ePrivacy Issues and
Their Potential Effect on Online Data Collection
Anna Long, Founder and Principal Analyst
Web Analytica℠
Agenda
• ePrivacy – What’s the Problem?
• Three Attempts to Address ePrivacy Issues
– EU ePrivacy Directive
– W3C Tracking Protection Working Group
– W3C Customer Experience Digital Data Community Group
Online Privacy – What’s the Problem?
The landscape:
• The Wall Street Journal, The New York Times, Time Magazine, and other news organizations have written articles raising concerns about abuse of privacy online.
• The Privacy Rights Clearinghouse, Consumer Watchdog, Consumer Action, and the Center for Digital Democracy have voiced concerns about online privacy.
• Politicians and regulators in the US and other regions have conducted studies, held hearings, and introduced legislation attempting to address online privacy violations.
Technology’s Impact on Privacy
Concerns about technology’s impact on privacy pre-date the commercialization of the World Wide Web.
March 18, 1992
Technology’s Impact on Privacy
“A new protocol being developed by the Internet Engineering Task Force (IETF) has raised privacy concerns. Internet Protocol Version 6 (IPv6) is the "next generation" protocol designed by the IETF to replace the current version Internet Protocol (IPv4)...
“The new addressing structure, however, may mean that every packet can be traced back to each user's unique network interface card ID… That information... forms the basis of the privacy concerns raised by some observers of the IETF process.”
Concerns about the Internet’s effect on privacy go back to the last century.
October 12, 1999
Online Privacy – Is This The Problem?
What’s to Be Done about ePrivacy Issues?
Three major initiatives are underway:
• European Union’s ePrivacy Directive: applies regulation to cookie storage
• World Wide Web Consortium (W3C) Tracking Protection Working Group: developing standards to put tracking control in the hands of individual website users
• W3C Customer Experience Digital Data Community Group: creating standards that put control in the hands of website owners
European Union ePrivacy Directive
The European Commission has had an online privacy directive (Directive 2002/058 on Privacy and Electronic Communications) in place for over a decade.
• 2002 version required website owners to inform visitors about cookie placement and offer a method of refusing cookies (opt-out)
• 2009 version requires website owners to gain permission from visitors before storing any cookies not essential to basic site operation (opt-in)
The opt-in requirement of the 2009 revision caused an uproar in the European online community. Many feared it would severely disrupt visitors’ website experiences and put European online commerce at a severe competitive disadvantage.
EU ePrivacy Directive: 2009 Revision
"Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing...."
From 2009 Revision of Article 5(3) of Directive 2002/58/EC, emphasis added
European Union Legislative Activity: The “Cookie” Laws
The European Commission directed all EU members to incorporate the amended ePrivacy Directive into their national laws by 25 May 2011.
• Many members did not meet that deadline and still have not put regulation in place.
• UK enacted regulations requiring opt-in checks as of 26 May 2011 and immediately postponed enforcement for a year.
• When the UK regulation took effect, the UK Information Commissioner’s Office (ICO) urged quick action, but the law was quickly derided as anti-competitive, confusing, and harmful. Eventually, even the ICO took down its cookie opt-in pop-up.
BBC Food: An Example of a Cookie Opt-In (Almost)
David Naylor: An Example of a Cookie Opt-In (Parody)
From http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/#more-2942
How the UK Cookie Law has Played Out – One View
From http://blog.silktide.com/2013/01/the-stupid-cookie-law-is-dead-at-last/#more-2942
What the UK Cookie Law Has Achieved – One Opinion
W3C Tracking Protection Working Group: Background
In Spring 2011, the World Wide Web Consortium (W3C) created its Tracking Protection Working Group to deliver standards for communicating and conforming to website visitors’ privacy preferences.
From the beginning, this was a high-profile group with members from technical fields, governments, and industry associations, but dominated by privacy advocates and advertising industry groups.
W3C Tracking Protection Working Group: The Twists and Turns
Between September 2011 and April 2014, the group’s work has included:
• Multiple drafts of two specifications
  • Tracking preference expression (the Do Not Track (DNT) flag)
  • Website compliance
• 9 face-to-face meetings in Europe and US
• 111 teleconferences
• 242 issues raised
• 447 actions assigned
• 5 co-chairs
• 2 charter extensions
W3C Tracking Protection Working Group: Where Does The Project Stand?
The latest:
• Summer 2013 – Digital Advertising Alliance stand-off forced co-chairs to choose sides. Result: several resignations and group went on hiatus.
• W3C surveyed the remaining working group members to determine how to proceed. Chose to proceed, but losing members and shrinking scope.
• One spec (tracking preference expression) approaching release for public comment
• Meanwhile, all major browsers as well as some software operating systems and utilities are offering the DNT flag as an option or a default. Most websites are ignoring the flag.
W3C Customer Experience Digital Data Community Group
Background
This W3C Project was formed by the merger of two standardization initiatives, one led by Google and Qubit, the other by IBM.
It is being driven primarily by technologists and analysts.
The Group’s mission is to identify a standard framework for analytics data, both for efficiency and to enhance analytics capabilities.
Because much of this data is of a sensitive or private nature, privacy must be addressed along with other standardization issues.
W3C Customer Experience Digital Data Community Group: Standard Analytics Data Object (Current as of Spec. 1)
digitalData
  .PageIdentifier
  .Page
  .Product
  .Transaction
  .Event
  .Component
  .Cart
  .User
  .Version
.ShippingAddress
  SAddrLine1
  SAddrLine2
  City
  State/Province
  Postal Code
  Country
.ShippingAddress.Security
  SAddrLine1: Private
  SAddrLine2: Private
  City: Analytics, Advertising
  State/Province: Analytics, Advertising
  Postal Code: Analytics, Advertising
  Country: Analytics, Advertising
W3C Customer Experience Digital Data Community Group
Permissions Mapping
Example of a mapping table:
  www.calc.com – analytics
  www.adsRus.com – advertising
  www.audit.com – financial
  www.oursite.com – personalization
W3C Customer Experience Digital Data Community Group: Architecture (Current Vision)
[Diagram]
Access Control Layer
Access Permissions Table:
  www.calc.com – analytics
  www.adsRus.com – advertising
  www.audit.com – financial
digitalData
  .PageIdentifier
  .Page
  .Product
  .Transaction
  .Event
  .Component
  .Cart
  .User
  .Version
Requesters shown: www.calc.com, www.BigAds.com
Arrow labels: Request, Data, Request
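The per-field security labels and the permissions table from the preceding slides can be combined into a default-deny release check. The following is an added example, not code from the presentation or from the W3C group's specification; the function name `releaseFor`, the array form of the labels, the lower-cased category names, the default-deny behaviour and the sample address values are assumptions.

```javascript
// Added illustration: an access-control layer over a digitalData section.
// Requester-to-category table from the "Permissions Mapping" slide.
const permissionsTable = new Map([
  ["www.calc.com", "analytics"],
  ["www.adsRus.com", "advertising"],
  ["www.audit.com", "financial"],
  ["www.oursite.com", "personalization"],
]);

// Constructed sample values; labels follow the .ShippingAddress.Security slide.
const shippingAddress = {
  SAddrLine1: "1 Example Street",
  SAddrLine2: "Suite 0",
  City: "Exampleville",
  "State/Province": "EX",
  "Postal Code": "00000",
  Country: "Exampleland",
  Security: {
    SAddrLine1: ["private"],
    SAddrLine2: ["private"],
    City: ["analytics", "advertising"],
    "State/Province": ["analytics", "advertising"],
    "Postal Code": ["analytics", "advertising"],
    Country: ["analytics", "advertising"],
  },
};

// Return only the fields whose label list contains the requester's category.
// Unknown requesters and unlabelled fields get nothing (default deny).
function releaseFor(requesterHost, section) {
  const category = permissionsTable.get(requesterHost);
  const released = {};
  if (category === undefined) return released;
  const labels = section.Security || {};
  for (const [field, value] of Object.entries(section)) {
    if (field === "Security") continue; // never hand out the labels themselves
    const allowed = Object.prototype.hasOwnProperty.call(labels, field) ? labels[field] : [];
    if (allowed.includes(category)) released[field] = value;
  }
  return released;
}

console.log(releaseFor("www.calc.com", shippingAddress));   // city-level fields only
console.log(releaseFor("www.BigAds.com", shippingAddress)); // {} (not in the table)
```
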
W3C Customer Experience Digital Data Community Group
Benefits
In developing the specification with these features, the Group is attempting to set up an analytics data architecture that:
• Provides standardized data to be used by all analytics products
• Is flexible, extensible, and customizable for regions, industries, and organizations
• Offers the potential for more analytics integration (such as web application performance monitoring)
If you are interested in participating in this effort as it moves to the next stage of standardization, contact me.
Anna Long, Founder and Principal Analyst
Web Analytica℠
Email: [email protected]
LinkedIn: linkedin.com/in/annamlong
Twitter: @webbylytical
Cary, NC Washington, DC
919 349-5725