Our comment to "It’s not about cookies, it’s about privacy" post on Gov.UK GDS site.

Comment to GDS blog post "It’s not about cookies, it’s about privacy"  

Mike O'Neill (@incloud)

It should be about respecting citizens’ privacy, not implementation convenience.

The law requires web publishers not to place any information that could identify a visitor on their browser unless they have been given informed consent.

It was drafted in such a general way to protect citizens from having their personal information harvested without their permission, by whatever technology became available.

Informed consent means that citizens should be given an explanation of why the information is being stored. This should be clear, short and written in simple language. It should not consist of long lists of unintelligible cookie names (which are often random strings regenerated on every visit) which would only bore citizens with their irrelevance.

The law applies, as you say, to HTML5, HTTP and “flash” cookies. It also applies to anything stored in the cache such as ETag values, and JavaScript files containing unique values. It probably also applies to script functions that identify citizens by recognising their keystroke patterns, or by sending fingerprinting information (such as a list of the installed fonts in a device).

Any browser fingerprinting using stored files is probably illegal. If it is based only on the IPv4 address (IPv6 is covered by its standard privacy extensions) combined with the other HTTP request headers, it has been shown not to be able to identify citizens accurately enough to track them for commercial purposes.

The EFF Panopticlick test was only able to accurately fingerprint devices because it used a (probably) illegal JavaScript technique that sent device identifying data back to the site. It also happened to use an HTTP session cookie to thread the returned data with the initial request.

The major threat to the legislation, which was extensively discussed in Europe for many years before it was debated in the EU parliament (with overwhelming support across the political spectrum), is the confusion generated by those that profit from the traffic in personal information.

It is also put in danger by inaccurate information put out by influential public sector organisations.

Any cookie that contains a value that uniquely identifies a visitor can be used to track them. It is disingenuous to say that because a value does not of itself contain personal information it is not “intrusive”. Citizens’ personal data is already held in the cloud, in social networking sites, financial services websites and many more. This data can very easily be indexed and addressed by a key encoding the unique value. For example, your name is not encoded in your telephone number but databases exist that can ascertain one from the other.

It is also wrong to claim, based on an (admittedly badly worded) sentence in the ICO’s guidance, that analytics cookies are “minimally intrusive”.

As you point out the ICO guidance says “Provided clear information is given about their activities we are unlikely to prioritise first-party cookies used only for analytical purposes in any consideration of regulatory action”.

The relevant word here is “only”. If you use an analytics service from a 3rd party how can you know whether they use the cookies only for analytics purposes?

It is perfectly possible to write some server-side or client-side code that can use a 1st party cookie to identify unique visitors and use that indication only to gather analytics information. But if the value of that cookie is sent to a third party, especially one that makes the bulk of its revenue from advertising, on every visit to your site by a citizen, then the ICO guidance does not apply, as it probably is not being used for “only” analytics purposes.

In the case of Google Analytics the unique value encoded in the 2 year persistent “__utma” cookie is sent in an AJAX call to Google every time a citizen visits a site using the service.

This is perfectly capable of tracking a citizen’s web behaviour whatever metaphysical term you arbitrarily apply to it.

As I have already pointed out, the GA cookies are also available to any script, perhaps located in an external site, with access to the publisher’s domain. If co-opted 1st party cookies like this are endorsed by the Government and remain ubiquitous then others would be encouraged to develop tracking techniques that could use them. They may even be able to avoid legal action.

Have you received an undertaking from Google that they will not use the unique value to behaviourally track people, perhaps using personal information held within their other properties? If so perhaps it would be a good idea to make it public. Are you sure you are not placing 3rd party script that accesses the GA cookies or may be capable of doing so in the future?

You can still get useful information from analytics services like GA even when cookies are not placed. You can record and count the number of page visits and record the browser type. You can even, in many cases, get a general idea of the source location of the visitor. Moreover, with the right kind of compliance technology you can still get an indication of unique visitors. And of course you can get the complete analytics information about visitors who have agreed to your 1st party cookies.

If you allow cookies to be placed without informed consent on the GovUK site you are not only giving the wrong signal to UK web publishers you are showing no respect for the privacy rights of UK citizens.

Some may not agree that citizens’ privacy rights should be protected. But these rights are a fundamental principle in the EU and all of its most economically important member states. If Government wants UK businesses to keep their unfettered access to the EU single market and its 500M consumers they need to ensure they operate under the same regulatory framework as all the other member states. Sooner or later the same will apply to US businesses.

It is perfectly possible to comply in a way that does not bore or confuse with pointless “cookie descriptions”, but still gives citizens clear information and control over their privacy.

It may be inconvenient to comply with the law but you especially have a duty to do so.