Thursday 16 September 2010

How to dunk a cookie

Matron just spent another day reviewing the odious consultation paper on the UK implementation of the Telecoms Package, a task for which she will surely be rewarded with free access to a bunch of delectable virgins in the afterlife. Today it was all about cookies (no, not the chocolate covered ones - she wishes!) and the government’s plans on how to deal with them.

Let us recap, dear reader: a "cookie" is a small text file implanted by a website on the hard disks of visitors to the site (often without their knowledge) which collects information about the visitors, such as their names, addresses, e-mail details, passwords and user preferences. It can be set by the visited website itself or by third parties like online advertising companies. They can be used to track a user’s movement around the web and the information they collect will usually be used to serve targeted behavioural advertising to the user as s/he goes along. Although cookies provide web users with some convenience (pre-completion of online forms, recognition by online retailers), they also enable website operators to build up user-profiles without the knowledge or consent of the individuals concerned. Such profiles are immensely valuable and form part of the personal data currency with which we all pay for our access to “free” online content.

Under the current regime, users only have a right to object to the use of cookies provided they have been given information about the fact that cookies are used in the first place and about how to block or remove them. In the UK, in typical fashion (we call it pragmatism and are very proud of it), we managed to combine this laissez faire approach with our even more laissez faire rule on implied consent, so that, in practice, it works roughly like this:

1. Almost all browsers have default settings which allow cookies to be set unless the user changes those settings. Changing those settings isn't exactly difficult, but it is still a task which is beyond most people over the age of 45. Plus those who would be capable of doing this, often can't be arsed. Plus, changing the setting usually means that the user will not be able to access some web pages that require a cookie to load (this state of affairs is perfectly lawful, even the revised E-Privacy Directive permits this to happen).

2. The website owner complies with the Directive (and the national laws implementing it) by including an innocuous little provision in its privacy policy that explains what a cookie is and how it can be blocked. The policy will also usually warn the user that blocking cookies might result in a "loss of their user experience". Apart from us hardcore privacy lawyers no one actually reads privacy policies, so the normal internet user will never see this information. Which is all in a good day’s work for those who set cookies, because if we knew about this, we might actually try to change the settings. And if we all suddenly decided to block cookies, the web would come to a veritable standstill.

This point was forcefully made by Struan Robertson on Out-Law in May 2009, when he publicly requested the EU powers that be to “kill this cookie monster”. Because the European Parliament, you see, had insisted, as part of the Telecoms Package, on changing the requirement from the oh-so-convenient opt-out mechanism to an opt-in approach. And that is what came to pass – albeit with a twist, but more of that later.

Article 5(3) of the revised E-Privacy Directive now requires member states to ensure that cookies may only be set “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”. “But this will mean annoying pop-up windows galore and the end of online civilisation as we know it!” shouted the website owners. "Oh, cue the violins!", replied the European Parliament. The measure was passed, the European Parliament was happy, web users’ privacy will be properly protected and web services will go bust in their thousands.

But wait a minute! This can’t be, can it? Surely they wouldn’t allow this to happen? Of course, they wouldn’t! Because the cavalry, in the form of Recital 66 of the Citizens’ Rights Directive, is already on its way. It provides that the user's will to accept cookies "may be expressed by way of using the appropriate settings of a browser or other application". Aaah, Matron nodded sagely at the time, this is what’s going to happen: all UK website owners will re-phrase their privacy policies, stating that by NOT changing the default setting in their browser from "accept" to "reject" users will be deemed to have given their informed and voluntary consent to the setting of cookies. Implied consent rules mean that those policies will be binding on the users, who will continue to live in blissful ignorance of their existence, and no one needs to be any the wiser about the use of those pesky cookies. So, when Struan and others started jumping up and down about how terrible this new law was, Matron was just a little bewildered.

However, it turns out she wasn’t the only one who had an idea of how the UK government was likely to deal with this minor inconvenience. It seems a copy of the “UK Minister’s Handbook on how to handle undesirable EU laws” (Section 1: “transposition” means “copy the text of the Directive into a statutory instrument and then interpret it to within an inch of its life through codes of practice and regulatory guidance documents”) has made it all the way to Brussels. How else could one explain the pre-emptive strike that was the Article 29 Working Party’s opinion on online behavioural advertising, in which it demanded strict opt-in requirements for cookies? If you want to use browser settings to get your opt-in, according to the Working Party, the browser default setting must be “block all cookies”. Only then would users wanting to accept cookies be able to signal their affirmative consent. "Go away, browser owners!", it said. "Change your default settings! We’ll speak again when you’ve done that."

One would think that those were pretty clear words, but it seems they were not heard on this side of the Channel. The BIS consultation paper (and more importantly, the impact assessment) unsurprisingly does not agree with the Working Party’s position. Instead the UK government fears that any form of opt-in procedure would lead to a permanent disruption of services and to online providers potentially suffering substantial losses, both in relation to the costs they would incur in programming pop-up windows or changing browser settings, and in directly lost revenue from users choosing not to allow cookies (how dare they?). Reassuringly for website owners and online advertisers, the government quite openly admits that, in its opinion, the balance of interests between user privacy and the need to secure providers' revenue streams is quite heavily weighted in favour of the latter. As it points out, “online behavioural or interest based advertising made up roughly 50% of display advertising revenue in 2009, which was equivalent to £350 million”. Matron does not dispute that to take that sort of money out of the web may indeed cause some serious disruption and that we might have to start thinking about other ways of financing all that "free" online content.

But there is an admittedly semi-heretical question to be asked here: does it have to be like that? Isn’t it just a bit of a self-fulfilling prophecy to treat as widely accepted gospel the claim that “the internet as we know it today would be impossible without the use of these cookies” (BIS consultation paper, page 57)? We have witnessed unbelievable technological achievements in the last three decades. Does the industry really expect us to believe that if it were no longer allowed to use cookies, developers would not come up with a different (and hopefully more privacy-enhancing) way of generating revenue out of advertising? Of course, as long as it can get away with using cookies, business will have no incentive to finance research into an alternative. Maybe Matron is just stubborn, but sometimes this whole “privacy-is-too-expensive” argument really p…es her off.

More interestingly, though, at this point, is this: how does the UK government expect to get away with this? As Matron explained above, under normal circumstances she would have expected nothing less. But surely, the fact that the Working Party has laid down the law as it sees it even before the Directive's implementation deadline runs out must change things? Even if the WP’s opinions are not binding, they are read, and largely adhered to, by national data protection authorities and the European Commission. Practicing lawyers take them into account when drafting documents and policies and, in most cases, businesses would know that they act in contravention of them at their peril.

So what is happening here? Does the government just play the long game, given that the Commission already thinks the UK in breach of several provisions of the Data Protection Directive and nothing bad has happened yet? Does it intend to buy UK businesses some time by adopting laws in full knowledge of the fact that infraction proceedings might be issued against it (because those proceedings will take years to come to fruition)? Does it intend to sit this one out until the wind has changed?

As Matron said: remarkable chutzpah! Or maybe it's just that no one at the BIS actually read the WP opinion. After all, they have been busy lately…
