How the cookie crumbles

A lot of wise stuff has been written about the application of the EU Directive 2009/136/EC, commonly referred to as the “cookie law”.

One of the most thriving discussions I have followed happened and happens at Brian Clifton’s blog (with a follow-up post summarizing the discussion – here).

A very catchy and interesting contribution to the discussion was thrown in by Vicky Brock recently.

A short note on the background: In anticipation of the enforcement of this new law (which was postponed in the UK to May 2012) the ICO (UK’s “Information Commissioner’s Office”) has put up a corresponding opt-in disclaimer on their web site (Steve Jackson nicely described it as a “teletext ad”, see the ICO page here), asking the visitors for their consent to accept cookies.

Vicky then made an FOI request to see the before/after effect on the tracked visits on that site. The results are unambiguous and look really dramatic. See for yourself here. Bottom line: the graph depicts “how traffic measured in the web analytics tool (GA) has fallen by 90% since their explicit cookie opt in request”.

Leaving aside the poor visual design of the opt-in message on ICO’s web site (I believe this to have been done on purpose) we can derive a couple of thoughts from this easily:

(1) If the loss in tracked visits (90%) is representative of other sites, data accuracy for click stream data will suffer greatly from the opt-in obligation. Dramatically decreased sample sizes will increase error margins for analysis tremendously. To be a bit more dramatic on the matter: it will render web analytics data irrelevant.

(2) Tracking of users on the server side may seem to become a suitable method of capturing data – but only technically. The aim of the directive is to prohibit the collection of individually attributable data without users’ prior consent, regardless of the underlying technology. This is a tiny, but important difference and may even restrict server log analysis.

(3) As so often in history the legislation seems to be trying to sanction the tools, not the application of the tools. To use a very manifest analogy: if you hand a knife to a surgeon and a murderer, they both will use it in their very own way. The current legislation seems to prohibit the purchase of knives in the future to bring down the figures for committed murders. “Oh, these good intentions…”, you may say.
On second thought, the directive is more subtle. To stay in the “knife” analogy, its aim is “to prevent people from being cut”, in other words: to protect them from the effects of the application of the tools – for whatever reason.

(4) The huge fines which come along with any breach of the “cookie law” legislation make the usage of contemporary Web Analytics tools questionable for anything but commercial organizations (preferably: large e-commerce sites with large average order values). As I suppose that the fines will be imposed on a per-case basis, this could become as expensive as p2p file sharing has become for some recently.

(5) Alternative ways of tracking stuff could be found – but will/might still be considered illegal. It will be interesting to see how data on front end actions tracking (esp. Ajax calls and element tracking in general) can be replaced in the future, particularly if you consider the rapidly increased demand for properly sessionizing click stream data in recent years for syntactic analyses.

No doubt: We’re still talking about strictly anonymized click stream data here – and as clever folks have shown, it only requires smart combinations of filters to decrease redundancy in semantically and syntactically rich data. Combining rich data from various sources (catchword: profiling) may create personalized data that is forbidden to COLLECT without consent. But what about CREATING it?

Consider combining purchase history data from a web shop (anonymized) with credit card purchase history data (anonymized) from a credit card company. Imagine you could get your hands on telecommunications data (which is covered and collected through the Directive 2006/24/EC) – don’t we have the potential for aggregating data sets which can be attributed to individuals?
Depending on: which demographic markers come with the “anonymized” data?

Indeed a good point to get a closer focus on what’s so tricky about the case: just look at the EU Directive 2009/136/EC (strengthening an individual’s right on their personal data) and contrast this with the EU Directive 2006/24/EC (strengthening the authorities’ rights on an individual’s telecommunications data for 6 to 24 months) – don’t we see a slight contradiction here?

Undoubtedly: the cookie law will put pressure on all Web Analytics system providers and on the online advertising industry in Europe, as the effects on the predominant tracking paradigms are not yet clear.

But if you insist on looking at the whole thing with a more moralistic (but genuinely European) perspective:
Of course the real battleground in European legislation is the applied distinction between volonté particulière vs. volonté générale, and particularly the oscillation between the two sides. One directive sets the particular interest first (privacy policy), one directive sets the general interest first (telecommunications data). I am not a lawyer, so I can only ask a categorial question about it: what is the common underlying principle? The “averting of a danger for the society”?

And if so: is it reasonable to assume that smoking is so heavily restricted in most European countries I travel to for the same reason? Are my rights as a smoker restricted so I wouldn’t harm innocent children?
And if that is so: why is smoking prohibited in so many areas, but not the sale and possession of cigarettes? So that everybody in society (including myself) would be spared from inhaling dangerous smoke, while walking the dog in the morning along a six-lane inner-city main traffic route?

I’m exaggerating, of course. But as you see: as soon as you can put yourself on the side of the general interest, you are in the possession of a moral wildcard.

For the ongoing discussion the analytics industry (as well as the online advertising industry) considers itself to be on the side of the general interest, too.
The “improvement of user experience/improvement of the service” which is stated in so many web sites’ usage terms as a reason for having (anonymous!) tracking in place might be regarded as a site owner’s vested interest with regard to the general audience of the web site.

It’s somewhat hard to understand why this should be restricted. But it is equally hard to understand why a web site owner should be allowed to collect (potentially) personal data in order to maximize profits.
It becomes even harder for me to clearly draw the line between data collected as-is, and data that is created by being matched with other data from other sources.

Remember: The battle between “particular interest” and “general interest” is the very same battle that has already bestowed copyright laws on us which nowadays protect content distributors rather than content creators, and a battle that has allowed governments to treat uncomfortable information as “classified” at will.
It is the same battle that has weakened the idea of political immunity for particular individuals who allegedly have committed crimes. So: which general principle is at work here?

There is no right or wrong – there is only a picture puzzle that changes appearance, depending on your own starting point.

Returning to the topic itself: Taking the commercial interests of all the entrenched players in the online industry into account, the most likely scenario for me is that the whole “cookie law” directive will be dragged to courts across Europe with a demand to scrutinize and exploit the text as well as the loopholes in the directive itself. Any of the big players may take the first bullet on this (a multinational company thus would be my best bet for starting the lawsuit cascade).

Most countries in Europe don’t clearly distinguish between “written law” and “common law”. In those countries this distinction is to be applied by Supreme Court decisions, which nevertheless have to ground their decisions on the basis of the written law. Judges have to decide, in other words, whether a case is covered by the written law or not.

The distinction between “rightful” and “just” is not supposed to be made (as “just” can be considered rightful only avant la lettre, which shall clearly not be the guiding principle).
Nevertheless, public opinion and discussion are as moralistic as in other countries, and the decision between “particular interest” and “general interest” is only implicitly (if at all) drawn in public discussions in Europe.
What is heavily present in these discussions (as well as in European jurisdiction, as far as I can tell as a layman) is the principle of the individual’s need to be protected against forces which are said to be more powerful or said to be more ruthless than the individual. And as smoking individuals are considered more ruthless than average individuals, protection doesn’t apply to them, morally speaking.

Bad cards for the web analytics/online advertising industry from this perspective, I am afraid.

And just in case you haven’t been following the discussion about the “cookie law” too closely so far – the folks from Silktide have collected valid thoughts (and an excellent, witty, and partly polemic ebook about the nitty-gritty) on the matter (here).