On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection
© Springer Science+Business Media Dordrecht 2015Serge Gutwirth, Ronald Leenes and Paul de Hert (eds.)Reforming European Data Protection LawLaw, Governance and Technology Series2010.1007/978-94-017-9385-8_2
2. On-line Behavioral Tracking: What May Change After the Legal Reform on Personal Data Protection
Department of Security and Privacy, Deloitte Bedrijfsrevisoren/Réviseurs d’Entreprises, Diegem, Belgium
Georgia Skouma (Corresponding author)
On-line tracking has gained over the last years a new dimension: it has become an intrinsic part of our Internet-driven society. It touches all levels and types of industries. Consequently, more and more individuals become the target of this trend as routinely users of the internet. On-line tracking techniques are subject to the European personal data protection rules currently in force, insofar as they process information that identifies or may potentially identify a natural person. Nevertheless, the unprecedented threats that such techniques entail to privacy must have been a core motive opening the way towards the revision of the privacy regulations applicable today. New requirements and concepts strengthening the rights of data subjects and the obligations of data controllers or processors are set forth in the current draft of the new Regulation (currently under discussion within the EU institutions). This envisaged legal reform may however prove to be insufficient unless, at the same time, effective measures are adopted to help both on-line users, especially those of young age, and the companies implementing on-line tracking tools in order to change their approach to privacy.
The opinions expressed in this article reflect the personal views of the authors and do not engage in any way whatsoever the company with whom they are working.
With the exponential growth of “smart” technologies, new forms of tracking individuals’ behavior, habits, and personality have emerged. Amongst those, the tracking of users while they are interacting over the Internet (on-line tracking), has proved its added-value primarily to marketing and advertising companies, but also other industries which increasingly use those smart techniques next to other intelligent “customer relationship management” (CRM) tools.
The majority of on-line tracking technologies today is based on cookies; by using cookies as the backbone, the designers of on-line tracking tools have developed other smart applications. On-line tracking applications of the latest technology combine users’ data through observation tags, analyze them using algorithms, and then compare them with a mass of other data that have been collected by many other users. The purpose of the data analysis and mapping to the “stock” of data already collected is to adduce some conclusions about the interests, marketing and buying habits of the tracked individuals. Other on-line tracking smart solutions dig into the traces website users leave on social networking tools, combine them with data collected off-line, and make up with sometimes (not) so great accuracy the profile of an individual.
All above on-line tracking techniques are already subject to the European personal data protection rules underpinned in the current Data Protection Directive (95/46/EC) insofar as they process information that identifies or may potentially identify a natural person. The basic personal data protection requirements stemming from the principles of purpose limitation, data minimization, proportionality, transparency, data destruction—to mention only some of those—are undoubtedly of great relevance here. Nevertheless, at the time the Directive was enacted, the EU legislator could not predict the massive use of on-line tracking tools we are all subject to nowadays as routine internet users. This is probably one of the reasons why the draft Regulation on personal data protection (“Regulation”), that is ought to replace the aforementioned Directive, reserves in its current wording very specific phrasing around users’ monitoring and profiling. First, it seems that the risks associated with online activity have been one of the major incentives to suggest the revision of the existing regulatory framework of personal data protection (Recital 7 of Regulation). Second, a number of requirements set forth in the Regulation strengthen and specify more practically legal rules that are found back in the current legislative framework. This is the case notably with the consent, transparency, and notice requirements. Finally, yet most importantly, a few new concepts formally introduced by the Regulation for the first time, such as the privacy by design principle or the right to be forgotten (or right to erasure) will have a major impact (on condition that they are effectively implemented) on the designers of the on-line tracking solutions, as well as on the companies implementing them.
Yet if the Regulation is adopted with the wording proposed today (or stricter one), will this ensure that the overarching privacy right of the on-line users and the rights resulting from it will be better protected? Undoubtedly this will not be the case if the user’s mentality around the “on-line activity” does not change. Users, especially those of young age, many times truly addicted to the network, must constantly reminded of the huge potential that their data represent for marketing companies but also for any other organization wishing to learn about them (headhunters, employers, social networks, press and media, police, law enforcement agencies and so on). Moreover, actions to incentivize on-line users and the implementers of on-line tracking technologies to demand proven controls from the designers and vendors of such tools that they adequately safeguard users’ privacy may be an addition to ensure better and effective protection. Regulators, standards-setting bodies, and public interest organizations are some of the categories of market stakeholders who could efficiently drive and monitor users’ and implementers’ awareness, education, and if needed, meaningful enforcement.
2.1 On-line Behavioral Tracking
2.1.1 Definition and Today’s Trends
If on-line behavioral tracking has its roots in the marketing industry,1 it has gained over the years and due to the emergence of smart technologies, a new dimension: currently, behavioral tracking has become an intrinsic part of our internet-driven society. From a marketing trend (known as on-line behavioral advertising), it has rapidly become a general industry trend with a deep impact on our everyday activities; it crosses the borders of our privacy. In that sense, the citizen of our Information Society today is tracked constantly on the street (camera surveillance), in car (radars and geo-localization devices), at the workplace (badging, biometrics, monitoring of PC and phone) or during the majority of his other activities (travelling, shopping – RFID –, leisure, and so on).
Amongst all these methods of tracking individuals’ behavior, the on-line behavioral tracking represents an important part, as it happens easily and is based on common technological tools an individual is carrying (such as a laptop, a smart-phone, an iPad) and which provide connection to the Internet. In other words, on-line tracking consists of recording and collecting data linked to an individual visiting the Internet through such tools over a period of time in order to gain information on this individual.2 The information collected forms a source of knowledge linked to the person in question. The knowledge involved in tracking is not empirical or technical. On-line tracking has actually been turning into a real science (part of marketing “intelligence”) in which professionals are developing advanced models and patents to optimize the analysis over the data tracked and provide “unique” insights. The on-line behavioral tracking enables the collection of many and diverse data about a person, ranging from merely identification details (such as a user name or a subscriber’s name) or the means connecting the person to the internet (IP address), to information which could reveal a lot about an individual’s personality, hobbies, interests, shopping habits, favorite activities and so on. Many times, the data tracked through the on-line behavioral techniques explained below are even sensitive data (revealing a person’s sexual orientation or philosophical beliefs, for example). If the collection of the data is the first dimension of the on-line behavioral tracking, the second is the “mapping together” or correlation of these data in order to adduce meaningful conclusions about such individual (e.g. about his habits, interests, etc.) or in order to situate him in a particular category (e.g., the type of “buyer” he is). A third dimension is the assembling of data and the comparison of this set of data with other matched data referring to other persons or categories of persons with a view to creating the user’s profile.
Examples of online behavioral tracking are broadly discussed in literature and refer to real examples from ordinary web users while surfing on the internet. Imagine yourself visiting an e-commerce website selling clothes. You are specifically searching for shoes. The day after, you visit again the same e-commerce website and the website proposes you a selection of articles you may like. The selection is only composed of pairs of shoes. Even though you did not purchase the product at the end, the site recorded your preferences and adapted the content it to your interests. The majority of the stated examples, as this one, discuss on-line behavioral tracking as used by the marketing and sales industry and, more in particular, in an advertising context.3 Yet, some types of on-line tracking technologies may target citizens for other reasons, such as in order to detect a person’s political affiliation and societal activities, work history, social networking activity, religious convictions, and other aspects of his private life and personality. In the same vein, the reasons for performing online behavioral tracking vary from merely lucrative and consumption-driven (advertising) reasons to political motives or reasons related to public and state safety, public security and the like. Thus, targeted advertising online is just a facet of tracking and probably the most widespread one, but not necessarily the only one.
2.1.2 Techniques of Online Tracking
On-line tracking techniques and intelligent “searching” over the internet evolve as fast as “smart” automated technology evolves in general. On the other hand, the research community, with sometimes contributions of industry, have been increasing their efforts to promote technological solutions that enable citizens to better control their data on-line.4 Moreover, regulators, public interest stakeholders and the EU legislative bodies seem eager to enhancing users’ awareness around the so-called Privacy Enhancing Technologies (PETs).5
Which are however the most common “business intelligent” techniques and tools nowadays which collect the human traces on the internet? The predominant technological means used remains the cookie.
The section below discusses the role that cookies could play in on-line tracking, as well as a number of other tools and market trends that systematically or inadvertently can scrutinize individuals and their behavior on-line. The purpose of the section is not to provide an exhaustive list of such techniques but to stress to the reader how tools that represent today “widely accepted” business practices may hide, each one to a less or greater extent, a threat to privacy.
126.96.36.199 On-line Scrutiny Through Cookies: Are They Always a Threat to Privacy?
A cookie is a “piece of text stored by a user’s web browser and transmitted as part of an HTTP request”. 6 It contains bits of information and it is set by a web server.
A first distinction that can be made between the different types of cookies used is between “first party” and “third party” cookies. First-party cookies are implemented by companies on their own websites enabling such companies to interact directly with the users who visit their sites. On the contrary, when a company enables other third parties to track the users visiting its website, for example, by placing advertisements of third party vendors, then we talk about “third party” cookies.7 Companies implementing first party cookies can control better the types of information that is stored on the cookies and decide on their own how to use the information collected through their own cookies. On the contrary, the companies accepting cookies of other vendors on their websites often waive any responsibility relating to how the companies having placed the cookies will treat the information collected through such cookies. It is obvious that third party cookies represent a greater risk to privacy compared to first party cookies since in the first case it becomes more complicated for users to keep an effective control over their data.
A second notable differentiator amongst the cookies used on vendors’ websites is the time of tracking. It is generally accepted that session cookies are less offensive to individual’s privacy as they capture information on the website instantly and they are automatically deleted when closing the browser. Accordingly, the session cookies store information when the user is interacting with the website. The information stored on session cookies are typically navigation choices and preferences of the users. The law and market practices tend to consider session cookies as useful for a good navigation along a website.8
Contrary to session cookies, the persistent cookies remain when closing the browser and need to be deleted by the user or with a planned cleaning set up in the browser settings. The persistent cookies aim in general to collect identifying information, interests of the users navigating on a website, preferences and authentication information. They allow the connection between pragmatic information and a specific user, and they are reactivated by design when the user comes back to the website.
For these reasons, persistent cookies raise serious concerns from a privacy point of view. The knowledge accumulated within the cookies resulting from the users’ navigation and clicking on the URL of different webpages, targets users with personalized advertisements, tailored to the purported preferences and pattern of the behavior the user expressed on-line.
To be noted that, in most cases, the way in which the company defines the parameters of information collection through cookies is a decisive factor for qualifying the cookie as really “privacy intrusive” or not. An example could help us illustrate this observation. Let us imagine a company using session cookies that instantly capture very basic details identifying an individual (e.g. the user name and password the user has used for registration on the website). Concurrently, the said company has foreseen that the data will be stored on such cookies in an encrypted form. On the opposite to that, another company displays on its website third party cookies that collect not only basic identifying information about a user but also more sensitive information, such as the number of the user’s credit card or the product purchases he effected on the site. In both cases, the same technology is used (cookies), but the way in which cookies are designed to capture information is different.
188.8.131.52 Stateless Tracking
Without using cookies or other tracking technologies, web browser identification can be used as a tracking method.10 Indeed, web browsers provide information such as fonts, screen resolution, equipment used and the like, that may allow the recognition of a web browser amongst others. This tracking method, also called Browser Fingerprinting, is more difficult to block as it is particularly difficult to detect.11
184.108.40.206 Supercookies and Evercookies
Over the years, users have taken into consideration the threats associated to their privacy by tracking techniques when navigating on a website. They have also been offered new applications that are designed to block cookies and delete them on a regular basis. Therefore, new means of tracking have emerged. Amongst these, new types of cookies have appeared: supercookies and evervookies.12 , 13 , 14
Supercookies, also called Flash cookies are robust tracking mechanisms placed on a user’s computer.15 Flash cookies are often linked and placed by Adobe Flash plug-in on websites. These cookies collect personal or technical information. As in other types of cookies, when supercookies are installed no specific notification is provided to users and they do not expire. What makes supercookies more “privacy-evasive” than the aforementioned other types of cookies is that, as they are located outside the browser’s control, it makes it more difficult for the user to delete and control them.16
220.127.116.11 Location Tracking
The geo-location plug-in installed on most of the popular browser and now installed on every smartphone, can be used as a tracking tool. On the basis of the user’s consent, the browser shares information such as the IP address, the MAC address, and so on. Although a consent is asked to start this function, the users generally do not measure the impact of their consent and the frequency and accuracy of the localization performed.
Finally, users lose their location privacy, defined as “the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use”. 19 Location privacy is considered as part of each individual’s privacy and is important to preserve. The concern here is that the new technologies enabling location tracking are becoming an increasingly widespread, cheap, easy, and accepted method to track users and collect valuable information.
18.104.22.168 Online Social Network Tracking
Social networks do not represent a particular “technology” or “tracking method” as the types of tracking techniques outlined above. Yet, online social networks constitute today an extremely popular trend encouraging people to stay continually “in contact”, “be watched” or “followed”. Surprisingly enough, such networks sometimes even promote the “tracking” as an asset of their website (for example, through an additional subscription fee, it could be possible for members to learn who other member looked at their personal details – like a cv – or who clicked on their profile to learn more about them).
Many users not only find this type of “tracking” trend normal but, all the more, they are seeking for it and are ready to pay extra to get it. On the other hand, there are social network members who usually consider the extra “tracking” features of social networking as “a necessary bad” that has to be tolerated, given that the privacy threats it entails are outweighed by the pleasure and other benefits resulting from users’ interaction on social networking sites.
This type of tracking uses users’ addiction to social networks in order to track every detail of the users’ every-day activities including those of their close family and friends. A number of heavily-used and well-known networks, such as Facebook,20 Twitter,21 Pinterest22 and LinkedIn23 have recourse to this on-line tracking technique.
Take the example provided by A. Roosendaal: the Facebook Like Button. 24 According to Facebook, this widget allows users to share their interests and preferences between them. However, the scope of this tool is far broader then what Facebook seems to tell. As explained by Roosendaal, when the users click on the Like button, a login field opens and require the user to log in his Facebook account. After the user has logged in, a link will be created in the feed of news in Facebook and the network of the user will be able to see the content of the link. No need to be connected to an account to be tracked. The simple fact of visiting a website on which a Like button has been placed is sufficient to track Facebook members, and even non-members. Non-members can also be traced if they have already visited the social network website once. The scope is therefore enlarged to other subjects that the subscribers, and to other websites than the social media website. In addition, the awareness around this tracking technique is not very extensive and, therefore, the volume of data processed is incredibly high, which represent a very high financial value.
2.1.3 Risks of On-line Tracking
A major, common trend of some of the on-line tracking techniques discussed above is that the captured information is used for an array of intentions and purposes, predominantly for marketing reasons. It is rare that users are sufficiently aware of all the current, envisaged and potential (over time) uses of their data by the companies they are interacting with on the Internet. Yet, in our view, it is encouraging that some improvement can be noticed in this direction since the entry into force of the e-Privacy directive (as discussed below). Commercial and marketing agents have well understood the financial potential25 of this knowledge and have built entire businesses on the potential of on-line behavioral tracking. Through the capturing and processing of different traces an internet user leaves on-line while visiting the same or different websites, companies are capable of creating user profiles.
Profiling is the recording and classification of behaviors. Although profiling has already been an intelligent marketing method based on information that can also be collected off-line (property and bank records, subscriptions selling, publicly available records, and so on), the Internet dynamics added an efficient, new dimension to it. Companies and on-line vendors can now track individuals constantly, and quite often, through a “voluntary” submission of personal information by the user to the network. Worse than that, many users consider the sharing of certain personal information through the internet as a “necessary bad” or a “societal necessity” (e.g., in order to adhere to a popular social network or to receive considerably discounted offers by online vendors). Profiling in general has sparked an entire industry euphemistically labeled “Customer Relations Management” (CRM) or “Personalization”.26 On-line profiling, in particular, has significantly expanded the sources for performing data correlations with a view to compiling users’ dossier of behavior, that may be correct but might even not. These dossiers of behavior may be used by marketers for target advertising but they can also be sold to governments for law enforcement or other government related purposes (national security, national defense and so on).
Moreover, today’s behavioral tracking techniques are so powerful that they allow to link anonymous data to specific individuals. The Like Button of Facebook is a good example. Marketing companies’ websites being in possession of named (true or not) profiles which are not properly secured, are more vulnerable to cyber incidents and data breach threats. It is probably not exaggerating to say that all these profiles could at the end be accessed by professional hackers, either to commit criminal acts against the profiled individuals or in their name by using their profile and identity.27
Further, one of the ultimate objectives of the on-line behavioral tracking is the personalization of the website content presented to the users. Despite the well-intended purpose of method (gain in time, result-oriented web surfing, tailored content to the users’ needs), it is not always a given that the operator using automated web personalization through cookies knows better the user’s preferences and needs than the user himself. On the contrary, a user could arguably claim that, as he is automatically directed to content which is presumed to be of interest to him, he may misses the opportunity to look at other content which is useful to him or which becomes relevant because of a change in the person’s habits or way of living. At the end, the tracking technology restrict users’ freedom to look at “neutral” information being objectively communicated to all users.
2.2 On-line Tracking Under the Current Data Protection Legal Framework
On-line tracking as a market trend supported by specific technologies (as discussed above) falls under the applicability scope of the core data protection regulation currently in-force in Europe. We briefly outline below how the major rules and core foundations of the applicable data protection framework become relevant to on-line tracking. This means that, today, on-line tracking technologies are not developed and used in a legal vacuum as explained below.
2.2.1 Personal Data Protection Directive
The processing of personal data by the use of on-line behavioral techniques as the ones referred above is subject to the requirements of the general EU Data Protection Directive (Directive 95/46/EC, herein the “Data Protection Directive”). The cornerstone principles of this directive must be observed and applied effectively by the parties involved in on-line tracking. Besides the citizen being the party who can benefit from the protection of this law, other parties concerned are: i) vendors of such on-line tracking technologies (software/hardware companies) and ii) the implementers of such applications (advertising and market research companies, as well as any other company wishing to reap up the benefits of such technologies for their own marketing and selling activities or other purposes).28
On top of the Data Protection Directive, another EU legal act specifies the requirements of the processing of personal data in the electronic communications sector (EU Directive 2002/58 as amended). One of the major changes brought by the latter Directive, the so-called e-Privacy Directive, tackled a core aspect of the subject matter under discussion here, namely the type of consent that should be obtained from the individual subject to on-line tracing techniques, including on-line behavioral tracking.
Specifically, current Article 5 §3 of the e-Privacy Directive reads:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent , having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.
In the same vein, Recital 66 of the directive which introduced the latest amendments to the e-Privacy Directive,29 stressed the importance for users to be provided with clear and comprehensive information when engaging in an activity which could result in behavioral tracking. In the same Recital, it is emphasized that the methods of providing information and offering the right to refuse should be as user-friendly as possible.
Although the aspect of user notice (consent) has appeared to be probably the biggest challenge in the interpretation of the revised e-Privacy directive (see below, Sect. 22.214.171.124), the other privacy foundations as enshrined into the Data Protection Directive are also worthy of commenting.
2.2.2 Applicability of the Core Foundations of Personal Data Protection
126.96.36.199 Purpose Limitation
Personal data must be collected for a purpose defined in advance.30 With regard to on-line tracking tools, the purpose for collecting data must be legitimate. The collection and storage of data must then be aligned with the defined purpose.31 In addition, the collection of data cannot override the purpose for which the on-line user has given his consent.32 Let us take as example the privacy statement published on the website of a market research organization explaining that, while it uses on-line tracking tools, the captured data will only be used to build up statistics on the number of visits that “hit” the website. If the market research company then uses the data for another purpose that is not directly linked to verifying the initial purpose, for example in order to sell those data to a number of companies interested in sending their on-line surveys to new prospects, then the “purpose limitation” rule has clearly been infringed.