Full Disclosure
Joel Harrison
ukcrypto at chiark.greenend.org.uk
Sun, 27 Apr 2008 22:29:31 +0100

On Thu, Apr 24, 2008 at 2:49 PM, Ian Batten <igb@batten.eu.org> wrote:
> Yes, the web server that captured the pairs has been a bad boy morally,
> although it's hard to see what they've done wrong legally: they took a
> cookie that's legitimately in their domain and published the contents,
> contents that they're assured aren't personally identifiable.

I don't agree. If I've correctly understood Richard's explanation of
how the Phorm system works, the webwise cookie in the web server's
domain is clearly distinguishable from other cookies genuinely placed
by the web server in its own domain (i.e. it is tagged as being
associated with webwise). So, in your example, the web server is
deliberately accessing a cookie that it 'knows' has been placed there
by a third party - the webmaster can't claim he was accessing cookies
in good faith that appeared to originate from his own domain.

Consider PECR reg. 6. In your example, in order for the web server's
retrieval of the webwise cookie to be lawful, the web server would
have to provide "clear and comprehensive information about the
purposes of the ... access to ... [the webwise cookie]". So, the web
server would need to state clearly in its privacy policy that one of
the purposes for which it accesses cookies is to retrieve data placed
there by ISPs participating in the Phorm system. You may think that
the chances of anyone owning up to this sort of practice are small.

Of course, you might also think that the cookie should never have been
placed in the web server's domain in the first place. But that
doesn't, in my view, justify the webmaster from compounding the harm
by deliberately retrieving data from a cookie that it knows perfectly
well has been placed there by a third party (unless, as I say, this is
done transparently).

From a DPA perspective, if the data extracted by using the webwise
cookie can be associated with personally identifiable information
already in the webmaster's possession, the extraction counts as
processing of personal data (as does anything that is subsequently
done with that data) and would need to comply with the DP Principles.
If this were done covertly, without the user's knowledge or consent,
it is difficult to see how this could ever be lawful.

> What about Phorm? They've sworn blind that the cookie isn't dangerous
> personally identifiable information, after all.

Yes. Well. That all depends on the hands into which it falls, doesn't it?

> And what about the ISP? They placed the original tracing cookie, but,
> again, it's not personally identifiable.

Again, PECR reg. 6 - this time it's the purposes of the storage of the
cookie, rather than the access to it, that need to be clearly and
comprehensively described to the user. In my view, the ISP should
include in its explanation the fact that it is placing cookies in
foreign domains and that the practices you've described may be
possible by the owners of those domains. Otherwise, users can't make
an informed choice about whether to allow the ISP to do what it
proposes.

Joel