

Unfortunately, it's not so easy. Citing the directive
(http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:En:PDF):

"'3. Member States shall ensure that the storing of information, or the
gaining of access to information already stored, in the terminal equipment
of a subscriber or user is only allowed on condition that the subscriber or
user concerned has given his or her consent, having been provided with clear
and comprehensive information, in accordance with Directive 95/46/EC, inter
alia, about the purposes of the processing. This shall not prevent any
technical storage or access for the sole purpose of carrying out the
transmission of a communication over an electronic communications network,
or as strictly necessary in order for the provider of an information society
service explicitly requested by the subscriber or user to provide the
service.';

So:

  1. First provide "clear and comprehensive" information on purpose of cookies
  2. Obtain consent from user
  3. Only then store information

This is the legal, binding part. There's also a non-binding preamble
article that says:

"Where it is technically possible and effective, in accordance with the
relevant provisions of Directive 95/46/EC, the user's consent to
processing may be expressed by using the appropriate settings of a browser
or other application. The enforcement of these requirements should be made
more effective by way of enhanced powers granted to the relevant national
authorities."

This law is now giving lots of headaches to both regulators and website
operators across the EU, which results in a beautiful mess of twenty-seven
contrary national interpretations. The DLA Piper report nicely documents
this mess:

http://www.dlapiper.com/files/Uploads/Documents/DLA_Piper%20_%20How_the_EU_has_implemented_the_new_law_on_cookies.pdf

Some countries believe that it's possible to get user consent via the
browser - but there are no compliant browsers. Some believe an explicit
pop-up is required, just as the ICO did to the amusement of the industry -
because they obviously stored the user's consent in a cookie, so if you did
not agree, they would display that "do you agree" ad nauseam until you
agreed.

And the legals have a lot of fun deploying all their best dialectics to
prove that website owner's compliance can be derived from some random user's
browser settings :)

-----Original Message-----
From: websecurity-bounces@lists.webappsec.org
[mailto:websecurity-bounces@lists.webappsec.org] On Behalf Of MaXe
Sent: Wednesday, May 30, 2012 4:01 PM
To: websecurity@lists.webappsec.org
Subject: Re: [WEB SECURITY] Closing web sites due to legislation

Dear MustLive,

I think you've misunderstood the European law somewhat.

In Europe, a website must inform the user if it intends to store data (e.g.
cookies but also HTML5 Local Storage) on the user's computer, and inform
about what the data is going to be used for.

The law does NOT require the website to ask the user whether it can store
data or not. Meaning you automatically accept whether the website will store
e.g., cookies or not.

The information about how data is stored and what it is used for, must also
be in common understandable language (meaning "legal language" is not
allowed).

The website must however, provide the option to disallow cookies being
stored on your computer.

Of course these laws you described may be applicable in Ukraine only, but
the EU-law is as I described above. (So please, don't make up things you
don't know about. This is not a joke, these are all facts.)

Please note that the EU-laws does not apply outside EU. Countries such as
North Korea probably doesn't (excuse my language) give a damn about these
laws. It does of course apply to human individuals in Europe, companies in
Europe, domains registered in Europe and servers in Europe.

Best regards,
MaXe

On Wed, 23 May 2012 23:55:14 +0300, "MustLive"
<mustlive@websecurity.com.ua> wrote:

Hello participants of Mailing List.

Since 2008 I've wrote large series of articles about closing web sites due
to legislation. There were a lot of cases (from that time) in Ukraine
concerning multiple laws, where our law enforcements closed (temporarily or
permanently) web sites. And for a long time I was planning to write some
articles (at least summary articles) to the list on this topic. For
example, recently I've wrote article about closing sites by tax
administration and soon I'd write new articles on this topic (including
closing sites due to Euro 2012). But at first I'm presenting another
article for you.

[................. Removed to save bandwidth on the Internet. ]

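Two points in this thread have a direct server-side counterpart: the three steps Paweł reads out of the directive (inform, obtain consent, only then store) and MustLive's observation that a cookie injected through XSS or HTTP response splitting makes a site non-compliant regardless of its default behaviour. The script below is an added example written for this archive, not code from any poster or from any project mentioned in the thread. It assumes a consent marker cookie named cookie_consent and a single strictly necessary cookie named session; the raw HTTP response it audits is constructed for the example. It gates non-essential cookies on consent, rejects CR/LF in header values so an attacker-controlled value cannot terminate a header and smuggle in a Set-Cookie, and counts the Set-Cookie headers of a response the way the "silently sets N cookies" check in the first post was done by hand.

```python
"""Consent-gated cookies and a Set-Cookie audit (added example, not list code)."""

# Assumed names for this example: the consent marker and the one cookie that is
# "strictly necessary" for the requested service (the directive's exemption).
CONSENT_COOKIE = "cookie_consent"
ESSENTIAL = {"session"}


class HeaderInjection(ValueError):
    """Raised when a header value carries CR or LF (response-splitting attempt)."""


def safe_header_value(value):
    """Refuse CR/LF so a value cannot start a new header line such as Set-Cookie."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("CR/LF in header value: %r" % value)
    return value


def has_consent(request_cookies):
    """True only when the client sent the consent marker with value 'yes'."""
    return request_cookies.get(CONSENT_COOKIE) == "yes"


def build_response_headers(request_cookies, wanted_cookies):
    """Emit Set-Cookie only for essential cookies or after consent was given.

    request_cookies: dict of cookies received from the client.
    wanted_cookies:  dict of cookies the application would like to set.
    Returns a list of (header-name, header-value) tuples.
    """
    headers = [("Content-Type", "text/html; charset=utf-8")]
    consented = has_consent(request_cookies)
    for name, value in wanted_cookies.items():
        if name not in ESSENTIAL and not consented:
            continue  # inform first, obtain consent, only then store
        cookie = "%s=%s; Path=/; HttpOnly" % (name, safe_header_value(value))
        headers.append(("Set-Cookie", cookie))
    return headers


def audit_response(raw_response, request_cookies):
    """Count Set-Cookie headers in a raw HTTP response and flag silent ones.

    A cookie is 'silent' when it is not essential and the request that
    produced the response carried no consent marker.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *header_lines = head.split("\r\n")
    names = []
    for line in header_lines:
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            names.append(value.strip().split("=", 1)[0].strip())
    consented = has_consent(request_cookies)
    silent = [n for n in names if n not in ESSENTIAL and not consented]
    return {"status": status, "set_cookie_count": len(names),
            "silent_non_essential": silent}


# Constructed sample: a front page that sets two cookies without being asked.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Set-Cookie: tracker=abc123; expires=Fri, 23-May-2014 20:55:00 GMT; path=/\r\n"
    b"Set-Cookie: analytics=42; expires=Thu, 22-Nov-2012 20:55:00 GMT; path=/; HttpOnly\r\n"
    b"\r\n"
    b"<html><body>front page</body></html>"
)

if __name__ == "__main__":
    print("no consent:", audit_response(SAMPLE_RESPONSE, {}))
    print("with consent:", audit_response(SAMPLE_RESPONSE, {CONSENT_COOKIE: "yes"}))
    print("server, no consent:", build_response_headers({}, {"session": "s1", "analytics": "a1"}))
    try:
        safe_header_value("en\r\nSet-Cookie: injected=1")
    except HeaderInjection as exc:
        print("blocked:", exc)
```

Running the script prints an audit result of two Set-Cookie headers, both flagged as silent, for the constructed response without consent and none flagged once the consent cookie is present; the server-side helper emits only the session cookie until consent arrives, and the CR/LF check refuses the value that would have appended a second header. The audit is the same check MustLive performed by hand on the listed sites, applied to a captured response instead of a live one.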
Pavol Luptak
Thu, May 31, 2012 9:31 PM

Hi all,

On Wed, May 23, 2012 at 11:55:14PM +0300, MustLive wrote:

now, but we'll see after 26th of May 2012). But there is another aspect.

Security aspect of this law.

There is a connection between EU Cookie Law and security of web sites (this
is main reason for writing this article). If web site will be hacked and
cookies will be set for visitors silently (automatically), then this site
can be fined - even if by default this site are compliant to EU law (asks
before setting cookies).

That's one of the reasons why I don't like this new EU law. It can easily
be exploited - innocent people can be fined (criminalized) just because they
were hacked (and you cannot force people to care about their security just
because we do it most of our lives).

I am completely aware of the fact that most security people (who care about
personal privacy) would consider this law to be a good and necessary one.
The potential advantages of this law are clear to most people, but let's
talk about the negative impact of this "great" EU law:

If you want to have this EU regulation - it means:

  • increased expenses for the web application owners, because they need to
    change their applications according to this new EU law

  • a lot of money from our taxes - because someone in the EU must enforce
    this law, check if all websites are compliant according to this law,
    notify them if not and finally sue them

This law strongly affects Internet users' freedom -> if most people have no
problem accessing most web sites without specific "cookie" consent and do
it fully voluntarily, you have no moral right to force web application
owners to increase their expenses and change their applications, and to
steal more money from taxpayers to enforce this law (which can be quite
expensive), just because you think that these people do not care about
their personal privacy and they should.

I do care about my privacy a lot (and I think other people should care too),
but this EU regulation/law means "global enforcing" for all people (including
those who do not care about their privacy at all, and very often they are
aware of it).

So if someone thinks that people should care about their Internet privacy,
he should use non-invasive ways to promote it (e.g. make security-awareness
videos, web sites and), but he has no moral right to enforce this kind of EU
for all EU citizens using their taxpayer money, just because he thinks that
people deserve much more privacy.

Imagine this hypothetical situation:

This EU regulation would cost us e.g. one million € every year.

Every EU citizen could decide voluntarily whether he wants to pay another 50
cents for every "safe" web site he accesses, where it is guaranteed that he
has to give "explicit consent" for everything, or whether he wants to access
the "current" web site where there are no such guarantees (just the
reputation of the given website / website's owners).

And now guess how most people would decide :)

So vulnerabilities at any web site can be used to expose it to fines in EU
due to this law. It can be as serious vulnerabilities, which leaded to full
compromise of this site, or Cross-Site Scripting (as persistent XSS, as even
reflected XSS) or HTTP Response Splitting vulnerabilities. Because it's
possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
these sites to not correspond to new law. So those web sites with IBM Domino
with multiple XSS and HTTPRS vulnerabilities, which I've announced last
week, are falling to the risk of fines (besides all other risks). So this
law is a good reason for web sites to improve their security.

But security is often expensive. And if you have a complex website of some
NGO/NPO without any profit, you cannot force them to invest any money in
security. For them it is often more acceptable to have a few hacks per year
and manage them internally than to invest a lot of money in improving their
security. Security has to be (primarily) cost-effective.

Pavol


[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

Marc Palau
Tue, Jun 5, 2012 10:48 AM

I assume that the background of this law is the possibility to avoid
obscure ways of following the user across his navigation through different
websites. I mean Google Analytics, Google AdSense and all kinds of ad
platforms (or Facebook Like buttons, Twitter 'tweet this'...). All those
businesses follow the user's navigation and draw profiles of persons. I
assume that the majority of this list knows the value of all this data.

Problem? All those websites are from outside the EU, and the 'power' of that
information doesn't remain inside the union (outside our interests).

Then the future of this law can take more than one way, because the
implementation remains with each country.

I think this law will not be useful for the European people; this is
just another way to repress and control people and initiatives.

From my techy background I think this law comes from the ignorance of our
legislators.

greetings
Marc

Al 31/05/12 23:31, En/na Pavol Luptak ha escrit:

Hi all,

On Wed, May 23, 2012 at 11:55:14PM +0300, MustLive wrote:

now, but we'll see after 26th of May 2012). But there is another aspect.

Security aspect of this law.

There is a connection between EU Cookie Law and security of web sites (this
is the main reason for writing this article). If a web site is hacked and
cookies are set for visitors silently (automatically), then this site
can be fined - even if by default this site is compliant with the EU law (asks
before setting cookies).

That's one of the reasons why I don't like this new EU law. It can be easily
exploited - innocent people can be fined (criminalized) just because they were
hacked (and you cannot force people to care about their security just because
we do it most of our lives).

I am completely aware of the fact that most security people (that care about
personal privacy) would consider this law to be a good and necessary one.
Potential advantages of this law are clear to most people, but let's talk
about a negative impact of this "great" EU law:

If you want to have this EU regulation - it means:

  • increased expenses for the web application owners, because they need to
    change their applications according to this new EU law

  • a lot of money from our taxes - because someone in the EU must enforce
    this law, check if all websites are compliant with this law,
    notify them if not and finally sue them

This law strongly affects Internet users' freedom -> if most people have no
problem accessing most web sites without specific "cookie" consent and do
it fully voluntarily, you have no moral right to force web application owners
to increase their expenses and change their applications, and to steal more
money from taxpayers to enforce this law (which can be quite expensive), just
because you think that these people do not care about their personal privacy
and they should.

I do care about my privacy a lot (and I think other people should care too),
but this EU regulation/law means "global enforcing" for all people (including
those who do not care about their privacy at all, and very often they are
aware of it).

So if someone thinks that people should care about their Internet privacy,
he should use non-invasive ways to promote it (e.g. make security-awareness
videos, web sites and), but he has no moral right to enforce this kind of EU
for all EU citizens using their taxpayer money, just because he thinks that
people deserve much more privacy.

Imagine this hypothetical situation:

This EU regulation would cost us e.g. one million EUR every year.

Every EU citizen could decide voluntarily if he wants to pay another 50 cents
for every "safe" web site he accesses, where it is guaranteed that he has to
give "explicit consent" for everything, or if he wants to access a "current"
web site where there are no such guarantees (just the reputation of the given
website / website's owners).

And now guess how most people would decide :)

So vulnerabilities at any web site can be used to expose it to fines in the EU
due to this law. These can be serious vulnerabilities which led to full
compromise of the site, or Cross-Site Scripting (persistent XSS, or even
reflected XSS) or HTTP Response Splitting vulnerabilities. Because it's
possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
these sites not correspond to the new law. So those web sites with IBM Domino
with multiple XSS and HTTPRS vulnerabilities, which I announced last
week, are exposed to the risk of fines (besides all other risks). So this
law is a good reason for web sites to improve their security.

But security is often expensive. And if you have a complex website of some
NGO/NPO without any profit, you cannot force them to invest any money in
security. For them it is often more acceptable to have a few hacks per year
and manage it internally than to invest a lot of money to improve their security.
Security has to be (primarily) cost-effective.

Pavol


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

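The point quoted above from MustLive's original mail, that an XSS or HTTP Response Splitting hole lets a response carry Set-Cookie headers the site owner never intended, so a consent dialog alone does not keep the site compliant, can be shown with a small constructed example. This is an added illustration, not code from this thread, from Nethemba or from the IBM Domino sites mentioned; the handler names, the `allowed` cookie inventory and the sample redirect target are all this example's own assumptions:

```python
"""Constructed illustration: a header-injection (HTTP response splitting)
defect makes a response set cookies the site never intended, and two
defensive checks against it. Added example, not code from the thread;
every name below is this example's own assumption."""
import re
from typing import List, Set, Tuple

# A CR or LF inside a header value ends that header early and starts a new
# one; that is the whole mechanism behind response splitting.
_CRLF = re.compile(r"[\r\n]")


def is_safe_header_value(value: str) -> bool:
    """True when the value contains no CR/LF and so cannot split the response."""
    return _CRLF.search(value) is None


def _format_redirect(target: str) -> str:
    """Serialise a minimal 302 response whose Location is `target`."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + target + "\r\n"
            "Content-Length: 0\r\n\r\n")


def build_redirect_vulnerable(target: str) -> str:
    """'Before' form: the redirect target is copied into Location verbatim.
    Kept deliberately unsafe to show the defect the thread describes."""
    return _format_redirect(target)


def build_redirect_hardened(target: str) -> str:
    """'After' form: any header value carrying CR/LF is refused outright,
    so no second header can be smuggled into the response."""
    if not is_safe_header_value(target):
        raise ValueError("CR/LF in header value rejected")
    return _format_redirect(target)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header section of a raw HTTP response into (name, value)
    pairs, with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def unexpected_cookies(raw: str, allowed: Set[str]) -> List[str]:
    """Compliance audit over one response: names of cookies it sets that are
    not in the site's consent inventory `allowed` (assumed to be the set the
    consent dialog actually covers)."""
    found = []
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            if cookie_name not in allowed:
                found.append(cookie_name)
    return found


if __name__ == "__main__":
    # Constructed input: a redirect target that smuggles an extra header.
    smuggled = "/home\r\nSet-Cookie: track=1"
    print(unexpected_cookies(build_redirect_vulnerable(smuggled), {"session"}))
    print(is_safe_header_value(smuggled))
```

Run the audit over captured responses of a site that already asks for consent: any cookie name it reports outside the consent inventory is either a forgotten cookie or evidence that a response is being shaped by injected input, which is exactly the situation the quoted text says would put an otherwise compliant site at risk.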
PL
Pavol Luptak
Wed, Jun 6, 2012 3:32 PM

On Tue, Jun 05, 2012 at 12:48:24PM +0200, Marc Palau wrote:

I assume that the background of this law is the possibility to avoid obscure
ways to follow the user across his navigation through different websites.
I mean Google Analytics, Google AdSense and all kinds of ads platforms (or
Facebook like buttons, Twitter 'tweet this'...). All those businesses follow
the user navigation and draw profiles of persons. I assume that the
majority of this list knows the value of all this data.

If some people want to care about their tracking, they can start to use Do
Not Track Plus, Ghostery, NoScript or some other privacy-protecting plugin
immediately and for free. But to steal tax money from all people to enforce
this EU regulation because we want to protect the privacy of all people (most of
them do not care) is simply not fair.

Problem? All those websites are from outside the EU, and the 'power' of that
information doesn't remain inside the union (outside our interests).

Yes. And that will be a reason why many big portals will just move outside of
the EU because of expensive or stupid regulations.

Then the future of this law can take more than one way, because the
implementation is left to each country.

I think this law will not be useful for the European people; this is just
another way to repress and control people and initiatives.

Yes. And it will be another regulation that makes the EU less competitive
(for Internet portals, businesses, ...) compared to the rest of the non-regulated world.

Pavol


[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

M
MustLive
Tue, Jun 12, 2012 8:50 PM

Pavol and guys!

Here are some more comments concerning your thoughts on this topic. Thanks,
you've written a lot of comments, so I need to comment on many of the most
important ones. This is the second letter and later I'll write more ;-). And
besides comments, I'll write about more examples of laws and their
relation to security.

(and you cannot force people to care about their security just because we
do it most of our lives).

I agree with all your argumentation, Pavol (those aspects which you referred
to security can similarly be referred to privacy). I'll just add a note
concerning forcing people.

On one side, forcing is not a very acceptable way, but on the other side it's
needed to remind people - to change the current nihilistic situation. And in my
opinion for security it must be more active than for privacy. So forcing
people, in a non-aggressive and peaceful way, i.e. by reminding (like
reminding about holes at websites or in webapps, as I'm doing for more than
7 years) can and should be done. And much more for security than for privacy
(and this EU law concerns only privacy, so "as always they forgot about
security").

For example, if EU legislators make the situation with security of web sites
in the EU much better, then there will be far fewer possibilities for exposing
web sites (and their owners) to fines after their hacks. As you see, the correct
order (first security and then privacy) can make the situation better and with
fewer pitfalls (but EU legislators just forgot about security and
over-concentrated on privacy). In other words, forcing can and should be
done (only the positive kind), especially concerning improving security - and it
can be done without any additional laws (even without this EU law), but with
current legislation. In my next letters, when I'll be showing different
examples of current legislation and cases of using these laws (in Ukraine
and the USA), I'll write more about it.

And now guess how most people would decide :)

Yes, it's a nice example and the result is predictable :-). This is the case
when usability (and "don't make a pain in a head"-ability) wins over
privacy. But we have a similar situation in the case of usability vs. security (in
most cases in different applications, especially in webapps). The situation with
captcha is one of the well-known ones.

Interesting rhetorical question: can any country in the EU not implement
this law, because of "not well-thought law", "people are protesting" or
"there is no money for implementation" (aka "financial crisis")? I
understand that it's obligatory for every member of the EU (I wrote it
rhetorically), but anyway some prudence can be exercised, like it was done in the UK.
So I wish for every country in the EU to implement this law harmlessly. And
there are a lot of other interesting laws, about which I'll write soon.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Pavol Luptak" pavol.luptak@nethemba.com
To: "MustLive" mustlive@websecurity.com.ua
Cc: websecurity@lists.webappsec.org
Sent: Friday, June 01, 2012 12:31 AM
Subject: Re: [WEB SECURITY] Closing web sites due to legislation

Hi all,

On Wed, May 23, 2012 at 11:55:14PM +0300, MustLive wrote:

now, but we'll see after 26th of May 2012). But there is another aspect.

Security aspect of this law.

There is a connection between EU Cookie Law and security of web sites (this
is the main reason for writing this article). If a web site is hacked and
cookies are set for visitors silently (automatically), then this site
can be fined - even if by default this site is compliant with the EU law (asks
before setting cookies).

That's one of the reasons why I don't like this new EU law. It can be easily
exploited - innocent people can be fined (criminalized) just because they were
hacked (and you cannot force people to care about their security just because
we do it most of our lives).

I am completely aware of the fact that most security people (that care about
personal privacy) would consider this law to be a good and necessary one.
Potential advantages of this law are clear to most people, but let's talk
about a negative impact of this "great" EU law:

If you want to have this EU regulation - it means:

  • increased expenses for the web application owners, because they need to
    change their applications according to this new EU law

  • a lot of money from our taxes - because someone in the EU must enforce
    this law, check if all websites are compliant with this law,
    notify them if not and finally sue them

This law strongly affects Internet users' freedom -> if most people have no
problem accessing most web sites without specific "cookie" consent and do
it fully voluntarily, you have no moral right to force web application owners
to increase their expenses and change their applications, and to steal more
money from taxpayers to enforce this law (which can be quite expensive), just
because you think that these people do not care about their personal privacy
and they should.

I do care about my privacy a lot (and I think other people should care too),
but this EU regulation/law means "global enforcing" for all people (including
those who do not care about their privacy at all, and very often they are
aware of it).

So if someone thinks that people should care about their Internet privacy,
he should use non-invasive ways to promote it (e.g. make security-awareness
videos, web sites and), but he has no moral right to enforce this kind of EU
for all EU citizens using their taxpayer money, just because he thinks that
people deserve much more privacy.

Imagine this hypothetical situation:

This EU regulation would cost us e.g. one million € every year.

Every EU citizen could decide voluntarily if he wants to pay another 50 cents
for every "safe" web site he accesses, where it is guaranteed that he has to
give "explicit consent" for everything, or if he wants to access a "current"
web site where there are no such guarantees (just the reputation of the given
website / website's owners).

And now guess how most people would decide :)

So vulnerabilities at any web site can be used to expose it to fines in the EU
due to this law. These can be serious vulnerabilities which led to full
compromise of the site, or Cross-Site Scripting (persistent XSS, or even
reflected XSS) or HTTP Response Splitting vulnerabilities. Because it's
possible to set cookies via XSS and HTTPRS vulnerabilities - which makes
these sites not correspond to the new law. So those web sites with IBM Domino
with multiple XSS and HTTPRS vulnerabilities, which I announced last
week, are exposed to the risk of fines (besides all other risks). So this
law is a good reason for web sites to improve their security.

But security is often expensive. And if you have a complex website of some
NGO/NPO without any profit, you cannot force them to invest any money in
security. For them it is often more acceptable to have a few hacks per year
and manage it internally than to invest a lot of money to improve their security.
Security has to be (primarily) cost-effective.

Pavol


[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

PL
Pavol Luptak
Sat, Jun 16, 2012 7:37 PM

Hi,

On Tue, Jun 12, 2012 at 11:50:23PM +0300, MustLive wrote:

I agree with all your argumentation, Pavol (those aspects which you
referred to security can similarly be referred to privacy). I'll just
add a note concerning forcing people.

On one side, forcing is not a very acceptable way, but on the other side it's
needed to remind people - to change the current nihilistic situation. And in my
opinion for security it must be more active than for privacy. So forcing
people, in a non-aggressive and peaceful way, i.e. by reminding (like
reminding about holes at websites or in webapps, as I'm doing for more than
7 years) can and should be done. And much more for security than for privacy
(and this EU law concerns only privacy, so "as always they forgot about
security").

Yes, but you are doing it on your own using your own time and money.

EU legislators will do it using taxpayers' money. That's a big difference.

Interesting rhetorical question: can any country in the EU not implement
this law, because of "not well-thought law", "people are protesting" or
"there is no money for implementation" (aka "financial crisis")? I
understand that it's obligatory for every member of the EU (I wrote it
rhetorically), but anyway some prudence can be exercised, like it was done in the UK.
So I wish for every country in the EU to implement this law harmlessly. And
there are a lot of other interesting laws, about which I'll write soon.

Yes, that's because the EU is not about people's opinions and their needs,
but about high-level politicians and their interests.
(OK, in the recent year I became a really big euro-skeptic).

Pavol


[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

M
MustLive
Tue, Jun 19, 2012 8:50 PM

Pavol!

EU legislators will do it using taxpayers' money. That's a big difference.

Good remark. They want to spend taxpayers' money on creating a new
bureaucratic institution aka "cookies police" :-) for fining these people
(taxpayers). If teaching people for their own money (i.e. teaching that
there is a law and people must not forget about it) can in some cases be
acceptable (there is a lot of paid education in this world and the "fines
system" uses the same paradigm), then creating for taxpayers an additional
headache, time wasting and new taxes (fines) can't be acceptable.

(OK, in the recent year I became a really big euro-skeptic).

This year I've already met and spoken with euro-skeptics (even though the "official
course" of Ukraine is euro-integration). Particularly I mean my brother,
with whom I had a long conversation at the beginning of the year on the
"euro-skeptic" topic, after that case with the Hungary president, who was
kicked out from his post by EU politicians (of course covertly; officially
it was due to "plagiarism"). And when yesterday I heard in the news about
the same "plagiarism" scheme with the Romania prime minister - it didn't make
me wonder :-). The same political SWATing tactics (such political
pranking) - exposing of disagreeable politicians.

Nobody DDoSed government sites of these countries or hacked their web sites
to make defacement or put some "plagiarism" to their sites, but they
revealed plagiarism from the past - which considered as more effective
attack to kick them from their post. This is very different approach from
methods of hacktivists. But let's finish with politic and back to web
security topic ;-).

> Yes. And that will be a reason why many big portals will just move outside
> of the EU because of expensive or stupid regulations.

Concerning this aspect, Pavol, I'll remind you that in my first publication
I wrote that "as stated in Internet, this law affects any web
site targeting an EU audience". In this sentence I referenced the web site
http://silktide.com/cookielaw. The author of this web site, in his article
and in comments to his YouTube video about the Cookie Law, wrote that domain and
hosting location is irrelevant, but the location of the company is important.
I.e. it's enough to have a web site targeting an EU audience (per se any site
in an official language of any EU country can be such one) and to have a
registered business in the EU to fall under this law. So if owners of big
portals move their domains/hosting outside of the EU but leave their
offices inside it, then they will still be under EU jurisdiction.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Pavol Luptak" <pavol.luptak@nethemba.com>
To: "MustLive" <mustlive@websecurity.com.ua>
Cc: <websecurity@lists.webappsec.org>
Sent: Saturday, June 16, 2012 10:37 PM
Subject: Re: [WEB SECURITY] Closing web sites due to legislation

Hi,

On Tue, Jun 12, 2012 at 11:50:23PM +0300, MustLive wrote:

> I agree with all your argumentation, Pavol (those aspects which you
> referred to security, similarly can be referred to privacy). Just
> will add the note concerning forcing people.
>
> From one side, forcing is not very acceptable way, but from other side it's
> needed to remind people - to change current nihilistic situation. And in my
> opinion for security it must be more active, then for privacy. So forcing
> people, in non-aggressive and peaceful way, i.e. by reminding (like
> reminding about holes at websites or in webapps, as I'm doing for more then
> 7 years) can and should be done. And much more for security, then privacy
> (and this EU law concerns only privacy, so "as always they forgot about
> security").

Yes, but you are doing it on your own using your own time and money.
EU legislators will do it using tax payers money. That's a big difference.

> Interesting rhetorical question: does any country in EU can to not implement
> this law, because of "not well-thought law", "people are protesting" or
> "there are no money for implementation" (aka "financial crisis"). I
> understand that it's obligatory for every member of EU (I've wrote it
> rhetorically), but anyway some prudence can be made, like it was done in UK.
> So I wish for every country in EU to implement this law harmlessly. And
> there are a lot of other interesting laws, about which I'll write soon.

Yes, that's because the EU is not about people's opinions and their needs,
but about high-level politicians and their interests.
(OK, in the recent year I became a really big euro-skeptic).

Pavol

--
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
