ePrivacy: how the Euro cookie crumbles
The EU’s Privacy and Communications Directive is meant to protect us, as internet users. But opponents argue that ill-considered national regulations and technical challenges could cost businesses dearly. Adrian Bridgwater investigates.
Computer users have become accustomed, even conditioned, to being asked if they want to “accept or enable cookies” as a normal part of surfing the internet. While many users have come to place enough trust in the efficacy of their browser, and their anti-malware protection software, to accept cookies, rumblings from the European Union in the shape of its ePrivacy directives could knock the jar over.
Last year saw the introduction of the EU’s Privacy and Communications Directive, which (on paper) took effect on May 26. The directive states that websites operated by UK companies should seek to gain consent from their users before sending a cookie to their computer.
Whether this is unworkable legislative scaremongering or simply misguided technical illiteracy on the part of the European Commission is still subject to debate. The fact that the EU is trying to alter what many argue to be part of the natural organic balance of the web may yet prove to be more damaging than the problems it is trying to solve.
“The commission has taken the view that ability for users to understand what’s happening when they are browsing websites was not being made clear to them,” says Duncan Matheson, an information privacy expert at PA Consulting. “So they felt there was a need to update the Privacy and Communications Directive. That was undertaken in 2009. That was transposed into UK law, which came into effect in May 2011.
“The ICO took a decision to delay the implementation by giving one year’s grace to organisations to implement the changes so that from this year, they can consider enforcing new rules to require all organisations to make it clear on a website what cookies are being used what they are being used for and to get consent from the user,” he says.
A little bit of code, a little loss of privacy
Cookies themselves might seem innocuous. They are just small data files that hold specific information about a website, and the users themselves. They record the sections and subsections visited in a web browsing session. Both a web and the user’s computer can send information to the cookie; and data is “written to” the cookie when – for example – someone clicks the “submit” option on a website.
But the cookie concept hinges on these files remembering a certain amount of information about the way the user interacted with that site. Websites themselves are engineered to run scripts that are aware of the values held in a user’s cookies. This way, content can be tailored to a user each time they visit that site – and in many cases – across different websites too.
For internet users, and certainly for the companies that deal with them, this makes browsing the internet far more convenient. Indeed, there are plenty of people in the online world who would argue that cookies are always a good thing. But their very existence has been questioned over the last eighteen months. On the face of it, there are predefined rules that control cookie usage, visibility and privacy. But concerns had been thrown up even before the EU’s involvement.
Cookies are only ever able to store information that users themselves have volunteered to give up, or that the web server already has stored. And again, web purists argue that cookies do not, in themselves, present any direct risk to personal data. A cookie is no more or less secure than information being stored on most commercial databases.
Regardless of EU rulings, if a user does not want to enter their bank account numbers on a website that might store them as a cookie, then they should not really be entering that information anywhere else online either, unless it is a secure banking site.
Brussels spouts
Is this just another example of bureaucrats in Brussels moving on from telling us exactly how straight a cucumber is supposed to be or how to weigh bananas to the internet realm? Well, it’s worse than those two examples, say critics.
The European Union’s Privacy and Electronic Communications Directive is intended to compel website owners to seek consent from users before they can send cookies. But that simple premise masks a complex technical issue that, opponents argue, could permanently harm online business.
Cloud services firm Star, which focuses on mid-market business in the UK, says that the directive, which will not now fully come into law for the next two years, needs a lot of work. The burden for heavily consumer-facing website owners, such as e-tailers, could be crippling.
“UK businesses don’t need more complex legislation, more distraction from their operations, or the additional costs this will undoubtedly impose upon them,” says Martino Corbelli, Star’s chief customer officer. “Contrary to the EU’s grand pronouncements of a €2.3 billion ‘saving’ from these moves, there is no way the proposed bill can save UK businesses money. Although there is some common sense in unifying the rules across the EU, the commissioner has been heavy-handed, placing UK businesses at a disadvantage to its global rivals.”
Some say the impact of this directive – should its full effect be felt – on each and every user’s web experience will be considerable. Not only would websites need to be re-engineered, but tracking when and where consent has, or has not, been given and whether some sites should be exempt from these rules, could give rise to considerable confusion and concern.
Surprise, surprise
Although the UK authorities initially made promises of “no overnight changes”, communications minister Ed Vaizey’s comments have arguably done little to help the dust settle. “We recognise that some website users have real concerns around online privacy but also recognise that cookies play a key role in the smooth running of the internet,” he stated last year. “It will take some time for workable technical solutions to be developed, evaluated and rolled out so we have decided that a phased-in approach is right.”
Phased-in or not, the Government has come across as rather slapdash in its approach to the regulations. Adam Malik, founder and organiser of IT-themed summit and showcase Digital London, has suggested that at an individual level, there is little chance of consumers really being able to wrest back control of cookie data.
“Some large organisations may be able build in these controls for their major sites and portals, but with our lives reliant on data to let us into the buildings we work in, to pay our wages and record our marriages, birth and deaths, the possible reality of consumers truly owning all our own data, including full control of our cookie files, is still some way off,” he says. “UK businesses are more likely to comply than most, not least because of a possible fine of one per cent of turnover, but this is an additional tax on all businesses who hold electronic customer records.”
Workable technical solutions, to use the Government’s preferred term, include the use of multiple pop-ups to check on user preferences. Users writing on technical discussion forums have already dismissed this suggestion as a joke: such is the apparent credibility gap between the authorities’ intentions and the directive’s implementation.
And as spongy and intangible as the Government’s language has been, there is then the sobering, but no less worrying, stance of the Information Commissioner’s Office (ICO). The ICO has said: “Those who choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules.”
And in a “show and tell” that will leave many ‘next generation’ web developers and designers speechless, the ICO has provided an example of how to implement cookie choice freedom on its own website.
The ICO’s (eat its own dogfood) statement reads: “In short, we are following our own advice. We conducted an audit of the cookies we use on our site, and put a plan together aiming to provide our users with information and choices around those cookies. In making our plans we considered the usability of our site, as well as who we are and what we do. We acknowledge that what’s appropriate for the ICO and our website won’t be appropriate for all sites and, as we’ve stated in our advice, website owners should decide the most appropriate ways of providing choices about cookies on their sites.”
Malik remains sceptical. “Unintended consequences abound. Some reports claim companies will need to notify customers of data breaches within just 24 hours. But today, with so much data held in the cloud, this is impractical. Individuals have the moral right to ask for data deletion. Whether this means that entire enterprises, some employing thousands of tax-paying workers, should be jeopardised is a moot point. What would happen if a complaint about a data breach caused Sainsbury, Tesco or British Airways to go into receivership?”
That sounds far-fetched, but smaller companies, particularly tech start-ups whose operations are now in jeopardy, are justly concerned.
Count your cookies
The Department for Culture, Media and Sport (DCMS) is reportedly working with browser vendors (Microsoft, Mozilla’s Firefox team, Apple and others will surely be involved) to investigate a browser-based solution to this problem. But real-world responses from industry appear to have been relatively muted. A “count your cookies” audit of the number of cookies employed may be the best the Government can hope for at this stage, if the private sector does muster some kind of tangible response.
The ICO bases its position around the freedom to be able to tell users whether cookies have been disabled, or not, when they visit a website. “We are setting our analytics cookies only when a user provides their consent,” asserts the ICO.
But the Privacy and Communications Directive is just one of a number of updates to EU web legislation, much of which has not been updated since 1995. Whether this has compounded the industry’s “what on Earth”, head-scratching response is hard to judge. EU directives themselves do have a reputation for ambiguity, or being open to cross-language, cross-culture interpretation. This one is no different.
At a practical level, the problem could be even deeper rooted. Website publishers will very often have no more than a passing, or at least incomplete knowledge of their site’s architectural pedigree, blood group and full origins. Such legacy issues may prove fiendishly expensive to remedy.
And site owners may, to give another example, have paid no more than lip service to cookie usage and data tracking when they signed their outsourced website hosting and content management agreements. Bringing it all into line will not be easy.
Sitting on a razor-wire fence
So it is hardly a surprise to find that companies are floundering in a sea of confusion. Should they attempt to take conscientious steps towards the sort of compliance the Government is advocating, or should they sit on what might turn out to be a barbed-wire fence that ends up hurting them even more? ICO spokesperson David Evans has already admitted that there is no “silver bullet” here for businesses (or charities, for that matter) looking to comply with the new cookie rules.
But amidst the fog and fug of this discussion, it is easy to forget the initial raison d’être for these discussions in the first place. Wasn’t it all about us the users and our personal privacy? Wasn’t the original plan to make the internet better for everyone?
European director of security research for Trend Micro, Rik Ferguson, argues that users can still benefit from the Government’s intended reforms, albeit in a very small way. “Obviously online advertisements are inescapable. And it makes sense to have adverts relating directly to your actual interests being displayed, rather than say pushing horse saddles to an ardent motorcyclist.
“The balance of benefits though seems clearly in favour of advertisers and site owners. Advertisers gain a hugely increased insight into consumer behaviour in general and are able to effectively target their material with a higher degree of accuracy, site owners should also theoretically reap the benefits of increased click-through, resulting in a higher income.”
But Ferguson says that an opt-out cookie control system grates strongly with his idea of personal information protection. “My browsing habits and interests are my own and it is my choice whether I choose to share them. While there are portals that enable you to opt-out en masse from the advertising cookies of all the major networks, perhaps the most effective defence is to run your browser in private browsing mode or use the browser settings to opt out of tracking, where available.
“The implementation of the EU directive on cookies is certainly going to make the web experience a little less seamless for us all. It may even have the unintended and unfortunate consequence of educating users into the habit of clicking ‘allow’ on every pop-up, including the dubious ones, if that is the way in which websites implement it.
“However the DCMS has made clear in a letter that ‘either’ the modification ‘or’ the user leaving at default his or her browser settings, can be interpreted to signify consent as long as the user is adequately informed. If you consider the kinds of EULAs and T&Cs we are already expected to read and consent to before using various services it is clear that ‘adequate information’ can easily be buried in small print or 72-page documents, which again will leave in the ‘allow everything’ culture,” says Ferguson.
Plus ça change
It could be as simple as a case of plus ça change, if we return to the concept of the self-perpetuating, organic internet, which finds its natural balance and equilibrium without government intervention. After all, the internet is not governed by the same rules of demand and supply that the Government might ascribe to the potato-growing industry. Nor is this the construction industry, with its deep-rooted connections to nationwide economic indicators, to be inserted into the Chancellor’s money supply model as he sees fit.
This is the internet, where information is power. Where transparency is key. Where user freedom is everything. And we all know what happens if you eat too much cookie dough before it’s been baked properly. Indigestion.