Thursday 16 September 2010

How to dunk a cookie

Matron just spent another day reviewing the odious consultation paper on the UK implementation of the Telecoms Package, a task for which she will surely be rewarded with free access to a bunch of delectable virgins in the afterlife. Today it was all about cookies (no, not the chocolate covered ones - she wishes!) and the government’s plans on how to deal with them.

Let us recap, dear reader: a "cookie" is a small text file implanted by a website on the hard disks of visitors to the site (often without their knowledge) which collects information about the visitors, such as their names, addresses, e-mail details, passwords and user preferences. It can be set by the visited website itself or by third parties like online advertising companies. They can be used to track a user’s movement around the web and the information they collect will usually be used to serve targeted behavioural advertising to the user as s/he goes along. Although cookies provide web users with some convenience (pre-completion of online forms, recognition by online retailers), they also enable website operators to build up user-profiles without the knowledge or consent of the individuals concerned. Such profiles are immensely valuable and form part of the personal data currency with which we all pay for our access to “free” online content.

Under the current regime, users only have a right to object to the use of cookies provided they have been provided with information about the fact that they are used in the first place and on how to block/remove them. In the UK, in typical fashion (we call it pragmatism and are very proud of it), we managed to combine this laissez faire approach with our even more laissez faire rule on implied consent, so that, in practice, it works roughly like this:

1. Almost all browsers have default settings which allow cookies to be set unless the user changes those settings. Changing those settings isn't exactly difficult, but it is still a task which is beyond most people over the age of 45. Plus those who would be capable of doing this, often can't be arsed. Plus, changing the setting usually means that the user will not be able to access some web pages that require a cookie to load (this state of affairs is perfectly lawful, even the revised E-Privacy Directive permits this to happen).

2. The website owner complies with the Directive (and the national laws implementing it) by including an inocuous little provision in its privacy policy that explains what a cookie is and how it can be blocked. The policy will also usually warn the user that blocking cookies might result in a "loss of their user experience". Apart from us hardcore privacy lawyers no one actually reads privacy policies, so the normal internet user will never see this information. Which is all in a good day’s work for those who set cookies, because if we knew about this, we might actually try to change the settings. And if we all suddenly decided to block cookies, the web would come to a veritable standstill.

This point was forcefully made by Struan Robertson on Out-Law in May 2009, when he publicly requested the EU powers that be to “kill this cookie monster”. Because the European Parliament, you see, had insisted, as part of the Telecoms Package, on changing the requirement from the oh-so-convenient opt-out mechanism to an opt-in approach. And that is what came to pass – albeit with a twist, but more of that later.

Article 5(3) of the revised E-Privacy Directive now requires member states to ensure that cookies may only be set “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”. “But this will mean annoying pop-up windows galore and the end of online civilisation as we know it!” shouted the website owners. "Oh, cue the violins!", replied the European Parliament. The measure was passed, the European Parliament was happy, web users’ privacy will be properly protected and web services will go bust in their thousands.

But wait a minute! This can’t be, can it? Surely they wouldn’t allow this to happen? Of course, they wouldn’t! Because the cavalry, in the form of Recital 66 of the Citizen’s Rights Directive, is already on its way. It provides that the user's will to accept cookies "may be expressed by way of using the appropriate settings of a browser or other application". Aaah, Matron nodded sagely at the time, this is what’s going to happen: all UK website owners will re-phrase their privacy policies, stating that by NOT changing the default setting in their browser from "accept" to "reject" users will be deemed to have given their informed and voluntary consent to the setting of cookies. Implied consent rules mean that those policies will be binding on the users, who will continue to live in blissful ignorance of their existence and no one needs to be any the wiser about the use of those pesky cookies. So, when Struan and others started jumping up and down about how terrible this new law was, Matron was just a little bewildered.

However, turns out she wasn’t the only one who had an idea of how the UK government was likely to deal with this minor inconvenience. It seems a copy of the “UK Minister’s Handbook on how to handle undesirable EU laws” (Section 1: “transposition” means “copy the text of the Directive into a statutory instrument and then interpret it to within an inch of its life through codes of practice and regulatory guidance documents”) has made it all the way to Brussels. How else could one explain the pre-emptive strike that was the Article 29 Working Party’s opinion on online behavioural advertising in which it demanded strict opt-in requirements for cookies? If you want to use browser settings to get your opt-in, so the Working Party, the browser default setting must be “block all cookies”. Only then would users wanting to accept cookies be able to signal their affirmative consent. "Go away, browser owners!", it said. "Change your default settings! We’ll speak again when you’ve done that."

One would think that those were pretty clear words, but it seems they were not heard on this side of the Channel. The BIS consultation paper (and more importantly, the impact assessment) unsurprisingly does not agree with the Working Party’s position. Instead the UK government fears that any form of opt-in procedure would lead to a permanent disruption of services and to online providers potentially suffering substantial losses, both in relation to the costs they would incur in programming pop-up windows or changing browser settings, and in directly lost revenue from users choosing not to allow cookies (how dare they?). Reassuringly for website owners and online advertisers, the government quite openly admits that, in its opinion, the balance of interest between user privacy and the need to secure providers' revenue streams is quite heavily weighed in favour of the latter. As it points out, “online behavioural or interest based advertising made up roughly 50% of display advertising revenue in 2009, which was equivalent to £350 million”. Matron does not dispute that to take that sort of money out of the web may indeed cause some serious disruption and that we might have to start thinking about other ways of financing all that "free" online content.

But there is a, admittedly semi-heretic, question to be asked here: does it have to be like that? Isn’t it just a bit of a self-fulfilling prophecy to treat as widely accepted gospel the claim that “the internet as we know it today would be impossible without the use of these cookies” (BIS consultation paper, page 57)? We have witnessed unbelievable technological achievements in the last three decades. Does the industry really expect us to believe that if it were no longer allowed to use cookies, developers would not come up with a different (and hopefully more privacy-enhancing) way of generating revenue out of advertising? Of course, as long as it can get away with using cookies, business will have no incentive to finance research into an alternative. Maybe Matron is just stubborn, but sometimes this whole “privacy-is too-expensive” argument really p…es her off.

More interestingly, though, at this point, is this: how does the UK government expect to get away with this? As Matron explained above, under normal circumstances she would have expected nothing less. But surely, the fact that the Working Party has laid down the law as it sees it even before the Directive's implementation deadline runs out must change things? Even if the WP’s opinions are not binding, they are read, and largely adhered to, by national data protection authorities and the European Commission. Practicing lawyers take them into account when drafting documents and policies and, in most cases, businesses would know that they act in contravention of them at their peril.

So what is happening here? Does the government just play the long game, given that the Commission already thinks the UK in breach of several provisions of the Data Protection Directive and nothing bad has happened yet? Does it intend to buy UK businesses some time by adopting laws in full knowledge of the fact that that infraction proceedings might be issued against it (because those proceedings will take years to come to fruition)? Does it intend to sit this one out until the wind has changed?

As Matron said: remarkable chutzpah! Or maybe it's just that no one at the BIS actually read the WP opinion. After all, they have been busy lately…

Wednesday 15 September 2010

Assessing the impact

Having spent more than three weeks trying to overcome the post-holiday blues, Matron was abruptly dragged back into the grey skies of coalition government Britain yesterday when she worked her way through the fresh-from-the-press consultation paper on "Implementing the revised EU Electronic Communications Framework". That framework (also known as the "Telecoms Package") was adopted by the EU at the end of last year after a considerable period of legal and political wrangling between the Commission, Council members, MEPs and lobbists.

Now, Matron feels a little about the Telecoms Package how she feels about reading the works of Judith Butler or Stephen Hawking. If she applies razorsharp, quasi-transcendental focus she manages - for the length of one heartbeat - to understand what it is all about. But then the kitchen door slams shut with a bang or the cats loudly demand their dinner and - whoosh - it is gone. The reason for this, she feels, is that the Packages tries to wrap up all the legal issues that are somehow expected to affect the internet now or in the near future - regulators' powers, spectrum allocation, infrastructure, network security, interoperability, universal service obligations, quality of service, net neutrality, consumer protection and online privacy, to name but a few - into one neat little parcel, thereby creating something very much like a packet of Licorice Allsorts. There's something in there for everone; but because there is also so much in there that you don't fancy, it makes you want to head for a packet of winegums instead.

Nonetheless, needs must, so yesterday afternoon, Matron banned the cats to the bedroom, closed the kitchen door as a preventative measure, and sat down to read. The consultation paper itself is only (!) a concise 74 pages long, but it is accompanied by a rather lengthy impact assessment. Now, impact assessments are funny things, written by administrators to satisfy the beancounters, and most lawyers - Matron included - tend to avoid them like the plague. However, the sections in the consultation paper that Matron was scrutinising - the bit that dealt with the changes to the E-Privacy Regulations, data security breach notifications, information requirements, the cookie wars v2.0 etc. - referred to the impact assessment rather more often than usual. So, with an audible groan Matron gave it a go. And found some truly surprising stuff.

Hidden between "E-Privacy Directive: Annex 1: Data Breach Notification" and "E-Privacy Directive: Annex 3: Cookies" one can find an innocous little document titled "Information Provisions" which, under the heading "What is the problem under consideration? Why is government intervention necessary?", addresses a completely different policy objective from those set out in the Telecoms Package.

After pointing out that "[p]olice and security services will continue, under the amended E-Privacy Directive, to be able to request information from the providers of electronic communications services in order to aid in the protection of national security and following criminal cases", it then explains that the government must take steps "to increase the investment service providers put into being able to provide this information". To this end, the government wants to require those providers to "have a procedure in place to be able to respond to request for information from the police or security services" quickly and with a minimum of fuss. It also wants to impose the duty of checking that such procedures are in place on the Information Commissioner's Office. The intended effect of the government's policy is, apparently, "to increase the availability of suitable information for use by the police and security services" so as to enable them to provide "a high level of protection to citizens".

Like many of her ilk, Matron gets very nervous when it comes to laws that facilitate the "availability of suitable information for use by the police and the security services", particularly when there is no defintion of what actually constitutes such "suitable information". As the controversies over communications data retention and interception of communications under RIPA have shown, there is something of a chasm between what those service feel might be suitable and what civil liberties campaigners as well as many ordinary people feel those service should have access to. So what is funny about this new policy is this:

1. Access by public authorities of communications data and intercepted electronic communications are already laid down in the Acquisition and Disclosure of Communications Data Code of Practice and the Interception of Communications Code of Practice. They cover in quite some detail what the service providers must do in order to assist the authorities in relation to disclosure requests. Why then does the government feel that it must use this consultation to impose even more structured requirements on providers? Did the old system not work? Do they want to cover requests for data that are not yet covered by RIPA and its codes of practice? Would this make it easier to access data held by CSPs for other purposes, say the prosecution of copyright infringement?

2. The government somehow wants to hang this one on Article 15 of the E-Privacy Directive (as revised by the Telecoms Package) which, it concludes, gives an ‘opt-out’ from the Directive's provisions that prohibit the listening, tapping, storage or other kinds of interception of communication "in cases where these methods of information gathering are a necessary, appropriate and proportionate measure within a democratic society in order to safeguard national security, defence, public security, or for the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communications system". Although this is a fairly true description of the law as it stands (one could argue about the use of the word "opt-out"), it is surprising that this new requirements is included in this implementation proposal because - to Matron's knowledge - there is nothing in the Telecoms Package that requires the establishment of such procedural rules or, indeed, this level of micromanagement of the ways in which CSPs must comply with their duties under RIPA.

3. Why drag the ICO into this? It's not that Matron wouldn't be grateful, if the ICO had some power to inspect and review whether the disclosure of personal data by CSPs to the police under RIPA actually complied with data protection principles and the right to privacy. As the whole Phorm debacle has shown, there are some worrying gaps in regulatory oversight between the role of the ICO and that of the Interception of Communications Commissioner. But that is not what the ICO is asked or authorised to do. Instead, it is used as an enforcement agent whose duty seems to be to ensure that the police get their data in the most efficient way. That is surely not the ICO's job and it should not have to use its already meagre resources to play fetch for the security services.

4. There is nothing - nothing at all - said about this proposal in the main consultation document. This reminds Matron - as almost everything seems to these days - of yet another "Yes Minister" episode which mischievously dwells on the civil service's habit of hiding the important documents that it doesn't want the Minister to find, er see, "at the bottom of the fifth red box". Of course, Matron knows that one should never suspect conspiracy where mere incompetence will do, and maybe the good folks at the BIS did just forget to mention their plans in the place where everyone might read about them. But page 138 of a 180-page impact assessment seems to her as good a place as any to bury a proposal that might otherwise attract some negative headlines - particularly if it is published on the same day as another proposal which condemns ISPs to pay for 25% of the cost of pursuing illegal fileshares under the much-reviled Digital Economy Act. As the government itself admits, "there will be costs associated with service providers needing to implement internal procedures to respond to information requests" although it judges these costs to be "minimal". The government's rationale for imposing such extra costs at a time when it publicly touts that it wishes to liberate industry from overburdening regulation, is that the benefits for the general public from the police having access to that information outweigh the CSPs' business interests. They must therefore increase their level of investment to be able to provide this information (again - which information is that exactly?) "to the socially optimal level".

The BIS invites responses to the consultation by 3 December with plans to submit draft statutory instruments to Parliament in April 2011. Given that the Telecoms Package must be transposed by 25 May 2011, this seems to suggest that they do not expect there to be much parliamentary resistance to their plans or that they plan to overcome that resistance pretty sharpishly. After all, the old Labour government has provided them with a blueprint on how to do just that when it rushed the DEA through the wash-up with no regard for reason or democratic decorum. This approach is, of course, made much easier by the fact that the blasted thing is so complicated that - like with DEA - most MPs will not understand it anyway and are likely to follow their Whips' directions out of a desire to protect their poor brains from intellectual overload.

But this sort of stuff IS important and at a time when the new government still pretends that it intends to clean up the Augean stable that is the previous government's civil liberties record, this is a proposal to take note off.

Is Matron just her normal paranoid self and is blowing this completely out of proportion? She would love to be convinced that that is the case. Any volunteers out there?