European Parliament Agrees Text For Key ePrivacy Regulation; Online Advertising Industry Hates It
from the how-dare-people-refuse-to-be-tracked-online dept
Techdirt has mentioned a couple of times the EU's important ePrivacy Regulation that is currently working its way through the legislative process. It's designed to complement the EU's new General Data Protection Regulation (GDPR), which comes into force next year, and which is likely to have far-reaching effects. Where the GDPR is concerned with personal data "at rest" -- how it is stored and processed -- the ePrivacy Regulation can be thought of as dealing with personal data in motion. That is, how it is gathered and flows across networks. Since that goes to the heart of how the Internet works, it will arguably have an even bigger impact than the GDPR on the online world -- not just in the EU, but globally too.
That's led to lobbying on an unprecedented scale. A recent report on the Regulation by Corporate Europe Observatory quoted a source in the European Parliament as saying it was "one of the worst lobby campaigns I have ever seen". Despite that pressure, and a last-minute attempt to derail proceedings, the European Parliament has just agreed a text for the ePrivacy Regulation. That's not the end of the story -- the other parts of the European Union legislative machine will weigh in with their views, and seek to make changes, but it's an important milestone.
The European Parliament has produced an excellent briefing on the background to the ePrivacy Regulation (pdf), and on its main elements. A key feature is that it will apply to every business supplying Internet-based services, not just telecom companies. It will also regulate any service provided to end-users in the EU, no matter where the company offering it may be based. There are strict new rules on tracking services -- including, but not limited to, cookies. Consent to tracking "must be freely given and unambiguous" -- it cannot be assumed by default or hidden away on a Web page that no one ever reads. Cookie walls, which only grant access to a site if the visitor agrees to be tracked online, will be forbidden under the new ePrivacy rules.
IAB Europe, the main European-level association for the digital media and advertising industry, says giving the public the right to refuse to be tracked amounts to "expropriation":
"The European Parliament's text on the ePrivacy Regulation would essentially expropriate advertising-funded businesses by banning them from restricting or refusing access to users who do not agree to the data collection underpinning data-driven advertising," warned Townsend Feehan, CEO of IAB Europe.
The press release then goes to make the claim that online advertising simply must use tracking, and that visitors to a site are somehow morally obliged to give up their privacy in order to preserve the advertiser's "fundamental rights":
"Data-driven advertising isn't an optional extra; it is online advertising," explained Feehan. "Forcing businesses to grant access to ad-funded content or services even when users reject the proposed advertising value exchange, basically deprives ad-funded businesses of their fundamental rights to their own property. They would be forced to give something in return for nothing."
However, IAB Europe graciously goes on to say it "will continue to engage constructively with the EU institutions in hopes of meaningfully improving the draft law in the remaining legislative process." Translated, that means it will lobby even harder to get the cookie wall ban removed from the text during the final negotiations. IAB Europe is naturally most concerned with the issues that affect its members. But the European Parliament's text -- not the final one, remember, so things could still change -- includes some other extremely welcome elements. For example, the Regulation in its present form would require EU Member States to promote and even make mandatory the use of end-to-end encryption. Moreover, crypto backdoors would be explicitly banned:
In order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design. Member States should not impose any obligation on encryption providers, on providers of electronic communications services or on any other organisations (at any level of the supply chain) that would result in the weakening of the security of their networks and services, such as the creation or facilitation of "backdoors".
As the above extracts indicate, the European Parliament's text offers strong support for the user's right to both encryption and privacy online. For that reason, we can expect it to be attacked fiercely from a number of quarters as haggling over the final text take place within the EU. Unfortunately, unlike the European Parliament's discussions, these negotiations will take place behind closed doors.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ads, advertising, eprivacy regulation, eu, eu parliament, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
Ah, but you have a choice
No. They wouldn't. They're perfectly free to simply turn off their sites. They won't be missed: we have more than enough resources of all descriptions that are available without the filth of advertising, and more are being built every day.
Don't let the door hit you in the ass on the way out, scumbags.
[ link to this | view in thread ]
ISDS
[ link to this | view in thread ]
Breaking the internet
I actually have a problem with this part. the last time the EU did something like this we got all those useless, "This site uses cookies" banners everywhere. Now they're saying that sites must be able to operate without cookies.
First, every site that does any sort of sign on will now require a new warning banner on that page. It's useless, since the site must use cookies to make sure logged in users are who they say they are.
Second, goodbye any sort of site that does things based on sessions. Since it must work without cookies, it must work without sessions. Since that's not possible, they can't comply with the EU regulation. Things like shopping carts that don't require login run into the same issues as sing ons. They don't work without at least a session cookie.
Third, is the annoyance factor. Some sites tried doing this when the banner requirement was first introduced. The problem is since it didn't store a cookie, it assumed the user was a new visitor on every page, and constantly popped up. Sure, that can be mitigated by looking at the referrer, but every new visit will be greeted with a banner.
In theory tracking protection is a good idea. I can get behind things like banning browser fingerprinting or supercookies. Heck, I even agree with trying to regulate tracking pixels. However, the EUs track record with cookies is bad at best. I'm concerned that in their attempt to regulate the internet, they're just going to break it.
[ link to this | view in thread ]
Unintended consequences
Most of the sites you love (including this one) make some or all of their income from advertising. Targeted ads are what really pay the bills, the more they can show you that is relevant to where you have been or what you have searched for, the more likely you are to click the ad and thus, there is more value (and more pay!).
Google ads commands a big part of the market, in part because they have their fingers in the pie all the time, so to speak. They know where you go, what you search, and so on. For mobile users they add on the go location data, and boom, perfect ads - and lots of revenue.
On the other side of things, we know that the internet is a hard place to make money. When your income is often measures in tenths or hundreds of a cent per user visit or per page view, it's quite hard to find a point where you make a profit. Removing or limiting targeting in advertising would very likely kick the legs out from under the business model entirely, taking with it many of the sites you enjoy.
So who makes money? Well, the two biggest money makers (from running non-hard good businesses) are Google and Facebook - two companies who make their income through ad targeting. They are two companies who track you incessantly and turn that knowledge into cash.
Of course, the pat answer is to say "we don't need those garbage commercial sites clogging up our wonderful online commune", which sounds nice until you realize that the phone in your hand is at least partially paid via advertising. Apple holds you hostage to their app store and closed environment, and Android exists only really to further Google's grip on your data and you eyeballs. Take that away, and the point of making such things (and the money to do it) could evaporate overnight - or you could go back to paying for your OS and such, adding hundreds more dollars onto your phone price.
The EU deal sounds go from the surface, but the unintended consequences are big. Remember, Techdirt slams 55 cookies from at least a half a dozen sources at you every visit. The EU rules would seem to suggest that wouldn't be acceptable anymore. I would really love to hear Mike chime in as to what the would do for the business model here.
[ link to this | view in thread ]
Re: Unintended consequences
If a business model cannot work without the law protecting a business’s right to track people, that business model deserves to fail. The advertising companies can either adapt or perish.
[ link to this | view in thread ]
Re: Unintended consequences
[ link to this | view in thread ]
Re: Re: Unintended consequences
I am male. I don't see many (if any) ads for feminine hygiene products on Facebook, but my wife does. I do get plenty of ads for Tech gear, local restaurants, and other things that are more relevant to me.
Unless they close the loop on knowing that you have bought something, they will tend to send you more ads about things you are interested in. But over time, that tends to go away as you move on to other topics.
It would be better than showing you ads for Restaurants on the other side of the world, movies in languages you don't understand, and products that you cannot buy locally.
[ link to this | view in thread ]
Re: Re: Unintended consequences
[ link to this | view in thread ]
Re: Re: Re: Unintended consequences
Those are total non issues, as the IP address locates you, (or the TOR exit node or the VPN), and your browser gives your language.
[ link to this | view in thread ]
Re: Breaking the internet
Based on the wording of the what a cookie is in the linked PDF document, the EU are referring specifically to third-party persistent cookies, not to session or to first-party cookies , as per the sidebox on page 12:
[ link to this | view in thread ]
Re: Re: Re: Unintended consequences
[ link to this | view in thread ]
Re: Breaking the internet
If a website developer is willing to seriously think about when to set cookies and whether they are necessary, it is possible to make a website that can be browsed without cookies (trivial), only sets session cookies when someone logs in (Say: "logging in requires cookies" in the login screen.)
For a shopping cart one only needs to popup a warning once (when there is no session cookie set yet). For each subsequent addition to the cart one may assume consent for the cookie, because it has already been set.
As a web user with some web development experience I see those "in your face" cookie banners and/or cookie walls as an annoyance; either because of developer incompetence or management disagreeing with the results of a (democratic) political decision.
*DO NOT TRACK*
[ link to this | view in thread ]
Re: Breaking the internet
[ link to this | view in thread ]
Re: Breaking the internet
[ link to this | view in thread ]
https://www.i-dont-care-about-cookies.eu/
[ link to this | view in thread ]
Re: Re: Re: Re: Unintended consequences
I've seen logged in users on the sites I work on flip in a heart-beat from one end of Japan to the other because they've flipped ISP from domestic Wifi to LAN (for example) whilst keeping everything else consistent, or one mobile network to another whilst still logged in on the same device. (Of course this could also be evidence of incompetent session cookie stealing, but the behaviour is too consistent for that.)
[ link to this | view in thread ]
Re: Breaking the internet
[ link to this | view in thread ]
Re: Unintended consequences
Say What?
You dont really know much about this other than your FUD do you?
[ link to this | view in thread ]
Re: They would be forced to give something in return for nothing.
The fact that an entire world industry has built an enterprise based on violating other peoples civil rights, does not mean that their activity is somehow just. Fascists don't stop being fascists because they are successful. If any legislative body had approached this problem in 1999, most of the advertising systems architecture would have ended up differently than it is today.
Yes, preserving civil rights has a habit of upsetting billion dollar industries. We know that in states, because we experienced it in 1861 with the abolishment of slavery.
So the logic here is basically the same as "too big to fail". Which is good for the guillotine business, but not much else.
Note that while _some_ growth of the Internet was created by advertising, quality was also effected. At this point the drop in signal to noise ratio is causing the net utility of the Internet to DECLINE. IMHO it is accelerating towards equilibrium and utility will probably extend well below what it was before Internet advertising became a big thing.
There are companies paying out huge money right now to people who have basically no experience in any subject, to write reams of bad copy on all kinds of scientific issues. It is being done to dilute the effectiveness of search algorithms, in a slow war to push enthusiast driven content off the Internet, and make the whole network one big TV style broadcast system.
If these guys codify that this is acceptable behavior, then they've entrenched it even further into our cultural standards. And that is going to have consequences. Because there is a large cross section of society that finds this behavior appalling. Not just unpleasant, but utterly fucking intolerable.
And we know where that leads. We've been there before.
[ link to this | view in thread ]
I don't need three more fridges
I have no problem with ads, it's the micro payment system for free content. But I despise the user tracking. If I want some cookies, I got a great oven for baking some.
[ link to this | view in thread ]
i wonder how long before this is totally dismantled and the exact opposite happens instead?? i wonder which MEPs will be the ones who recommend the dismantling and what 'benefits' they get for doing so? and will there be any investigating done on those who do the recommending?? will there hell as like!!!
[ link to this | view in thread ]
You say that like it's a bad thing...
[ link to this | view in thread ]
Re: Ah, but you have a choice
[ link to this | view in thread ]
Re: Re: They would be forced to give something in return for nothing.
It didn't have to be this way. But advertizers themselves chose to MAKE it this way, by attacking privacy and security at every possible opportunity in order to squeeze out a few more cents of precious profit. They chose to MAKE themselves the enemy and they show no signs of regretting it.
Fine. Treat them as one. Exterminate them.
[ link to this | view in thread ]
Re: Re: Ah, but you have a choice
[ link to this | view in thread ]
Re: Unintended consequences
Really the $900 I paid for my phone that is about $200-300 in parts doesn't pay for itself? Well then I guess the CEO and other management will have to take a discount on their multiple-millions in salary.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Unintended consequences
It is worth noting that IP address space really shouldn't have ever been allocated based on geographical distance anyway, and at first it wasn't.
Before ICANN was ICANN, IP addresses was allocated based on _network_ distance, rather than geographical distance. The difference being that CIDR block allocation had to take into account datagram switching capacity. (routers aren't infinite) Geo based distance as a basis for allocation is substantially less efficient.
So Geo-IP was always really dumb. I don't know which beurocracy was responsible for it. But you can bet that it was driven by governments. And probably telco execs who had just bought out Internet providers and wanted to cement regional monopoly markets without understanding the impact of making technical decisions based on graft and political territory piss stains.
Services like Geo-IP is why you have OSI layer 5. It was just one of those things where somebody did something stupid (ICANN) with then created something that sortof looked like a marketing oportunity if you were willing to accept really bad engineering. Then a cascaded bad idea became cheaper to implement than doing the job right, and so you have this half-assed garbage instead of a proper solution.
The whole problem really boils down to bad architecture dating back to the 80's. OSI layers 4 and 5 should be transposed, with the session layer being used for crypto and things like voluntary GeoIP. But that would require pretty much reengineering the entire switching fabric of the Internet. But if you want an Internet where civil rights are respected, that is what is going to have to happen. Like it or not.
[ link to this | view in thread ]
Re: Re: Re: Unintended consequences
Why would my grocery store need to track me to accept my money?
[ link to this | view in thread ]
Re: Re: Re: Unintended consequences
I disagree. Almost anywhere you see an ad, it would be better to have nothing there... which is exactly why people use adblockers.
[ link to this | view in thread ]
Re: Unintended consequences
Maybe in theory, but in practice I'm no more likely to click them than any other ad online (read: never). Scratch that, I'm less likely to click them than the sorts of ads shown on, say, readthedocs.org. Those untargetted ads seem to actually better targeted than the targeted ones.
[ link to this | view in thread ]
Re: Re: Re: They would be forced to give something in return for nothing.
[ link to this | view in thread ]
Re: Re: Re: Unintended consequences
What a load of apologetic bull.
[ link to this | view in thread ]
Re: Re: Re: They would be forced to give something in return for nothing.
Sun took an appliance language it had on the shelf, (java) and declared that it could be a "virtual machine" would make client side execution of foreign code secure. Which was complete bullshit, and everybody knew it.
At about the same time Redmond was in litigation for using racketeering tactics in the web browser world (which they did), and so everybody was shitting themselves about http portability, and so there was a rush to adopt SOMETHING that would make clean dynamic rendering work. So java as adopted, even though everybody knew it was going to pig-fuck the next decade of web security. Which it did.
Over time hackers created tracking systems that the "virtual machine" was supposed to prevent. And even though those features violated state computer intrusion laws, which clearly demonstrated that Suns great "virtual machine" was bullshit, Sun just shrugged and sold out to Oracle.
Then later on companies starting getting nervous because they were committing (and still are) a million felonies a day, so we started seeing efforts to externalize responsibility for the problem. Which is when we got the "Do not track header". Which is also complete bullshit because it is evaluated on the server side. And if the server admins read the fucking law, they would know that they've been committing a million felonies a day for a decade, and would have already moved to Mexico.
[ link to this | view in thread ]
Re: Re: Re: Re: They would be forced to give something in return for nothing.
In the same fashion that the banks received theirs in 2008.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Ah, but you have a choice
I haven't bothered to disable them, and uBlock's off for this site. They aren't as obnoxious here as in other places.
[ link to this | view in thread ]
Re: Re: Unintended consequences
What phone? Oh, you're referring to that lojack device that I have to put in a fucking faraday cage by the front door to keep it from being used to take pictures and record audio inside my home without my consent?
Most people can't live without their cell phones. I choose to live without one. I would sincerely like to have mobile communications. I used to have several of them. But once they all became I.P. enabled, I knew the jig was up.
People who honor the Constitution are, at this time, being denied potentially life saving services (cell phones) because the only products available in the market are criminally invasive of their civil rights.
That people are conceding their rights en mass, does not mean that they are unaware of the choice that they are being forced to make. And being compelled by market leverage, is not the same thing as consent.
The industry argument is: "well people don't mind, we've been doing it for years". John C. Calhoun made similar arguments about his slaves. Failing to preserve Constitutionally recognized boundaries of interpersonal privacy in modern legislation will end up being the modern version of the three fifths compromise.
[ link to this | view in thread ]
Re: Re: Unintended consequences
Any time Google is doing something for free, the underlying premise is market position and ubiquity of their search and search products, which in turn feeds their ad market (which brings in billions).
It's not FUD. It's why they spend tons of money on an OS that brings them little direct return.
[ link to this | view in thread ]
Re: Re: Re: Unintended consequences
[ link to this | view in thread ]
Re: Re: Breaking the internet
My guess would be as new ways to track are found, they would be added to a list of unacceptable ways to track users. EU sites doing so would be in violation of at least the spirit of the law.
[ link to this | view in thread ]
Re: Re: Unintended consequences
So tell me again how I am, in some way, indebted to these companies.
[ link to this | view in thread ]
Re: Re: Unintended consequences
The MEPs should be congratulated for a burst of sanity. I predict that the demise of involuntary or extortion-based tracking cookies will make precisely no difference at all to internet economics.
[ link to this | view in thread ]
Re: Re: Ah, but you have a choice
[ link to this | view in thread ]
Re: Unintended consequences
Advertising money will circulate no matter what. If they are limited to plain old fashioned advertising, the advertising economy will adjust. Companies have always, massive tracking or none at all, been paying advertisers largely for nothing. And in a world with an internet through which you can search for things you might want, you can find options of which you had never heard, and do a much better job than any advertiser, ever.
If post-tracking ban, advertisers really want to charge less for their services and pay less for sites to host ads, or sell more ads, that's pretty much on them. They would be paying a lot less without all the tracking stuff they felt they had to do to keep up with other outfits.
Of course, ad-supported sites wouldn't have it so bad if the hosting (somewhat) and business-class ISP costs were not a few magnitudes of order out of whack with reality. Maybe they would have to adjust too.
But i can count on one hand the number of times i have ever clicked an ad out of interest, static or targeted. Ads suck, and they always will. The entire industry is built on a belief system more than reality, and they probably pretty much know that deep down, as evidenced by what their data tells them.
[ link to this | view in thread ]
Re: Re: Re: Re: They would be forced to give something in return for nothing.
Re-reading your post, i am guessing you are talking about Javascript, which has nothing to do at all with Java or virtual machines, and lolno is not secure. Netscape developed it after they re-wrote Mosaic to make a commercial web browser. (They did use Java in the browser but i don't recall java applets making up much advertising and certainly not general web page rendering. A site that ran entirely in a jvm, it think, would be far more rare than say, the dumber and far worse all-Flash sites. If you want to talk about a horribly insecure, tracky, and much abused technology...)
[ link to this | view in thread ]
Re:
I am thinking "expropriate" should be used like "defenestrate". For fun and language-creep. K-I-L-L-E-D: Revoked.
[ link to this | view in thread ]
Re: Re: Ah, but you have a choice
[ link to this | view in thread ]
Re:
http://i-am-an-idiot.eu/
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Unintended consequences
The FDA labels what may violate American body. But for psychologically abusive marketing practices, no such labels exist for the much more severe violations that are continuously perpetrated against the American mind.
The degree of engineering integral to that emotional and psychological battery has achieved a state of depravity that dwarves the techniques used in 1930's Germany.
I don't know that much. But I know enough about the psychological techniques to identify them when I see them, and I know a little about the law, and I know a lot about the technology. And what is going on right now is a fucking crime.
It has been since around 2005, and it has been getting progressively worse since then.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: They would be forced to give something in return for nothing.
TD itself is Ajax based I think. Derived from slash isn't it?
Tracking has existed since the inception of HTML. Thinking back the "previous-site" header was in the spec at least since html 1.0, (around when I first started learning it) and has been respected by all browsers that I know of since then. It preceded cookies. (I may have the header name wrong, I haven't touched that part of the protocol stack in awhile)
That header field was a questionable move at the time, but it was the easiest way to provide any context to web server logs. And the web was still for nerds then. Cookies extended that, and at the time there was a lot of grimacing that took place. Front end developers and marketing chicks liked cookies because it gave them features that their e-commerce customers wanted. But many network and infosec guys saw that the trend was really going in the wrong direction.
Now there is millions lines of source code out there, in thousands of systems fucking with peoples civil rights in ways that extend well beyond the boundaries of the law.
Instead of demanding that the engineering come into conformance with the law, the EU has decided to change the law. All because there is billion dollars worth of marketing hype built atop a weekend hack that was probably written between bong hits.
Everybody knew this was the wrong way to do it at the time. It was just that nobody wanted to pay the money to write a real solution. And market entropy evolves on whatever foundation is available. Current web architecture was created on several really bad foundations.
It is very much like the 3/5's compromise. It was ALWAYS a bad idea. The longer you wait to fix it, the worse it's going to get.
[ link to this | view in thread ]
Re: I don't need three more fridges
Whats more, because of that invasion of privacy, a lot of people simply wouldn't search for things pertinent to their own health and welfare. The tracking ends up being a DOS, because it causes people to fear seeking support in their lives.
Tracking produces leverage between people, but it does not elevate anything.
[ link to this | view in thread ]
Re: Re:
/s
[ link to this | view in thread ]