EU Cookie Law Is A Flop
Written by Mike James   
Tuesday, 30 May 2017

If you are fed up with repeated requests to store a cookie, or if you feel that all sites should show the request, you might be interested to know that the whole EU Cookie Law is pretty much a flop.

The EU Cookie Law is interesting because it is an example of trying to control the World Wide Web, and the emphasis here is on "worldwide". In 2002, the European Union (EU) introduced the ePrivacy Directive to regulate the use of online tracking technologies. Since 2013 the Directive has been mandatory, and most European websites now embed a “Cookie Bar” to explicitly ask for users' consent. It is one of the strictest regulations on the use of online tracking mechanisms. Article 5 requires websites to ask for:

“prior informed consent for storage or for access to information stored on a user’s terminal equipment”. 

Now a team of appropriately European researchers, Martino Trevisan, Stefano Traverso, Hassan Metwalley and Marco Mellia of the Politecnico di Torino and Ermes Cyber Security SRL, has conducted an online survey to find out how much impact the law has had.

"The Directive has been criticized as a case of regulatory failure: it impairs user browsing experience, and it is ineffective in increasing the awareness about online tracking. Here, we show that the Directive is a failure from the enforcement perspective too."

It is also interesting to note that the directive doesn't just ban cookies:

The Directive has been amended in 2002 and 2009. In the last version, it explicitly disciplines the use of any tracking “devices” (e.g., cookies, supercookies, fingerprinting, etc.), and it is based on the “explicit consent” principle. It states that the website must i) provide a clear description of the entities wishing to install tracking devices, ii) install them only after explicit consent is provided by the user, and iii) describe how the gathered information will be used.

However, non-tracking cookies aren't banned. Session cookies, for example, are perfectly OK.

 

To find out how cookies were being used in practice, the team built a tool - CookieCheck. They then picked websites that were popular in EU countries and four countries not in the EU. A country by category table was constructed showing the percentage of sites that serve tracking cookies without asking. The details are interesting but the overall conclusion is:

First, we notice that there exists no category whose fraction is close to 0. On average 66% of websites violates the ePrivacy Directive.

The category that was best isn't a surprise - Law and Government at 31%. The big surprise is that "Adult" web sites came in second. The only win for the directive is that, when compared to countries outside of the EU, the tracking cookie percentage was lower. The US and Russia, for example, scored 75% and 86%. So a small, but not very significant, reduction is due to the directive. 

Looking more closely at the behaviour of web sites makes the position worse. For example, in France and Italy, 69 and 53 out of 100 web sites respectively provided a Cookie bar. Of the sites that did provide a Cookie bar, most (80.5%) installed tracking cookies before consent had been given, and installed more if consent was given.

Yes, you were correct all along: your answer to the cookie question is mostly irrelevant. The conclusion is:

"Despite being conservative, our results clearly uncover that the majority of websites ignores the ePrivacy Directive, testifying its flop."

The researchers offer five reasons why the directive was a flop, but they mostly boil down to politicians and law makers not understanding the technology that they are aiming to control. They provided no guidelines or tools for auditing web sites to see if they are breaking the directive. In particular no help was given with the difficult task of working out if the Cookie bar is just a decoration or a real way to block tracking cookies. There was also no consideration of how easy it is for small web sites to control tracking cookies and still accept advertising and analytics services. 
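The kind of pre-consent audit that paragraph says nobody supplied can be sketched in a few lines. This is an added example, not CookieCheck and not the researchers' code: the function names, the `.example` hosts and the captured headers are constructed, and treating a persistent third-party cookie as a tracking candidate is an assumed heuristic.

```python
# Added example: audit the cookies a site sets on first visit, before any
# consent click. Assumed heuristic: persistent + third-party = tracking candidate.

def parse_set_cookie(header):
    """Return (name, persistent) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # No Expires/Max-Age means a session cookie, which the Directive allows.
    persistent = "expires" in attrs
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        try:
            persistent = int(attrs["max-age"]) > 0
        except ValueError:
            pass  # malformed Max-Age is ignored; the Expires result stands
    return name, persistent

def is_third_party(setter_host, site):
    # Assumes `site` is already the registrable domain (no public-suffix lookup).
    return not (setter_host == site or setter_host.endswith("." + site))

def pre_consent_findings(site, responses):
    """responses: (responding host, Set-Cookie value) pairs seen before consent."""
    flagged = []
    for host, header in responses:
        name, persistent = parse_set_cookie(header)
        # First-party persistent cookies are not flagged, so this under-counts.
        if persistent and is_third_party(host, site):
            flagged.append((host, name))
    return flagged

# Constructed first-visit captures for three hypothetical sites.
CAPTURE = {
    "news.example": [("news.example", "PHPSESSID=a1b2; Path=/; HttpOnly"),
                     ("ads.tracker.example", "uid=9f3c; Max-Age=31536000; Path=/")],
    "gov.example": [("www.gov.example", "session=zz9; Path=/; Secure"),
                    ("www.gov.example", "lang=en; Max-Age=2592000")],
    "shop.example": [("cdn.metrics.example",
                      "_vid=77; Expires=Wed, 30 May 2018 00:00:00 GMT")],
}

def violation_rate(capture):
    """Return (sites with pre-consent tracking candidates, percentage of all sites)."""
    bad = [site for site, resp in capture.items() if pre_consent_findings(site, resp)]
    return bad, 100 * len(bad) / len(capture)
```

Running the same capture a second time after clicking the Cookie bar and comparing the two sets of findings shows whether the bar changes anything.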

Even the EU agency in charge of verifying the effectiveness of the directive concludes:

“the constant stream of cookie pop-up boxes that users are faced with completely eclipses the general goal of privacy protection as the result is that users blindly accept cookies”

Currently the EU is drafting a replacement law, but it seems to be even more flawed and ambiguous than the original. 

More Information

Uncovering the Flop of the EU Cookie Law

Related Articles

When cookies leak data

Evercookie - the cookie you can't kill

High-Tech, Cross-Browser Fingerprinting

SilentKeys A Privacy Aware Keyboard

The Canvas Fingerprint - How?

Cat Photos - A Potential Security Risk?

 


 

Last Updated ( Tuesday, 30 May 2017 )