About that claim that detecting Adblock may be illegal
Last week Twitter lit up when the European Commission indicated anti-adblocking technologies like BlockAdblock may be “illegal”.
Before getting into why this position is based on a technological misunderstanding of how adblocking detection works and how the EC was led to its position by one agenda-driven privacy entrepreneur, let’s get a little background information out of the way…
The 2009 ePrivacy Directive
In 2009 the EC passed the “ePrivacy Directive” as part of their Regulatory Framework for Electronic Communications. Among other things, the ePrivacy Directive requires any website using cookies to get user permission before setting or retrieving any persistent data.
Section 5.3 of the ePrivacy directive (also commonly called the “Cookie Law”) reads as follows:
“The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent…”
As you most likely already know, browser “cookies” are persistent, locally stored, user-specific data files which survive a single website visit (outside of a standard browser cache), and can be used to identify individual website visitors. Cookies can last for indefinite periods of time. A website can store your user-specific data in your browser in the form of a cookie, and access it on your next visit — even months or years later. While some cookies may be used as part of advertising “tracking” systems, others provide a vital part of basic website functionality, allowing for both customization of website services and the ability to store user settings and preferences for subsequent visits.
One must note however that the rule does not use the term “cookie”. Instead, the ePrivacy directive calls for user approval before storing or retrieving “information” on a user’s browser.
But what exactly does “information” mean? Is information restricted to cookies? Might all web content be considered “information”? If so, how about images, fonts and article text? Does that mean that every website on the internet would require permission regardless of cookies?
We’ll get to those questions later.
An activist’s spin
Last week’s confusion started when privacy activist Alexander Hanff revealed his cleverly crafted query to the EC regarding the scope of section 5.3 of the ePrivacy directive. While I don’t have a copy of Hanff’s original request, we can see it referenced here in the EC’s response:
Hanff’s strategic (and misplaced) use of the word “storage” intentionally loads the question. By framing the question this way, he suggests that anti-adblock technology works something like a cookie, somehow involving “storage”. Hanff’s entirely misleading premise here is that “scripts”, like cookies, must be stored and retrieved as part of their normal function.
Not so fast.
Hanff leads the EC down a circular path by incorrectly asserting that persistent “storage” is part and parcel of a script’s basic function and then reflexively asking if laws governing storage might then apply.
His question is based on a false premise.
- Anti Adblock scripts do not require persistent storage (or installation) on a user’s system to function.
The EC’s response
“Storage by websites of scripts”?
To be clear: Anti Adblock scripts do not need to be stored. Nor do they retrieve “stored” information of any kind.
And even if they did…
All browsers store media
But scripts don’t even need to be stored to execute
There is no connection whatsoever between persistent “storage by websites of scripts in users’ terminal equipment” and the function of said scripts.
But that’s not where things really fall apart with Hanff’s (and the EC’s) confused position.
All advanced websites detect browser settings and features
- Detecting Flash
- Detecting Java
- Detecting the language of the browser
- Detecting the screen size of the browser window
- Detecting the screen resolution of the client device
- Detecting the operating system of the browser
- Detecting the type of browser
- Detecting the version of the browser
- Detecting whether the user is visiting from mobile or desktop
- Using reverse IP lookup
- Detecting whether the browser is capable of session storage
- Detecting whether the browser is HTML5 capable
- Detecting the color depth of the browser
- Detecting available system fonts
- Determining if a browser is touch-capable
Hanff goes on to inquire about Recital 66 of the Citizens’ Rights Directive. Again, both Hanff’s question and the EC’s response show a lack of understanding of the mechanism by which anti-adblock defenses work:
Clearly both Hanff and the EC believe that anti-adblock defenses somehow directly access information “stored” within a browser.
To which I would ask: Please identify the specific stored information that is being accessed.
Making an educated guess based on browser behavior is absolutely not the same as accessing stored information. The conclusions reached by the EC are the result of a mischaracterization of anti-adblock defense technology — either intentional or otherwise.
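The kind of behaviour-based inference described above can be illustrated with a bait-element check. This is an added example, not code from the original post or from BlockAdblock; the class names, the `detectBlocker` and `audit` helpers, and the fake document used to run it under Node are assumptions made for illustration.

```javascript
// Added illustration, not BlockAdblock's code: bait-element detection.
// Assumption: a content blocker's cosmetic filters hide elements whose class
// names look ad-related. The class names below are constructed samples.
const BAIT_CLASSES = "adsbox ad-banner ad-placement";

function detectBlocker(doc) {
  const bait = doc.createElement("div");
  bait.className = BAIT_CLASSES;
  bait.style.cssText = "position:absolute;left:-9999px;width:1px;height:1px";
  doc.body.appendChild(bait);
  // The "educated guess": an untouched 1x1 element has layout height; one
  // hidden by a filter reports zero height or no offsetParent.
  const hidden = bait.offsetHeight === 0 || bait.offsetParent === null;
  doc.body.removeChild(bait);
  return hidden;
}

// Stand-in for a browser document so the check runs under Node. A Proxy logs
// every property read on the document, so the audit can show whether
// document.cookie was ever consulted.
function makeFakeDocument(blockerActive) {
  const touched = [];
  const body = {
    appendChild(el) {
      // Simulated cosmetic filter keyed on ad-like class names.
      const hide = blockerActive && /\bads?box\b|\bad-/.test(el.className);
      el.offsetHeight = hide ? 0 : 1;
      el.offsetParent = hide ? null : body;
    },
    removeChild() {},
  };
  const target = {
    body,
    createElement: () => ({ className: "", style: {} }),
    cookie: "session=constructed-value",
  };
  const doc = new Proxy(target, {
    get(t, prop) {
      touched.push(String(prop));
      return t[prop];
    },
  });
  return { doc, touched };
}

function audit(blockerActive) {
  const { doc, touched } = makeFakeDocument(blockerActive);
  const detected = detectBlocker(doc);
  return { detected, touched, readCookie: touched.includes("cookie") };
}

console.log(audit(true), audit(false));
```

In a browser, `detectBlocker(document)` is the only call needed; the fake document exists only so the audit of touched properties runs offline.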
The exceptions: It’s all subjective anyway
Lastly: Never mind for a moment that the ePrivacy Directive’s “Cookie Law” should have no bearing whatsoever on anti-adblock defenses, which neither access stored data nor represent stored data themselves — the Cookie Law contains footnoted “exceptions” which render the entire law rather uselessly subjective.
Number two explicitly states that the law does not apply when the storing of data is “strictly necessary” in order for the provider to provide the service.
Here in the real world of non-taxpayer funded entities, one typically counts the existential financial viability of a newspaper among its necessities. If without advertising revenue the “service” itself would cease to exist, then the defense of vital and life-sustaining revenue streams is clearly “necessary” to provide the service. So even if anti-adblock defenses did “store” and “access” locally stored information (which they do not), it would appear that the ePrivacy Directive would protect the right to store and access data when said actions are “necessary” to provide the service.
The irony is
On the other side of the pond it’s quite clear that Adblock Plus and other adblockers are in direct violation of the US DMCA’s anti-circumvention rules. New updates to multiple ad blocking applications continue to bring new, purpose-built anti-access circumvention technologies designed solely to bypass publishers’ access controls to copyrighted content. Still, much of the publishing industry’s legal firepower continues to aim in the wrong direction by questioning whether ad blocking is legal or not. (Which of course it is. Anti-access circumvention, on the other hand, is quite clearly not under the US DMCA).
[As a side note, it was amusing and predictable to see Eyeo shunt its EasyList from the AdblockPlus.org domain over to GitHub in an effort to create a little legal distance between the two entities last week. Their lawyers would seem to be earning their keep.]
I’m looking forward to seeing this issue get legs in the US, where the DMCA tilts the field in the opposite direction.
38 Replies to “About that claim that detecting Adblock may be illegal”
“While some publishers may be going back to their legal teams just to be sure – the majority of publishers offered a quiet, unified yawn.”
While I sympathise with publishers’ need to make a living I have no desire to have ads foisted on me whether I like it or not, particularly those that track me. I don’t mind ads that just sit on the sides minding their own business but I don’t like interstitials or the ones that autoplay in a loop. Advertising is supposed to be about reaching out to the public, not hacking them off.
While I sympathize with shopkeepers’ need to make a living I have no desire to have prices foisted on me whether I like it or not, particularly prices that seem too high for me. I don’t mind prices that are extremely cheap and fit within my budget. Prices are supposed to be about being affordable, not about being outside my budget.
In such instances I take my business elsewhere. That’s how market forces work.
Until there is nowhere else to take your business.
If you want the new “x”, you can “take your business elsewhere” however much you want; you are still going to pay a fortune for it. Some places have exceptionally low operation costs since they return none of their profits back into your local economy and bring down society as a whole, a.k.a. Amazon, and you may get a better “deal” by ruining the economy… but market forces right?
And then, because of how much pressure you place on stores that actually contribute to the local economy, they will close out and take jobs away… but you don’t care about those jobs since you’re some high degree white collar worker right?
And then because fewer people can afford the new “x” YOUR wages start going down and YOUR job stops becoming profitable for the company, so they fire you.
Then YOU are looking for work, any work, and finding out… we don’t live in a capitalistic nation, we live in a corporate capitalistic nation. There is nowhere left to take your business to because you bankrupted them all.
That’s a bit histrionic, isn’t it? Other business models work and they work perfectly well. There are plenty of other places to take my business to and I do this every day.
But when you block ads, you’re not “taking your business” anywhere at all. There is no business. Your leaving represents no loss to the site,
Precisely my point. I go to sites that don’t stop me reading their content by using anti-adblockers. Bear in mind that general advertising isn’t a problem, it’s the in-yer-face ones with the malware that I can’t be dealing with. I use adverts myself on my own blog, I just don’t force people to accept them as a condition of visiting it.
By that logic, neither does blocking the ads.
Just a little tip, if a site forces me to disable adblock, I search for a different website with the same content, because yeah, content is not exclusive on the internet 🙂
Oh.. no…. please don’t take your precious non-ad-viewing self out of the equation.
He doesn’t need to tbh, he can get Anti-adblock Killer and continue to access anti-adblock sites, while still blocking their ads 😀
That’s the point, it’s never been by force, you have always had the choice of finding another site, if you wanted. But who’s to say that the other site won’t require you to disable ad block? I guess ultimately market forces will decide who carries the day.
Long live adblock. We consumers shall not be forced to view ads!
There are 2 options: Free with ads. And not free.
It’s cool if you’re for the latter.
Lucky Adblock is free, eh? 🙂
So were Dodo birds. Delicious too.
That might have been a fair comparison if not eating Dodo birds meant having to eat rotten eggs instead. Because not using adblock is a horrific experience. May as well be turning the Anti virus off, lol
True, ad block shouldn’t be free. If it wasn’t, I wonder how many people would actually pay.
I’d happily pay quite a lot for it if I had to. Still beats viewing annoying ads
In the long run you might have to view ads. How else is quality, up to date content supposed to be provided?
I’d rather have a few ads than a pay wall…
Honestly, it’s a stupid argument. Pretty much every modern website on the web now detects browser type and size in order to serve fast loading content, and content that fits the type and size of the browser. If detecting AdBlock is illegal then so is this. Are you ready to go back to the old days of the mobile web? Or must we ask your permission before we can show you tuned content?
I know, let’s just have multiple popups asking your permission for every segment of our websites, here are some examples:
Viewport, can we check your browser size?
Responsive images, can we serve you the best possible image for your device?
Font size, would you like to be able to read this text?
Service Workers, (an awesome technology that can allow you to take websites offline), fancy another pop-up?
Is that really better than ads? Because that’s exactly what every site I run will do if the EU goes further with this, forget the SOPA black-out, this will be much worse.
If you are an idiot who thinks “offline webpages” are “the future” please kill yourself.
I know that nearly 99.99% of all web users are idiots, but a simple client side program is always better. If you want to “save” a webpage, just go “file, save”
Some pages, of course, are designed stupidly and require wget or even the user manually entering some urls because we LOVE using ajax and sockets to put all the work on the client and none on the server.
What the hell are you on about? I suggest you research what I am talking about before you call other people an idiot.
Getting some knowledge in your brain before spouting out will be very useful.
Offline webpages are the future of the internet, you want to know why? Because mobile is the future of the internet. Case closed. (Hopefully, you can put two and two together and work out the rest for yourself, because I ain’t about to explain why offline pages are useful on mobile to an idiot lol).
Yeah, I love me some Disqus comment section on my offline webpages. I’m posting this comment without internet. Online webpages? Pshh, who needs those anyways?
You are very late to the party dude, but just like the other guy, you have no idea what you are talking about.
Go ahead and figure out what you are talking about before you do, I was not talking about offline pages, I was talking about service workers (which can allow you to comment offline btw).
If you don’t think service workers are one of the biggest web technologies unveiled over the last few years then you simply don’t know what service workers are, or you have little to no understanding of what they do.
In which case, don’t bother talking simply.
K tnx bye.
I see a solution that both respects privacy and is simple to use.
1. Websites need user permission to do ANYTHING on the user’s computer. To store anything (even to store the html file in RAM), to run any scripts, etc.
2. Users configure their browser telling it what they permit and what they don’t. The browser uses this configuration to display the page the way the user wants, and may if necessary inform the server about those permissions (of course if the user permits the browser to share this information).
To make it as simple to use as possible, the user would set DEFAULT permissions to use for any website. Then, he could set per-website permissions if he permits certain websites to do things that other websites are not permitted to do. And he could also define general rules that apply to some websites and don’t to others.
Just like by default you don’t allow strangers into your home at all, but you might allow some (e.g. a gardener or postman) into your courtyard, and others into your dining room. And they’re only allowed to do things that you allow them, case-by-case, to do when on your property. And you can set default rules such as “anyone invited to your living room can also use the chairs” or “anyone invited into the kitchen can also use the fridge”.
And of course for the idiots there would be “suggested permission configurations”, ready to use. And don’t tell me configuring permissions is too hard for lay people. 99% of the people I know are capable of specifying who is allowed into their house and who isn’t, and what they’re allowed to do when inside. With browsers it isn’t that much different.
Wow, you really do seem to have a rather limited understanding of data & computer law. Your arguments are frankly a bit irrelevant and you rely on limited interpretation of partial clauses to seek false exceptions instead of actually looking for compliance with the law. There are probably valid arguments which can be put forward in favour of anti ad-blockers, but you don’t seem to have found them yet.
Which is, like your current arguments, irrelevant. The EU has shown repeatedly that, where data protection and e-privacy are concerned, if someone circumvents the current wording they will produce new wording and push it through. The only answer is for advertisers to get more professional about their advertising, less intrusive, and for the industry to drive out the bad boys – otherwise users and regulators will continue to tar all with the same brush – a small step up the evolutionary chain than spammers.
Personally I’ve no problem with anti-adblocking – it’s no different to telling me I can’t read some content until I agree to pay for it, which seems quite fair, but the only way this gets fixed is by responsible advertising – no pop-ups, no click-jacking etc. – probably including criminal imprisonment sentences for anyone involved in the latter.
“The EU has shown repeatedly that, where data protection and e-privacy are concerned, if someone circumvents the current wording they will produce new wording and push it through”
No. That is absolutely not how the law works here. You must be living in some ‘other’ Europe. Laws are carefully written to mean what they say they mean. Not what you want them to mean.
That depends on where the site is hosted. If the site is not hosted in Europe, then it is not subject to European law.
The DMCA only applies if you do it for commercial or private financial gain. So someone circumventing anti-adblock technologies in their home without any intent to make money is not breaking the law.
You’re confusing two different laws.
Would the EU view browser caching as unscrupulous website owners storing their data on users’ devices without their explicit permission?!
please provide names and surnames and address, I want to eviscerate your useless bodies.