Last week Twitter lit up when the European Commission indicated anti-adblocking technologies like BlockAdblock may be “illegal”.
Before getting into why this position is based on a technological misunderstanding of how adblocking detection works and how the EC was led to its position by one agenda-driven privacy entrepreneur, let’s get a little background information out of the way…
The 2009 ePrivacy Directive
In 2009 the EC passed the “ePrivacy Directive” as part of their Regulatory Framework for Electronic Communications. Among other things, the ePrivacy Directive requires any website using cookies to get user permission before setting or retrieving any persistent data.
Section 5.3 of the ePrivacy directive (also commonly called the “Cookie Law”) reads as follows:
“The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…”
As you most likely already know, browser “cookies” are persistent, locally stored user-specific data files which survive a single website visit (outside of a standard browser cache), and can be used to identify individual website visitors. Cookies can last for indefinite periods of time. A website can store your user specific data in your browser in the form of a cookie, and access it on your next visit — even months or years later. While some cookies may be used as part of advertising “tracking” systems, others are provide a vital part of basic website functionality allowing for both customization of website services and the ability to store user settings and preferences for subsequent visits.
One must note however that the rule does not use the term “cookie”. Instead, the ePrivacy directive calls for user approval before storing or retrieving “information” on a user’s browser.
But what exactly does “information” mean? Is information restricted to cookies? Might all web content be considered “information”? If so, how about images, fonts and article text? Does that mean that every website on the internet would require permission regardless or cookies?
We’ll get to those questions later.
An activist’s spin
Last week’s confusion started when privacy activist, Alexander Hanff revealed his cleverly crafted query to the EC regarding the scope of section 5.3 of the ePrivacy directive. While I don’t have a copy of Hanff’s original request, we can see it referenced here in the EC’s response:
Hanff’s strategic (and misplaced) use of the word “storage” intentionally loads the question. By framing the question this way, he suggests that anti-adblock technology works something like a cookie, somehow involving “storage”. Hanff’s entirely misleading premise here is that “scripts”, like cookies, must be stored and retrieved as part of their normal function.
Not so fast.
Hanff leads the EC down a circular path by incorrectly asserting that persistent “storage” is part and parcel of a script’s basic function and then reflexively asking if laws governing storage might then apply.
His question is based on a false premise.
- Anti Adblock scripts do not require persistent storage (or installation) on a users’ system to function.
The EC’s response
“Storage by websites of scripts“?
To be clear: Anti Adblock scripts do not need to be stored. Nor do they retrieve “stored” information of any kind.
And even if they did…
All browsers store media
But scripts don’t even need to be stored to execute
There is no connection whatsoever between persistent “storage by websites of scripts in users’ terminal equipment” and the function of said scripts.
But that’s not where things really fall apart with Hanff’s (and the EC’s) confused position.
All advanced websites detect browser settings and features
- Detecting Flash
- Detecting Java
- Detecting the language of the browser
- Detecting the screen size of the browser window
- Detecting the screen resolution of the client device
- Detecting the operating system of the browser
- Detecting the type of browser
- Detecting the version of the browser
- Detecting whether the user is visiting from mobile or desktop
- Using reverse IP lookup
- Detecting whether the browser is capable of session storage
- Detecting whether the browser is HTML5 capable
- Detecting the color depth of the browser
- Detecting available system fonts
- Determining if a browser is touch-capable
Hanff goes on to inquire about Recital 66 of the Citizens’ Rights Directive. Again, both Hanff’s question and the EC’s response show a lack of understanding of the mechanism by which anti-adblock defenses work:
Clearly both Hanff and the EC believe that anti-adblock defenses somehow directly access information “stored” within a browser.
To which I would ask: Please identify the specific stored information that is being accessed.
Making an educated guess based on browser behavior is absolutely not the same as accessing stored information. The conclusions reached by the EC are the result of a mischaracterization of anti-adblock defense technology — either intentional or otherwise.
The exceptions: It’s all subjective anyway
Lastly: Never mind for a moment that the ePrivacy Directive’s “Cookie Law” should have no bearing whatsoever on anti-adblock defenses which neither access stored data, or represent stored data themselves — the Cookie Law contains footnoted “exceptions” which render the entire law rather uselessly subjective.
Number two explicitly states that the law does not apply when the storing of data is “strictly necessary” in order for the provider to provide the service.
Here in the real world of non-taxpayer funded entities, one typically counts the existential financial viability of a newspaper among its necessities. If without advertising revenue the “service” itself would cease to exist, then the defense of vital and life-sustaining revenue streams are clearly “necessary” to provide the service. So even if anti-adblock defenses did “store” and “access” locally stored information (which they do not), it would appear that the ePrivacy Directive would protect the right to store and access data when said actions are “necessary” to provide the service.
The irony is
On the other side of the pond it’s quite clear that Adblock Plus and other adblockers are in direct violation of the US DMCA’s anti-circumvention rules. New updates to multiple ad blocking applications continue to bring new, purpose-built anti-access circumvention technologies designed solely to bypass publishers’ access controls to copyrighted content. Still though, much of the publishing industry’s legal firepower continues to aim in the wrong direction by questioning whether ad blocking is legal or not. (Which of course it is. Anti-access circumvention on the other hand, is quite clearly not under the US DMCA).
[As a side note, it was amusing and predictable to see Eyeo shunt its EasyList from the AdblockPlus.org domain over to GitHub in an effort to create a little legal-distance between the two entities last week. Their lawyers would seem to be earning their keep]
I’m looking forward to seeing this issue get legs in the US, where the DMCA tilts the field in the opposite direction.