A legal problem with planting a cookie in another site's domain

Nicholas Bohm ukcrypto at chiark.greenend.org.uk
Fri, 11 Apr 2008 13:35:13 +0100


Roland Perry wrote:
> In article <005301c89b22$90918b70$e57ea8c0@Jinja>, James Firth
> <james2@jfirth.net> writes
>> The mention of the Electronic Privacy Directive brought one potential
>> issue to my mind.
>>
>> Websites must notify users about their use of cookies, how their data
>> is used and give users information or a mechanism to prevent use of
>> cookies.
> 
> I'm not sure it's all websites (in practice very few do, anyway).
> 
> Someone who ought to know, 

I feel this might be someone who ought to know better - see below.

> once told me that because of the way the
> Directive (and hence Regs) were worded the provision only applied to
> activities of Network Operators [1], and therefore only the websites of
> such people (i.e. a small subset like "buy your ISP services here").

The Directive says at Art 5 para 3:

"Member States shall ensure that the use of electronic communications 
networks to store information or to gain access to information stored in 
the terminal equipment of a subscriber or user is only allowed on 
condition that the subscriber or user concerned is provided with clear 
and comprehensive information in accordance with Directive 95/46/EC, 
inter alia about the purposes of the processing, and is offered the 
right to refuse such processing by the data controller. This shall not 
prevent any technical storage or access for the sole purpose of carrying 
out or facilitating the transmission of a communication over an 
electronic communications network, or as strictly necessary in order to 
provide an information society service explicitly requested by the 
subscriber or user."

The recitals make it clear this is about cookies.  (The other directive 
mentioned in the paragraph is the Data Protection Directive.)

This is transposed in the UK Regulations as follows:

"6.  - (1) Subject to paragraph (4), a person shall not use an 
electronic communications network to store information, or to gain 
access to information stored, in the terminal equipment of a subscriber 
or user unless the requirements of paragraph (2) are met.

     (2) The requirements are that the subscriber or user of that 
terminal equipment -

       (a) is provided with clear and comprehensive information about 
the purposes of the storage of, or access to, that information; and

       (b) is given the opportunity to refuse the storage of or access 
to that information.

     (3) Where an electronic communications network is used by the same 
person to store or access information in the terminal equipment of a 
subscriber or user on more than one occasion, it is sufficient for the 
purposes of this regulation that the requirements of paragraph (2) are 
met in respect of the initial use."

(4) is as you have already quoted.

> And there's an "operational" exemption very similar to that in RIPA:
> 
>         a) for the sole purpose of carrying out or facilitating the
>         transmission of a communication over an electronic
>         communications network; or
> 
>         (b) where such storage or access is strictly necessary for the
>         provision of an information society service requested by the
>         subscriber or user.

[text snipped]

> [1] I have not yet identified the exact words which convey this meaning,
> sorry.

There are no such words that I can see.  The Directive is about use by 
anyone of the network; and the Regulations say "a person shall not use 
an electronic communications network," which is as general as you can 
get.  The claim that the only persons who use electronic networks are 
network operators is patently absurd.

I agree that the rules are widely broken.  I wish that excuse worked 
when I'm had up for parking infringements.

Nicholas
-- 
Salkyns, Great Canfield, Takeley,
Bishop's Stortford CM22 6SX, UK

Phone  01279 870285    (+44 1279 870285)
Mobile  07715 419728    (+44 7715 419728)

PGP public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF