About that claim that detecting Adblock may be illegal

detecting adblock is not illegal

 

Last week Twitter lit up when the European Commission indicated anti-adblocking technologies like BlockAdblock may be “illegal”.

Before getting into why this position is based on a technological misunderstanding of how adblocking detection works and how the EC was led to its position by one agenda-driven privacy entrepreneur, let’s get a little background information out of the way…

 

The 2009 ePrivacy Directive

In 2009 the EC passed the “ePrivacy Directive” as part of their Regulatory Framework for Electronic Communications. Among other things, the ePrivacy Directive requires any website using cookies to get user permission before setting or retrieving any persistent data.

Section 5.3 of the ePrivacy directive (also commonly called the “Cookie Law”) reads as follows:

 “The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…”

 

As you most likely already know, browser “cookies” are persistent, locally stored user-specific data files which survive a single website visit (outside of a standard browser cache), and can be used to identify individual website visitors. Cookies can last for indefinite periods of time. A website can store your user specific data in your browser in the form of a cookie, and access it on your next visit — even months or years later. While some cookies may be used as part of advertising “tracking” systems, others are provide a vital part of basic website functionality allowing for both customization of website services and the ability to store user settings and preferences for subsequent visits.

One must note however that the rule does not use the term “cookie”. Instead, the ePrivacy directive calls for user approval before storing or retrieving “information” on a user’s browser.

But what exactly does “information” mean? Is information restricted to cookies? Might all web content be considered “information”? If so, how about images, fonts and article text? Does that mean that every website on the internet would require permission regardless or cookies?

We’ll get to those questions later.

 

An activist’s spin

Last week’s confusion started when privacy activist, Alexander Hanff revealed his cleverly crafted query to the EC regarding the scope of section 5.3 of the ePrivacy directive. While I don’t have a copy of Hanff’s original request, we can see it referenced here in the EC’s response:

storage what storage

 

Hanff’s strategic (and misplaced) use of the word “storage” intentionally loads the question. By framing the question this way, he suggests that anti-adblock technology works something like a cookie, somehow involving “storage”. Hanff’s entirely misleading premise here is that “scripts”, like cookies, must be stored and retrieved as part of their normal function.

Not so fast.

 

How does Javascript detection work anyway?

Adblock detection scripts (which are almost always “inlined” and do not even exist as separate or distinct files) are no more “stored” than any other piece of web media, and are demonstrably less stored than standard stand-alone javascript (.js) files. At the outset, Hanff’s question mis-represents the basic action of browsers by conflating the unrelated concepts of inline javascript execution with the storing and retrieval of persistent data.

Hanff leads the EC down a circular path by incorrectly asserting that persistent “storage” is part and parcel of a script’s basic function and then reflexively asking if laws governing storage might then apply.

His question is based on a false premise.

It’s important to understand what Adblock detection Javascripts can and can’t do:

  1. Anti Adblock scripts do not (and can not) report specifically which ad blocking plugins are installed on a user’s system. They are not a type of installed software, capable of reporting what users have installed on their systems. As much as I may wish otherwise, Javascript has no way of “knowing” with 100% certainty whether a user is blocking ads — let alone using Adblock, Adblock Plus, AdGuard, Ublock Origin, or any other specific ad blocking plug in. To suggest that an anti-adblocking script is “reading user data” or “reporting on settings” is grossly inaccurate. Javascript knows only what it is permitted to know by the browser.
  2. Anti Adblock scripts can only ever make educated guesses based upon the performance of a user’s browser. Those guesses are made by using the same standard javascript functionality that is used by millions of websites which don’t detect javascript. Javascript feature detection is a vital part of most modern web pages. (We’ll get to some examples below).
  3. Anti Adblock scripts do not require persistent storage (or installation) on a users’ system to function.

 

The EC’s response

Despite Hanff’s obvious misuse of the word “storage”, and his misrepresentation of the behavior of Javascript itself, the Commission clearly didn’t hesitate to lunge at the opportunity to increase the scope of its provision:

Screen Shot 2016-04-25 at 6.27.07 AM

Screen Shot 2016-04-23 at 8.06.01 AM

 

Storage by websites of scripts“?

There are so many things wrong with this it’s hard to know where to begin. Obviously the EC took the ‘bait’ of Hanff’s characterization of scripts being “stored” and leapt to the conclusion that their “Cookie Law” should therefore have bearing on not just cookies, and not just all Javascript — but all web media.

Why is the word “stored” even in the EC’s response? This obvious effort to insert the “square peg” of inline javascript into the “round hole” of the Cookie Law doesn’t even begin to make sense.

To be clear: Anti Adblock scripts do not need to be stored. Nor do they retrieve “stored” information of any kind.

And even if they did…

 

All browsers store media

All website data including images, text, CSS and some javascript are stored in the browser cache with every visit. To be clear: The very act of browsing the web is one and the same as the act of storing and accessing locally stored data via the cache. On any standard web browser window, to browse is to store.

If section 5.3 of the ePrivacy Directive is to be extended to non-cookie information, then the basic activity of web browsing itself (which uses caching) must of course be included. If as the EC now claims, the term “storage” is to be applied to all “information” (ie: any media of any kind) viewed by a web browser, then all websites must ask user permission whether or not they use cookies at all because the basic function of browsing involves storing information. Obviously this falls well outside the intent of the original ruling which centered on cookies and user-specific data, not the basic content of websites themselves.

 

But scripts don’t even need to be stored to execute

Secondly and more importantly, the action of anti-adblock scripts has nothing at all to do with persistent client storage of those scripts. Nor does Javascript have the ability to report on the presence of plugins by virtue of those plugins being stored. Ad blocking plugins alter the behavior of the browser and that behavior is detectable.

Even if the browser didn’t store any javascript across sessions, those scripts would function equally as well.

There is no connection whatsoever between persistent “storage by websites of scripts in users’ terminal equipment” and the function of said scripts.

But that’s not where things really fall apart with Hanff’s (and the EC’s) confused position.

 

All advanced websites detect browser settings and features

As discussed above, due to basic browser security restrictions, Javascript has no ability to ‘report’ plug-in information and can only make educated guesses about which plugins are installed based upon what browsers publicly reveal. The EC clearly misunderstands the mechanism by which anti adblocking scripts function: They are not stored (or installed) — and they do not directly report or reveal system settings like a browser plugin does.

But that doesn’t mean that javascript can’t safely report myriad pieces of browser information. Tens of millions of websites do detect other browser information as part of their normal operation.

Here’s a quick (and incomplete) list of the types of javascript detection that are extremely standard across the Internet:

  • Detecting Flash
  • Detecting Java
  • Detecting the language of the browser
  • Detecting the screen size of the browser window
  • Detecting the screen resolution of the client device
  • Detecting the operating system of the browser
  • Detecting the type of browser
  • Detecting the version of the browser
  • Detecting whether the user is visiting from mobile or desktop
  • Using reverse IP lookup
  • Detecting whether the browser is capable of session storage
  • Detecting whether the browser is HTML5 capable
  • Detecting the color depth of the browser
  • Detecting available system fonts
  • Determining if a browser is touch-capable

I could go on, but you get the point: Javascript detection of browser capabilities is a standard and extremely important part of basic website functionality — without which the functionality of most websites would be reduced to circa 1996.

The means by which web publishers defend themselves against ad blockers is absolutely no different from the above examples of Javascript feature- and browser behavior-detection.

 

More silliness…

Hanff goes on to inquire about Recital 66 of the Citizens’ Rights Directive. Again, both Hanff’s question and the EC’s response show a lack of understanding of the mechanism by which anti-adblock defenses work:

technically unsophisticated

 

Clearly both Hanff and the EC believe that anti-adblock defenses somehow directly access information “stored” within a browser.

To which I would ask: Please identify the specific stored information that is being accessed.

Making an educated guess based on browser behavior is absolutely not the same as accessing stored information. The conclusions reached by the EC are the result of a mischaracterization of anti-adblock defense technology — either intentional or otherwise.

 

The exceptions: It’s all subjective anyway

Lastly: Never mind for a moment that the ePrivacy Directive’s “Cookie Law” should have no bearing whatsoever on anti-adblock defenses which neither access stored data, or represent stored data themselves — the Cookie Law contains footnoted “exceptions” which render the entire law rather uselessly subjective.

exceptions

Number two explicitly states that the law does not apply when the storing of data is “strictly necessary” in order for the provider to provide the service.

Here in the real world of non-taxpayer funded entities, one typically counts the existential financial viability of a newspaper among its necessities. If without advertising revenue the “service” itself would cease to exist, then the defense of vital and life-sustaining revenue streams are clearly “necessary” to provide the service. So even if anti-adblock defenses did “store” and “access” locally stored information (which they do not), it would appear that the ePrivacy Directive would protect the right to store and access data when said actions are “necessary” to provide the service.

 

The irony is

On the other side of the pond it’s quite clear that Adblock Plus and other adblockers are in direct violation of the US DMCA’s anti-circumvention rules. New updates to multiple ad blocking applications continue to bring new, purpose-built anti-access circumvention technologies designed solely to bypass publishers’ access controls to copyrighted content. Still though, much of the publishing industry’s legal firepower continues to aim in the wrong direction by questioning whether ad blocking is legal or not. (Which of course it is. Anti-access circumvention on the other hand, is quite clearly not under the US DMCA).

[As a side note, it was amusing and predictable to see Eyeo shunt its EasyList from the AdblockPlus.org domain over to GitHub in an effort to create a little legal-distance between the two entities last week. Their lawyers would seem to be earning their keep]

I’m looking forward to seeing this issue get legs in the US, where the DMCA tilts the field in the opposite direction.

,

  • booj

    “While some publishers may be going back to their legal teams just to be sure – the majority of publishers offered a quiet, unified yawn.”

    http://www.thedrum.com/opinion/2016/04/22/adblock-detector-legality-debate-not-day-reckoning-publishers-or-win-adblockers

  • While I sympathise with publishers’ need to make a living I have no desire to have ads foisted on me whether I like it or not, particularly those that track me. I don’t mind ads that just sit on the sides minding their own business but I don’t like interstitials or the ones that autoplay in a loop. Advertising is supposed to be about reaching out to the public, not hacking them off.

    • Miranda Blaaaaaaaaake

      While I symathize with shopkeepers need to make a living I have no desire to have prices foisted on me whether I like it or not, particularly prices that seem to high for me. I don’t mind prices that are extremely cheap and fit within my budget. Prices are supposed to be about being affordable, not about being outside my budget.

      • In such instances I take my business elsewhere. That’s how market forces work.

        • Monasa

          Until there is no where else to take your business.

          If you want the new “x”, you can “take your business elsewhere” however much you want; you are still going to pay a fortune for it. Some places have exceptionally low operation costs since they return none of their profits back into your local economy and bring down society as a whole, a.k.a. Amazon, and you may get a better “deal” by ruining the economy… but market forces right?

          And then, because of how much pressure you place on stores that actually contribute to the local economy, they will close out and take jobs away… but you don’t care about those jobs since you’re some high degree white collar worker right?

          And then because fewer people can afford the new “x” YOUR wages start going down and YOUR job stops becoming profitable for the company, so they fire you.

          Then YOU are looking for work, any work, and finding out… we don’t live in a capitalistic nation, we live in a corporate capitalistic nation. There is no where left to take your business to because you bankrupted them all.

          • That’s a bit histrionic, isn’t it? Other business models work and they work perfectly well. There are plenty of other places to take my business to and I do this every day.

          • Monar Davesh

            But when you block ads, you’re not “taking your business” anywhere at all. There is no business. Your leaving represents no loss to the site,

          • Precisely my point. I go to sites that don’t stop me reading their content by using anti-adblockers. Bear in mind that general advertising isn’t a problem, it’s the in-yer-face ones with the malware that I can’t be dealing with. I use adverts myself on my own blog, I just don’t force people to accept them as a condition of visiting it.

          • By that logic, neither does blocking the ads.

  • Diego

    just a little tip, if a site forces me to disable adblock, i search for a different website with the same content, because yeah, content is not exclusive in internet 🙂

    • Senechal2

      No loss.

    • Miranda Blaaaaaaaaake

      Oh.. no…. please don’t take your precious non-ad-viewing self out of the equation.

      • Adam

        He doesn’t need to tbh, he can get Anti-adblock Killer and continue to access anti-adblock sites, while still blocking their ads 😀

    • Obi Obiora

      That’s the point it’s, never been by force , you have always had the choice of finding another site, if you wanted. But whose to say that the other site won’t require you to disable ad block, I guess ultimately market forces will decide who carries the day.

  • Adam

    Long live adblock. We consumers shall not be forced to view ads!

    • Senechal2

      There are 2 options: Free with ads. And not free.

      It’s cool if you’re for the latter.

      • Adam

        Lucky Adblock is free, eh? 🙂

        • Miranda Blaaaaaaaaake

          So were Dodo birds. Delicious too.

          • Adam

            That might have been a fair comparison if not eating Dodo birds meant having to eat rotten eggs instead. Because not using adblock is a horrific experience. May as well be turning the Anti virus off, lol

        • Obi Obiora

          True ad block, shouldn’t be free, if it wasn’t I wonder how many people would actually pay

          • Adam

            I’d happily pay quite a lot for it if I had to. Still beats viewing annoying ads

    • surfgatinho

      In the long run you might have to view ads. How else is quality, up to date content supposed to be provided?
      I’d rather have a few ads than a pay wall…

  • Honestly, it’s a stupid argument. pretty much every modern website on the web now detects browser type and size in order to serve fast loading content, and content that fits the type and size of the browser, if detecting AdBlock is illegal then so is this. Are you ready to go back to the old days of the mobile web? Or must we ask your permission before we can show you tuned content.

    I know, let’s just have multiple popups asking your permission for every segment of our websites, here are some examples:

    Viewport, can we check your browser size?

    Responsive images, can we serve you the best possible image for your device?

    Font size, would you like to be able to read this text?

    Service Workers, (an awesome technology that can allow you to take websites offline), fancy another pop-up?

    Is that really better than ads? Because that’s exactly what every site I run will do if the EU goes further with this, forget the SOPA black-out, this will be much worse.

    • Monar Davesh

      Exactly. The EU bureaucrats don’t exactly understand Javascript. You can’t even make a mobile website without javascript detection.

    • Dolt

      If you are an idiot who thinks “offline webpages” are “the future” please kill yourself.

      I know that nearly 99.99% of all web users are idiots, but a simple client side program is always better. If you want to “save” a webpage, just go “file, save”

      Some pages, of course, are designed stupidly and require wget or even the user manually entering some urls because we LOVE using ajax and sockets to put all the work on the client and none on the server.

      In either case, we’re talking about a technology that was created FOR idiots who use the internet to run javascript programs rather than simply have a collection of real programs.

      • What the hell are you on about? I suggest you research what I am talking about before you call other people an idiot.

        Getting some knowledge in your brain before spouting out will be very useful.

        Offline webpages are the future of the internet, you want to know why? Because mobile is the future of the internet. Case closed. (hopefully, you can put two and two together and work out the rest for yourself, because I anit about to explain why offline pages are useful on mobile to an idiot lol).

      • Xinef

        I see a solution that both respects privacy and is simple to use.

        1. Websites need user permission to do ANYTHING on the user’s computer. To store anything (even to store the html file in RAM), to run any scripts, etc.
        2. Users configure their browser telling it what they permit and what they don’t. The browser uses this configuration to display the page the way the user wants, and may if necessary inform the server about those permissions (of course if the user permits the browser to share this information).

        To make it as simple to use as possible, the user would set DEFAULT permissions to use for any website. Then, he could set per-website permissions if he permits certain websites to do things that other websites are not permitted to do. And he could also define general rules that apply to some websites and don’t to others.

        Just like by default you don’t allow strangers into your home at all, but you might allow some (e.g. a gardener or postman) into your courtyard, and others into your dining room. And they’re only allowed to do things that you allow them, case-by-case, to do when on your property. And you can set default rules such as “anyone invited to your living room can also use the chairs” or “anyone invited into the kitchen can also use the fridge”.

        This way you’re still in total control of everything, but you don’t have to tell every single website that it is allowed to use cookies. The browser does it for you.

        And of course for the idiots there would be “suggested permission configurations”, ready to use. And don’t tell me configuring permissions is too hard for lay people. 99% of the people I know are capable of specifying who is allowed into their house and who isn’t, and what they’re allowed to do when inside. With browsers it isn’t that much different.

  • Steve Burrows

    Wow, you really do seem to have a rather limited understanding of data & computer law. Your arguments are frankly a bit irrelevant and you rely on limited interpretation of partial clauses to seek false exceptions instead of actually looking for compliance with the law. There are probably valid arguments which can be put forward in favour of anti ad-blockers, but you don’t seem to have found them yet.

    Which is, like your current arguments, irrelevant. The EU has shown repeatedly that, where data protection and e-privacy are concerned, if someone circumvents the current wording they will produce new wording and push it through. The only answer is for advertisers to get more professional about there advertising, less intrusive, and for the industry to drive out the bad boys – otherwise users and regulators will continue to tar all with the same brush – a small step up the evolutionary chain than spammers.

    Personally I’ve no problem with anti-adblocking – it’s no different to telling me I can’t read some content until I agree to pay for it, which seems quite fair, but the only way this gets fixed is by responsible advertising – no pop-ups, no click-jacking etc. – probably including criminal imprisonment sentences for anyone involved in the latter.

    • Monar Davesh

      “The EU has shown repeatedly that, where data protection and e-privacy are concerned, if someone circumvents the current wording they will produce new wording and push it through”

      No. That is absolutely not how the law works here. You must be living in some ‘other’ Europe. Laws are carefully written to mean what they say they mean. Not what you want them to mean.

  • Chilly8

    that depends on where the site is hosted. if the site is not hosted in Europe, then it is not subject to European law.

  • Chilly8

    the DMCA only applies if you do it for commercial or private financial gain. So someone circumventing anti-ablock technologies in their home without any intent to make money is not breaking the law.

    • Petal

      You’re confusing two different laws.

  • surfgatinho

    Would the EU view browser caching as unscrupulous website owners storing their data on users’ devices without their explicit permission?!