The ePrivacy directive became law in 2002 and originally required the “right to refuse” access to storage held within the “private sphere” of your device or browser. One reason it was drafted like that was an attempt to cover future privacy challenging technologies and practices. It obviously already covers malware delivery and tracking cookies, and has since been taken (by the DPAs) to also apply to fingerprinting. Some people in the European Commission (though significantly not the Justice department) seem now to say it applies to AdBlocker detection
The rule on storage was amended in 2009 to require opt-in consent (“freely given, explicit and informed” as defined in the 1995 Data Protection Directive).
History has shown that opt-out consent does not work (e.g. AdChoices), while giving people real choice (e.g. AdBlockers) really can. Even though companies defy the law in Europe (and everywhere ignore clear indications of user preference i.e. DNT), they cannot stop the explosion of AdBlocker use. They are now in a technological arms race they have no chance of winning.
The trouble with AdBlockers is that they can be indiscriminate, damaging the web experience. Some of them block urls referenced in blacklists, and the lists are often arbitrarily assembled with many false positives and negatives. If components of a web application are independently blocked then the application can break. To fix this, web applications should be able to detect their presence, but not so they make the user “take-it-or-leave-it” on whitelisting (which will definitely be illegal in Europe under the GDPR in 2 years’ time), but in order to better understand and respect their preferences.
What is needed is a standard machine readable way for server to declare what choices they offer users over ads, in a similar way to how they should declare tracking practices. If a server does not make a declaration, or ignores a user’s preferences, the adblockers (or browsers) can block them.
We already have the building blocks for this in DNT e.g. the Tracking Status Resource, we should discuss how we can extend them.
Mike
From: Joseph Lorenzo Hall [mailto:joe@cdt.org]
Sent: 29 April 2016 14:26
To: Christine Runnegar <runnegar@isoc.org>
Cc: public-privacy (W3C mailing list) <public-privacy@w3.org>
Subject: Re: ad-blocker detection scripts
So, is this essentially arguing that the EU will require affirmative, opt-in consent for running any dynamic content? That doesn't seem wise.
It strike me that not all ad-blocker detection need to be done via scripting. E.g., the traditional web-beacon model of crafting the page with a personalized image URL and detecting if that asset was loaded could be a method to detect blocking of certain domains without accessing any persistent state in the UA.
Although maybe I'm misunderstanding this? best, Joe
On Fri, Apr 29, 2016 at 9:08 AM, Christine Runnegar <runnegar@isoc.org> wrote:
Hello all.
In the context of our draft Group Note on Fingerprinting Guidance for Web Specification Authors [1] and general Web privacy mandate, it might be worthwhile to discuss the specific issue of sites running scripts to detect the presence of ad-blockers/tracking blockers. This issue was recently highlighted in a tweet from Alexander Hanff and picked up by various media sources, including this article in the Register:
http://www.theregister.co.uk/2016/04/23/anti_ad_blockers_face_legal_challenges/
Christine
[1] https://www.w3.org/TR/fingerprinting-guidance/
--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
1401 K ST NW STE 200, Washington DC 20005-3497
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871