Navigating cookie privacy is getting legislators lost

This is a guest post by Mike O’Neill, Technical Director of Baycloud Systems, which develops scalable cloud-based systems that address privacy issues, such as CookieQ, a web application that delivers a Cookie Consent button to any web page.

The Internet, driven by technological innovation and the free market, has brought huge benefits. But freedom without responsibility or accountability simply leads to chaos and lawlessness. People are losing trust in on-line commerce as increasingly they find their personal information being harvested and sold without their knowledge or consent, and realise that the “free” services offered to them are in exchange for becoming the product, not the purchaser.

When you surf the internet the sites that you visit are communicated to others. Some will combine your surfing history with others anonymously so they can supply statistical analytics information. Some will use it to target you with “behavioural tracking” advertisements, while others may simply sell your browsing history on.

When you visit a site that includes a “web beacon”, another party receives an indication that you have visited the site. These beacons, which are often display advertisements placed by advertisement data aggregators such as Microsoft, Yahoo, Google, AOL or Quantserve, are now ubiquitous. They include “like” and similar buttons from social networking websites such as Facebook, LinkedIn and Twitter. You do not have to click on these web beacons for them to work; you only need to visit a page where they are located. The record of sites visited can then be associated with other information the beacon operators or their partners hold about you, such as your age, name, address and list of friends. By using the HTTP Referer header, it can also be associated with the site you followed a link from to reach the new site, which can in turn indicate the search terms you used to find it. Web beacons use several techniques to identify you, including those based on HTTP cookies, HTML Local Storage, “Flash Cookies”, ETag tracking and the (far less accurate) browser fingerprinting technique. Some combine several of these techniques to make sure they can continue to track you even if you delete all the cookies in your browser.
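As an added illustration (not part of the original post), the following Node.js sketch audits a page's markup for third-party resources that load as soon as the page is visited, which is how the beacons described above work without a click. The page URL, markup and host names are constructed samples, and the two-label first-party comparison is a simplifying assumption.

```javascript
// Added example: which third parties learn of a visit just by the page loading?
// All URLs and markup below are constructed samples.
const SAMPLE_PAGE_URL = "https://shop.example/shoes?q=red+trainers";
const SAMPLE_HTML = [
  '<img src="/img/logo.png">',
  '<script src="https://static.shop.example/app.js"></script>',
  '<img src="https://ads.tracker.example/pixel.gif?id=1" width="1" height="1">',
  '<iframe src="//social.example/like?href=shop"></iframe>',
  '<script src="https://ads.tracker.example/t.js"></script>',
  '<a href="https://other.example/">a plain link, not loaded on visit</a>',
].join("\n");

// Assumption: the last two labels identify the site owner. A real audit
// should use the Public Suffix List (e.g. for co.uk domains).
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Returns one entry per third-party host that the browser contacts on load.
function findBeacons(html, pageUrl) {
  const page = new URL(pageUrl);
  const tagRe = /<(img|script|iframe)\b[^>]*?\ssrc\s*=\s*["']([^"']+)["']/gi;
  const byHost = new Map();
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    let target;
    try {
      target = new URL(m[2], page); // resolves relative and // URLs
    } catch {
      continue; // unparsable src, nothing is fetched
    }
    if (!/^https?:$/.test(target.protocol)) continue; // data:, about:, ...
    if (siteOf(target.hostname) === siteOf(page.hostname)) continue;
    if (!byHost.has(target.hostname)) {
      // referer: what a full-URL Referer header would reveal (assumes no
      // restrictive Referrer-Policy); note the search term in the query.
      byHost.set(target.hostname, { host: target.hostname, tags: [], referer: page.href });
    }
    byHost.get(target.hostname).tags.push(m[1].toLowerCase());
  }
  return [...byHost.values()].sort((a, b) => a.host.localeCompare(b.host));
}

console.log(findBeacons(SAMPLE_HTML, SAMPLE_PAGE_URL));
```

The first-party logo, the same-site script and the plain hyperlink are not reported; only the hosts that receive a request on page load are.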

A USA Today/Gallup poll last year showed that consumers were largely opposed to these tactics. Of those surveyed, 67% said that advertisers should not be allowed to do this, and 61% thought that free access to the net was not worth the invasion of privacy involved. Only 14% thought that all advertisers should be allowed to do specific ad targeting, with 37% saying that no advertisers should do this and 47% saying they would accept it as long as they could choose the advertisers.

It cannot be in the interest of healthy on-line commerce for brands that use online advertising to be associated with tracking potential customers without their consent. As more people realise what information advertisers have harvested from them they may lose trust in the brands they associate with the practice. Brands and advertisers should seize the opportunity to interact with their customers in an honest and transparent way as part of the process required to gain consent for behavioural advertising.

Legislators in the US and Europe, motivated by the necessity to reflect popular opinion and civic morality, have drafted laws with the intent of protecting consumers’ rights to privacy. Recently this protection has been extended to cover the technology used for tracking.

The E-Privacy Directive came into force in May in Denmark, Estonia, Finland, Sweden and the UK with the other 22 countries missing their deadline but committed to follow. The law requires that web site operators obtain consent before they store any information in a visitor’s browser. It has been drafted in this way to cover any technique that may be developed to uniquely track consumers, not just cookies, although it does not cover the browser fingerprinting technique which does not need to store information in browsers. The European level technical and legal advisory committee that is responsible for the legislation, the Article 29 Working Group, has recently reiterated its opinion that consent cannot be assumed and must be specifically asked for before any tagging information is stored. It has also called for “streamlined procedures whereby users could accept (or decline) cookies of the various ad network providers publishing ads on one website, in a centralized way, while respecting granularity”.

In the US, a bill to give consumers the right to stop collection of their personal information has passed the California Senate Judiciary committee, and a similar bill, the Do-Not-Track Online Act 2011, has been introduced in the US Senate. This will call for consumers to be able to specify that all their web requests are labelled with a DNT (Do Not Track) indication, and for web sites that receive the indication not to use any tracking technique.

The proposed US legislation has some weaknesses compared with the EU framework. It does not require browsers to have the DNT indication set by default, making it less effective at protecting the privacy of consumers who may not know how to change their browser settings, or why they should. It is also worse for brands and advertisers. Many consumers, especially the more educated and therefore probably those with higher incomes, will still find out how to set the DNT indication and leave it set. This will remove the opportunity for brands to interact with them in order to establish trust and to gain consent for tracking. The Do Not Track standard does, however, offer a way to signal to beacons not to use the browser fingerprinting technique.

Recent comments by some senior EU Commission figures such as Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda, have unfortunately confused the situation. Probably motivated by the need to reach a common privacy framework with the US, and also to incorporate controls over tracking using browser fingerprinting, she has expressed support for recent self-regulation proposals put forward by the advertising industry while calling for the creation of a standard on how web sites should respond to a US-type DNT indication. Neither of these can comply with EU law, as they are both based on opt-out consent models where consent (for tracking) can be assumed if no action is taken by consumers. The IAB proposal has now been rejected by the Article 29 Committee, and it has asked them to come up with further proposals based on the required opt-in model.

The browser companies, which are often also the advertising data aggregators, have introduced some features that improve a consumer’s ability to manage third party cookies, but have not been able to overcome internal business unit pressure and introduce an opt-in mode. The insertion of Do Not Track indications is now supported by Internet Explorer 9 and Firefox 4 Beta, but is only available to consumers who can navigate their way into the complex settings and switch from the default opted-in case. The Tracker Protection List standard put forward by Microsoft, and now a feature of Internet Explorer 9, shows good potential for giving consumers specific control over third party cookies as used by web beacons, but it currently has some weaknesses, especially the ease with which blocking rules can be overridden.

It is unlikely that effective self-regulation will be forthcoming from the advertisers or the mostly US-based browser companies alone, because of the enormous revenue they currently attract from behavioural advertising. Even Mozilla, the organisation responsible for the Firefox browser, gets almost all its income from advertisers, with nearly 90% from Google alone.

But with the push from legislators, especially in Europe with 500M affluent consumers, technology-based solutions are now becoming available from independent European start-up companies which can give consumers transparent control of tracking and at the same time give brands and advertisers the ability to interact with potential customers to gain their consent and trust. It is now possible to imagine a legal framework combining the technical clarity of the EU e-privacy regulations with the flexibility of the proposed US DNT header and its ability to rule out browser fingerprinting. This, combined with incremental improvement to standards and further innovative technology, will help make the Internet a safer environment that is respectful of individual privacy, and will encourage consumer confidence in on-line commerce.