Posts by Alexander Hanff 1

Re: One way online advertising might change?

It takes no effort to not read his drivel or respond to it. Every time one of you does answer him, it gives him a rise, feeds his narcissistic need for attention. Best thing to do is completely ignore him.

Re: Server jurisdiction and legality

Under current rules (95/46/EC, 2002/58/EC) any company which is based in the EU or processes data in the EU is required to follow our laws. There is a very long list of case law supporting this not least the Right to be Forgotten case in the CJEU last year but also (for closer to home) the Vidal-Hall vs Google case in the UK, Belgian DPA vs Facebook, French DPA vs Google, French DPA vs Facebook etc etc etc.

So in short all EU companies are obliged to follow EU law and it is important to note that even if they are exporting the data outside of the EU they can only lawfully do so if the country it is being sent to has laws which are at the least equivalent to EU privacy and data protection laws.

And as stated above for any company which is not based in the EU but is processing data in the EU they also have to follow our laws.

In 2018 when the General Data Protection Regulation comes in any company (whether or not they are based in the EU or process data in the EU) which target EU citizens will be required to follow our laws in relation to EU citizens (some Judges & legislators already believe this to be the case under our existing laws but there is some ambiguity which will be removed by the new Regulation).

Re: Lots of people hate adverts...

I am not even remotely concerned about advertising - I fully support ad supported content. What I don't support is the illegal non-consensual tracking and profiling by adtech companies. Contextual Ads still generate over 90% of all display ad revenues and privacy respecting, contextual advertising is not a problem for me.

My work for the last decade has been focused on the illegal behavioural profiling and tracking.

Re: Click here to view this title.

Not sure when I will be in the North again - I am hosting a privacy event in London on 29th but I am totally booked up travelwise for the next 2-3 months speaking at events and having meetings on adblocking.

None of the cookie banner solutions currently being used are compliant with EU Law - so no they can't be used to cover adblock detectors to make it legal.

The way current cookie banners work is they simply display a message - they literally do nothing else (in most cases - there are some very limited exceptions). The cookies are placed on your machine before the cookie notice is even displayed to the user - this is illegal.

Furthermore, the cookie banners do not have a "I don't agree" option, only an "I agree" option (which is also illegal).

So yeah ICO tried to throw this idea at me when I had my meeting with them and in the end agreed that this wouldn't work and that yes currently these banners are non-compliant. ICO also agree that the detectors are illegal as well and have agreed to accept my formal complaint against UK publishers and adblock detection developers - they even expressed an interest in a joint investigation with other DPA's as they did with the Google case back in 2012.

So yes, even the usually toothless ICO are in agreement that this is ILLEGAL.

In my discussions with the EU Commission they also agreed with me that because using an adblocker is a clear facilitation of a users rights under Recital 66 and is an explicit and deliberate action - it could not be over written by any implied consent (cookie banners rely on implied consent) - the use of an adblocker is a direct denial of consent from these users.

Average ad revenues per year per user for publisher is less than £0.50 according to industry reports. Wired are currently charging > 8x that per month for their subscription.

This is one of the problems with subscription models - for some reason publishers think it is sensible to charge literally hundreds of times the amount they would get per user per year for their subscription fees. £50 per year is not a sustainable model for subscription to online content (per site) it will fail and is down to sheer greed.

Publishers need to either start forming group subscription models where users gain access to many publications giving those publishers revenues which are inline with ad revenues if they want to replace ads with subscriptions - or - they need to reduce their subscription costs to micropayment levels inline with ad revenues.

But they do the opposite - they try to charge ridiculous subscription fees far far higher than the revenues they make per user from advertising and then guess what - they still throw advertising in as well - and wonder why subscription numbers are so low?

Then the go down another illegal route and start pushing "branded content" (aka native content or "advertorials"). I was at a publishing event in Paris just a week ago and they were talking about adblocking - their solution? Disguise advertising as content - again this is also illegal.

It beggars belief.

Re: Ok, just RTFC

I don't want to seem like I am making light of everything you typed with a short reply but it is really simple - it is illegal. There has been extensive discussion on this at regulatory levels and device fingerprinting is illegal under 5(3) without consent if it doesn't fall under specific exemptions (which I can't think of any situation where it might).

I read a long research paper on Canvas Fingerprinting a number of years ago and brought it to the attention of the EU Commission - there was zero doubt in their mind it is illegal.

Re: What about..

Canvas Fingerprinting is also illegal under 5(3) of 2002/58/EC and has been covered by an Article 29 Working Party Agreement from 2014. So if you detect that sites are using this method you should first complain to the site and if they do not change their behaviour, fire off a complaint to your regulator.

If you regulator refuses to enforce, get in touch with the EU Commission and file a complaint against your country for failing to uphold your fundamental rights, request the EC initiate infringement proceedings.

And however unlikely you might think this is to succeed - it worked against Phorm and forced the UK to change RIPA. The Commission have advised me to do the same thing with Member States who do not enforce our rights regarding adblock detectors.

Re: Grey Areas

I spent the last 6 months speaking at industry events (both advertising and publishing) warning them they are breaking the law and suggesting they find a better way. 500 million (roughly 25% of Internet users globally) blocking ads because of privacy and other concerns is quite possibly the world's biggest ever protest. The current model is unsustainable and instead of trying to find a way which is acceptable to Internet users they choose instead to go to war with them using illegal tools to infringe on the fundamental rights of the people.

So don't tell me I haven't given them a chance to fix the situation, I have - repeatedly.

Now the time for action has arrived.

Re: Bull

No they don't.

Re: Grey Areas

Then they should lobby to have the law changed to allow this - because whether you agree with the law or not does not mean you are free to disobey it.

Re: Bull

The people who write the laws, the people who enforce the laws all disagree with you - so good luck arguing your incredibly poor interpretation in the courts - you will fail.

Re: Bull

The javascript file itself is stored and is illegal. Period.

Re: @Alexander Hanff 1

No you are missing the exemptions as I explained below. Also if you actually read the letter from the EU Commission you will notice they mention the exemptions as well.

Please do read the information provided, it saves me repeatedly typing the same information over and over and over again.

Re: Click here to view this title.

I live in Poland so £5 will buy a barrel lol :) (of Vodka)

Re: Publishers could simply

I am fighting for (and have been doing so for the last 10 years) the removal of non-consensual tracking and behavioural profiling (which actually only makes up around 7.5% of display ad revenues according to the industry's own research). My campaign is about privacy not about ads. Also, as I have stated a number of times there are legitimate and legal ways to detect adblockers - the issue here is non of the tools being used currently do this in a legal way.

I also think it is ok for publishers to block content to people who refuse to view their ads - but they must do it legally - currently they are doing it illegally.

But this campaign is also about publishers who are not just illegally detecting adblockers but circumventing them (which is also illegal) and no publisher has any right whatsoever to circumvent the choice of a consumer and display the ads despite knowing the user has refused consent.

Re: Grey Areas

No the law is actually quite sensible and gives some exemptions for purposes strictly necessary to provide a service the user has requested. Detecting browser resolution in order to render the page properly would fall under such an exemption.

Even detecting device via the user-agent to see what the pixel density is (retina or not) would fall under the same exemption.

But it is also about the purpose that data is used for - if the user-agent, browser resolution, font list etc are then re-used to create a device fingerprint for identification purposes - that is when it becomes illegal (this was covered by an Article 29 Working Party opinion from 2014).

It should be noted as well that making changes to existing cookie banners would not make this legal either for a number of reasons:

1. Cookie banner solutions are currently not compliant with the law (they place the cookies before the page is even rendered and the user has seen the banner)

2. Recital 66 of the ePrivacy Directive allows the use of "browser settings or other applications" to indicate whether or not you consent to the storage or access to stored information. In my discussions with regulators and the Commission, such an action by the user (installing an adblocker) would be seen as an explicit denial of consent as it is based on a specific and deliberate action of the user, which cannot be nullified by an implied consent from a "cookie banner" (these banners rely on consent being implied). Explicit trumps implied every time.

Re: Bull?

I suspect it is one of my stalkers - the language of his comment matches that of a stalker I have had for the past 8 years, I just ignore them.

Re: Bull

You are wrong - I have researched a large number of the adblock detection solutions and they all work by storing a javascript on the computer of the user which then checks how the page is rendered - whether specific elements exist or have been removed form the DOM.

Furthermore as pointed out by the EU Commission - the law is relevant for ANY information stored or accessed and is not limited to personal data. In fact the EU Commission rightfully categorise adblock detection tools as spyware as per Recital 24 and Recital 65.

I note you also spammed my Twitter feed with your nonsense - I suggest you actually go and learn something about the law before reporting back to your adblock detection company.

I have been working on these issues for 10 years and know the law very well - I have been researching adblock detection for the last 14 months and have spoken to 10 different regulators in Europe as well as the EDPS and EU Commission - all of them (yes even ICO in the UK) agree with my analysis.

I should add though that the letter from the EU Commission is not my reason for taking legal action - it was always my intention to do so which is why I started the work 14 months ago. Back in February last year I had a face to face meeting with DG Justice at the EU Commission in Brussels and they confirmed my concerns verbally. As I was approaching the point where I will begin filing legal complaints, I decided that having that opinion in writing would be useful so earlier this year I wrote to President of the EU Commission asking for them to formalise our original discussion in writing.

Re: H4rm0ny

This is utter tosh - seriously. If the US gov approach Dropbox with a s215 order (which always comes with a gag attached) are you seriously going to tell me that the executives from Dropbox are going to refuse and go to jail instead? Don't be ridiculous.

This is a PR stunt and nothing more, it makes absolutely zero difference to the US surveillance machine being able to access that data. Furthermore, the Irish DPA can't do jack about it - they don't even have the power to issue fines/penalties.

Please go and educate yourself on the matter, it might save you the 5 minutes it took you to write that nonsense you wrote above.

Re: So, the EFF gets donations from Google.

You are asking the wrong question.

What you should be asking is how many consultations, roundtables, workshops, seminars and conferences have EFF attended as civil society and presented arguments which could be seen as favourable to Google.

For example, on Do Not Track, Behavioural Advertising etc. there have been a large number of closed session events with governments and regulators in Europe and the US where often these civil society NGOs offer a less than "privacy focused" opinion (I have personally witnessed this) and offer a more "compromising" position (such as supporting pseudonymous tracking etc.)

I am not saying EFF have been responsible for this type of behaviour but then I can't claim to have been to every closed event they have attended - I have however seen this from MANY civil society groups over the last 6 years and it infuriates me as an advocate.

Don't assume that an NGO or civil group posts everything they say on their web site - because they don't. There is a huge amount of dialog going on behind the scenes every single day that the public are not privy to. What you see published is usually just the tip of the iceberg - the real news is the backroom deals, compromises and incredibly subtle opinions which whilst coming from a civil society group are actually pro-industry.

Re: As a windows phone owner

Except pretty much EVERY Windows Phone app requires permission to access location data due to a requirement in the windows phone advertising API.

Re: More info plus all court documents

I think you need to read the judgment more carefully. The Judge very clearly states (citing historical cases to support his view) that jurisdiction is determined based on where the activity took place. In the case of the Google Safari issue, the users viewed those adverts on devices in the UK - and the cookies were placed on devices in the UK - therefore the action which the complainants are asking permission to sue for took place in the UK - Douglas vs Hello! is the main supporting case cited in support of this argument.

To put this into context - if you went into a supermarket in Las Vegas, tripped over a bad piece of flooring and broke you knee - the injury took place in the US and you would sue in the US, not the UK.

As for UK companies abiding by applicable laws in the US, you need to follow the news more. For extradition to the US based on laws they have broken there (even if they have never set foot in the country), that is before you even consider SAFE Act in the US which has extra-jurisdictional powers written into it.

It is not unusual for courts to extend their jurisdictional reach beyond their borders - especially US courts.

Re: Not the full story

That would be a really dangerous decision for Google because the Spanish order is just one of many EU decisions to come. EU is one of Google's largest markets (probably their largest) and is the second largest economy in the world (last I checked a couple of months ago) - if they start playing that game, what do they do if other regulators take the same action as the Spanish (remember this was part of a regulatory "coalition" spearheaded by CNIL)? Do you seriously think they will block access to their biggest market - that would be akin to cutting their nose off to spite their face.

But all this is speculation because there is no comprehensive explanation as to what the full reach of the decision is and what the termination order actually means.

Re: Erm What?

As for who actually put the pseudonymous stuff in there, I think you will find it was Jan Albrecht MEP - it was his draft that LIBE voted on although it had been significantly edited since his original. If my memory serves me correctly the pseudonymous exemptions were in his original draft. I called him out on this in Brussels last January but didn't receive a satisfactory answer, rumour has it he had been subjected to heavy lobbying on this issue prior to the draft being published but one would have to check his diary to confirm such rumours.