Today, June 2nd, is Festa della Repubblica in Italy. But it's also “cookiegeddon”: this midnight is an important deadline, as all webmasters will be forced to comply with the guidelines by the “Garante per la protezione dei dati personali” about the management of cookies, to implement a few European Union directives (informally known as the “EU Cookie Law”). For this reason, you're going to find a few new things on this site: a new page called “Privacy” has been added, the page footer has been updated, and before accessing some third-party services, such as embedded YouTube videos or the commenting facility provided by Disqus, you will have to agree to their cookie usage.
But I'm writing this post also to express a few thoughts, both as a webmaster and a web user. I'm starting with the user perspective, since my webmaster technical approach to the problem has been driven by that.
I think that the European Union “cookie law” has got a point, because as a user I don't like being profiled at all, I don't like behavioural marketing, above all I don't like being subjected to these things while being unaware of them - yes, as a software engineer I understand what's happening whenever I visit a website, but most people don't and can't. So, enforcing an advisory page about this makes sense. Unfortunately, as usual, the law is ambiguous, verbose, difficult to understand (especially the one implemented in Italy), and - above all - there are missing parts that, in the end, make things worse than they were before. To be practical: I've been running my web browser with cookies disabled by default for ages, only enabling those that are needed for delivering a service. While everybody can do that - because all browsers provide tools for cookie management - in practice only technically skilled people can, because they have to understand how cookies work. The proper solution to the problem would be to force websites to provide the advisory and to let people choose, with a simple dialog box, every single kind of cookie or service they want to be enabled. Instead what I'm seeing is that some newspapers, in case you don't accept their new cookie policy, just prevent you from reading, because as soon as you scroll the page, a refresh is forced and the page is shown again from the top (unintentional bug or feature?). Probably I can still go to the cookie management tool in the browser and selectively allow only the cookie behind this new “feature”, but it's cumbersome and requires even more technical skills than before. As a net result, people now are being forced to accept more stuff than they did before.
Unfortunately, it's the same monolithic approach that is spreading in the technology world... Consider Android: there's a reasonably well designed permission scheme, by which you can incrementally allow an app only the things it actually requires. But as apps evolve, they tend to require everything. For instance, once I had a home-banking app: the initial version only required network access, which is obvious. Then updates added features such as geo-location of teller machines, augmented reality, calling the support phone number... Lots of things, totally useless for me, stuffed into a single bloated app, which now requires almost all the permissions, such as accessing the phone, my contact list, the GPS, the camera... jeopardising the incremental approach that Android offers. Insane. Instead, please make a basic app with only basic stuff, and an optional advanced app (thanks to Android, this approach can be offered with a seamless integration). For me everything that is useless is evil: so all bloated apps have been removed.
So, I took the chance of this forced update to my websites to review and jettison all the useless stuff. StoppingDown and my personal site went totally cookieless. In fact, the only cookies they used were those from Google Analytics and I recognised that I don't need that service: I only want stats about visitors' countries, browsers, browser screen resolution, most visited pages, all things that can be searched in the server logs and don't require cookies. So, bye bye Google Analytics. For the site you're reading, I need Disqus plus some embedded YouTube videos. I went the incremental way: instead of asking you to either accept any kind of cookies or disable any extra feature, you will be asked case by case. See for instance the comment stuff just below. For YouTube, I configured the code so cookies are used only when you start playing the videos: there's simply a short advisory near each embedded video.
In other words, I'm offering you most of the contents without avoidable complexity, and asking you to approve extra complexity only in those specific cases where it's needed. I think this is the way technology should go.
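One way to implement the case-by-case approach described above, as an added example that is not this site's own code: each third-party embed is rendered as a local placeholder, and the markup that contacts the third party is produced only after consent for that one service. The service table, class and function names, markup and the `VIDEO_ID` URL are assumptions made for illustration.

```javascript
// Added example: per-service consent gate (names, URLs and markup are constructed).
const SERVICES = {
  youtube: { label: "YouTube video", origin: "https://www.youtube.com" },
  disqus: { label: "Disqus comments", origin: "https://disqus.com" },
};

const isKnown = (service) => Object.prototype.hasOwnProperty.call(SERVICES, service);

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Consent lives in memory for the current page view only, so remembering
// the choice does not itself require setting a cookie.
class ConsentStore {
  constructor() { this.granted = new Set(); }
  grant(service) {
    if (!isKnown(service)) throw new Error("unknown service: " + service);
    this.granted.add(service);
  }
  revoke(service) { this.granted.delete(service); }
  has(service) { return this.granted.has(service); }
}

// Returns the HTML for one embed. Without consent the markup contains no URL
// on the third party's host, so the browser sends it no request and no cookie.
function renderEmbed(store, service, src) {
  if (!isKnown(service)) throw new Error("unknown service: " + service);
  const svc = SERVICES[service];
  const url = new URL(src);
  // Consent for one service must not be usable to load another origin.
  if (url.origin !== svc.origin) throw new Error("src is not on " + svc.origin);
  if (!store.has(service)) {
    return `<div class="embed-placeholder" data-service="${service}">` +
      `<p>${escapeHtml(svc.label)} sets third-party cookies once loaded.</p>` +
      `<button type="button" data-consent="${service}">Load ${escapeHtml(svc.label)}</button>` +
      `</div>`;
  }
  return `<iframe src="${escapeHtml(url.href)}" title="${escapeHtml(svc.label)}"></iframe>`;
}
```

In a page, a click handler on the `data-consent` button would call `grant()` and replace the placeholder with the second form of the markup.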