  1. Alex Chudnovsky

    Fndr at Majestic12.co.uk

    16 December 2003 10:51am


    On 14:46:47 15 December 2003 GrahamRoss wrote:

    Graham,

    The argument is based on "The Privacy and
    Electronic Communications (EC Directive) Regulations 2003"
    URL: http://www.hmso.gov.uk/si/si2003/20032426.htm

    My argument below is as follows:

    1. I will show that 6(4) does not apply in a
    number of cases, which would mean that 6(1) must be complied with for these cases (quite typical too)

    2. I will agree about issue of "storage" - this
    was however not essential for my argument

    3. I will demonstrate that the issue of
    gaining "access" is still present _IF_ "delete client side cookies" proposal is offered as the _ONLY_ means of compliance with
    Regulations 6.

    --------------
    Point 1
    --------------

    " 6. - (1) Subject to paragraph (4), a person
    shall not use an electronic communications network to
    store information, or to gain access to information
    stored, in the terminal equipment of a subscriber or user
    unless the requirements of paragraph (2) are met.

    Sorry, I would not agree that it will be valid for
    all cases; here is the full text of 6(4):

    " (4) Paragraph (1) shall not apply to the
    technical storage of, or access to, information -
    (a) for the sole purpose of carrying out or
    facilitating the transmission of a communication over an
    electronic communications network;
    or
    (b) where such storage or access is strictly
    necessary for the provision of an information society service requested by the subscriber or user."

    6(4) won't apply in many cases such as (for
    example) a cookie containing email marketing campaign id which is neither necessary nor required to facilitate the transmission as defined above.

    Since 6(4) won't apply in this and other similar
    cases I conclude that 6(1) and (2) must still be complied with in at least a number of pretty common cases (such as email tracking).

    How typical are my cases? I'd say pretty common.
    Cookies are easier to program than doing full database solution and because of that a lot of people rely on them for things that are not "strictly necessary" - almost all email marketing, banner advertising etc.

    --------------
    Point 2
    --------------

    > So the requirements of paragraph 2 relate only
    > to storage in the terminal equipment of the subscriber or
    > user ie client terminal.

    "Oh yeah, I agree with that." (c) Soldier #2 from
    Monty Python's "Holy Grail"
    URL: http://www.geocities.com/pectacon/MPHG.html

    Apart from the minor bit that I am arguing
    about 6(1), which defines what is NOT allowed
    (storing and/or accessing) unless 6(2) is complied with.

    " 6. - (1) Subject to paragraph (4), a person
    shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless
    the requirements of paragraph (2) are met."

    This is not my main argument however, as the issue
    of storage arose from me using the word "storing"
    data on the server side, with the main issue being discussed
    below.

    --------------
    Point 3
    --------------

    My main argument however was and still is that
    the "access" requirement ie 6 (2)(b) is broken in not so hypothetical case where cookie's value was logged
    on server side for later access by a person (analyst like me) _IF_ user was told to "delete cookies on client side" as means
    of compliance with 6(2)(b) which I quote:

    In fact suggestion to delete cookies on client
    side is not material in my view to compliance or non-compliance of these regulations as by itself the
    deletion on client side:
    a) does not make the site compliant due to broken
    Reg 6(1) due to broken 6(2)(b)
    b) is not necessary to suggest but might be a
    good idea - "best practice" as
    Ashley said but not in my view sufficient to
    comply with law

    ------------------------------
    CONCLUSION
    ------------------------------

    It appears to me that suggesting the user
    "delete cookies" on the client side as the only
    means of compliance with Regulation 6 is not the
    right thing to do, because it will violate 6(2)
    of said regulations in at least a few very
    realistic cases (I think many cases).

    Of course everything above is IANAL and IMHO :)

    regards,

    Alex

  2. Graham Ross

    MD at The ClaimRoom.com Ltd

    16 December 2003 12:36pm


    Alex - I'm afraid you are getting this all wrong.

    > 1. I will show that 6(4) does not apply in a
    >number of cases which would mean that 6(1) must be
    >complied with for these cases (quiet typical too)
    >

    Of course. But you are overlooking the fact that Regulation 6 does not apply AT ALL to server side data retention. It only applies to information stored "in the terminal equipment of a subscriber or user".

    So there can be no breach of these regs for storing data if:-
    1. It's stored on the server or
    2. It's information coming within the categories of exclusion in Reg 6(b) or
    3. A warning and opportunity to remove is given.

    All data stored at the server end has however to comply with the Data Protection Act (ie not excessive and not without a DP notice).

    Cheers

    Graham Ross
    www.TheAdviceRoom.com

  3. Alex Chudnovsky

    Fndr at Majestic12.co.uk

    16 December 2003 12:53pm


    >Alex - I'm afraid you are getting this all wrong.

    Possible.

    >Of course. But you are overlooking the fact that
    >Regulation 6 does not apply AT ALL to server side data
    >retention. It only applies to information stored
    >"in the terminal equipment of a subscriber or
    >user".

    But regulations apply to "ACCESS" to cookie data "stored" as you pointed out on client side - the access is possible as the data was logged on server side. I am talking about specifically cookie values being logged in many server side logs.

    >So there can be no breach of these regs for storing data
    >if:-
    >1. Its stored on the server or
    >2. Its information coming within the categories of
    >exclusion in Reg 6(b) or
    >3. A warning and opportunity to remove is given.

    Agreed about 3) - my original point refers to the suggestion that a warning to delete cookies AFTER some browsing took place that will cause cookie data to be "accessed" (by virtue of being logged on the server side) will be in violation of Regulation 6.

    Here is the scenario:

    1. I click on a link leading to site - this will set email marketing cookie.

    2. I read privacy policy on site that advises me to "delete cookies" using browser's feature.

    3. I keep browsing the site - this will log all accesses with the cookie value as set in 1)

    4. I finish browsing and follow the site's instructions to delete cookies on the client side.

    5. The cookie data on the server side with cookie values is still intact - this can be accessed at a later date by analysts in violation of Reg 6.

    IF there was a warning that this process will take place then Reg 6 should be fine in my opinion.

    IF you only give instructions to remove cookies from client side then these cookie values will still be accessed as they are also stored on server side. If you like these "removal" instructions are not complete and misleading. What's worse is that people on server side will not even know if cookies were deleted by user or just expired - in either case an ACCESS to cookie data can still take place.

    Bottom line is that in the above scenario the cookie data will be accessed against the wishes of a user who will be under the impression that deletion of cookies on the client side will be the end of the story - which it won't, because that data will have already been "accessed" (assuming a person will look at that data, of course).

    regards,

    Alex
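The scenario in Alex's post above, reduced to code. This is an added example, not code from the thread or from any of its participants. It constructs a few Apache-style access-log lines (made up here; the LogFormat that appends the Cookie request header as a final quoted field, the IP address and the cookie names are all assumptions) and shows two things a site operator can check for themselves: that a cookie value written to the server log survives the user deleting the cookie in the browser, and how to redact cookie values during log processing so that later analysis does not see them.

```python
import re

# Constructed Apache combined-style log lines with the request's Cookie header
# appended as a final quoted field (an assumed LogFormat). These are made up for
# this example and are not from the thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2003:14:46:47 +0000] "GET /landing?c=42 HTTP/1.1" 200 512 "-"',
    '203.0.113.5 - - [15/Dec/2003:14:47:02 +0000] "GET /privacy HTTP/1.1" 200 2048 "campaign_id=42; session=abc123"',
    '203.0.113.5 - - [15/Dec/2003:14:49:10 +0000] "GET /products HTTP/1.1" 200 4096 "campaign_id=42; session=abc123"',
]

# The Cookie header is the last double-quoted field on each line.
_LAST_QUOTED = re.compile(r'"([^"]*)"\s*$')


def parse_cookie_header(header):
    """Split 'a=1; b=2' into an ordered list of (name, value) pairs.

    A bare '-' (Apache's marker for "header absent") yields an empty list.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or part == "-":
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def redact_cookie_header(header, allow=frozenset()):
    """Replace each cookie value with '[redacted]' unless its name is allow-listed."""
    pairs = parse_cookie_header(header)
    if not pairs:
        return header
    return "; ".join(
        f"{name}={value}" if name in allow else f"{name}=[redacted]"
        for name, value in pairs
    )


def redact_log_line(line, allow=frozenset()):
    """Return the log line with its Cookie field redacted; lines without one pass through."""
    match = _LAST_QUOTED.search(line)
    if not match:
        return line
    cleaned = redact_cookie_header(match.group(1), allow)
    return line[: match.start(1)] + cleaned + line[match.end(1) :]


def cookie_values_in_log(lines, name):
    """Distinct values recorded for one cookie name across the whole log.

    Deleting the cookie in the browser only changes future requests; this set
    is what an analyst reading the retained log can still see afterwards.
    """
    values = set()
    for line in lines:
        match = _LAST_QUOTED.search(line)
        if not match:
            continue
        for cookie_name, value in parse_cookie_header(match.group(1)):
            if cookie_name == name:
                values.add(value)
    return values


if __name__ == "__main__":
    # After step 4 of the scenario the browser no longer sends the cookie, but
    # the retained log still carries the campaign id from steps 1-3.
    print("campaign ids still in log:", cookie_values_in_log(SAMPLE_LOG, "campaign_id"))
    # Redacting at ingestion time is what removes them from later access.
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

The allow-list exists so a deployment can keep a named cookie whose value carries no identifier (a language preference, say); anything not explicitly allowed is blanked, which is the safer default for the email-campaign and tracking cookies the thread is about.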

  4. Russell Potter

    Marketing Consultant at Email Marketing Solutions

    16 December 2003 16:14pm


    Alex,

    I would argue that once a cookie's value is logged to the server, it ceases to be "cookie data" & becomes "just data". In your example, it is therefore a data protection issue rather than a cookie issue.

    Graham, many thanks for your help in clarifying some of the issues. It's appreciated.

    Russell

  5. Alex Chudnovsky

    Fndr at Majestic12.co.uk

    16 December 2003 17:30pm


    >I would argue that once a cookie's value is logged to the
    >server, it ceases to be "cookie data" &
    >becomes "just data". In your example, it is
    >therefore a data protection issue rather than a cookie

    Russell, I am afraid the legislation in question does not differentiate between different naming conventions such as "cookies". It addresses "information" usage - you may call it cookie, data, info etc - it does not change the fact that by having this "information" logged on the server side you cannot claim to be compliant by giving people the choice to delete cookie data on the client side.

    6(2) clearly states:

    "(2) The requirements are that the subscriber or user of that terminal equipment -

    (a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and

    (b) is given the opportunity to refuse the storage of or access to that information."

    A suggestion to delete cookies on the client side is not sufficient to satisfy 6(b) simply because it may be logged on the server side - confidentiality of data may be breached against the user's wishes.

  6. Graham Ross

    MD at The ClaimRoom.com Ltd

    17 December 2003 15:05pm


    >Suggestion to delete cookies on client side is not
    >sufficient to satisfy 6(b) simply because it may be logged
    >on server side - confidentiality of data may be breached against user
    >wishes.

    Alex - Forgive me but you are still missing the whole point. Whenever Regulation 6 refers to 'information' it only refers to information stored on the client side. The reference in 6(4)(b) to 'access to THAT information' is access to information on the client side. The fact that there is data stored on the server is irrelevant. This is just about cookies. Server-stored information is covered by the DPA only.

    Can we drop this now and agree to disagree, unless anyone else wishes to chip in.

    Graham

  7. Alex Chudnovsky

    Fndr at Majestic12.co.uk

    17 December 2003 15:18pm


    Graham,

    >Can we drop this now and agree to disagree, unless anyone
    >else wishes to chip in.

    Yes I can agree on that. I hope future application of these regulations will provide some clarity.

    Cheers for taking the time to respond to my comments.

    regards,

    alex
