Just as we are hearing about how some European DPAs are gearing up for a winter of cookie discontent with new enforcement efforts, it also emerged this week that tracking companies are using new techniques in an attempt to bypass standard browser controls.
The ideas behind browser and canvas fingerprinting have been around for some time now, but a research paper from teams at Leuven and Princeton universities has uncovered new evidence of their use in the real world.
These techniques seem designed to get around standard browser controls that allow users to block tracking cookies relatively easily, but they also have an uncertain status with regard to the EU cookie laws.
One of the key provisions of those laws is that compliance may be achievable through “browser controls.” Many websites have tried to rely on this provision in the law to comply, because on the surface it seems an easy option. Simply by advising people that such controls are available, they attempt to pass back responsibility to the user and therefore avoid bringing in their own changes. The argument goes that if users don’t change their privacy settings, then their consent to tracking can be implied.
The reason this was written into the law was that browsers at the time were adding new controls, including the now pretty much defunct "Do Not Track" setting. The thinking was that if browsers could be changed to empower users, it would be a more efficient way of increasing online privacy than requiring individual website owners to make changes to each and every site.
It was noted at the time, however, that browser controls were not good enough to rely on for compliance. The UK government even tried to make a big deal out of the fact that they were "working" with browser companies to introduce the necessary changes.
Where did that "work" go? Nowhere. The government quietly stopped talking about it, and browser controls are substantially the same now as they were then.
This is why the guidance written by the UK Information Commissioner's Office (PDF pg15) in 2012 still stands: “At present, most browser settings are not sophisticated enough for websites to assume that consent has been given to allow the site to set a cookie,” and, “For now, relying solely on browser settings will not be sufficient" for compliance.
The truth is, mainstream browsers are unlikely to ever give sufficient user control over cookies or any other technology that can be used for tracking. Even if they did, what this development shows is that they would simply be engaging in a tracking arms race they could not really hope to win.
The only realistic option is for website owners to take responsibility themselves, in conjunction with the technology developers. It’s the code that goes into the site that generates cookies or other tracking methods, and website owners are the ones who have that control, along with the platform and code developers they use as suppliers.
This is why we produced our Optanon ePrivacy tools. With these, site owners can easily add or remove code elements in response to the consent state or preference of visitors. This will deal with cookies and any other tracking tech that people come up with, now or in the future.
Of course some people will blame a poorly written law. They may point to "cookie consent fatigue" and use it as an excuse to find new technological ways to get around the rules—so they can keep tracking people.
However, as recent surveys have shown, people are getting pretty fed up with that approach. What they want is proper transparency and some degree of control over their data trail.
Maybe it’s time to give it to them.
Comments
If you want to comment on this post, you need to login.