Cookie policies, or data collection and processing consent, are not the most attention-grabbing subject. In fact, the corporations who profit by invading your privacy depend on you yawning, stretching, and scrolling past. But, whether you are an accept-all-er or a manage-and-blocker, your experience of The Web is decaying while they suck up your data and sell it on.
It should be simple. When you visit a website, it should restrain itself from tracking you as an individual and be satisfied to collect anonymous data about your usage of the website. It is welcome to collect and process data transactionally, but it should ask you if it wants to collect and use your data for any other purpose. For example, here at Phonotonal we know how many times this article was viewed, but we don’t know how many times you viewed the article. It sounds subtle, but it really… really… really isn’t. We have no reason to identify you as an individual, so we don’t do it. It’s simple.
Other organisations, though, are struggling to accept that you own your data. Their behaviour was bad enough for the European Union to make laws to try and stop it. So far, the response to these laws has been privacy theatre. While organisations try to silence their legal departments, the series of techniques they use to avoid doing the right thing just keeps evolving to side-step the spirit of the laws.
Here’s a simple way all organisations could comply with the written law as well as the spirit of the law. They can collect and process your data to satisfy some request you make. If you buy something, they need to take your payment details and they have to send the item somewhere. They have to collect this data to do what you expressly ask them to do. No consent is required because, well, it’s kinda obvious.
Next, they can collect data about your use of their website as long as they don’t try and pin it on you. The key here is that they should collect information about their website, not information about you. No consent is required. You can run a whole website with these two categories of data: transactional and anonymous.
This isn’t enough, though, for the greedy corporations. They want to know as much information about you as possible, because even if you don’t buy while you’re online… you can still be sold. If they can collect a little demographic information, that becomes useful for targeting you with adverts. If they can collect more specific information, such as what products you are looking at – and if they can link that information to you personally as you move off and look at other websites – they can now start highly specific targeted advertising. This is not allowed without informed and specific consent.
Except, they know you don’t want to give this informed and specific consent. Why would you? If a stranger turned up at the door and started asking you your date of birth, your gender, what websites you looked at today, and what products you thought of buying online, surely you wouldn’t just give them this information? ‘Why do you need to know?’ you ask, sensibly. ‘Ah well, we’re sending round the door-to-door salesmen next week and if we know this information we can probably get you to buy more stuff.’ No thanks.
To ask you for permission to process your data, they should firstly tell you exactly what the data will be used for and then ask you to give your consent. Until you have agreed, they shouldn’t be doing it. It’s really simple to do.
Yet here are three very common techniques that are used to avoid asking you for consent that you wouldn’t want to give.
Ask Forgiveness, Not Permission
One frequent technique is to simply run the data collection up until the point where the user doesn’t give consent. That isn’t bad grammar, it sounds a bit wrong because it is. The website operator simply runs all the tracking code until you press the button that says “no”. By this time, it’s too late. Your visit to the website has been logged and stored and, while they can’t continue to track your every move, they already have you on camera.
User-level tracking should not be used prior to consent being given.
This is next-level evil. The website operator provides all the signposts and tick-boxes for a user to fully control their preferences, but then makes it hard for them to complete the process in a way that denies the desired invasion of privacy. There are a number of tricks to this. Perhaps the feature has a convenient bug that means the user’s selection doesn’t result in the tracking being denied. ‘Oops. Thanks for spotting this bug, we’ll fix it as soon as we can’.
A more sinister technique involves giving fully working controls, but if the user doesn’t opt-in like the organisation wants, they leave the legal notice splashed across the page. It gets in the way and annoys users until they hit “accept all”. It should have been removed when they saved their preferences, but by leaving it in the way it might be possible to irritate them into giving up their rights.
Another trick is to make the page for users to manage their preferences massive. Like… truly massive. List every single tracking technology that may or may not be present and make the user opt-out row by row down a hundred rows. Not nice. If you drop a “remove all” button… maybe it could not work. Maybe it could error after the first set of rows, so that all the visible buttons switch off – but all the buttons below the fold stay on.
Of course, these techniques come with plausible deniability. It’s just a mistake, right… except all these mistakes seem to result in privacy being invaded and few of them result in the tracking failing to run.
An honest website should be able to give you control over a simple list of categories such as performance (anonymous analytics), functionality (remembering the user’s sort order or favourites), and tracking (the user-level invasive stuff). The tracking category should never run by default, and when a user manages their preferences it should be switched off until they opt in. For users who really don’t care, an “accept all” button can short-cut them out of the whole process, but for those who want to control how their data is collected and used, they can easily manage and save the defaults. This is the honest mechanism that aligns to the spirit of the law.
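The honest mechanism described above can be sketched as a small consent gate. This is an added example, not code from Phonotonal or from any site discussed here: the three category names come from the article, while `ConsentGate`, the `consent` storage key, the method names, and the assumption that performance and functionality are on by default are all hypothetical.

```javascript
// Added example: category names come from the article; everything else
// (ConsentGate, the "consent" storage key, method names) is hypothetical.
const DEFAULTS = Object.freeze({
  performance: true,    // anonymous analytics (assumed on by default)
  functionality: true,  // sort order, favourites (assumed on by default)
  tracking: false,      // user-level tracking: never on before opt-in
});

class ConsentGate {
  // `store` stands in for a first-party cookie or localStorage.
  constructor(store = new Map()) {
    this.store = store;
    this.pending = []; // loaders held back until their category is allowed
    const saved = store.get('consent');
    this.decided = saved !== undefined;
    this.prefs = { ...DEFAULTS, ...(this.decided ? JSON.parse(saved) : {}) };
  }

  // The notice shows only until the user saves *any* choice.
  get bannerVisible() { return !this.decided; }

  // Third-party code is wrapped in a loader and only runs when allowed.
  register(category, loader) {
    if (!(category in DEFAULTS)) throw new Error(`unknown category: ${category}`);
    if (this.prefs[category]) loader();
    else this.pending.push({ category, loader });
  }

  // Fail closed: a category missing from `choices` is treated as refused,
  // so a partial form submission cannot leave anything switched on.
  save(choices) {
    for (const c of Object.keys(DEFAULTS)) this.prefs[c] = choices[c] === true;
    this.store.set('consent', JSON.stringify(this.prefs));
    this.decided = true; // dismiss the notice whatever was chosen
    const ready = this.pending.filter((p) => this.prefs[p.category]);
    this.pending = this.pending.filter((p) => !this.prefs[p.category]);
    ready.forEach((p) => p.loader());
  }

  rejectAll() { this.save({}); }
  acceptAll() { this.save({ performance: true, functionality: true, tracking: true }); }
}
```

Because every tracker has to pass through `register`, nothing in the tracking category can execute before an opt-in, and `rejectAll` closes the notice just as `acceptAll` does.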
What happens in real life, though, is that website operators hope to mislead you by putting things that clearly aren’t “performance” into that category. By the time you’ve managed consent across a number of websites, you get used to “performance yes, tracking no”, so they hope you’ll just accept their nefarious purposes without noticing.
Real Life Example
‘I get all this privacy stuff,’ you might say. ‘But, I’m savvy and I only visit trustworthy sites who would never do any of this.’
Here’s a real life example.
There’s a lot to take in here, so I’ll summarise it for you with a list:
- Sky News have a massive manage preferences page
- Sky News have a category for “measurement” that explicitly says “This does not include personalisation, the collection of information about your use of this service to subsequently personalise content and/or advertising for you in other contexts…” – remember this… the category does not include this!
- There’s a link called “Adobe Advertising Cloud”. This sounds a little suspect given what we just read, so let’s click through and have a look
- Adobe is also bad… I have another list for this below
- The Adobe statement says that… “The solution also allow the companies to provide you with more relevant messages within their emails, text messages, and other online and offline marketing campaigns.” This is a direct contradiction of the promise made on Sky News.
Let’s not be too down on Sky News. This has become such a common practice that people don’t even realise what they are doing is questionable. Also, to get to that information on the Adobe site, didn’t we see one of the other examples in real life?
- You click through to the rather subtle “choices” link, which is less prominent than the large blue “Accept” button, because you’re smart
- You opt out of all purposes and get confirmation “opting out… opted out”
- You return to the page and the legal notice is still there
- The legal notice does disappear, but only if you click “Accept”
These are big corporations. This isn’t the local indie shop whose website was thrown together by their best mate who dabbles in WordPress. This is big business. It’s entirely possible that this is all just honest mistakes. The incorrect classification of data processing purposes could be a mistake. The prominent “accept all” vs the subtle “choices” link, the choice of language for “choices” as opposed to “manage your preferences”. The notifications that won’t go unless you accept all processing purposes. It could be.
One thing is for sure: while these mistakes may slip eel-like around the laws, user trust is going to head to an all-time low. We deserve better.