Server: Opt-In Cookies on first visit (GDPR / e-Privacy)

Created on 10 Apr 2019 · 3Comments · Source: nextcloud/server

4 Cookies are set before any visitor to the landing page has the ability to read the privacy policy or the terms of service. Some lawyers see this as grounds to send a seize and desist letter. And I must agree - while I do not know too much about the inner workings, why do there need to be cookies set before someone is logging into the service?

Concerning GDPR-Compliance, it is easy to just put the information into the privacy policy, and akin to this: https://github.com/nextcloud/server/issues/9739#issuecomment-412080268 have people read it (set a checkmark) and use an app for it.
But with the e-privacy regulation definitely coming within the next two to three years, it should be made possible to not set any cookies for anyone who just "stumbles" upon the site, until they have read a message that informs them about the cookies being set to login/register/use the site.

It could be as simple as an app, that allows to link to the privacy policy - maybe with a header link - that describes which cookies will be set.
It should then also be possible to say "no" to cookies, and then the site should let the visitor know, that the service can't be accessed because of the missing cookies. In that case, no cookies should be set though!

So I see two possibilities:

Don't set cookies before login, have checkmarks about privacy policy and/or terms of service.
→ This would be less annoying to people then a cookie pop-up message.
→ I have no idea about the technical feasability
Don't set cookies before a cookie message has been displayed (app, see above), and allow to not have cookies set but let the user know that they can now not use the service because the cookies are essential for it.
→ This may be more annoying for people, but gives them more information about how the service uses "their" data.

To keep in mind:
· shared links to the service

0. Needs triage enhancement

Source

RuudschMaHinda

Most helpful comment

We set 4 cookies

SameSite Lax cookie
SameSite strict cookie
Session ID cookie
Session passpharse cookie

1 and 2 (are related and) are there for security measures and do not contain any trackable information. These are required to make sure 3rdparty sites can't make cross site requests to for example download all your files just because your are logged in to your Nextcloud.

Cookie 3 and 4 are also related. Cookie 3 is the session id of the session you open on the server. This contains the status (if you are logged in or not) but more importantly it makes our CSRF protection possible.
Cookie 4 contains a passphrase. Because we store the session data encrypted on the server.

Cookie 3 and 4 are also session cookies (Which means your browser kills them after its session is closed). Further more cookie 3 and 4 are required for proper functioning of the site (just like for example a webshop has session cookies to track you shopping basket).

Long story short to my knowledge Nextcloud is not in violation of the GDPR with the cookies we set.