Memoirs of a Roadie

Know Your Rights

Posted on 26th May 2011

The changes required as part of the EU Privacy and Electronic Communications Directive, which I discussed last week, come into effect today (26th May 2011). The Information Commissioner's Office (ICO) released a press release on their website stating that "Organisations and businesses that run websites aimed at UK consumers are being given 12 months to 'get their houses in order'." However, this statement only serves to confuse the issue more. Does this mean that individuals are not covered by the law (the directive implies they are) or does it mean that the leniency given to businesses does not apply to individuals, and thus the full weight of the law and fines will be imposed immediately. The press release also seems to imply that the new law only applies to businesses providing ecommerce websites, so does that mean other businesses and organisations are exempt?

Or, does it mean that those implementing the law and writing press releases are so eager to get something out, they have forgotten that their peace offering to (some?) businesses still leaves a gaping hole in their policy of adhering to the original directive.

And it gets worse. Reading an article on eWeek, George Thompson, information security director at KPMG, is quoted as saying "The new law inadvertently makes the collection of consent - yet another set of sensitive, customer data - compulsory. Companies need to tighten up their data management policies and make absolutely sure that every new data composition is covered." Which leads me to believe that you can now be fined if you don't ask the user to accept cookies, and can be fined if you don't record details of those who said they don't want cookies! Then I assume you can then be fined again if that data isn't securely stored away to adhere to the Data Protection Act.

Did no-one really sit down and think of the implications of all this?

The Register reports that only 2 countries within the EU have notified the Commision that all the rulings have been passed into law, with the other Member States possibly facing infringement proceedings. With such a weight of resistence, wouldn't it be more wise to review the directive properly so all Member States understand and agree to all the implications?

It's not all doom and gloom though. Another article by Brian Clifton on Measuring Success, looks at Google Analytics, and concludes that "Google Analytics uses 1st party cookies to anonymously and in aggregate report on visits to your website. This is very much at the opposite end of the spectrum to who this law is targeting. For Google Analytics users, complying with the ToS (and not using the other techniques described above), there is no great issue here - you already respect your visitors privacy...!" (also read Brian's car counting analogy in comment 3, as well as other comments). In fact Google's own site about Google Analytics supports Brian's conclusion too.

The BBC have posted on their BBC Internet Blog, explaining how they are going to be changing to comply with the law. To begin with they have updated their list of cookies used across all their services. Interestingly they list Google Analytics as 3rd-party cookies, even though they are not, but I think that comes from the misunderstanding many of us had about GA cookies.

Although the ICO website has tried to lead by example, with a form at the top of their pages requesting you accept cookies, this doesn't suit all websites. This method of capturing consent works fine for those generating dynamic websites from self controlled applications, such as ICO's own ASP.NET application, but what about static websites? What about off-the-shelf packages that haven't any support for this sort of requirement?

On the other side of the coin, the ICO themselves have discovered that a cookie used to maintain session state is required by their own application. Providing these are anonymous, the directive would seem to imply that these cookies are exempt, as being "strictly necessary" for the runing of the site. Then again, if they did contain identifying data, but the application wouldn't work without it, is that still "strictly necessary"? A first step for most website owners will be to audit their use of cookies, as the BBC have done, but I wonder how many will view them all as strictly necessary?

It generally means this is going to be an ongoing headache for quite sometime, with ever more questions than answers. As some have noted, it is going to take a legal test case before we truly know what is and isn't acceptable. Here's hoping it goes before a judge well versed with how the internet works, and that common sense prevails.

The Sanity Assassin

Posted on 12th May 2011

An update to my recent post.

With thanks to a fellow Perler, Smylers informs me that a Flash Cookie refers to the cookie used by Flash content on a site, which saves state on the users machines, by-passing browsers preferences. Odd that the advice singles out this type of cookie by name though, and not the others.

In an article on the Wall Street Journal I found after posting my article, I found it interesting to discover that the ICO themselves use Google Analytics. So after 25th May, if you visit the ICO website and see no pop-up, I guess that means Google Analytics are good to go. Failing that they'll see a deluge of complaints that their own website fails to follow the EU directive.

I also recommend reading the StatCounter's response too. They also note the problem with the way hosting locations are (not) covered by the directive, and the fact that the protection from behavioural advertising has got lost along the way.

After a discussion about this at the Birmingham.pm Social meeting last night, we came to the considered opinion that this would likely just be a wait and see game. Until the ICO bring a test case to court, we really won't know how much impact this will have. Which brings us back to the motives for the directives. If you're going to take someone to court, only big business is worth fining. Bankrupting an individual or a small business (ICO now have powers to fine up to £500,000) is going to give the ICO, the government and the EU a lot of really negative press.

Having tackled the problem in the wrong way, those the directives sort to bring into line are only going to use other technologies to retrieve and store the data they want. It may even effect EU hoisting companies, if a sizeable portion of their market decide to register and host their websites in non-EU countries.

In the end the only losers will be EU businesses, and thus the EU economy. Did anyone seriously think these directives through?

The Planner's Dream Goes Wrong

Posted on 11th May 2011

On May 26th 2011, UK websites must adhere to a EU directive regarding cookies, that still hasn't been finalised. Other member states of the EU are also required to have laws in place that enforce the directive.

Within the web developer world this has caused a considerable amount of confusion and annoyance, for a variety of reasons, and has enabled media outlets to scaremonger the doom and gloom that could befall developers, businesses and users. It wouldn't be so bad if there was a clear piece of legislation that could be read, understood and followed, but there isn't. Even the original EU directives are vague in the presentation of their requirements.

If you have the time and/or inclination the documents to read are Article 2 of Directive 2009/136/EC (the Directive), which amends the E-Privacy Directive 2002/58/EC (the E-Privacy Directive), with both part of the EU Electronic Communications Framework (ECF).

Aside from the ludicrous situation of trying to enforce a law with no actual documentation to abide by (George Orwell would have a field day), and questioning why we are paying polictians for this shambolic situation, I have to question the motives behind the creation of this directive.

The basic Data Protection premise for tightening up the directive is a reasonable one, however the way it has been presented is potentially detremental to the way developers, businesses and users, particularly in the EU, are going to browse and use the internet. The directive needed tightening due to the way advertisers use cookies to track users as they browse the web and target adverts. There has been much to complain about in this regard, and far beyond the use of cookies with companies such as Phorm trying to track information at the server level too. However, the directive has ended up being too vague and covers too wide a perspective to tackle the problem effectively.

Others have already questioned whether it could push users to use non-EU websites to do their business because they get put off using EU based sites. Continually being asked whether you want to have information stored in a cookie every time you visit a website is going to get pretty tiresome pretty quickly. You see, if you do not consent to the use of cookies, that information cannot be saved in a cookie, and so when revisiting the site, the site doesn't know you said no, and will ask you all over again. For those happy to save simple preferences and settings stored in cookies, then you'll be asked once and never again. If you need an example of how bad it could get, Paul Carpenter took a sartirical look at a possible implementation.

On Monday 9th May 2011, the Information Commissioner's Office (ICO) issued an advice notice to UK businesses and organisation on how to comply with the new law. However even their own advice states the document "is a starting point for getting compliant rather than a definitive guide." They even invent cookie types that don't exist! Apparently "Flash Cookies" is a commonly used term, except in the web technology world there are just two types of cookie, Persistent Cookies and Session Cookies. They even reference the website AllAboutCookies, which makes no mention of "Flash Cookies". Still not convinced this is a complete shambolic mess?

The directives currently state that only cookies that are "strictly necessary" to the consumer are exempt from the ruling. In most cases shopping carts have been used as an example of cookie usage which would be exempt. However, it doesn't exempt all 1st party cookies (those that come from the originating domain), and especially targets 3rd party cookies (from other domains). The advice states "The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users' preferences or if you decide to use a cookie to collect statistical information about the use of your website." Both of which have significant disruption potential for both websites and their visitors.

Many of the 1st party cookies I use are Session Cookies, which either store an encrypted key to keep you logged into the site, or store preferences to hide/show elements of the site. You could argue both are strictly necessary or not depending on your view. Of the 3rd party cookies, like many people these days, I use Google Analytics to study the use of my websites. Of particular interest to me is how people find the site, and the search words used that brough the visitor to the site. It could be argued that these are strictly necessary to help allow the site visitor find the site in the first place. Okay its a weak argument, but the point remains that people use these types of analysis to improve their sites and make the visitor experience more worthwhile.

Understandly many people have questioned the implications of using Google Analytics, and on one Google forum thread, the Google approved answer seems to imply that it will only mean websites make it clearer that they use Google Analtyics. However this is at odds with the ICO advice, which says that that isn't enough to comply with the law.

If the ruling had been more explicit about consent for the storing of personal data in cookies, such as a name or e-mail address, or the use of cookies to create a personal profile, such as with advertisier tracking cookies, it would have been much more reasonable and obvious what is permissible. Instead it feels like the politicians are using a wrecking ball to take out a few bricks, but then aiming at the wrong wall.

For a site like CPAN Testers Reports, it is quite likely that I will have to block anyone using the site, unless they explictly allow me to use cookies. The current plan is to redirect people to the static site, which will have Google Analytics switched off, and has no other cookies to require consent. It also doesn't have the full dynamic driven content of the main site. In Germany, which already has much stricter requirements for data protection, several personal bloggers have choosen to not use Google Analytics at all in case they are prosecuted. I'm undecided at the moment whether I will remove GA from my websites, but will watch with interest whether other bloggers use pop-ups or remove GA from their sites.

Perhaps the most frustrating aspect of the directives and the advice is that it discusses only website compliance. It doesn't acknowledge that the websites and services may be hosted on servers outside the EU, although the organisation or domain may have been registered within the EU. It also doesn't differentiate between commercial businesses, voluntary organisations or individuals. Personal bloggers are just as at risk to prosecution as multinational, multibillion [currency of choice] businesses. The ICO is planning to issue a separate guidance on how they intend to enforce these Regulations, but no timescale is given. I hope that they make it absolutely clear that commercial businesses, voluntary organisations or individuals will all be treated differently from each other.

In their eagerness to appear to be doing something, the politicians, in their ignorance, have crafted a very misguided ruling that will largely fail to prevent the tracking of information and creation of personal profiles, which was the original intent of the changes. When companies, such as Phorm, can create all this personal information on their servers, using the same techology to capture the data, but sending it back to a server, rather than saving a cookie, have these directives actually protected us? By and large this will be a resounding No. Have they put in place a mission to disrupt EU business and web usage, and deter some from using EU based websites? Definitely. How much this truly affects web usage remains to be seen, but I suspect initially there will be an increase in pop-ups appearing on websites asking to use cookies.

It will also be interesting to see how many government websites adhere to the rulings too.

Suffer The Little Children

Posted on 24th December 2008

Following on from my previous post regarding the Internet Watch Foundation, a fellow Perl programmer, Jacinta Richardson, recently posted on her use.perl blog regarding currently proposed legislation in Australia. To get a bit of background on the subject, read the articles she links to in her post, before reading her reply.

For myself, working in the filtering industry, I'm well aware of the fact that it is impossible to get filtering 100% accurate all the time. Even our Service Level Agreements (SLAs) don't state that, as it is just too difficult to manage. We get very close, and our filter systems are considered to be the best in the world, but we'll never be 100% perfect. As Jacinita highlights in her reply, the owners of the bad stuff change their domains on a regular basis, swap IP addresses and even server locations to avoid detection. In some cases the server locations are beyond law enforcement agencies as they are in countries that have limited or no resources to shut down these operations.

However, the part that irritates Jacinita and the reason why I find objections to this kind of thing important, is the blindly ignorant "you're either with us or with the terrorists" style of retort from officials or self-appointed puritants for the world. Having children of my own, I would never want them to be subjected to indecent or illegal material on the internet. However, the vast majority of that kind of material is very unlikely to be something you would accidentally stumble across. Putting in aggressive filters to scan absolutely everything all of the time, is rarely going to stop those wishing to find that kind of material, and is likely to block more innocent websites than potentially harmful ones. Using scare tactics and accusing your opposition of advocating child pornography is insensitive and irresponsible, and only serves to make you and your arguments look ignorant.

I would be interested to know what recourse a company or individual has on the Australian government, should they block an innocent website that is hosted outside of Australia? The chances are none, and who would you complain to anyway? If your domain is blocked, you'll never get through!

In her reasoning, Bernadette McMenamin uses examples of countries such as the UK who use filtering. Yes we do, and the self-appointed body that tells us what we can and can't see also makes some stupid mistakes and disrupts internet use for the whole country. For all the protection these self-appointed bodies provide, I would rather see more effort put into shutting down the source operations and protecting the children from being abused in the first place, rather than waiting after the fact for government officials to wave their hands limpy, crying "oh, how could this happen, let's ban the internet for children so they can't see it!".

McMenamin claims that British Telecom block 35,000 attempts per day to illegal material. However, how many of them were to truly illegal material and not "potentially illegal" as was highlighted by The Scorpions/Wikipedia incident? How many requests were made by children accessing the content? How many prosecutions were made from these access attempts? How many of the block domains/URLs were taken down? It's easy to throw numbers around, but without substance they are worthless numbers.

Jacinta picked up on an interesting quote by McMenamin - "[T]hose who are aware [of all the facts] are, in effect, advocating child pornography." So by McMenamin's own admission she must be ignorant of all the facts, otherwise she too would be advocating child pornography. Forrest Gump has a reply for Bernadette McMenamin - "Stupid is as stupid does."

Pictured Life

Posted on 24th December 2008

Earlier this month there was a rather confusing and worrying blanket "Moral Majority" ban of a page on Wikipedia. The page in question has now been unblocked and the actual image that started it all has also been unblocked, with the Internet Watch Foundation that instigating the block now backing down in the face of overwhelming resistance to their actions.

The image in question is from the original front cover of the 1976 album release "Virgin Killer" by The Scorpions. At the time of its release in 1976, it courted controvesy and although widely available to all in numerous retail outlets across the world, some outlets did insist on selling it only over the counter in a sealed paper bag, and only a few refused to stock it at all. Following feedback from the retail outlets, the band reissued the album with a cover featuring a group shot of the band. However, the original album cover is still widely available in second record stores and on eBay. Following remastered reissues and boxset packages, the CD is once again available with the original artwork. It has also appeared in many books over the years, often cited amongst a list of worst album covers, some of which can found in public libraries.

I don't know the retail figures, but I can imagine that several thousand heavy metal fans in the UK alone have a copy of the original album, or a reissued remastered CD featuring the image in their collections.

So the decision to ban the image ONLY on wikipedia now (some 32 years after the original image was widely available) seems absolutely idiotic. At first the main page regarding the album was blocked, and appartently it is the first time the IWF has banned a complete work of text. Wikipedia volunteer David Gerard and Sarah Robertson from the IWF were interviewed on BBC Radio 4 as I was driving into work on the day the block was instigated and it was very evident that the woman representing the IWF was rather ignorant of the situation, trying to focus on the fact that they had shown it to the police who had said it was "potentially illegal". Blaming the police, who are NOT judge and jury regarding obscene material is rather irresponsible at best, and only serves to highlight their lack of process in ensuring that if an image is considered illegal, a botched attempt at banning is the best of their abilities.

Wikipedia themselves issued a statement that reads "Due to censorship by the UK self-regulatory agency the Internet Watch Foundation (IWF), most UK residents can no longer edit the volunteer-written encyclopedia, nor can they access an article in it describing a 32-year-old album by German rock group the Scorpions." In addition Wikimedia Foundation's General Counsel, Mike Godwin, is also quoted as saying "We have no reason to believe the article, or the image contained in the article, has been held to be illegal in any jurisdiction anywhere in the world."

So although the image was deemed "potentially illegal" by the UK police the IWF spoke to, for the past 32 years no country has ever passed a judgement and condemed the image as illegal. It might be inappropriate, but not illegal.

And so to a bigger question. Why Wikipedia? In fact why ONLY Wikipedia? The image was wide spread across the internet, in places such as Google's image cache, on various retail sites, including Amazon, The Scorpions own website and countless others. Could it be that Wikipedia is unlikely to be in a position to sue them for blocking their site? I can well imagine that Amazon and any other major retailer would have drafted in lawyers within seconds and be issuing writs for comercial damages. Not something the IWF would be equipped to deal with, particularly since they are an independent self-appointed body, without official government backing.

Following on from that last point, the perhaps more important question is if this body is self-appointed, without government backing, who is reviewing the practices of the Internet Watch Foundation? While in many instances they may well be protecting us from illegal images, without proper regulation and governance, instances like the blocking of Wikipedia will happen again.

The scary thing in all of this is that possessing the album has never been considered illegal, and indeed would have been very difficult to prosecute now 32 years later, but the IWF seem to believe that that doesn't matter and effectively attempted to criminalise a potentially significant portion of the UK population. Should they have that power? In my opinion no, as it should be the police and the courts who govern what is actually illegal.

Because of the fact that most ISPs in the UK currently sign up to the IWF block lists, this incident was felt instantly across the UK for anyone contributing to Wikipedia. Having now blown such a big hole in their metaphorical foot, I suspect the IWF may well be a little more careful about what they block and maybe, just maybe, they might even provide better justification for blocking images and pages in the future. However, it still worries me that they can potentially criminalise a publicly available image by dubious means and make criminals out of the population, without having any jurisdiction to do so. It's not big brother we have to worry about any more it's the nanny state. Tipper Gore still has a lot to answer for.