Browser security with privacy settings, Data Protection Regulation

Are browser based privacy settings a good idea?

On 10 January 2017, the European Commission announced the publication of its draft Regulation on Privacy and Electronic Communications (commonly known as the ‘ePrivacy Regulation’). Among its major proposals is replacing pop-up/banner cookie warnings on websites with browser-specific privacy settings. Full details can be found here.


ePrivacy Regulation and EU General Data Protection Regulation

It is important to understand how this proposal relates to the General Data Protection Regulation (GDPR). According to the European Commission fact sheet on the subject, the GDPR focuses on data protection for individuals. It was adopted in 2016 and its provisions apply from May 2018. The GDPR will enable users to better control their personal data. However, it only applies to the processing of personal data of individuals; it does not cover business-to-business communication, or communication between individuals, that does not include personal data. The proposed EU Regulation on Privacy and Electronic Communications complements the GDPR and ensures the fundamental right to respect for private life with regard to communications.

The new rules also give citizens and companies specific rights and protections that the GDPR does not provide. For instance, they guarantee the confidentiality and integrity of users’ devices (laptops, smartphones, tablets): such devices should only be accessed if the user has given permission. The proposed Regulation also seeks to align privacy rules with the recently adopted GDPR, for example by relying on its definitions, and it repeals the security obligations in the current ePrivacy Directive that have become redundant because similar provisions now exist in the GDPR.

Pros and cons

The draft ePrivacy Regulation intends that browsers apply privacy by default and would no longer accept cookies as standard. The legislators consider this acceptable because, they argue, there are now more technical options for protecting privacy. Advertising agencies, on the other hand, see the proposal as a bad thing, because it would make online ads far less relevant and interesting: little or no useful information would be stored in cookies any more. There are, however, other reasons why these privacy regulations are not a good idea.

False sense of security

Cookies are not only used for tracking but also for the core functionality of a website; think of remembering the items in a shopping cart. In most countries these are classified as ‘functional cookies’ as opposed to ‘tracking cookies’. The current proposal states that the storage of all cookies should be blocked by default. Blocking all cookies is not workable, however, because websites would simply stop working, so browsers would need to offer an option to reject only tracking cookies. This presupposes that functional and tracking cookies are easy to tell apart. They are not: apart from a few properties such as the cookie’s name, or whether it was set from a third-party domain, nothing in the cookie itself reveals its purpose. A first-party session cookie holding a cart identifier and one holding an analytics identifier are structurally identical. The techniques available to browsers today are therefore not good enough on their own to guard privacy to the extent the proposal requires.
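To make the classification problem concrete, here is an added example (not code from the original article) that parses Set-Cookie headers the way a browser receives them and applies the only signals a browser actually has: cross-site context, lifetime and a small, assumed list of well-known tracker cookie names. The host names and headers are constructed; the simplified “same site” check and the name list are assumptions made for illustration.

```javascript
// Added example (not from the original article): what a browser can and cannot
// learn about a cookie's purpose from the Set-Cookie header alone.
// Sample headers and host names below are constructed for illustration.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are lower-cased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  if (parts.length === 0) throw new Error('empty Set-Cookie header');
  const [nameValue, ...rest] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const attr of rest) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Simplified "same site" check: compare the last two host labels.
// A real browser consults the public suffix list (co.uk etc.); this does not.
function sameRegistrableDomain(hostA, hostB) {
  const tail = (h) => h.replace(/^\./, '').toLowerCase().split('.').slice(-2).join('.');
  return tail(hostA) === tail(hostB);
}

const ONE_YEAR_SECONDS = 60 * 60 * 24 * 365;
// Assumed, deliberately short list of cookie-name prefixes used by widely
// deployed analytics and advertising scripts; purely a heuristic.
const KNOWN_TRACKER_NAMES = /^(_ga|_gid|_gat|_fbp|__utm)/;

// pageHost: the site the user is visiting; setterHost: the host whose response
// carried the Set-Cookie header. Returns the signals found and a verdict.
function classifyCookie(header, pageHost, setterHost) {
  const cookie = parseSetCookie(header);
  const signals = [];
  if (!sameRegistrableDomain(pageHost, setterHost)) signals.push('third-party');
  let longLived = false;
  if (cookie.attrs['max-age'] !== undefined && Number(cookie.attrs['max-age']) > ONE_YEAR_SECONDS) longLived = true;
  if (cookie.attrs.expires !== undefined) {
    const t = Date.parse(cookie.attrs.expires);
    if (!Number.isNaN(t) && t - Date.now() > ONE_YEAR_SECONDS * 1000) longLived = true;
  }
  if (longLived) signals.push('long-lived');
  if (KNOWN_TRACKER_NAMES.test(cookie.name)) signals.push('known-tracker-name');
  // Only cross-site context or a recognised name gives a confident answer;
  // a first-party cookie with an opaque value stays undecidable.
  const verdict = signals.includes('third-party') || signals.includes('known-tracker-name')
    ? 'likely-tracking'
    : 'undecidable';
  return { name: cookie.name, signals, verdict };
}

// Constructed samples: a cart cookie and a first-party analytics ID look the same.
const SAMPLES = [
  { header: 'cart=3f9ac1d2; Path=/; Secure; HttpOnly; SameSite=Lax', page: 'shop.example', setter: 'shop.example' },
  { header: 'uid=7c2b9e44; Path=/; Secure; HttpOnly; SameSite=Lax', page: 'shop.example', setter: 'shop.example' },
  { header: 'id=ab12cd34; Domain=.ads.example; Path=/; Max-Age=63072000; Secure; SameSite=None', page: 'shop.example', setter: 'ads.example' },
];

function classifySamples() {
  return SAMPLES.map((s) => classifyCookie(s.header, s.page, s.setter));
}

for (const r of classifySamples()) console.log(r.name, r.verdict, r.signals.join(','));
```

The third-party cookie is flagged on context and lifetime alone, which is exactly what browsers have been doing with “block third-party cookies”. The two first-party cookies come back undecidable: the cart cookie and the analytics identifier differ only in their name, and a site is free to call its analytics cookie `cart`. Any browser-side filter either blocks both (breaking the site) or allows both (tracking continues).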

In addition, cookies are not the only way to store or transmit sensitive information. Through components such as session storage and local storage, but also through methods such as loading (external) resources whose URLs carry data, information can be transferred to a third party outside the user’s control. Browsers will never be able to monitor and control all of these channels.
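The following added example (not code from the original article) shows how little a cookie block achieves against the channels just named. Node has no `window.localStorage`, so a minimal in-memory `MemoryStorage` stands in for the Web Storage API; the tracker host `metrics.example`, the page URLs and the ID generator are all constructed for the example.

```javascript
// Added example (not from the original article): an identifier that survives a
// total cookie block. Node has no window.localStorage, so MemoryStorage stands
// in for it; the tracker host, page URLs and the ID generator are constructed.

// Minimal stand-in for the Web Storage API (getItem/setItem/removeItem).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
  values() { return [...this.items.values()]; }
}

const TRACKER_HOST = 'metrics.example'; // hypothetical third party

// What an embedded tracker script does on each page load: reuse the stored
// visitor ID (or mint one) and ship it out in the URL of an ordinary image
// request. document.cookie is never touched, so a cookie block changes nothing.
function trackerPageLoad(storage, pageUrl, newId) {
  let id = storage.getItem('visitor_id');
  if (id === null) {
    id = newId();
    storage.setItem('visitor_id', id);
  }
  const beacon = `https://${TRACKER_HOST}/pixel.gif?v=${encodeURIComponent(id)}&u=${encodeURIComponent(pageUrl)}`;
  return { id, beacon };
}

// Two visits by the same browser; the ID is the same on both.
function simulateVisits() {
  const storage = new MemoryStorage();
  let counter = 0;
  const newId = () => `v${++counter}`; // deterministic stand-in for crypto.randomUUID()
  const visits = [
    trackerPageLoad(storage, 'https://shop.example/cart', newId),
    trackerPageLoad(storage, 'https://shop.example/checkout', newId),
  ];
  return { storage, visits };
}

// Audit view: which outgoing requests to other hosts carry a value that is
// stored locally? This only catches values sent verbatim as query parameters;
// an ID placed in the path, hashed, or encoded differently slips through,
// which is the article's point about browsers not controlling every channel.
function findLeakedValues(requestUrls, storage, firstPartyHost) {
  const stored = new Set(storage.values());
  const leaks = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (url.hostname === firstPartyHost) continue;
    for (const [param, value] of url.searchParams) {
      if (stored.has(value)) leaks.push({ host: url.hostname, param, value });
    }
  }
  return leaks;
}

const sample = simulateVisits();
console.log(findLeakedValues(sample.visits.map((v) => v.beacon), sample.storage, 'shop.example'));
```

The audit function is the optimistic case: it knows which values are in storage and only has to match them against query strings. A browser that wants to enforce “no tracking” generically has neither piece of information in a reliable form.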

The ‘do not track’ functionality in today’s browsers also does not meet the requirements of the proposal. This setting lets users state whether they want to be tracked (i.e. tracking cookies enabled) or not. The limitation is that the browser only provides the form (or its equivalent) in which the user records that preference, and then sends the preference along with each request; it is the website owner who must ensure that the choice is respected and actually acted upon. In other words, a browser setting does not guarantee that no tracking data will be sent, even though the user has expressed the intent not to be tracked. The responsibility and technical effort on the website owner’s side does not change when a do-not-track function is implemented in the browser as a statutory compliance measure.
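To show where the decision actually falls, here is an added example (not code from the original article) of the server side of Do Not Track. The browser contributes one request header, `DNT: 1`; everything else is a policy choice of the site operator, modelled here by an assumed `honourDnt` switch. The handler is a plain function (request headers in, response headers out) and the cookie names are made up for the example.

```javascript
// Added example (not from the original article): the server side of Do Not
// Track. The browser only sends "DNT: 1"; whether anything changes is decided
// here. The handler is a plain function (headers in, headers out); the cookie
// names and the honourDnt switch are assumptions.

// DNT is a request header; header names are case-insensitive.
function dntRequested(requestHeaders) {
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (name.toLowerCase() === 'dnt') return String(value).trim() === '1';
  }
  return false;
}

// honourDnt models the site operator's policy choice. Returns the response
// headers, including the Tk header from the W3C Tracking Preference
// Expression draft: N = not tracking, T = tracking, D = disregarding DNT.
function buildResponse(requestHeaders, { honourDnt }) {
  const optOut = dntRequested(requestHeaders);
  const setCookie = [
    // Functional session cookie: the cart needs it, DNT or not.
    'session=s1; Path=/; Secure; HttpOnly; SameSite=Lax',
  ];
  let tk = 'T';
  if (honourDnt && optOut) {
    tk = 'N';
  } else {
    // Tracking cookie: emitted unless the operator chooses to honour DNT.
    setCookie.push('tracker=t1; Path=/; Max-Age=63072000; Secure; SameSite=None');
    if (optOut) tk = 'D';
  }
  return { status: 200, headers: { 'Set-Cookie': setCookie, Tk: tk } };
}

function setsTrackingCookie(response) {
  return response.headers['Set-Cookie'].some((c) => c.startsWith('tracker='));
}

// Same request, two operators: the user's setting is identical, the outcome is not.
const request = { Host: 'shop.example', DNT: '1' };
console.log('honoured :', setsTrackingCookie(buildResponse(request, { honourDnt: true })));
console.log('ignored  :', setsTrackingCookie(buildResponse(request, { honourDnt: false })));
```

Nothing in the browser can tell the two responses apart without inspecting what came back; the user’s choice is only as good as the code path that reads `dntRequested`. Note also that the functional session cookie is set in both branches, which is the distinction a browser-side block cannot make.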


Displacement of the problem

The proposed data protection through a do-not-track browser setting is far too general, because it has to work for all websites. Users cannot choose which companies handle the personal information they provide properly and transparently, with respect to their privacy wishes and data-collection permissions, across multiple channels. It is an all-or-nothing situation, especially as many companies still do not ask for permission in the right way, or at all. This will again cause a lot of confusion, frustration and poor customer journeys, with many end users asking “I thought I had already done that?!” Would it not be better to keep the governing and guarding of privacy the responsibility of the party processing the information, rather than moving it to an application on the user’s end? Data handlers should give end users the means to grant explicit permission, to refuse, and to easily withdraw from any data gathering that affects their privacy. Investing in a browser setting moves the problem to end users, who will often decide on the basis of incomplete or incorrect information, or worse, just click to dismiss what they perceive as yet another annoying advert or banner. Privacy is too important to leave to a browser setting.

There is a lot of good intent in the GDPR and the ePrivacy Regulation to help protect personal data generated across channels. Together they will help drive a much-needed cultural shift around personal and sensitive data. In addition to obtaining the explicit permission described above, companies must also be able to make clear the purpose of the data collection, and all end users must be able to have their data removed from every system to which it has been sent. This is a grand and far from trivial challenge that requires much more control over the infrastructure than is available today; it goes far beyond what a browser setting can facilitate.

Customer perception of data privacy and regulation

The 360 customer view and data privacy

The last decade has shown rapid growth in citizens’ concern about data privacy. Policy makers have made every effort to respond to that concern, and as a consequence regulations on data processing are being tightened. How do these changes affect data-driven organisations?

Customer perception of data privacy

Historically, the word privacy has a strong physical connotation, as in ‘the privacy of her own home’. It is broadly considered a normal requisite of daily life, if not a legal right. In the data era this has changed drastically: privacy is no longer only ‘physical’ but also ‘virtual’. It is about the protection of personal data and the right to preserve anonymity. To that extent it still relates to a person’s comfort zone, although that zone is becoming increasingly difficult to define. A comparison may illustrate this. Recent academic research on the perception of sustainability found that people act more to avoid a concrete loss than to gain an abstract benefit. In one experiment, respondents preferred cheaper tomatoes, yoghurt and coffee over products carrying the EKO hallmark (the Dutch label for organic products). That changed when the choice was between a cheaper product with a red cross through the EKO label and the standard product, whether the latter carried a positive sustainability hallmark or none: then the preference shifted towards the more expensive product. Unfortunately there is no such thing as an authorised red cross through data privacy. Respected brands might substitute for it by making the protection of personal data part of their set of values. But at the end of the day consumers will expect privacy to be a normal product feature, just as a Tesla is sold without a petrol tank. Put differently, making data privacy an integral part of any proposition and being transparent about it is the only way forward: privacy by design!

Regulation

The European General Data Protection Regulation (GDPR) that is about to come into force fits seamlessly into that trend. It strengthens the position of EU citizens with regard to their data, makes tough demands on organisations that collect data, and raises the financial sanctions for infringing the regulation. Among the ‘civil’ rights the GDPR establishes are easier access to one’s personal data, transparency about how these data are processed and the possibility to explicitly object to it, data portability (transfer of data to third parties) and the right to be forgotten. For many institutions the processing measures in the GDPR set new obligations, such as registering data breaches, appointing a dedicated Data Protection Officer and introducing data protection impact assessments. These boundary conditions, however, pale in comparison to how data management systems are going to be affected by the rights described above.

Data governance

The explosion of generated data in the last decade has also given rise to the ambition of a ‘360 degree customer view’. More data allows for better insights, may open up new points of view or simply feed already available predictive models. State-of-the-art data processing capabilities are an important requirement for realising that ambition, and not only to integrate data from different sources. Above all, these capabilities are necessary to reach a more sophisticated level of data governance: privacy by design. To become compliant with the GDPR and gain customer acceptance, a new approach to data management is a conditio sine qua non. In the near future, data processors will not only be accountable for what they do, but will also have to actively support full transparency on what data they process and for what purposes it is used (e.g. profiling), as well as adequate data security. The only foundation for this approach is explicit consent given by the person whose data are at stake, and stringent administration of that consent that distinguishes between different levels, e.g. providing anonymous or personal data (customer vs. operator in control), having data deleted instantly (the right to be forgotten) or transferring it externally (data portability). With that in place, the new functionalities created by the GDPR are within reach.

Conclusion

Having consent administration in order, just as organisations record an address or a date of birth on their customer records, is the basic condition for compliant data governance. This may drive data stream management technology to provide building blocks for embedding core data privacy functionality in data governance, such as:

– in-memory data collection and selective storage

– encryption of data during processing

– access to all data streams restricted to the Data Protection Officer

– in-house deployment of data streams (vs. cloud)

– extensive change logging

Finally, this approach will also facilitate external audits to prove the conse
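As an added example (not code from the original article) of the consent administration described in the data governance section and of the change logging listed above, the following ledger records consent per subject and per purpose, lets it be withdrawn or erased, keeps an append-only log of every change, and is consulted before any processing step runs. The purpose names, subject identifiers, deterministic clock and lawful-basis labels are all assumptions made for the example, not a mapping of GDPR terms.

```javascript
// Added example (not from the original article): consent administration as a
// gate in front of processing, with purpose-level grants, withdrawal, erasure
// and an append-only change log. Purpose names, subject IDs and the clock are
// constructed; the lawful-basis labels are an assumption, not a GDPR mapping.

const PURPOSES = new Set(['service', 'analytics', 'profiling', 'transfer_external']);

class ConsentLedger {
  constructor(clock = () => Date.now()) {
    this.records = new Map(); // subjectId -> Map(purpose -> { granted, basis })
    this.log = [];            // append-only: never edited, never truncated
    this.clock = clock;
  }
  _append(event) {
    this.log.push({ seq: this.log.length, at: this.clock(), ...event });
  }
  grant(subjectId, purpose, basis = 'consent') {
    if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    const rec = this.records.get(subjectId) || new Map();
    rec.set(purpose, { granted: true, basis });
    this.records.set(subjectId, rec);
    this._append({ type: 'grant', subjectId, purpose, basis });
  }
  withdraw(subjectId, purpose) {
    const rec = this.records.get(subjectId);
    if (rec && rec.has(purpose)) rec.set(purpose, { granted: false, basis: null });
    this._append({ type: 'withdraw', subjectId, purpose });
  }
  // Right to be forgotten: the record goes, the fact that it went is logged.
  erase(subjectId) {
    this.records.delete(subjectId);
    this._append({ type: 'erase', subjectId });
  }
  mayProcess(subjectId, purpose) {
    const rec = this.records.get(subjectId);
    const entry = rec && rec.get(purpose);
    return Boolean(entry && entry.granted);
  }
  history(subjectId) {
    return this.log.filter((e) => e.subjectId === subjectId);
  }
}

// Every processing step asks the ledger first; no active consent, no processing.
function processForPurpose(ledger, subjectId, purpose, work) {
  if (!ledger.mayProcess(subjectId, purpose)) {
    return { processed: false, reason: `no active consent for ${purpose}` };
  }
  return { processed: true, result: work() };
}

// Walk one customer through grant, withdrawal and erasure.
function demo() {
  let t = 0;
  const ledger = new ConsentLedger(() => ++t); // deterministic clock for the example
  ledger.grant('cust-42', 'service', 'contract');
  ledger.grant('cust-42', 'analytics');
  const profiling = processForPurpose(ledger, 'cust-42', 'profiling', () => 'score');
  ledger.withdraw('cust-42', 'analytics');
  const analytics = processForPurpose(ledger, 'cust-42', 'analytics', () => 'report');
  ledger.erase('cust-42');
  return { ledger, profiling, analytics };
}

console.log(demo().ledger.history('cust-42'));
```

The point of keeping the log separate from the records is that erasure removes the personal data but not the evidence that consent existed, was withdrawn and was honoured, which is what an external audit of the kind mentioned above would ask for.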