Cedric Laurant

Posts Tagged ‘European Union’

Hey Browser, Don’t Expect Your Users to Know All About “OBA” and Cookies

In Opinions on 5 June, 2011 at 14:53

A recent Wall Street Journal blog article (“Hey EU, Don’t Expect the Browser to Solve All Your Privacy Issues” by Ben Rooney of 26 May 2011) highlights the point of view of some in the browser industry (in the article, Mozilla’s Global Privacy & Policy Leader, Alex Fowler) by arguing that it should not be for browser companies to solve EU “privacy issues” with online cookies, and that it would not be fair for the EU legislator to put all the burden on the browsing technology to comply with the new EU legal requirements that affect how browsers manage cookies. According to that industry representative’s opinion, privacy is not only a browser problem, and the browser cannot solve the cookie issue through technology alone. The problem would not be so much the cookie but what companies do with the data they collect. “By focusing just on the cookie and then trying to push the problem on the browser makers, it would miss the bigger picture.”

“According to Mr. Fowler, the problem is not so much the cookie, it is about what people do with the data that they collect. By focusing just on the cookie and then trying to push the problem on the browser makers, it would miss the bigger picture, he said.

And as a browser manufacturer, and especially one that was built by an open-source community, their first duty was to the user, not to helping out websites comply with legislation.”

"Accept cookie?" (Photo by "ansik")

If browsers make online profiling possible by design…

Although I do agree that it is too simplistic to put all the compliance burden (in particular Directive 2009/136/EC, which came into force last 25 May) on a single actor, the article evades some essential facts.

First, it is the browser that makes it easier for online advertisers, publishers and other online tracking companies to collect users’ personal data. If the browser makes that tracking possible in the first place, it is logical that browser manufacturers should help find a solution to prevent it, or at least give more effective control back to their users.

… they should share its compliance burden

Second, compliance is not only on the browser manufacturers’ shoulders, but also on all the companies that receive users’ information thanks to browsers. It is not a “tech mandate”; it confronts all stakeholders with their obligations to comply with laws (like the already cited European Directive) that aim at protecting browser users and consumers from online tracking without their awareness and consent.

A reader (Kimon Zorbas, VP IAB Europe)’s comment under the post states:

“We share the concerns of Alex Fowler on the risk of technology mandates. A focus on browsers is also problematic as it pushes potential (compliance and not only) liabilities to the browser manufacturers. That can’t be right. The internet industry will strongly oppose tech mandates. What users want is knowledge – once they know and have a choice they are comfortable. We recognise this and accept it and those are the guiding principles for good self-regulation. On OBA or other areas.”

“OBA” you said?

I would have to complete this statement (“What users want is knowledge – once they know and have a choice they are comfortable”) since it lacks a crucial piece of information. Assuming users know about “OBA” (which, it should be explained, means online behavioural advertising; more explanations here) and what OBA does (track users on an individual basis, mine their data – even very sensitive personal data such as financial and health information – and make decisions about that profiling without their being aware of it); assuming then that users are equipped with adequate tools to understand what the Internet tracking industry truly learns about them; assuming also that they can prevent the tracking from effectively taking place – that’s a whole lot of assumptions, don’t you think? – then you could say that users would have made a “choice”, because they would have made it based on truly transparent information. Until that actually happens, it is difficult to pretend that there is any “choice” at all for the regular browser user.

But what kind of “cookie” are you talking about?

Mr. Fowler is right: “the problem is not so much the cookie, it is about what people do with the data that they collect.” However, one can’t put all the cookies in the same basket: there is a big distinction to make among them, and knowledgeable people talking about them should not perpetuate the confusion. There are the ones – let’s call them, for simplicity’s sake, the “good cookies” – that make the browsing experience swift and fluid and remember your username or the content of your online shopping cart. The legislator has never opposed their use, neither in the European Union nor in the United States. Then there are the cookies – let’s name these the “bad” ones – whose purpose is completely different from what the “good” cookies were originally meant for: marketing companies, publishers and other OBA actors use them to surreptitiously track users and profile them at a level most of them probably would not imagine nor expect. These are the cookies browsers should block to offer their users a first line of defense against online tracking that a vast majority of people browsing the Internet, were they aware of it, would never accept. Surveys have shown this time and time again.

If the industry is confused about cookies…

The new “Do Not Track” HTTP header-based browser feature is a step in the right direction. However, browser manufacturers should implement it in a way that does not rely on users’ prior knowledge of “OBA”, “bad cookies” and other forms of online tracking, especially when they know that most users are not even aware of the extent of the profiling information their browser helps third-party advertisers compile about them. Now, is the browser industry ready to put its money where its mouth is when it proclaims that “their first duty [is] to the user”?
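To make the “good cookie” / “bad cookie” distinction and the “Do Not Track” signal concrete, here is an added example (my own illustration, not code from the original post, from Mozilla or from any browser project) of the kind of acceptance policy a browser or a privacy proxy could apply to `Set-Cookie` headers. It treats cookies set by a host outside the site the user is visiting as tracking cookies, rejects them by default, honours a `DNT: 1` request header regardless of any opt-in, and only accepts third-party cookies when the user has explicitly opted in, as the post suggests for browser-savvy users. The “registrable domain” heuristic (last two DNS labels) is an assumption made for brevity; a real implementation would consult the Public Suffix List, because the heuristic misclassifies suffixes like `co.uk`. The hostnames and cookie values are constructed sample data.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie


def registrable_domain(host: str) -> str:
    """Crude 'site' heuristic (assumption): keep the last two DNS labels.
    A production implementation would use the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host: str, cookie_domain: str) -> bool:
    """A cookie is third-party when its domain belongs to a different site
    than the page the user is actually visiting."""
    return registrable_domain(page_host) != registrable_domain(cookie_domain)


@dataclass
class Decision:
    name: str      # cookie name
    party: str     # "first" or "third"
    accept: bool   # whether the cookie is stored
    reason: str    # human-readable explanation for the user or a log


def apply_cookie_policy(page_host, response_host, set_cookie_headers,
                        request_headers, allow_third_party=False):
    """Decide, for each Set-Cookie header of one response, whether to store it.

    page_host:          host of the top-level page the user navigated to
    response_host:      host that sent this response (may be an embedded tracker)
    set_cookie_headers: list of raw Set-Cookie header values from that response
    request_headers:    headers the user agent sent (checked for DNT)
    allow_third_party:  explicit user opt-in to third-party cookies
    """
    dnt = request_headers.get("DNT") == "1"
    decisions = []
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Without an explicit Domain attribute the cookie is scoped to
            # the responding host.
            domain = morsel["domain"] or response_host
            party = "third" if is_third_party(page_host, domain) else "first"
            if party == "first":
                decisions.append(Decision(name, party, True,
                                          "first-party cookie (session, cart, login)"))
            elif dnt:
                decisions.append(Decision(name, party, False,
                                          "third-party cookie rejected: DNT: 1 was sent"))
            elif allow_third_party:
                decisions.append(Decision(name, party, True,
                                          "third-party cookie accepted: user opted in"))
            else:
                decisions.append(Decision(name, party, False,
                                          "third-party cookie rejected by default"))
    return decisions


# Constructed sample: a news page sets a session cookie, and an embedded ad
# script from another site tries to set a year-long identifier cookie.
PAGE_HOST = "news.example.org"
SESSION_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"
TRACKER_COOKIE = "uid=7f3a; Domain=.tracker-example.net; Path=/; Max-Age=31536000"


def demo(allow_third_party=False, dnt=False):
    headers = {"DNT": "1"} if dnt else {}
    return (apply_cookie_policy(PAGE_HOST, PAGE_HOST, [SESSION_COOKIE], headers, allow_third_party)
            + apply_cookie_policy(PAGE_HOST, "ads.tracker-example.net", [TRACKER_COOKIE],
                                  headers, allow_third_party))


if __name__ == "__main__":
    for label, kwargs in [("default", {}), ("opt-in", {"allow_third_party": True}),
                          ("opt-in + DNT", {"allow_third_party": True, "dnt": True})]:
        print(f"--- {label} ---")
        for d in demo(**kwargs):
            print(f"{d.name:8} {d.party:5}-party accept={d.accept!s:5} {d.reason}")
```

The point of the example is the ordering of the checks: the first-party “good cookies” never depend on the user knowing anything about OBA, and the `DNT` signal overrides even an earlier opt-in, so the default posture protects the regular user while the informed user can still change it.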

… why should they expect the regular online user not to be?

For browser-savvy Internet users, those who know full well what OBA and cookies do, it would be up to them to change their browser settings to accept them. If the companies using online tracking tools are so keen about the benefits of online behavioural advertising for consumers, it should not be difficult to convince those users to accept being tracked. For the rest of us, a cookie diet is recommended, but of the online kind.

A panel will explore the topic of “Do Not Track” in the context of online behavioral advertising at the upcoming Computers, Freedom & Privacy Conference on 14 June in Washington, DC.  I invite you to check it out.



Release of “European Privacy & Human Rights 2010”

In News on 31 January, 2011 at 01:28

On Data Protection Day, 28 January 2011, and after 10 months of efforts, we published the European Privacy & Human Rights 2010 report (“EPHR”), a collective work that investigates the European landscape of national privacy and data protection laws and regulations, as well as any other laws or recent developments that have had an impact on privacy, in particular over the last two years.  The research field encompasses jurisdictions of all 27 EU Member States, two EFTA countries (Norway and Switzerland), three EU accession candidate countries (Croatia, Macedonia and Turkey), and the EU itself as a jurisdiction.

The study presents an overview of European privacy and data protection laws and developments in 33 reports, each available in English and translated into the country’s official language. It is accompanied by a comparative legal and policy analysis of privacy topics, with its particular methodology, criteria and metrics and key findings, as well as a privacy ranking of all countries surveyed, a summary of country developments, and privacy resources.

Privacy ranking chart based upon "European Privacy & Human Rights 2010" (EPHR Project/Privacy International)

Privacy ranking based upon "European Privacy & Human Rights 2010" (EPHR Project/Privacy International)

The “EPHR 2010” report is part of a broader project that comprises 3 action areas:

  1. action area 1: the report itself;
  2. action area 2: the dissemination of information and its publication on multiple online and offline platforms, and
  3. action area 3: the development of innovative awareness-raising campaigns.

The last two are yet to be finished over the next 6 months. The video above is one of the first outputs of “action area 2”.  You can find more information about the EPHR project from the presentation I gave last February 2010 in Barcelona, and about the video here.

Many people contributed to this report: first of all, my colleague Matteo Bonfanti, with whom I completed and edited all country reports; more than 90 privacy and data protection experts from 32 countries all over Europe: colleagues, academics, privacy advocates and lawyers; the research teams at Privacy International (Gus Hosein, Alexander Hanff and others, who built the comparative legal and policy analysis) and at the Center for Media and Communication Studies of the Central European University (my colleague Kristina Irion in particular, who also coordinates the whole EPHR project). Last but not least, the European Commission’s Special Programme “Fundamental Rights and Citizenship (2007-2013)” funded most of this project, including the video. Without their help, none of this would probably have seen the light of day.

The EPHR report builds upon the legacy of EPIC & Privacy International’s Privacy & Human Rights survey, to which more than 300 privacy experts from all over the world have participated over more than a decade, making this survey the world’s most comprehensive report on privacy and data protection ever published.


New Blog: “Information Security Breaches & The Law”

In News on 7 August, 2010 at 22:15

Last June, I started, with a colleague, Marie-Andrée Weiss, a blog dedicated specifically to the topic of information security breaches (“Information Security Breaches & The Law”), from both legal and technical perspectives.

The blog, which is written in English and French, and later will also be in Spanish, will include opinions, comments on recent news, laws or other developments, research notes and conference reports in the area of information security breaches, mainly in the United States, Europe and Latin America.  It also features a “Security Breaches Library” that includes links to major recent reports and surveys, upcoming conferences, calls for papers and news, all on the same subject of information security breaches.

It should be of interest to company executives concerned with information security issues in their business, as well as to professionals practicing in the field of information security, privacy and data protection, along with the interested general public.

Below is an outline of the first blog posts:

  • Will France adopt a law requiring the notification of security breaches? (August 6, 2010): A French bill “to better guarantee the right to privacy in the digital age” has implemented the European Directive 2009/136/EC by requiring the data controller to inform the “Data Protection Correspondent” or the French data protection authority, of a breach of integrity or confidentiality. Those involved in the breach must also be informed, at least if security breaches are “likely to adversely affect” their personal data. The bill follows the recommendation of the Directive to notify individuals of security breaches for all sectors, not just electronic communications. It was adopted by the French Senate on March 24, 2010 and is currently before the National Assembly. (A French version of this article is also available here.)
  • Article 29 Data Protection Working Party reports on implementation of Data Retention Directive (July 19, 2010): The Article 29 Data Protection Working Party has adopted on July 13, 2010 a report on the EU Data Retention Directive (2006/24/EC). This report is the Working Party’s contribution to the evaluation of the implementation of the Data Retention Directive by the European Commission, which is due by September 15, 2010. The report details the results of a joint inquiry made by the data protection authorities about the compliance, at the national level, with the obligations of telecom providers and Internet service providers with both the Data Retention Directive and articles 6 and 9 of the EU e-Privacy Directive (2002/58/EC).
  • Are ‘clouds’ located outside the European Union unlawful? (July 16, 2010): A central aspect of every cloud service contract is the security of data processing. It is therefore important, if only for liability reasons, that responsibility for specific security measures be clearly assigned. This can be done by using security service level agreements between the cloud service provider and its client that clearly assign who is responsible for which particular security measure. Storing data in a cloud located outside the EU raises specific legal compliance issues. According to some experts, such clouds are even unlawful. There are, however, some ways to make sure that, even if a data controller stores data into a cloud located in a third country, he is still in compliance with German data protection law. A data exporter must use, in order to satisfy the adequate level of data protection requirement, specific standard contractual clauses for all contracts with a cloud service company located outside the EU. Binding corporate rules are the alternative solution, though only for private clouds.
  • The Safe Harbor Framework: not a “safe harbor” anymore for US companies? German expert body insists on stronger compliance stance (July 9, 2010): On April 29, 2010, the Düsseldorfer Kreis, an informal group of German data protection authorities, published a decision that could have significant repercussions on U.S. companies importing personal data from organizations operating in the European Union. One of these repercussions is that German organizations exporting personal data to the United States should check if the U.S. data importer does indeed comply with the Safe Harbor Framework. Security plan recommendations will provide for a useful guideline to E.U. data exporters to help them comply with the Safe Harbor’s Security Principle.
  • Canada May Soon Have a Data Breach Law (June 5, 2010): a bill called the “Safeguarding Canadians’ Personal Information Act” (C-29) would amend Canada’s national privacy legislation. C-29 would introduce a security breach disclosure (also called “notification” in the United States) requirement in PIPEDA. Canada does not yet have such a law, contrary to the United States, where the majority of states have enacted data breach notification statutes.


European Parliament Debates “SWIFT” Transatlantic Bank Data Deal

In News digest on 10 February, 2010 at 16:02

The European Parliament discusses today, and votes tomorrow on, the transatlantic deal the US Government and the EU Council brokered last year.  It is an interim agreement (called the “FDMA” or “Agreement between the European Union and the United States of America on the processing and transfer of Financial Messaging Data from the European Union to the United States for purposes of the Terrorist Finance Tracking Program (“TFTP”)”) that was agreed between both parties last November. It will enter into force as soon as the EP votes on it, on 11 February, and last until 31 October 2010.  The EP’s consent is required under the provisions of the recent Lisbon Treaty to make the agreement enter into force.  The European Parliament can only give its consent or refuse it.

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) issued last week a Recommendation with respect to how the EP should vote on the FDMA.

What is at stake?

A bit of history is required to understand the stakes of the current vote.  In her report on behalf of the LIBE Committee, the Rapporteur, Jeanine Hennis-Plasschaert, states that each agreement that the EU and the US have negotiated on justice and home affairs issues since 11 September 2001 features many of the same problems in relation to personal data and legal protection.  To overcome these difficulties, the EP has required since 2003 the definition of a coherent EU data protection legal framework as well as negotiations for a transatlantic binding agreement on this issue.

In 2006, it was revealed that the US government had obtained access since 2001 to all of SWIFT‘s data – including European bank customers’ financial information that was originally stored on servers based in the United States.  This news story led to a storm of protest in the EU – in particular as regards the TFTP’s perceived lack of compatibility with the obligations under the EU Data Protection Directive (95/46/EC) as well as Member States’ laws implementing that Directive.

“Slippery slope”

The LIBE Committee’s report argues that:

“As far as the TFTP is concerned, it must be considered as a departure from European law and practice in how law enforcement agencies would acquire individuals’ financial records for law enforcement activities, namely individual court-approved warrants or subpoenas to examine specific transactions instead of relying on broad administrative subpoenas for millions of records.” […]

“[W]hat might have kicked off as an urgent temporary measure (in reply to 9/11) became de facto permanent without specific approval or authorisation by EU authorities or a real transatlantic evaluation of its impact and forward looking transatlantic negotiations covering at the same time security, judicial cooperation and data protection impact.”

The LIBE Committee’s report is critical of the FDMA and calls for the EP to withhold its consent on 11 February for the following reasons:

“[T]he current debate is not about SWIFT as such but about how Europe could cooperate with the US for counter-terrorism purposes and how financial messaging data providers are requested to contribute to this fight, or indeed more generally the law enforcement use of data collected for commercial purposes.” […]

“[I]t is not difficult to imagine that accepting the proposed FMDA (as it stands) could lead down the slippery slope of accepting other requests for commercial data with (f.e.) Skype, PayPal and other companies in the information-telecommunication field being potentially interesting for law enforcement purposes.”

EP Committee argues the deal violates EU data protection rules

Among the most crucial legal considerations that the LIBE Committee report highlights are:

  • Violation of the principle of proportionality: when it receives a US government request to produce data related to, e.g., an individual, SWIFT is not able to produce that specific data for technical reasons. The only data it could provide is ‘data in bulk’, which may contain personal data such as the name or address of an individual, and is not limited to the specific purpose for which US authorities may need information for counter-terrorism purposes.

This shows that if SWIFT has to transfer most of its data to the US Government it will not be able to comply with the EU Data Protection Directive’s principles of necessity and proportionality.  “This cannot be subsequently rectified by mechanisms of oversight and control,” writes Rapporteur Jeanine Hennis-Plasschaert.

  • Violation of the principle requiring prior judicial authorisation – Uncertainty regarding onward data transfers to third countries: The FMDA does not provide that transfer requests be limited in time and be subject to prior judicial authorisation. Nor does it adequately define the conditions under which the US Government plans on sharing TFTP data with third countries. The public control and oversight of the access to SWIFT data by US authorities is not defined either.
  • Undefined retention time: The FMDA provides that all non-extracted SWIFT data will be erased after a specified period but does not provide any length of time.

By “non-extracted data”, the FDMA refers to the data US law enforcement authorities have not needed for terrorism-related investigations.  Only if such data is “no longer necessary to combat terrorism or its financing” (Article 5 (i)) will the US authorities not keep the data for longer than 5 years after their receipt (Article 5 (l)).  For all data that might be necessary “to combat terrorism or its financing”, or for data that is extracted but found not to contain usable information, the duration of retention is not indicated in the Agreement.  This implies that the US Government could legally keep that data for up to 100 years.  (See “Representations of the United States Government”.)  The same retention issue occurred during the negotiation of the EU-US PNR (“Passenger Name Record”) Agreement that the EU Council, the Commission and the US Department of Homeland Security negotiated between 2003 and 2004.  In that case, the US Government had used a 100-year retention period as the regular duration period to keep such PNR data.

  • Undetermined provisions on access, rectification, compensation and redress outside the EU: these rights are not defined adequately in the FDMA.

The EP report states:

“The FMDA does not guarantee European citizens and companies the same rights and guarantees under US law as they would enjoy in the territory of the EU.  Furthermore, the FMDA does not indicate under what circumstances an individual or company outside the territory of the US is to be informed of the fact that an unfavourable administrative decision has been taken against him/it.”

What happens next?

If Parliament refuses consent on Thursday 11 February, the FMDA will not enter into force and its provisional application would terminate upon notification by the EU to the US authorities.  In such case, the US-EU Agreement on Mutual Legal Assistance of 2003 (“MLAT”, or Mutual Legal Assistance Treaty) and bilateral agreements on mutual legal assistance between the US and certain EU Member States would provide the framework pursuant to which future financial data exchanges would have to be pursued.  This MLAT includes, but is not limited to, terrorist offences.  Not only does it greatly limit the scope of data requests to investigations of specific individuals or companies “suspected of or charged with a criminal offence”, but the transfer of data to the US is also governed by the domestic law of the Member State(s) concerned.  The request for information must identify the person (legal or natural), indicate the grounds for suspecting he/she has committed a crime, and show how the information relates to the criminal investigation or proceeding.



The place of net neutrality in the new EU telecommunications regulatory framework

In Opinions on 17 December, 2009 at 20:15

The European Union adopted last November a revised set of rules governing electronic communications operators.  Among those rules, ‘net neutrality’ is promoted as a policy objective and regulatory principle that national telecommunications regulatory authorities must defend.  Depending upon how it is implemented in practice, this policy principle has the potential to reshape the way the Internet works and how its users will be able to access it, express themselves and share information.

The meaning of ‘net neutrality’ has often been confused. A neutral network is one where all the data traveling through it must be treated the same way from its starting point to its final destination. In other words, no access provider has the right to interfere with what is going through its pipes. The access provider only has to ensure that its subscribers get a connection to the Internet, at the bandwidth level or download/upload limit they paid for, without meddling in any of the content, services, applications or devices subscribers want to have access to, or that content providers want to offer them.

Contrary to what some have said, claiming neutrality of the net is not claiming the right for a free Internet or an identical quality of service for the same flat price.  Neither does this principle prevent access providers from managing their networks for legitimate reasons, such as ensuring network security (e.g., protecting against spam or distributed denial-of-service attacks), nor does it apply to unlawful content, services and applications such as unauthorized distribution of copyrighted works of authorship.  Enforcing the obligation of a neutral network and enforcing copyright or other laws are not mutually exclusive.

The reason why net neutrality should be promoted in the first place is because the Internet was originally built in an intrinsically neutral way.  The network of networks was conceived to be unbiased towards any particular application or service provider so that the infrastructure could not be in a position to prefer one over the other.  It was created in a way that puts the intelligence at the edges (in the end-user’s computer), rather than at the heart of the network.

The current controversy about net neutrality is generally polarized between two camps: content providers and access providers.  The first ones generally support neutrality, while the latter oppose it because of the fight going on between the periphery, controlled by content providers, and the heart, or infrastructure, of the network, controlled by access providers.  In this battle, opponents intend to control what gives them the opportunity to create and innovate, and therefore generate profits.  Net neutrality advocates refer to the nature of the Internet by arguing that it is precisely its neutral feature that has brought about the unprecedented level of innovation it has known since it was first developed in the late sixties.

The debate should probably not focus on who among those two stakeholders has the best arguments, but on coming up with the best way to promote the development of the Internet that is beneficial for the two of them, and address the risks or opportunities that would result from the absence of net neutrality.

Some net neutrality detractors argue that innovation and incentives for investment in next-generation networks will be stifled if neutrality is promoted through regulation, or if access providers cannot charge content providers for the share of network traffic their content, services, applications or devices require. This is a way to reduce the debate – often purposefully – to who should pick up the tab: content providers, which create traffic-hungry applications (P2P, Internet telephony, video streaming), or access providers, which should not have to bear those costs. Cost allocation then seems the only relevant issue to solve and, once you frame the debate this way, it seems obvious to charge content providers accordingly.

Beyond generating profits, there is a more general societal debate to address about what the Internet might look like if access providers obtain control over what passes through their pipes. It is a battle that opposes Internet end-users to access providers in a quest for control over what end-users may use, see or consume on the Internet, and over their freedom to express themselves, access the information of their choice and impart it the way they wish. Will people be as free as before if access providers can contractually curtail their right – which is becoming gradually more common – to view specific content, or use a specific service or application?

Recent abuse by access providers towards their subscribers or content providers (e.g., by blocking traffic against certain users, prioritising it in favour of some content providers, or discriminating against others) demonstrates a very tangible harm of consumers’ interests and Internet users’ fundamental right to free speech.  Will the new ‘rules of the game’ applicable to Internet access providers be able to adequately address those threats? The EU competition and telecommunications regulatory framework can be interpreted to solve many cases of traffic management abuse, where access providers are blocking certain traffic or discriminating against specific content providers, but also, although to a lesser extent, in case of “access tiering”, where they are prioritising traffic in favour of specific applications, services or devices.

Under the newly enacted “Telecoms Package”, national telecoms authorities will have the power to establish minimum quality levels for network transmission services so as to prevent traffic from being hindered or slowed down. Having those rules in place is already a good step, but is the threat they represent for access providers strong enough to deter them from managing network traffic abusively? Indeed, traffic-shaping policies and service quality can be – and have been – used as an excuse to discriminate against a competitor’s services or products, or to block end-users’ specific applications. Legitimate questions to raise are whether current rules are actually enforced, whether consumers and Internet users are aware of them, and how easy it is to use them to file complaints. Competition and telecoms sector rules may well exist in the books, but if they are not easily accessible, actually used or effectively enforced, relying on them to preserve net neutrality may be merely wishful thinking.

Neelie Kroes was recently appointed as the Commissioner responsible for the Digital Agenda, which includes telecommunications and net neutrality.  In January, the European Parliament will hold hearings to discuss her appointment.  This is an opportunity for the public, through its representatives, to question how Commissioner Kroes intends to protect the net neutrality principle that the Commission promised to “keep […] under close scrutiny” as part of implementing the “Telecoms Package”, and to discuss what has become an important issue for the future of the Internet, but that still carries more questions than answers.


