Tuesday 8 March 2011

EU Cookie Wars: The Nanny State Vs Common Sense

From May this year (2011), the EU are set to introduce a new law to safeguard our privacy, but this law could mean the majority of websites you visit must 'explicitly request' your permission to use a cookie, this could mean a lot of needless pop-up boxes.


EU Directive 2002/22/EC (See 66) st03674.en09.pdf 

What is a Cookie?
Most websites use a “cookie”, which is essentially a file holding a small amount of text within it, this file is locally stored on your PC. This simple text file (cookie) is actually really important for websites to operate efficiently, amongst things the cookie is used to identify you as an individual on the website. For instance the cookie is used to keep you logged into the website and to provide access to specific information meant only for you. By their nature cookies tend to provide the ability to track what you have done on any given website, which again is important for the website to work effectively, however this tracking can also be used to capture your web surfing habits. Such user tracking information is sometimes automatically used to target specific types of advertising to you within certain websites, this is fundamentally what the EU has a problem with, I guess they want this process to be more transparent to the end user.
Flaky Law
Although the EU agreed their law last year, it’s all still a bit ‘flaky’, aside from the EU law not being specific enough about how they want each member state to enforce their directive, the UK government, who were generally fighting against the directive, have not really decided how they what to interpret the directive for the UK market, even though the deadline for enforcement is only few weeks away. Oddly the Department for Culture Media and Sport (DCMS) is supposed to be leading the implementation of this EU directive in the UK. But with just weeks to go there is no sign of any guidance, so I asked the DCMS today for an update.  The DCMS promptly forwarded me to an Information Commissioners Office (ICO) statement which was released today about this subject. However the ICO statement provides no practical advice on how UK businesses should meet the EU Cookie directive requirements, and the statement goes on to say the ICO won’t be enforcing it until they do work out what to do.

ICO Statement
data_protection_officer_conference_news_release_08032011

What a Shambles
This law is suppose to come into force in May, yet the UK government through the DCMS and ICO, just don’t have a clue, and are not providing any practical advice to what UK businesses should be planning for in order to comply, it’s a complete shambles.  If they want the “Cookie pop-up accept  box” to appear on pretty much all business websites as the EU appears to be suggesting, don’t they realise it is going to take time for businesses to develop and implement. I doubt if this will happen in my view, as I cannot see that UK consumers will tolerate such an inconvenient trade off for what is a lost privacy battle.

Back off Brussels
Don’t get me wrong, I think the “Data Protection” of our personal information is still essential to have, and I do understand where the EU is coming from with this, but I’m afraid to say they are out of touch with the reality on the ground. They are actually suggesting a web browser pop-up box before accessing each website aids privacy; seemingly this pop-up box would ask permission from the user to use a “cookie” before allowing access to the website.  We’ve seen this all before with Microsoft’s failed approach to Security in Windows, crying wolf in presenting pop-up security boxes too many times is actually detriment to good security, as users just blindly click “Yes” and continue.  So what’s the point, users who care about privacy can just set an option in their favourite web browser to present a “accept” cookie pop-up box anyway, further this will work on all websites. Actually it would make more sense to mandate the law through default web browser settings rather than through individual websites, but hey that’s just not the common sense solution a non-technical politician would think of.

I think the EU folk behind this directive need to wake up and accept the Internet privacy horse has long bolted when comes down to EU citizen privacy online.  The majority of people simply do not care about their own personal privacy online to the same extend as the EU fuddy-duddies would like to think, testament to this is the popularity of Facebook. Millions of people are posting personal images and messages knowingly, these days most do people do actually understand and accept Facebook owns their posted information, especially the younger generation, or is the EU suggesting people aren’t grown up enough or are just too thick to understand, do we really need more nanny state laws, back off Brussels!


If the EU were actually serious about the protection of their citizen’s personal information, they should look further beyond the website, and take a closer look at the actual business operations, not just how the personal information is harvested, but how the information is held, shared and exploited by some businesses, but the biggest problem today is still too many businesses are doing a poor job at actually protecting the personal information in their care. The biggest problem is not businesses advertising services based on their customer needs, which after all is just a normal business practice, isn’t it?

No comments: