Sunday, January 27, 2013

"Government's first duty is to protect the people, not run their lives." Ronald Reagan

Twitter Weekly Updates for EUdiscovery

Twitter Weekly Updates for EUdiscovery

Twitter Weekly Updates for EUdiscovery

Twitter Weekly Updates for EUdiscovery

The New EU Cookie Directive Leads to Cookie Wars in The Netherlands

The Dutch Ministry of Economic Affairs, Agriculture and Innovation has introduced a new bill with the goal of implementing the EU ePrivacy Directive 2002/58/EC, as amended by the so-called “Cookie Directive” 10/2009. The dealine for EU member states to implement the “Cookie Directive” into national law is May 25, 2011.
As of now, the Dutch law requires an opt-out regime for cookies: users need to be informed about the placement of tracking cookies, and they need to have an option to opt-out of having these cookies placed on their computers.
In the initial proposal for the new bill, the Minister of Economic Affairs proposed an “unambiguous consent” requirement, which caused a big uproar. That would have involved having a window pop up each time a cookie was placed with the request “Do you want this cookie placed on your computer?” and was deemed to be very impractical by the ad industry.
The Minister thereafter dropped the “unambiguous consent” requirement and changed it into just “consent”, and also mentioned that this consent can be given through activation of the appropriate browser settings, as long as the user is properly informed.
The ad industry claims that self-regulation through placement of icons by each behavioral advertisement would be sufficient to provide the user with the necessary information and opt-out choices.
Since the Independent Post and Telecommunications Authority (OPTA), will be in charge of supervising the application of the new cookie law, it has requested an independent study from TNO (Netherlands Organisation for Applied Scientific Research) and IVIR (Institute for Information Law), in order to find out how well website owners have abided until now by the current Dutch cookie law. The current law requires that the user needs to be informed and given the possibility of opting out of having tracking cookies placed on their computer.
The study, published on March 17, came to the conclusion that the majority of Dutch website owners do not abide by these laws, that the majority of Dutch people have no clue about their rights under the current law, and do not have sufficient understanding of the cookie tracking mechanisms to even make an informed choice, or to give meaningful consent. See this Dutch article.
The publication of this study has led to angry reactions from the advertisement industry. Joris van Heukelom, president of International Advertising Bureau (IAB), claimed that the study was biased and Henry Meijdam, president of the Dutch Dialogue Marketing Association (DDMA), said that the study misrepresented the current legal requirements and that the current Dutch law did not require consent for the placing of cookies.
The ad industry did aknowledge that the general public is ignorant about the placing and working of tracking cookies. Advertisers and marketers claim that they are busy with self regulating measures, like the placement of icons by each behavioral advertisement, to inform the web users of the workings of cookies and behavioral tracking and to give users the chance to opt-out of being tracked.
In this previous post, this author has made it quite clear that the way the AdChoice icons currently are implemented is very user-unfriendly and that the AdChoice icons, while giving the user a choice to opt-out of being shown behavioral advertisements, does not guarantee a choice of opting out of being tracked.

Twitter Weekly Updates for EUdiscovery

Yahoo’s AdChoice Icons and the New EU Cookie Rule

A few days ago, PCWorld announced with a big headline: \”Yahoo’s Offers Cookie Opt-out Button Ahead of New EU Law\”

It stated: “The plan allows users to click an “AdChoices” button visible in the upper right-hand corner of ads.This will provide users with information about Yahoo’s advertising business and the chance to opt out of cookies.”
Of above statements, two are right and one is wrong.
There is a button, (barely) visible in the upper right-hand corner of (some) ads. It does provide users with information about Yahoo’s advertising business.
But it does not provide a chance to opt out of cookies. And thus, it is certainly not ahead on the New EU law.
The new EU law that the headline is referring to, is the e-Privacy Directive 2002/58/EC as amended by Directive 2009/136/EC, that has to be implemented by member states by May 25, 2011.
The article most relevant to online cookies, tracking and targeted advertising, is Article 4(3) of the revised e-Privacy Directive that states that placing cookies on a user’s computer is only allowed on the condition that the user concerned has given “his or her consent, having been provided with clear and comprehensive information …  about the purposes of the processing.”
It is not clear whether this informed consent means “express” consent, but what is 100% clear is that the user has to somehow give his/her consent, which implies at a minimum a choice to opt-out of having cookies placed on his/her device. A website that informs its users of its processing practices , or more specifically, of its tracking practices via the placement of cookies on the user’s device, but does not give the user the choice to refuse those cookies, does not abide by the requirement of consent. How can the user consent to the placement of cookies, when he/she doesn’t have a choice whether to agree or not with that practice? It’s like feeding a real “cookie” intravenously to a child without asking it permission, explaining to the child what the ingredients of the intravenous cookie is and the mechanism of intravenous feeding, but not giving the child the option to disconnect the feeding tube. Did the child consent? No, because being forced is not the same as consenting.
It’s exactly the same with Yahoo’s AdChoice Button, which is NOT a cookie opt-out button. All it is, is an opt-out button for receiving targeted ads. If one opts out through the AdChoice opt-out button, one will not see “creepy” ads personally targeted to the user’s profile. That’s all. The user who opts out, will still have cookies placed on his/her computer, will still be tracked by third parties advertisers and will still end up in lists and profiles, to be sold to the highest bidder, and will still risk being dicriminated by employers, insurers, bankers etc…because of information found on these databases.
I wanted to check this for myself, so I decided to click on one of Yahoo’s AdChoice buttons and see what happens. Follow me on my oddyssee:
I first had to click on a few Yahoo pages until I found an ad with the AdChoice button. It is obviously not a widely accepted practice yet.
Finally I found one: It is the little grey icon above the “over 80%” ad: do you see it?

After I clicked on the AdChoice Button, I got the page below, offering me a slew of links to “learn more about this ad”.
I clicked on the “manage” icon under “What choices do I have about interst- based advertising from Yahoo?”

On the page that appeared next, I finally saw an icon for opting-out of Interest-based ads. I clicked.

Oh, but what did I see in tiny letters below the opt-out icon?
“To make your opt out apply to every computer you use, sign in to your Yahoo! account and choose persistent opt-out. Learn more.”
Aha, another click, if I want this to work from my laptop or my smartphone, or from the computer at work.
I clicked. That was CLICK NUMBER FOUR.
This is the page that appeared next: Yahoo Ad Interest Manager FAQ. There were 21 FAQs. I started reading.

The FAQs explained the different aspects of targeted advertising. OK, a nice long read, but what was I looking for again? I forgot.
I went back a page, ( CLICK NUMBER FIVE) looked around and found a link that said : “Additional choices:Yahoo! will apply your ad interest opt-out to certain other products we offer. By opting out of receiving interest-based ads, you will also be opting out of both receiving interest-based content and data collection through partner sites for our analytics products.”
Great! Additional choices. I like that. I clicked on “analytics products”.
And that was when I finally found out the truth:
“Yahoo! Web Analytics is a browser-based system used to collect information about visitors to our customers’ websites.
Information Collection and Use
Yahoo! Web Analytics uses web beacons and cookies to collect data about visitors to our customer’s websites. This data is sent to Yahoo! by your web browser as part of your interaction with a customer’s website. The data collected commonly includes IP address, time spent on webpages, links clicked, or advertisements viewed on those pages etc…etc..
Your Opt-out Choices
Most browsers are initially set up to accept cookies. If you would prefer, you can set your browser to reject cookies, or to reject third party cookies only. If you reject cookies, you may not be able to sign in or use other features of websites that rely on cookies to enable the user experience.
If you do not wish to have information about your activities on our customer’s websites used by Yahoo! as stated above, you can opt-out here. This opt-out applies both to use of the information on behalf of our customers and by Yahoo! for its own purposes as described above.
This page describes current Yahoo! practices with respect to this particular service. This information may change as Yahoo! revises this service by adding or removing features or using different service providers. To find out how Yahoo! treats your information, please visit our Privacy Policy”
And what does appear after my triumphant click?
This page:
If this page looks familiar, that is because it is the same page I got after CLICK NUMBER THREE, allowing me to opt out of the creepy targeted ads, but not out of any cookie placement and/or tracking.
You see, at Yahoo, there is no escaping the evil tracking cookies by clicking on some magic AdChoice button.
They do mention on the previous page that one can set the browser to reject third party cookies, but you don’t need an ADChoice button to do that.
Many people still don’t know about this option, and those people will certainly  not learn about this option through reading a text, buried somewhere after the FIFTH CLICK.
I looked around a bit more and found a link to third parties that have cookies on Yahoo. The list is quite long.

I hope I have suffiently demonstrated why the AdChoice button will not, by any standards, satisfy the new e-privacy laws in the EU.
I believe it is also clear that the AdChoice button, by requiring so many clicks to get to an actual choice button, and by requiring a user to spend a few hours on the site to actually understand what the AdChoice button is all about, falls short of satisfying all current thinking on privacy principles, whether one calls it FIPPs (Fair Information Privacy Practices), Privacy by Design or Privacy by Default.
Viviane Reding, Vice President of the European Commission, Commissioner for Justice, Fundamental Rights and Citizenship, explained at a recent meeting in Brussels, that in her concept of “Privacy by Default”,the privacy settings are designed to be easily found and manipulated by the user, so that “you don’t have to be an engineer to set your privacy settings.”
In other words, when you explain to the child what cookie you put into the feeding tube, do it in plain English, not in Chinese. At least the child will understand that it is being forcefed a cookie.
Oh, I remember now what I forgot I was looking for:
“To make your opt out apply to every computer you use, sign in to your Yahoo! account and choose persistent opt-out.”
On which page of Yahoo’s “novel” was that to be found again?
I have to make a living too.

Twitter Weekly Updates for EUdiscovery

The Review of the EU Data Protection Framework v. The State of Online Consumer Privacy in the US

Yesterday, on March 16, 2011, I had a field day.
As an attorney, licensed both in the EU and in the US, with a special interest in privacy law, I was able to observe quasi simultanuous policy making by both Brussels and Washington, D.C. on the same subject matter, from the comfort of my office in New York, thanks to the marvel of web streaming.
In Brussels, a meeting of the “European Privacy Platform” group of the European Parliament convened to hear Viviane Reding, Vice President of the European Commission, Commissioner for Justice, Fundamental Rights and Citizenship, give her insights on the “The Review of the EU Data Protection Framework”, the proposed overhaul of the European Data Protection Directive 95/46/EC. Axel Voss, Rapporteur on the Communication of the Commission on the strategy for personal data protection in the European Union shared his opinion as well. The event was chaired by  MEP Sophie in ‘t Veld, and was attended by a vast array of stakeholders, among whom I recognized attorneys Monika Kuschevsky and Tanguy Van Overstraeten, Marisa Jimenez from Google and privacy consultant Dan Manolescu.
On the same day, in Washington, D.C., the U.S. Senate Committee on Commerce, Science and Transportation, held a hearing on “The State of Online Consumer Privacy”, with a witness panel consisting of FTC Chairman Leibowitz, Lawrence E. Strickling, Assistant Secretary for Communications and Information of the Department of Commerce, Erich D. Andersen of Microsoft, John Montgomery, COO of GroupM Interaction, Ashkan Soltani, a researcher and consultant, Barbara Lawler, the Chief Privacy Officer of Intuit, and Chris Calabrese, Legislative Counsel for the American Civil Liberties Union.
Check out the recorded stream of the EP session here, and for a complete overview of the Senate hearing’s witnesses’ prepared statements, look  here.
In Brussels, the debate occurred in the context of the revision of the comprehensive data protection directive, passed a good 16 years ago, while in Washington the hearing was held in the context of a possible introduction of a comprehensive privacy bill for the very first time.
These two sessions, held simultaniously across the two sides of the Atlantic, exposed how very different the EU’s and US’s approaches to privacy still are.
At the basis lies a dramatically different motivation for the passing of privacy laws and regulations or systems self-regulation.
As Viviane Reding reminded the audience in her opening statement, the Charter of Fundamental Rights and the Lisbon Treaty guarantees the right to protection of personal data in the EU as a human right.
In the US, there has never been a recognition of privacy and protection of personal data as a human right. Instead, there seemed to be a consensus at the hearing that the introduction of a global privacy bill (or “Consumer Privacy Bill of Rights”) with some baseline principles should be warranted because it would offer a competitive advantage to corporations by increasing consumer trust and would improve international commerce by alignigning the US with the Asia-Pacific Economic Coordination (APEC) Privacy Principles and the E.U. Directive.
In the competing interests between individual rights and commerce, commerce always comes first in the US.
The difference in approach also gets translated in the language that is used: While in the EU the debate is about “individuals, people, EU citizens and data subjects”, in the US the only concern seems to be for “consumers”.
While in Washington, D.C., the stakeholders were debating on how to introduce some basic online privacy protection legislation, the session in Brussels was trying to finetune an entrenched, but already antiquated body of laws.
In Wasington, D.C., Jon Leibowitz, Chairman of the Federal Trade Commission (FTC), proposed a framework to balance consumer privacy with industry innovation by:
1) building privacy protections into everyday business practices (“privacy-by-design”);
2) simplifying privacy choices for consumers; and
3)improving transparency with clearer, shorter privacy notices.
The FTC also proposed a Do Not Track mechanism that would allow consumers to choose not to have their Internet browsing tracked by third parties. The testimony noted that two of the major Internet browsers – Microsoft and Mozilla – “have recently announced the development of new choice mechanisms for online behavioral advertising that seek to provide increased transparency, greater consumer control, and improved ease of use.”
Ashkan Soltani explained the two types of Do Not Track mechanisms:
The Header Approach: The user who toggles a Do Not Track setting in his web browser sends a signal to each remote server that he wishes not to be tracked. But “The online industry has not yet committed to respect the header” and ”Of course, in order this mechanism to be effective, it will depend upon a clear set of rules defining what websites should do when they receive this signal.”
The Blocking Approach: the consumer has to engage a list of unwanted servers engaged in tracking behavior, in order for the browser to block the connections to the servers. The problem is that there are about 600 domains engaged in tracking and growing…
Lawrence E. Strickling, Assistant Secretary for Communications and Information of the Department of Commerce, urged Congress to enact new legislation setting forth baseline consumer data privacy protections—that is, a “consumer privacy bill of rights” consisting of comprehensive Fair Information Practice Principles (FIPPs), providing the FTC with the authority to enforce any baseline protections. Of course, this legislation would also contain the usual loopholes, a.k.a. safe harbors for companies that implement codes of conduct that are consistent with the baseline protections.
Christopher R. Calabrese, Legislative Counsel American Civil Liberties Union, made a poignant statement, refuting the many sceptics who still dispute the possibility of harm to the consumer brought on by the status quo in datamining and lack of data protection.
“The harms caused by excessive and invasive data collection are real and pressing. They begin with straightforward invasions of privacy. Should anyone have the right to know and sell to others the fact that you are overweight, or depressed, or gay? These are all commonplace occurrences with marketers and social networking sites routinely making and selling these determinations. They have significant consequences for consumers who have no say in the collection and use of their own information.
Personal information can also reveal weaknesses that unscrupulous actors can exploit. Ninety-two year old veteran Richard Guthrie was bilked out of more than $100,000 by criminals who identified him from marketing lists. InfoUSA routinely advertised lists of:
―Elderly Opportunity Seekers,‖ 3.3 million older people ―looking for ways to make money,‖ and ―Suffering Seniors,‖ 4.7 million people with cancer or Alzheimer‘s disease.
―Oldies but Goodies‖ contained 500,000 gamblers over 55 years old, for 8.5 cents apiece. One list said: ―These people are gullible. They want to believe that their luck can change.‖
He also warned of the real risk to First Amendment Rights the status quo poses:
“Courts have uniformly recognized that government requests for records of which books, films, or other expressive materials individuals have received implicate the First Amendment and trigger exacting scrutiny.These cases are grounded in the principle that the First Amendment protects not only the right of individuals to speak and to express information and ideas, but also the corollary right to receive information and ideas through books, films, and other expressive materials. Within this protected setting, privacy and anonymity are vitally important.
An individual may desire anonymity when engaging in First Amendment activities—like reading, speaking, or associating with certain groups—because of ―fear of economic or official retaliation, . . . concern about social ostracism, or merely . . . a desire to preserve as much of one‘s privacy as possible.”
In Brussels meanwhile, Vivian Reding introduced her “four pillars” on which people’s rights need to be built:
1)The right to be forgotten:
The right ( and not the mere possibility) of the data subjects to withdraw their consent to data processing, with the burden of proof shifting to the data controller to show that retention of data is necessary.
2) More transparency:
“Individuals must be informed about which data is collected and for what purposes. They need to know how it might be used by third parties. They must know their rights and which authority to address if those rights are violated. They must be told about the risks related to the processing of their personal data so that they don’t loose control over their data or that their data is not misused. This is particularly important for young people in the online world.”
3) Privacy by Default:
Vivian Reding introcuced a new concept here, not to be confused with Anne Cavoukian’s “Privacy by Design”.
Whereas under ‘Privacy by Design” , the default settings are always set to “private”, in “Privacy by Default”, Reding explained, the privacy settings are designed to be easily found and manipulated by the user, so that “you don’t have to be an engineer to set your privacy settings.” This does not imply, however, that the default setting has to be “private” or, in other words, this does not imply an opt-in requirement, like “Privacy by Design” does.
So “Privacy By Design” implies privacy settings by default, while “Privacy by Default” does not imply privacy settings by default.
Between “Privacy by Design” and “Privacy by Default”, I am by now confused by design and perplexed by default.
4) Protection regardless of location of data:
Since personal data protection of EU citizens is a human right, Reding argued it should be safeguarded no matter the location of the data, the servers, or the controllers.
The present framework is “controller centric”. The defining criterion is the location of the data “controller”: is it/he/she located within the EU/EEA, either physically or symbolically? If yes, the controller is subject to the EU Data Protection framework.
Contrast this to the US model, which is “consumer centric”: The defining criterion for most US privacy laws, like e.g. COPPA, is the targeted market. Is the company targeting children in the US market? If yes, the US laws, in this case COPPA, are applicable, regardless of where the data controller is located.
Reding’s proposal of a “targeted market” model would actually emulate the US system.
Reding cited the following example ”For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules. To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.”
This had the headlines screaming: Facebook, Google “must adhere” to EU privacy rules.
While in the Washington, D.C., the different stakeholders seemed to finally agree on a need for more transparancy for consumers, but were still unsure on whether to implement it through legislation, regulation, self regulation, or Do Not Track mechanisms that so far have no oversight nor  enforcement of the user’s wishes, in Brussels, the regulators were arguing for more stringent transparency and for an additional right of the data subject, the right to be forgotten.
While the general understanding in the US is that we are moving towards a system of self-regulation, with maybe a very basic and vague privacy bill for good measure, the EU seems to be moving towards a much more stringent application of personal data protection of its citizens.
When asked about the possibility of including self-regulation in the future framework, Vivian Reding answered: “Self-regulation is an interesting concept, but it has to be based on EU law, has to be compatible with EU law and has to be enforceable.”
As Sophie in’t Velt woefully noted:”We still have a lot of work to do across both sides of the Atlantic.”

Computers, Freedom and Privacy

The 21st conference of Computers, Freedom & Privacy will take place at the Georgetown University Law Center in Washington, D.C. on 14-16 June 2011.
This year’s theme is “The Future is Now”, and will engage not only the experts and the policymakers, but the public as well in discussions about the information society, and the future of technology, innovation, and human rights.
Unlike most other privacy conferences that focus exclusively on the needs of the industry, this conference seeks to involve  multi-stakeholder participation as speakers and attendees that represent the diverse global community of organizations and professionals who work on policy, technology and law.
Some of the topics will revolve around hot topics such as social media’s role in the democracy movement in the Middle East and North Africa and the impact of mobile personal computing technology on freedom and privacy.
The multi-stakeholder participation at this conference will for sure generate intellectually stimulating discussions on the subjects of Computers, Freedom and Privacy.
Below is a short video with testimonials by organizers and previous participants of CFP conferences.
For the sake of full disclosure, I produced, filmed and edited this video in my spare time and I am also on the Committee of the CFP conference 2011.
For more details see and


  1. Did you know that you can shorten your long links with AdFly and get cash for every click on your shortened urls.

  2. Get daily suggestions and guides for generating $1,000s per day FROM HOME for FREE.

  3. Bluehost is ultimately one of the best website hosting provider with plans for all of your hosting needs.

  4. There is an incredible new opportunity that is trending online.

    Major companies are paying average people just for sharing their opinions!

    You can earn anywhere up to $5 - $75 per each survey!

    And it's available to anybody in the world!


Related Posts Plugin for WordPress, Blogger...