Robin Wilton

A member of the Gartner Blog Network

Research Director
26 years IT industry

Robin Wilton is a research director with a particular interest in digital identity and privacy (and their relationship to public policy), access control and single sign-on, and the productive use of public key infrastructures.

Uh oh. Am I breaking the law?

by Robin Wilton  |  June 1, 2011

As you may be aware, a 2009 revision to the EU’s e-Privacy Directive was transposed into UK law as the Privacy and Electronic Communications Regulations 2011, as of May 26th. All EU member states are required to transpose EU Directives into their own national law… though experience shows that member states vary both in their sense of urgency and sometimes in their interpretation of what a given directive should look like once transposed. The e-Privacy Directive is no exception. As of today, my understanding is that only Denmark, Estonia and the UK have transposed it into their respective legal systems.

According to the UK’s Information Commissioner’s Office (ICO), the e-Privacy Directive means (at least in its UK form) that UK websites are required to obtain users’ informed consent before tracking their online behaviour through means such as cookies.

Well-meaning though this legislation may be, there are a number of practical issues with its implementation. As it has never been my intent to invade, subvert or otherwise compromise your privacy, this post is a brief indication of some of those issues, and the possible impact on you as a visitor to this blog.

First, jurisdiction: is this a UK site? Well, I’m located in the UK, and it’s my blog, so I’m going to behave as though it is and assume that PECR 2011 applies to it and to me. However, as this blog is hosted by Gartner, I don’t know where it is actually hosted, and if it is hosted in the States, it’s not entirely clear to me what impact the EU Directive is intended to have for a UK-based blogger on a US-hosted site. Nevertheless, the ICO seems pretty sure that, if I install cookies on your device as a result of your visit, I need to let you know about it and get your consent. Interestingly, when transposing the Directive into UK law, parliament deleted the word “prior” from in front of the word “consent”.

Of course, my Gartner blog is only one example. Anyone in the UK who has a blog hosted on a third-party service (Google’s Blogspot, for instance) will be in a similar position. Indeed, I suspect a lot of individuals, small/medium enterprises and organisations are in the same position: their websites may or may not be hosted in the UK, and that may give rise to some question as to whether or not PECR applies.

Second, enforcement. The UK ICO has, allegedly, been ‘pressured’ by the UK government not to enforce PECR, at least for a year while companies figure out what to do about the law. On the one hand, I have little sympathy with this: EU legislation (and its transposition) moves at a pretty normal pace for law-making, and PECR has been inching its way down the legislative alimentary canal for many months now. Its emergence should not have come as a surprise to anyone… but let’s not take that analogy any further. On the other hand, there’s no doubt that the mechanisms for doing a good privacy-respecting job of gathering user consent are sadly lacking. Of course, as the only viable candidate for deploying such mechanisms is the browser, and as the dominant browsers on the planet are all developed outside the EU, that shouldn’t come as a surprise either. One reason cited for instructing the ICO to give UK firms some breathing space in this area is that the time can be used to encourage browser manufacturers to improve the privacy controls accessible to users.

Third, practicality. I do use a counter to track visits to the blog: it’s based on Statpress. I can give you the following assurance: I never use the stats for anything other than an occasional look at how site traffic is trending over time. I sometimes look at the search terms to see what brings people to the blog, and if I get persistent nuisance comments I may look up the IP address of a specific visitor. However, I never use the tracking details for any other purpose, and never knowingly disclose them to any other entity. Nor is it my intent to do so.

However… it is entirely possible that Gartner, as the host of the blog, gathers statistics about both my use of it and your visits to it. Over that, I have no direct control – though Gartner’s over-arching Privacy Policy sets out what it does and doesn’t do with such data.

By comparison, think for a moment about the commercial web hosting business: there may well be commercial hosting services that mine the stats for their subscribers’ sites so as to be able to target advertising at visitors to those sites. If you are an individual, organisation or small/medium business with a hosted site in such a position, it’s not clear to me how you can comply with PECR even if you want to, and as ‘cloud’ computing continues to grow, that situation will grow with it.

As you can doubtless see by now, there’s scope for a lot of confusion here:

  • Which EU member states are implementing the e-Privacy Directive, and how many of them interpret it to cover all use of cookies?
  • Which sites are covered by UK law, and how urgently do they have to do something… and what?
  • How should users of third-party hosted services react to the legislation?

And what of the use of cookies on this blog?

1 – if you don’t like the relatively minor use of cookies I do make on this site, and/or don’t trust my promise not to abuse the data collected, I’m afraid I don’t have any nice, interactive way of gathering your consent (or withdrawal of it). Nor do I have a way of turning cookies off for you while still somehow keeping an eye on site usage. By all means block or delete my cookies at your end, if you have the means to do so; I won’t be offended (in fact, I won’t even know), and as far as I am aware, it won’t affect your ability to browse the site.

2 – if you don’t like the idea that my hosts may also be setting cookies, I can sympathise, but I doubt that they will ask for your consent via my blog. If you have a problem with that, please leave a comment, and then we can both stare at it and wonder what to do next…

So, what can we expect from the PECR 2011 amendment?

Will it immediately change the way in which UK websites track your online behaviour? No.

Will it change the way browsers handle cookies and consent? Possibly, over time.

Will it advance the debate over online privacy? I sincerely hope so, even if it’s only through increased discussion, rather than immediate improvement.

Will it resolve the tension between technologists who see the law as an inconvenient obstacle to commercial progress, and legislators who don’t understand the technology but want to be seen to be doing something? No. That, regrettably, is something we’re stuck with for the foreseeable future. Welcome to Aldous Huxley’s world.
