Thursday, 2 December 2010

Browser makers & ad networks are asked what they're doing to meet EU privacy rules

EU privacy regulators have asked browser providers and ad networks to explain the technical steps they're taking on browser cookies, data collection and consent in order to implement the regulators' recommendations on online behavioural advertising (press release summary) - especially in light of the amended ePrivacy Directive's requirements on storing / accessing information on users' equipment, which will become law from 26 May 2011.

There's been much debate and concern about exactly what will be required by the new law (eg just recently in the Wall Street Journal, ComputerWeekly). Must users positively accept each and every cookie, etc? The new law, the regulators' views on what's acceptable with cookies and the scope for confusion have been criticised by lawyers (including Google's chief global privacy counsel) as well as by the internet advertising industry.

The EU privacy regulators' letters of 28 Oct 2010 to browser makers and ad networks, which didn't name specific addressees, were published on the Article 29 Working Party's webpage listing adopted documents. (Spotted them a week ago on the Article 29 site but haven't had a chance to blog 'em till now. The 28 Oct date is not shown in the letter, but is on that website page.)

From their letters, it seems clear that European data protection regulators want to put pressure on browser providers to build in "privacy by design", and that they also take a pretty strict view of what needs to be done by browser makers and advertisers. They've asked for a reply in 6 weeks from the letter date, which makes it Thursday 6 December, ie next week. But I suspect that either they won't publish the replies, or we won't see them until the New Year at the earliest.

According to their letters the EU data protection authorities, said to be "united" in the Article 29 Working Party, take this view (most of which echoes their OBA opinion):

  1. Browsers should be set as standard to reject all third party cookies by default. "To complement this and to make it more effective, the browsers could require users to go through a “privacy wizard” when they first install or update the browser, in order to provide an easy way of exercising choice during use."
  2. Browsers should -
    1. convey, on behalf of the ad network provider, in a clear and comprehensive manner fully visible to the user, "the relevant information about the name of the data controller, the purposes of the cookies, the data that are collected and the further processing that personal data might be subject to", and
    2. "require the data subject to engage in an affirmative action to accept or reject both the setting of and the continued transmission of information through the cookie. Such consent must be informed and prior to the processing" - ie before a cookie can be set, the user must be given the required info and the opportunity to affirmatively consent
    3. (Note - this ties in with the draft Juvin report on the impact of advertising on consumer behaviour (2010/2052(INI), which the European Parliament's Internal Market Committee approved in early November and is up for a plenary vote this month, that says: "ensure the application of techniques making it possible to distinguish advertising tracking cookies, for which free and explicit prior consent is required, from other cookies")
  3. Cookie expiry - "ad network providers should only place cookies with a limited lifespan in the user’s terminal equipment and they should not prolong the expiry date, so that the scope of the user’s consent is limited in terms of time."
    1. Note - but how limited must "limited" be? If a cookie is set to expire after 99 years, that's still "limited", innit? It's interesting that an Interactive Advertising Bureau (aka Internet Advertising Bureau) code of practice recommending expiry after 48 hours was reported to have been swiftly withdrawn… (although the August 2010 draft code of conduct does still seem to be online, with no further consultation draft I can find).
  4. Continuous access to info? - "to ensure the maximum level of awareness among users of the tracking over time so that they can decide whether to continue or revoke their consent," users should be provided with "sufficient and clear information" so that they have "an easily available possibility of revoking their informed consent to being tracked".
  5. Advertisers should "provide sufficient and conspicuous visual notice, possibly by creating a symbol or other tools and related messages which should be visible and understandable on all websites where the tracking takes place and which sufficiently alert users to the tracking for advertising purposes."
  6. "It would be preferable" if advertisers didn't collect sensitive personal data at all (on sexual preferences, political opinions etc)
  7. "Ad network providers should implement retention policies which ensure that information collected each time a cookie is read, i.e. profile information, is automatically deleted after a justified period of time (they should provide reasons why they consider such period of time necessary in the light of the purposes of the processing)" - and the info should also be deleted if the individual revokes their consent or asks for their profile to be deleted.
  8. "Ad network providers shall enable individuals to exercise their rights of access, rectification and erasure."

Note that they've said "The term 'cookie’ includes HTTP and flash cookies [LSOs] as well as any other method of storing or gaining access to information already stored on the terminal equipment of a user or subscriber, see Article 5(3)" - which is correctly technology neutral, and in my view should certainly catch things like DOM storage, and HTML 5 web storage (already used - or abused? - in mobile phones) and application caching too. But it doesn't catch anything where the storage is done at the server end.

Talking about consent and revocation, I wonder if the Working Party had any discussions with the EnCoRe people?

Anyway, here are the original links of the letters to browser makers and to ad networks - NB they're TIFF image files, not PDFs, so I've OCR'd them and embedded them below for ease of ref, and I can't guarantee their accuracy 100% so please refer to the originals for the definitive version. The direct links to the OCR'd versions are - browser makers, ad networks (yes I used a URL shortener there, goo.gl does track the number of clicks so just use the embed if you'd rather not click; yes URLs can be used as tracking mechanisms):

Browser makers

Advertising networks

Observations

I haven't had time to think through the issues fully yet, but even though I'm in favour of increased transparency, and empowering individuals to better control access to and use of their private information, I'm not sure that requiring third party cookies to be automatically rejected by default is the way to go - or, indeed, requiring consumers to consent individually to every single cookie (or even the first cookie per advertiser).

Many sites just won't work without cookies, and I am not sure how many non-EU sites are going to be willing to change their ways just because European privacy authorities would like them to. (Though the Wall Street Journal reports that some publishers are reining in their advertisers' cookie tricks, partly because if anyone's gonna profit from their visitors it oughta be them, not their advertisers! Ah, the power of lucre.)

Going back to accepting individual cookies, the analogies with security warnings and security education are I think appropriate here. Not to mention alerts on chemical plant emergencies!

Some people like security expert Bruce Schneier consider that the proliferation of security warnings in Windows Vista, the vast majority of which were in many users' views unnecessary, resulted in poorer rather than better security - because users became accustomed to automatically just clicking "Allow" to make the many warning dialogs go away, rather than evaluating the security risks of each individual situation:

"Users stop reading them. They think of them as annoyances, as an extra click required to get a feature to work. Clicking through gets embedded into muscle memory, and when it actually matters the user won't even realize it."

This is actually rational behaviour on the part of users.

Similarly, if users keep getting asked about lots of third party cookies, they may get used to automatically clicking "Accept" without thinking about it, so that they can get on with browsing the site they want to visit.

How to improve the browser?

It seems to me that better technical steps to require would be as follows - effectively incorporating into browsers the features of products like Cookie Culler, leaving aside for now competition law issues, and I admit reflecting my own preferences and the way I use browsers and handle cookies -

  • More fine-grained, user-friendly cookie control - including their easy deletion by users (and here I mean "cookie" in the same broad sense as the regulators - Flash cookies etc should be easy to delete from the browser too. Maybe the Working Party should have written to Adobe too??)
  • Built-in ability to delete all cookies automatically when the browser is closed, except those for sites which the user specifically wants to keep (ie delete all except those on a gradually built up whitelist).
  • The first time site wants to save a cookie, the browser should provide a clear option (or, in this case only, a second popup so it doesn't get missed) saying "Site X wants to save a cookie" etc etc, and where you can choose "Always allow this site to save and read cookies", "Never allow this site to save or read cookies", "Let this site save a cookie but delete it when I close the browser", and hey, why not "Let this site save a cookie now but delete it after half an hour" (whether I remember to close the browser or not)?
    • I'm thinking along the lines of how the excellent free (donation based) Firefox extension NoScript works. Yes you get asked a lot the first time you use it, so there may be the annoyance and automatic clicking factor, but over time it reduces in number.
  • Cookie manager settings should be easy to find, so you can un-whitelist a site if you change my mind, whitelist or blacklist a new site from that page. Let's have a single comprehensive management screen for ALL types of cookies. Users don't care what type they are.
  • Don't forget though that advertisers and other sites can now track visits without their necessarily storing anything on the user's equipment, eg through IP address, through your browser's fingerprint aka Client-less Device Identification (CDI) (and see further this blog, UPDATE - and this WSJ article), so browser providers should also be ensuring that their browsers don't send anything more than the minimum necessary info to websites, and again perhaps provide fine-grained user control over what info is sent.
  • What about Javascript tracking scripts and third party scripts and web bugs? They don't necessarily store anything on the user's equipment (though maybe if they temporarily downloaded an image or other file that might do it…). Is there a way to get browsers to handle those natively, eg building in something like NoScript?
  • And stopping Evercookies?

What about a "Do Not Track" system, rather like "Don't call" lists? It's an interesting idea, see Arvind Narayanan's outline of some technical ways in which it could be done, though Robin Wilton's pointed out the absurdity of having to save a cookie on your computer to tell sites you don't want them to save a cookie to your computer. UPDATE - the US FTC are proposing such a system, says the New York Times. I've not read their report yet. See EFF summary and Do Not Track Stanford project. FURTHER UPDATE - see Jonathan Zittrain's views on this.

(Not that my Telephone Preference Service registration helps me. I still get all sorts of calls and hangups when I let my answering machine take it. All marketers should by law be banned from withholding their phone numbers when cold calling, in my view. The sods deliberately withhold their number, I'm convinced, so that callees can't find out who they are to report them. Bah.)

Is there another way?

It's obviously important to provide fine grained browser options for the user, and fine grained user control that is nevertheless user-friendly.

But what's more important is to have finer grained choices as to exactly what private information the user is prepared to "trade", in return for what services.

However much information we are given about a site's intentions regarding our personal data, at the moment we often have to either accept their cookie and say "Yes" to everything they want from us, or reject it and be barred completely from any access to their services. It's all or nothing.

SCL editor Laurence Eastham hit the nail on the head in a recent blog where he said, "why aren’t we demanding that web sites that need cookies offer a range of options with (or without) privacy settings that allow the user a real choice?", and made the point that -

"We need to be presented with choices that have meaning - and that can only be possible if the requirements insist that web site operators offer a range: the cookie that is strictly necessary for operation, the cookie that eases your experience but transmits only minimal information and the full-fat marketing cookie that makes the web site’s bells ring – and maybe a few more unusual flavours for the discerning palate."

In other words, it's not just the technical options on the user's browser that need attention - it's also, much much more importantly, making site owners and advertisers offer users a real variety of options - "give up more personal information, which we'll do X with, and in return we'll let you access more features on our site", for instance.

Would that all sites took a leaf from the book of the BBC, who carefully explain exactly what cookies are set when you visit their website, and by whom - ie third party cookies as well as their own list - what each is for, etc. All sites should be doing that, and more. It's not just a browser settings issue, it's down to the web site and the advertising network. A choice of different cookies for different purposes ought to be offered at the start of the first visit to the site or communication with a particular ad network (all in a single simple screen or dialog, not each in succession which would increase the annoyance and "automatically click Yes" factor).

A related point is, it's important to properly enforce the purpose limitation principle - a site shouldn't collect personal information that's excessive or irrelevant to the purpose of the site visit.

If I'm signing up for a messageboard to discuss with likeminded fellows our passionate mutual interest in watching paint dry (hey, they can dry at different speeds depending on the type of paint, didja know? I've timed 'em!), the site really doesn't need to know my exact birthdate or mother's maiden name. As I've said before.

What a site thinks it needs to know about visitors (everything?!) may be different from what a user thinks it need to know. There may be a big mismatch between the data collector's purpose for obtaining the data, and the data subject's purpose in visiting the site.

The problem with website use is that merely by browsing to a site you lay yourself open to all sorts of info being collected about you and your browser, and to being forced (some might say blackmailed) into giving up all sorts of private info just for the "privilege" of registering. (You might even now be done for infringing copyright just by visiting a site, but that's a different blog…)

For even basic site access a free service will often want something in return (they usually capture your IP address automatically anyway), but they should offer users a choice as to how much personal data they collect.

For now, the lack of real choice in how many personal details consumers are asked to cough up can be dealt with, in a way, by savvy users - who just give different details, or use various tactics on social networking sites. (With a banking site I've registered a different maiden name for my mother than her real one. With many free sites I give a totally different postcode.) But remember they still grab your IP address and can correlate different visits even on different days etc. Which is why I'm changing my ISP soon - it claims my service is for a dynamic IP address but I can't effectively change my IP address unless I switch off my router for at least a week (I can't, I'd get internet withdrawal), or possibly I could try forking out for a new router, but I don't know if that would work.

Raising user awareness and educating users is critical, generally. But I think everyone knows that. The question is how. And more user friendly tools will certainly help - again the question is what those tools should do.

We will see what transpires over the next year or so. Will browser providers really rise to the challenge, and will it make much difference if ad network and others just find other ways to gather info on users and profile them? (eg in another context, insurance companies running "fun" surveys, trawling public records, and social networking sites etc to get more info about people's lifestyles and how risky they are).

Background

Article 5(3) Directive 2002/58/EC (Directive on privacy and electronic communications), after the changes made by Directive 2009/136/EC (PDF), now reads -

Member States shall ensure that the use of electronic communications networks to store storing of information or to gain the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

The UK are just going to copy that wording out without change or embellishment, according to their consultation on the implementation of this updated law. Not surprising perhaps, as they've been criticised before for their "traditional, but wholly unhelpful way of re-wording a Directive" which "nearly always…throws up room for wholly unnecessary uncertainty and argument." But it's clear what the government really intend, from the accompanying impact assessment (p.146) which says:

"Option 1: Implement an ‘opt-in’ system for cookies
Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime."

There's still a few hours or so left to respond, for anyone who wishes! - the consultation runs "until" 3 December 2010 (no indication of what time).

Apparently under the Netherlands implementation it will be possibly to imply the user's consent from their browser settings.

Certainly Recital 66 of the amending Directive 2009/136/EC (PDF) says -

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Copyright note

I have shown OCR'd versions of the Working Party letters above based on the Europa copyright notice as I can find no ban on their reproduction, but if anyone from the Commission or Working Party objects please let me know and I'll take them down.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.