In May 2011, new legislation was passed in the EU (directive 2009/136/EC) which was intended to require opt-in for tracking cookies. It comes into effect on May 26, 2012. Next Saturday.
While people are agonizing over how compliance will gut websites’ ability to identify and meet user demand, that’s not the problem. The problem is that, in order to have jurisdiction over attempts to weasel out of it by Google and Facebook, it doesn’t set clear boundaries. It’s up to judges to determine whether cookies like PHPSESSID require prior opt-in from users and not even employees of the UK government are eager to comply.
What’s worse is that it probably won’t even work. Experience with technologies like ActiveX and Windows UAC has shown that people just learn to click “Accept” without reading when constantly bombarded. Even if they don’t nag, the EFF’s Panopticlick has already demonstrated that, with an IP address and a fingerprint of a user’s browser headers, you can track individual users pretty well unless they’re all behind the same NAT and on the same IT deployment image.
A solitary 1×1-pixel transparent GIF from a 3rd-party server is a blatant violation of any privacy laws you might care to craft, but what about a reCAPTCHA? …or a Google Font Library embed? …or that copy of jQuery everyone seems to load off Google these days? Every request for one of those leaks your current location via the Referer header and you can’t turn it off because that will break sites like Snopes.com, Pixiv.net, and many others which use it for hotlinking protection. (Though individual Firefox users can use RefControl to forge a nonsense Referer on all other sites)
User analytics via server logs (eg. /var/log/apache2/access.log) predates Javascript-based analytics and, if anyone has the raw data necessary to design a robust user fingerprint which can survive minor changes like browser upgrades (and an analytics package which uses statistical probability analysis for reliability), it’s companies like Google and Facebook.
Aside from driving companies to implement tracking that’s harder to neuter without companies’ co-operation, my big concern is that some EU company with deep pockets will use this as an opportunity to cripple smaller competitors by forcing them to jump through too many compliance hoops. It’s bad enough that big U.S. companies achieve a similar effect with software patents.
Treating The Symptom: A Privacy Law Story by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution under the same terms as the associated post.
All comments are moderated. If your comment is generic enough to apply to any post, it will be assumed to be spam. Borderline comments will have their URL field erased before being approved.