Full Disclosure
Ian Batten
ukcrypto at chiark.greenend.org.uk
Mon, 28 Apr 2008 19:16:55 +0100
On 28 Apr 2008, at 16:06, Joel Harrison wrote:
>
> I realise that. By "retrieve", I mean "retrieve the value of" - what
> I'm getting at is the action taken by the web server to determine and
> process the value of the webwise cookie in its domain. Whilst the
> webwise cookie is sent to the web server automatically, I understood
> that it would require a deliberate step in the website code to
> determine the value of the webwise cookie and then do something with
> it - without that step, the webwise cookie would be sent to the web
> server but no action would be taken on it.
Not if I'm just dumping the contents of all the cookies associated
with my domain. Or should all websites keep careful track of all the
cookies they might potentially have placed, on the off-chance that five
years later an ISP may be so deranged as to forge additional cookies
for no readily apparent reason? Phorm and the ISP have together
forged the cookie; no-one else is under any obligation to help them
keep secret what they have placed in plain sight.
>> In any case, this particular web server is in Peru, and what does
>> it know or care about PECR?
>
> I'm afraid Peruvian privacy law is outside my remit. However, if the
> web server is located anywhere in the EU then it has to deal with
> 2002/58/EC, and various other countries now have laws that regulate
> the use of cookies - so this isn't a UK-specific issue.
>
Could you tell us what the regulations say about processing cookies
marked as being in your domain but not actually placed by you? I
rather suspect they don't cover that case, for fairly obvious reasons.
Moreover, if you hand DPA-regulated data to an offshore location that
doesn't have equivalent legislation, the responsibility is on you.
> You might also be interested to know that in its recent opinion on
> search engines, the Article 29 Working Party expressed the view that
> merely reading or writing cookies from/to the web browser of a user
> located in the EU was sufficient to bring an undertaking's processing
> of personal data within the scope of the Data Privacy Directive. So
> your Peruvian web site would be subject to EU privacy law if it was
> accessed by users from within the EU. Of course, there are legal and
> practical issues to do with enforcement, but this doesn't seem like
> the place to go into them in detail.
So if I run a Peruvian web server selling Alpaca rugs, which has no
truck with cookies, but Phorm (of whom, being an Andean peasant, I
have never heard) forge cookies in my domain, who is responsible to
whom under Article 29?
ian
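The point made above, that a server receives every cookie scoped to its domain whether or not it set them, as an added example that is not part of the thread: a small handler that parses a request's Cookie header and separates the cookies this site issues from any it never set. The site's cookie names, the "webwise" cookie name and value, and the sample request are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed: the only cookies this hypothetical site ever sets itself.
SITE_COOKIES = {"session", "basket"}


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie request header into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def classify_cookies(header: str) -> tuple[dict, dict]:
    """Split what the browser sent into cookies this site set and the rest.

    The browser sends every cookie scoped to the domain, so a cookie placed
    in that domain by a third party arrives here without any deliberate
    server-side step to fetch it.
    """
    received = parse_cookie_header(header)
    ours = {k: v for k, v in received.items() if k in SITE_COOKIES}
    unexpected = {k: v for k, v in received.items() if k not in SITE_COOKIES}
    return ours, unexpected


def log_line_for(header: str) -> str:
    """What a naive 'dump all cookies' log entry contains: every cookie's
    value, the ones this site never set included."""
    return "; ".join(f"{k}={v}" for k, v in parse_cookie_header(header).items())


# Constructed request: the site's own cookies plus a third-party cookie that
# was placed in the same domain (name and value are made up for the example).
SAMPLE_HEADER = "session=abc123; basket=3; webwise=UID-CONSTRUCTED-0001"

if __name__ == "__main__":
    ours, unexpected = classify_cookies(SAMPLE_HEADER)
    print("cookies this site set:", ours)
    print("cookies this site never set:", unexpected)
    print("naive log entry:", log_line_for(SAMPLE_HEADER))
```

The split is what lets a site log or discard cookies it did not issue instead of processing them blindly.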