Re: cookiedemosite.eu from Bjoern Hoehrmann on 2011-10-08 (public-privacy@w3.org from October to December 2011)

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 08 Oct 2011 02:23:28 +0200
To: Rigo Wenning <rigo@w3.org>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <khpu87h8f0lqlkdn5tn2mo2undnj33mfpp@hive.bjoern.hoehrmann.de>
* Rigo Wenning wrote:
>http://cookiedemosite.eu/

Yes, you can look at all the things an existing site uses cookies for
and put a prompt in front of each of these things, and deny users the
content if the user does not approve, but that's obviously trolling,
as it fails to analyze whether cookies are actually necessary for the
relevant purposes.

The first purpose one might encounter there is "Frequency capping". It
is most obviously possible to store on the client side which ads have
been shown recently and make the selection of further ads on the client
aswell, without communicating a browser identifier to any site, if you
for some odd reason do not regard all the "common log information" as
such already.

Another example there is "If an application has 3 pages and most of the
users only make through the second, this data might make it clear that
the process needs to be simplified." You can tell this simply from the
number requests for each of the pages, there is no need for any cookie.
The site goes on to contradict itself on this point, telling you that
"The new law exempts a website from requesting your explicit consent
when setting a cookie relating to the website’s own content." If that's
so, then the site can simple host the 3 page application itself and use
cookies as it deems appropriate.

Another point the site raises is embedding of third party content like
articles on the front page. The site can just host the content iself
and provide the third party with aggregate usage statistics. That's in
fact better for the first party as then they have an idea what's going
on without relying on the third party. I am not in fact aware of a site
that embeds third party articles in this manner. In any case, for the
stated purpose of "how popular is this", cookies are not necessary.

The best feature is the modal prompt for "Behavioural Advertising". If
you deny that one, that does not seem to have any effect. Well, second
perhaps to the embedding of addthis.com content that sets cookies even
if you deny all the prompts. addthis.com in turn is hosted in the U.S.
does not make any Safe Harbor claims and uses Google Analytics on its
Privacy Policy page without mentioning Google Analytics, while Google
assures people that it requires all website owners to fully disclose
Google Analytics use in their privacy policy. cookiedemosite.eu itself
of course does not have a Privacy Policy that I could find.

If this is all the existing industry can come up with, and citizens of
the European Union want what is required by the directive, then there
seems to be little reason to listen to the existing industry at all, it
should rather make room for others who can deliver valuable goods and
services under the constraints imposed by the sovereign. Especially if
much of the rest of the world shares european ideas about privacy, as
Europe's solutions can then be exported to where there is demand, with
the added street creds that if you care about privacy, you are better
off dealing with Europeans.

For the public at large there is no reason to listen to cries how one
particular implementation of one particular business model might some-
how, or not, be inconvenienced by one measure or another. The biggest,
by output, beer brewer in Germany does not advertise beyond having and
displaying trademarks. One of the biggest newspapers is financed by a
mixture of membership contributions from over 10 000 members, direct
sales and subscriptions, donations, and advertisement. TV viewership
statistics are gathered from a few volunteer households and not by
spying on everybody's viewing habits. We could increase fees you have
to pay to receive public broadcasts by a little and make all recorded
music available for free as far as revenues go, taxing bank interest
with 100% would allow us to abolish all other taxes as far as revenue
goes, ignoring the economic effects that would have, and other things.

If the vast majority of people would like advertisement tailored to
their interests and the enviroment they live in and have no trouble
with businesses knowing about these interests, we could just have our
browsers make this information available while still disallowing the
tracking of our movements around the web. Maybe we do not mind if our
ISPs keep, legally tightly locked, records of what we do online, and
do not mind to pay a little extra for less ads and more privacy, and
instead have the ISPs distribute our extra money according to usage,
just as we have similar systems already in place to compensate music
artists.

Google's Peter Fleischer wrote the other day on his personal blog:

  Even so, it was a bit of a surprise when I heard a political leader
  tell me clearly: "in Germany, we want innovation, but we want you to
  ask for permission first". Innovation and permission. In fact, I
  wonder if they're oxymoron. I think of innovation as serendipitous,
  almost the opposite of bureaucratic/political process. But in a
  nutshell, there it was.

I found this most strange. It is not so much a matter of obtaining a
license but rather about making people who would be affected aware in
time, before creating facts "on the ground" if you will, so we have
the opportunity to control what affects us. If you want to drive cars
through every street in Germany taking pictures and locating all Wifi
endpoints that broadcast their contact details, you tell us, and some
might say having pictures of every street is great, others might say,
for instance, they do not know when the pictures will be updated, and
to avoid giving people a false impression of the state of the building
they own, they prefer if no picture of their premises is published.

We do not separate society into consumers and producers with the idea
that "if you don't like it, don't use it". If you talk to a german a-
bout "privacy" issues and start calling their fellow citizens, their
fellow human beings, "consumers", they will probably be offended, and
not just because it communicates that you do not understand "privacy".
We do not principially try to organize for "oh my gosh, this is the
biggest bank ever!", we are more credit union types; unionization is
relatively common, right now polls indicate our local Pirate Party is
likely get get around 8% in the next federal election. If you tell one
of them a website cannot play a video without installing cookies that
will from then on track ones movements around the web, they are likely
to laugh you out of the door.

Point being, this kind of argument is not likely to work in Germany.
That is not so much because Germans have special privacy needs, it is
rather that we have high expectations with respect to engineering,
organization, govenernance, and we are used to have them fullfilled.
Consider as a simple example that the initiative to have a privacy-
concious implementation of "Sharing" buttons came from, in the eye
of the general public, the German publishing house Heinz Heise. Like
above, if you told them you cannot have "Sharing" features without
ridiculous prompts, they, likely, are quite happy to ridicule you in
an article, pointing out that Heise can do better than you can.
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Saturday, 8 October 2011 00:23:58 UTC