ITsecurity

One rule for them…

Posted by on December 9, 2014.

Earlier this week I was engaging in an interesting discussion with some lawyers about the Article 29 Working Party opinion on Device Fingerprinting.  First of all, for those who do not know, Device Fingerprinting is a technique used by the advertising industry (and government intelligence agencies) to circumvent cookie blocking and allow them to still identify you when you visit a web site they have a presence on.  In 2009, Article 5(3) of Directive 2002/58/EU (aka the ePrivacy Directive) was amended to help protect European citizens from behavioural tracking and profiling.  The changes require companies to obtain consent from users before using cookies which are not strictly necessary for delivering the requested service or web page.  The wording of 5(3) is as follows:

3. Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

(emphasis added)

At the time, I was perplexed by the media's labelling of the Directive as the "Cookie Directive" because I felt this was misleading, given that the wording of 5(3) covers much more than cookies.  For example, an ActiveX plugin, a JavaScript program, a virus or malware would all also be covered by the changes, as they all involve either storing or gaining access to information in the terminal equipment of the user.  This means that device fingerprinting is also covered, as it requires both the storing of information (a JavaScript file is stored in the terminal equipment) and access to information (that JavaScript file is executed to collect various information about the device and send it back to the server using an AJAX request).  There are various other methods of device fingerprinting which might not involve using a JavaScript program, but they all rely, at the very least, on accessing information stored on the terminal equipment – they have to in order to build a unique identifier (usually a hash) based on that information.

My concerns are not without reason either: there are a number of companies out there (such as Bluecava) who are actively building databases which currently extend to billions of devices worldwide – many of which are devices owned by European citizens.  In 2011 I wrote to the Article 29 Working Party and the European Commission, effectively begging them to go on the record and condemn these practices under 5(3) – but alas my pleas fell on deaf ears, I suspect partially because various actors within the Article 29 Working Party (namely the UK and Irish Information Commissioners) were actively working against the new rules.

Now, almost 4 years later, after a change of leadership within the Article 29 Working Party, we finally have an official opinion from the group which supports my view – but it is far too late, given that various companies are now multi-billion dollar global entities whose revenues are based on the device fingerprints of hundreds of millions of European citizens, and we are about as likely to make them delete those fingerprints as we are to fix global poverty.

Now back to the conversation I was having with lawyers on this issue – one of these lawyers (who will remain unnamed for privacy reasons) thinks that the rules should be more "business oriented", which frankly makes no sense whatsoever – let me explain why.  The rules were put in place to protect people from privacy violations by commercial and government actors – they are citizen centric, with a pure and simple focus on protecting citizens' fundamental rights.  They are not and never were intended to make things simpler for business – they exist specifically to protect people from various commercial activities of businesses.  Why on earth would we even consider shifting that focus from a constitutional bulwark to a more "business oriented" focus – it would defeat the very purpose and reason the protection exists in the first place.

I find this shift in society, which gives commercial entities more rights than the citizens, incredibly frustrating.  If we look at copyright law as an example – companies are able to reap millions in statutory damages from citizens who distribute their digital content (movies and music) despite the fact that there can be no demonstration of material damage, because they cannot prove that these same people would have purchased that content had they not been able to obtain it for free and thus cannot prove a lost sale.  Yet, when these same commercial entities choose to violate our fundamental right to privacy – a constitutional right, a human right, one of the keystones of our civilised society – citizens receive no statutory damages and find it incredibly difficult (pretty much impossible) to exercise their rights through captured regulators or an expensive legal circuit.  If a citizen wanted to take action against Sony for tracking their online behaviour in breach of Article 5(3), for example, under existing rules it would be literally impossible unless that citizen had vast personal wealth.

So a word to the advertising industry – you exist purely because society allows you to – you are not better than its citizens, you do not occupy an elevated position in society, you are not more important, but you are expendable.  It is about time you familiarised yourself with your place and stopped trying to circumvent rules which exist to erect ethical boundaries you are incapable of creating yourselves.  It is high time politicians, regulators and legislators stopped kowtowing to corporate interests and started to rein in their behaviour to protect society from their harmful ways – they are supposed to follow the rules, not write them.

The Article 29 Working Party opinion is long overdue and isn't legally binding – but it is at least a move in the right direction.  Now we need the same regulators who form the body of that same Working Party to start enforcing these rules, and that is the next major challenge, for what is the point of having rules and laws if those in a position to enforce them are captured by the very same parties they are supposed to be regulating?


2 thoughts on "One rule for them…"

  1. You might also be interested in this development, the ICO has advised that websites ignoring Do Not Track requests may also be in violation of the Directive – http://www.cookielaw.org/blog/2014/12/4/ignoring-do-not-track-risks-cookie-compliance-failure/

    • Alexander Hanff said:

      Yes I am aware of it but thanks for the feedback. Of course whether ICO will take any enforcement action is an entirely different matter – to date they have failed in most cases to take significant enforcement action against global corporations (especially big data corporations) so I won’t hold my breath.


Submitted in: Alexander Hanff, Expert Views, News_privacy