Last week Twitter lit up?when?the European Commission indicated?anti-adblocking technologies like BlockAdblock may?be “illegal”.
Before getting into?why this position is based on a technological misunderstanding of how adblocking detection works and how the EC?was led to its position?by one agenda-driven privacy entrepreneur, let’s?get?a little background information out of the way…
The 2009 ePrivacy Directive
In 2009 the EC passed the “ePrivacy Directive” as part of their Regulatory Framework for Electronic Communications. Among other things, the ePrivacy Directive requires any website using cookies to get user permission before setting or retrieving any persistent data.
Section 5.3 of the ePrivacy directive (also commonly called the “Cookie Law”) reads as follows:
?”The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent?”
As you most likely already know, browser “cookies” are persistent, locally stored user-specific data files which survive a single website visit?(outside of a standard browser cache), and can be used to identify individual website visitors. Cookies?can last for indefinite periods of time. A website can store your user specific data in?your browser in the form of a?cookie, and access it on your next visit — even months or years later. While some cookies may be used as part of advertising “tracking” systems, others?are provide a vital part of basic?website functionality allowing for both customization of website services and the ability to store user settings and preferences for subsequent visits.
One must note however that the rule does not use the term “cookie”. Instead, the ePrivacy?directive calls for?user approval before storing?or retrieving “information” on a user’s browser.
But what exactly does “information” mean? Is information restricted to cookies? Might?all web content be considered “information”? If so, how?about images, fonts and article text? Does?that mean that every website on the internet would require permission regardless or cookies?
We’ll get to those questions?later.
An activist’s spin
Last week’s confusion?started when privacy activist, Alexander Hanff revealed his?cleverly?crafted?query?to the EC regarding the scope of section 5.3 of the ePrivacy directive. While I?don’t have a copy of Hanff’s original request, we can see it referenced here in the EC’s response:
Hanff’s strategic?(and misplaced)?use of the word “storage” intentionally loads?the question. By framing the question this way, he suggests that anti-adblock technology works something like a cookie, somehow involving?”storage”. Hanff’s entirely misleading premise?here is that “scripts”, like cookies, must be?stored and retrieved as part of their normal function.
Not so fast.
Hanff?leads the EC down a circular path by incorrectly?asserting?that persistent “storage” is part and parcel of a script’s basic?function and then reflexively asking?if laws governing storage?might then apply.
His question is based on a false premise.
- Anti Adblock scripts do not require persistent?storage (or installation) on a users’ system to function.
The EC’s response
“Storage by websites of scripts“?
To be clear: Anti Adblock scripts do not need to be stored. Nor do they?retrieve?”stored” information of any kind.
And even if they did…
All browsers store media
But scripts?don’t even need to be stored to execute
There is no connection whatsoever between persistent “storage by websites of scripts in users’ terminal equipment” and the function of said scripts.
But that’s not where things really fall apart with Hanff’s (and the EC’s)?confused position.
All advanced websites detect browser settings and features
- Detecting Flash
- Detecting Java
- Detecting the language of the browser
- Detecting the screen size of the browser window
- Detecting the screen resolution of the client device
- Detecting the operating system of the browser
- Detecting the type of browser
- Detecting the version of the browser
- Detecting whether the user?is visiting from mobile or desktop
- Using reverse IP lookup
- Detecting whether the browser is capable of session storage
- Detecting whether the browser is HTML5 capable
- Detecting the color depth of the browser
- Detecting available system fonts
- Determining if a browser is touch-capable
Hanff goes?on to inquire about Recital 66 of the Citizens’ Rights Directive. Again, both Hanff’s question and the EC’s response show?a?lack of understanding of the mechanism by which anti-adblock defenses work:
Clearly both Hanff and the?EC believe that anti-adblock defenses somehow directly access information “stored” within a browser.
To which I?would ask: Please identify the specific stored information that is being?accessed.
Making an educated guess based on browser behavior is absolutely not the same as accessing stored information. The conclusions reached by the EC are the result of a mischaracterization of anti-adblock defense technology — either intentional or otherwise.
The exceptions: It’s all subjective anyway
Lastly: Never mind for a moment that the ePrivacy Directive’s “Cookie Law” should have?no bearing whatsoever on anti-adblock defenses which neither access stored?data, or represent?stored data themselves — the Cookie Law contains footnoted “exceptions” which render the entire law rather uselessly subjective.
Number two explicitly states that the law does not apply when the storing of data is?”strictly necessary” in order for the provider to provide the service.
Here in the real world of non-taxpayer funded entities,?one typically?counts the existential financial viability of a newspaper among its necessities. If without advertising revenue the “service” itself would cease to exist, then the defense of vital and life-sustaining revenue streams are clearly?”necessary” to provide the service. So even if anti-adblock defenses did “store” and “access” locally stored information (which they do not), it would appear that the ePrivacy Directive would protect the right to store and access data when said actions are “necessary” to provide the service.
The irony is
On the other side of the pond?it’s quite clear that Adblock Plus and other adblockers are?in direct violation of the US DMCA’s anti-circumvention rules. New updates to multiple?ad blocking applications continue to bring?new, purpose-built anti-access circumvention technologies designed solely to bypass publishers’ access controls to copyrighted content. Still though, much of the publishing industry’s legal firepower?continues to aim in the wrong direction by questioning whether ad blocking is legal or not. (Which of course it is. Anti-access circumvention on the other hand, is quite clearly not under the US DMCA).
[As a side note, it was amusing and predictable to see Eyeo shunt its EasyList from the AdblockPlus.org domain over to GitHub in an effort to create a little legal-distance between the two entities last?week. Their lawyers would seem to be earning their keep]
I’m looking forward to seeing this issue?get legs in the US, where the DMCA?tilts the field?in the opposite direction.