Dear Chairman,
I write to you for clarification regarding a move by the advertising and data broker industries towards server side “fingerprinting” as a means to circumvent the rules governing the practice of online behavioural tracking as outlined in Article 5(3) of Directive 2002/58/EC (ePrivacy Directive).
The wording of the Directive states:
“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”
And I welcomed the opinion published by the Article 29 Working Party that this would require “prior informed consent”.
However, I am concerned that to date the debate has centred around the use of Cookies with no discussion on other aspects of the Article referencing “accessing information already stored”. As a result, various members of the advertising and data broker industries believe they are able to circumvent the Article simply by moving away from cookie based tracking systems to serverside fingerprinting.
In particular BlueCava (a US company) state in a press release on their web site:
“BlueCava (www.bluecava.com), the leading provider of device identification technology that enables businesses to improve online advertising effectiveness and reduce fraud risk, today announced the latest version of its device identification platform. The new release provides an immediate solution for companies doing business in the European Union affected by the EU’s ePrivacy Directive.”
(source: http://www.bluecava.com/news-release/bluecava-releases-cookie-less-device-identification-technology-for-online-advertisers/ - Accessed 6th February 2012)
This raises significant concerns on a number of points.
Firstly, the purpose of the changes to the ePrivacy Directive was specifically to protect consumers from the covert tracking of their online activities – BlueCava and others are clearly attempting to undermine these rules to the detriment of EU Citizens’ fundamental right to privacy.
Secondly, there seems to be some misunderstanding as to whether or not the wording of Article 5(3) actually covers serverside fingerprinting and DeviceIDs.
From a technical perspective it is my opinion that the wording of Article 5(3) does sufficiently cover such practices for technical reasons which I will now attempt to articulate in non-technical terms.
In order to generate a DeviceID or Fingerprint, certain information is required to uniquely identify a device. Such information includes (but is not limited to) Internet Protocol Address (IP Address), fonts, user-agent string, operating system, screen resolution etc.
This is, from a technical perspective, information stored in the terminal equipment of the subscriber and in fact it would not be possible to generate such unique identifiers without accessing the information stored in the terminal equipment of the subscriber; and would therefore, seem to be explicitly covered by the wording in Article 5(3).
During my discussions with various parties on this issue, the following two arguments have been presented in disagreement:
1. The web server does not “gain access” to this information, it is freely given by the subscriber; and
2. This information is not stored on the terminal equipment of the subscriber but is stored in the web browser itself.
Allow me to answer both these arguments in turn.
Firstly, it cannot be considered that the information is freely given as this data is provided by a series of automatic processes of which the subscriber has no knowledge and over which the subscriber has no control – it is part of the Hypertext Transfer Protocol (HTTP).
Secondly, this data is not “stored in the browser”; the web browser application accesses various system files and Application Programming Interfaces (API) in order to retrieve this data to provide to the web server and therefore is covered by the wording “gaining of access to information already stored, in the terminal equipment of a subscriber or user” in Article 5(3).
My concern is that without clarification of these points, the debate will continue to focus on the use of Cookies whilst serverside fingerprinting techniques are adopted by the advertising and data broker industry as a means to circumvent the Article.
I would appreciate it if the Article 29 Working Party would consider the information I have provided above and publish an opinion to clarify the situation.