Alastair’s Place

Software development, Cocoa, Objective-C, life. Stuff like that.

Congratulations - You Broke the ’Net

It should not have escaped the attention of any UK-based website operator or web developer that the ICO has been banging its drum about the 2011 changes to The Privacy and Electronic Communications (EC Directive) Regulations 2003, and in particular regulation 6. Quoted here in its original 2003 wording (the 2011 amendment replaces the “opportunity to refuse” in paragraph (2)(b) with a requirement that the user has given consent, which is what all the fuss is about), it reads:

Confidentiality of communications

6.—(1) Subject to paragraph (4), a person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

(2) The requirements are that the subscriber or user of that terminal equipment—

(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

(b) is given the opportunity to refuse the storage of or access to that information.

(3) Where an electronic communications network is used by the same person to store or access information in the terminal equipment of a subscriber or user on more than one occasion, it is sufficient for the purposes of this regulation that the requirements of paragraph (2) are met in respect of the initial use.

(4) Paragraph (1) shall not apply to the technical storage of, or access to, information—

(a) for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or

(b) where such storage or access is strictly necessary for the provision of an information society service requested by the subscriber or user.

The ICO is emphasising the impact of these rules on cookies, but as you can see from the text of the actual regulations, above, they cover storing or accessing any “information stored” in the terminal equipment, not just cookies. On a plain reading that would seem to include

  • The User-Agent string

  • The Accept-Language header

  • The URL itself (which may be covered by the exception in (4)(b), but not if it happens to contain session data)

  • Various information that is accessible to JavaScript on the client side, but which may be of interest to the server merely to improve the end-user experience: for instance, the end user’s display size or colour depth, whether or not Adobe Flash or Java is installed and enabled, whether or not the end user is using a screen reader, and so on.

It is difficult to argue that the exceptions in (4) apply to all of this information, yet in most cases it would be unreasonable to demand explicit consent from the end user for any of it.

Further questions surround the use of services like Google AdWords’ conversion tracking; websites using this feature of AdWords rely on the AdWords system setting a cookie on the end user’s machine when they click on an advert. This cookie isn’t under the control of the site operator at all: it is set from Google’s own domain when the advert is clicked, and read back by Google’s conversion tag on the advertiser’s page. How is “informed consent” supposed to operate in that case, when the site operator neither sets nor reads the cookie? It isn’t as if AdWords conversion tracking is the kind of thing that anyone should be worried about; all it does is tell the person paying for the advertising how much each advert-driven sale is costing them.

The ICO also rightly points out that the legislation applies to session cookies. Yes, you did read that right. And looking at the ICO’s updated guidance, it’s hard to get the impression that they plan on ignoring that fact.

Ironically, the regulations are actually worse for free services than they are for paid-for services, because the definition given for an “information society service” in The Electronic Commerce (EC Directive) Regulations 2002 is

“any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing…”

and so exception (4)(b) doesn’t apply where remuneration would not normally be expected!

There’s some very woolly language in the ICO guidelines about what the ICO considers would and would not fall within the exception, but even if the ICO doesn’t think something is worth pursuing, there’s nothing stopping a determined privacy campaigner from bringing a claim of their own under the regulations.

The ICO does quite clearly say that you can’t rely on the availability of the “Do Not Track” header and associated browser preferences to signify consent, contrary to the previous mutterings coming out of government on the issue.

I tried writing a letter to government to suggest some changes to the legislation that would provide some sanity, for instance by explicitly permitting the use of information sent by default by the user’s browser (like the User-Agent string), along with exemptions for session cookies and non-identifying properties of the user’s terminal equipment. In response, I was told that it wasn’t possible to change the law because that would require renegotiating at EU level—not an option at present, apparently. (I note, by the way, that the Danes apparently do not agree that additional work at EU level is necessary, since they have explicitly exempted session cookies, which cures at least one of the problems.)

At present, then, the European Union has broken the web. It turns out that most EU countries have been so slow at implementing the law that this hasn’t been a problem so far, but that situation won’t persist forever.

All of this could have been avoided had the EU actually consulted someone with sufficient technical expertise before changing the law. I made that point in my letter, and was told that various industry players had been consulted (the response listed Google, Apple and others), but it seems to me highly improbable that any competent technical expert would not have objected to the wording from the EU Directive, so my guess is that this consultation was after the fact.

Right now, the simplest thing seems to be to incorporate outside the European Union, and have the new entity run your company website. That would place both the site and the entity operating it outside of this idiotic piece of legislation and the regulators whose job it is to enforce it.