* Posts by Alexander Hanff 1

205 posts • joined 1 Jul 2009

MEPs vote to update 'cookie law' despite ad industry pressure

Alexander Hanff 1

Re: Umm WTF?

"Also in June, the Developers Alliance and IAB Europe held a round-table discussion in the European Parliament on “The impact of the proposed ePrivacy Regulation on the data-driven ecosystem”, with MEPs Michał Boni and Daniel Dalton. The event was framed as how the draft ePrivacy regulation would impact upon “innovative companies”, innovation being a key EU policy mantra which is often used to mean that nothing must get in the way of business doing business."

Having sat in sessions with him at the EP on the draft regulation I can personally verify that he has sung the song of a dutiful IAB spokesperson in every single event he has attended on the Regulation and refused to provide any evidence to support his position whilst refusing to acknowledge the vast mountain of evidence supporting the opposing view.

Just this week, he displayed his overwhelming ignorance in a series of tweets which were challenged by several long time privacy experts and groups to which he was unable and unwilling to answer or again provide supporting evidence for his position. I even offered to donate £100 to a charity of his choice if he could provide evidence of just 25% public support from a poll on his position.

2
0
Alexander Hanff 1

Re: Umm WTF?

He is in ECR Group (which should be the first alarm bell) and is in LIBE and IMCO (which does not a civil rights advocate make). Being a member of a committee doesn't mean you are pro civil liberties - many of the pro corporate people join various committees in an attempt to influence votes - that's politics.

http://www.europarl.europa.eu/ep-dat/35135_16-02-2017.pdf

http://www.europarl.europa.eu/ep-dat/35135_23-08-2015.pdf

https://corporateeurope.org/power-lobbies/2017/10/big-data-watching-you

2
0
Alexander Hanff 1

Umm WTF?

"MEPs in the European Conservatives and Reformists party have responded similarly, with civil liberties spokesman Dan Dalton saying that the vote "gets the balance all wrong" and risks the future of online services."

Dan Dalton is NOT a civil liberties spokesman - he is an industry influenced shill - I can't even believe you typed that - a clear lack of investigative journalism there. Not only is he an industry man, he is completely clueless about technology - I have seen badgers dead at the side of the road with more technical acuity than Daniel Dalton - to call him an imbecile would be an insult to Trumpsters across the world.

Seriously, change that, it is embarrassing to see such a statement on El Reg...

5
0
Alexander Hanff 1

Re: Session cookies

You should probably read the legislation before making unqualified comments - both 2002/58/EC and the draft ePR take into account session cookies (providing they are necessary and proportionate).

3
0
Alexander Hanff 1

Not really a narrow majority

The vote was opposed by members of EPP - the majority of committees approved the draft and compromises were made on many issues which were not approved. EPP were kicked out of the negotiations because they were trying to gut the entire draft and weaken existing laws. There is very little chance this will not pass a full vote of Parliament at plenary next week - the LIBE vote was the main hurdle at this stage.

The only real difficulty we face now is ensuring this gets through the Council without too much damage.

I have worked on the draft for the past 18 months and was a special adviser to the rapporteur (some of my text actually appears in the draft) so I have been very close to the discussions at all levels. It has been a tough battle but there is an urgency among many MEPs to introduce a strong regulation which protects our Article 7 rights under the EU Charter.

The very fact that there is such a tough stance on state interference with encryption is a clear indication of just how important MEPs think these rights are.

The result yesterday was a very good result for privacy and I know I and many others will continue to drive the regulation through to adoption whilst keeping as close to the current draft as possible. But it will take you guys to do some work too - you need to write to your ministers and MEPs and make it clear to them that this is an important issue and that (providing you agree of course) you will vote for a competitor in the next election if they do not represent your rights in this matter.

Do not allow the industry lobby to create a privacy underclass. See my plea on this (which I wrote on Monday night before heading to Brussels) and take action yourself to help protect your fundamental rights - we need literally 10s of thousands of people across Europe to take their elected officials to task on this issue, the risk of losing privacy is very real if you don't. And please (as I always recommend) try to send faxes or paper letters - they cost a great deal more money to process than emails and are far more likely to attract attention when they start eating into MEP and Ministerial budgets. If 100 000 people send emails, they are cheap and easy to process - if 100 000 people send letters and faxes they require personnel and paper to process; when it comes to lobbying and campaigning, paper is ALWAYS better than bits and bytes.

https://privacy-news.net/news_article/59e5160efd15cc51097e9a47

10
0

US Congress mulls first 'hack back' revenge law. And yup, you can guess what it'll let people do

Alexander Hanff 1

So they would be able to hack the NSA, CIA and other TLAs now? Or did they include an exemption for security services hacking you?

3
0

Uber sued by Uber for tarnishing the good name of Uber

Alexander Hanff 1

How about "This is not the ride share service you are looking for..."

0
0

Scouse marketing scamps scalped £70k for 100,000+ nuisance calls

Alexander Hanff 1

Re: Unicorn hunt

I can think of several who presumably have given their utter support of the usefulness and economic value of commercial stalking^Wmarketing by consenting to automated calls:

1. Nick Stringer - IAB

2. Ed Vaizey - Former Minister of Culture, Communications and Creative Industries

3. Lord West - because there must be a surveillance angle there somewhere

4. Kent Ertugrul - CEO of the late Phorm

5. City of London Police - They love all businesses especially when they buy them nice lunches.

13
0

Apple's iPhone X won't experience the joy of 6...

Alexander Hanff 1

Umm X is not the right device for market metrics

The iPhone X was never produced as a market booster and should not be used to measure market trends - it was a concept phone that Apple knew would appeal to only a modest percentage of their customers. The iPhone 8 and 8 Plus are the phones which should be used to gauge market response - that was the primary release and is the device most customers are likely to upgrade to.

The X (and its descendants) may be relevant next year if Apple moves towards that design for its primary market but until the two lines converge the X should simply be considered as a PoC for future generations.

3
1

VPN logs helped unmask alleged 'net stalker, say feds

Alexander Hanff 1

Re: Completely incorrect

That is a somewhat unqualified presumption. Many people use VPNs because they value privacy - that doesn't make them criminals.

3
0
Alexander Hanff 1

Completely incorrect

“There is no such thing as a VPN that doesn't keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”

This is factually incorrect, I have been running OpenVPN on my server for about 10 years and there is not a single log file - so yes a VPN can be configured to not log anything. I think what you meant was "there is no such thing as a VPN service that doesn't keep logs..." and I suspect that may be true (although there are several who claim they don't).

What the FBI did do here though is just destroy PureVPN's business as I suspect people will now run for the hills knowing that PureVPN is not only logging but working with LEAs.

11
0
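One way to test the claim in the comment above that an OpenVPN server can be configured to keep no logs, as an added example that is not part of the original post: a small checker that flags server directives which leave records. The directive list is a selection rather than an exhaustive one, and both sample configurations are constructed for illustration.

```python
"""Flag OpenVPN server directives that leave records on disk or in syslog."""
import shlex

# Directive -> what it records. A selection for this example, not exhaustive.
RECORDING = {
    "status": "periodically writes the list of connected clients",
    "ifconfig-pool-persist": "stores client-name to virtual-IP assignments",
    "client-connect": "runs a script per connection, which may record it",
    "client-disconnect": "runs a script per disconnect, which may record it",
    "learn-address": "runs a script when a client address is learned",
}
DISCARD = {"/dev/null"}  # targets that throw the output away


def parse(text):
    """Yield (lineno, directive, args), skipping blank lines and comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            yield lineno, parts[0].lstrip("-"), parts[1:]


def check(text):
    """Return (lineno, directive, reason) for every record-keeping setting."""
    findings = []
    log_target = None
    verb = 1          # OpenVPN's default verbosity when `verb` is absent
    to_syslog = False
    for lineno, name, args in parse(text):
        target = args[0] if args else None
        if name in ("log", "log-append"):
            log_target = target
            if target not in DISCARD:
                findings.append((lineno, name, "writes the message log to a file"))
        elif name == "verb" and args:
            verb = int(args[0])
        elif name in ("daemon", "syslog"):
            to_syslog = True
        elif name in RECORDING and target not in DISCARD:
            findings.append((lineno, name, RECORDING[name]))
    # Without a `log` directive a daemonised server sends messages to syslog.
    if to_syslog and log_target is None and verb > 0:
        findings.append((0, "daemon", "messages go to syslog at verb %d" % verb))
    return findings


# Constructed sample: a typical distribution-style server config.
LOGGING_CONF = """\
port 1194
proto udp
dev tun
daemon
verb 3
status /var/log/openvpn-status.log
ifconfig-pool-persist ipp.txt
log-append /var/log/openvpn.log
"""

# Constructed sample: the same server with record-keeping switched off.
QUIET_CONF = """\
port 1194
proto udp
dev tun
daemon
verb 0
log /dev/null
"""

if __name__ == "__main__":
    for label, conf in (("logging", LOGGING_CONF), ("quiet", QUIET_CONF)):
        print(label, check(conf))
```

The checker only reads the OpenVPN configuration itself; firewall, accounting or hosting-provider logs on the same machine are outside what it can see.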

Schrems busts Privacy Shield wide open

Alexander Hanff 1

Re: So Much for EU Data Privacy

The difference is we have an "effective remedy" - in other words we can take our governments to court and win (lots of case law on this in ECtHR) and EU governments can be forced to change their laws (see RIPA in the UK, Data Retention Directive etc. - again lots of case law).

There is no dispute that EU governments spy - but if they break the rules and you find out about it, you can (in theory) take them to court and win.

The Law has never been about being able to stop people doing bad things - nothing will ever stop that. The Law is about providing effective means of redress (effective remedy) when bad things are done.

0
0
Alexander Hanff 1

Re: Data exporting is a way to get around data protection laws

Actually it rarely means that your data is safe (I have written on this many times) - if the data center is owned by a US corporation or even if they set up a subsidiary (such as Twitter, Facebook etc.) then it is all fair under US law because these subsidiaries are owned by the US corps and as an asset of the corps they and any tangible things they have (such as data) can be seized under US law (no matter where they are located in the world).

The DOJ actually screwed up in the Microsoft case - they used the wrong law to try to obtain the emails (Stored Communications Act if I remember correctly) - there are multiple other instruments they could have used which would have been more effective (such as FISAAA and at the time PATRIOT or even an NSL) because they were complacent and figured they wouldn't be challenged.

With regards to the UK spying on US citizens and then sending that back to the US - no you are mistaken in thinking that is legal it is not, it is surveillance by proxy and both Congress and the Senate have already stated this is not legal.

The biggest issue US citizens have is that companies are not protected by the 4th Amendment leaving them wide open to s215 of PATRIOT until 2015 at which time it was not renewed - however FISA has since been amended under Title 1 - Business Records to provide similar access to 'tangible things' relating to US citizens (the entire thing is currently a mess that Trump is certainly not coherent enough or interested enough to fix).

So it is a little more complex than most people might think...

0
0
Alexander Hanff 1

Re: Post Brexit this will happen to the UK

Post Brexit the UK will have to obtain an adequacy decision just the same as any other country not in the EU and given there are existing infringement proceedings against the UK for not correctly implementing 95/46/EC (the Data Protection Directive) with 7 outstanding issues that the European Commission will not disclose because they claim it would do irreparable damage to International Relations (read that as holy shit they are doing some really bad stuff at GCHQ), despite having received multiple FOI requests for the details; it is HIGHLY unlikely an adequacy agreement will be forthcoming, meaning it will be illegal to send data from the EU to the UK (and actually this will be the default until an adequacy decision is made - so the day Brexit happens it will become illegal to transfer personal data to the UK).

Unless by some miracle another arrangement is put into place prior to Brexit as part of the agreement (not bloody likely).

0
0
Alexander Hanff 1

Re: Well, I told you so.

Oh please not another "the fines, the fines" - very few organisations will see large fines as a result of a breach under GDPR - this has been made clear over and over again by various Supervisory Authorities. Very serious cases where there was a lack of due diligence by the Data Controller will result in fines but even then, few will result in the maximum penalty.

GDPR should not be presented as a big stick because it will not make corporations behave appropriately - what companies should be doing is looking at the positive things in GDPR such as creating structured business processes with accountability, security and data protection by design, transparency. Using these positives to create a competitive advantage and build trust.

GDPR is not about huge fines and never has been - it is focused on trying to make companies behave more responsibly and at its very core it is built on the premise of protecting the Fundamental Rights of people living in the EU (Article 8 of the EU Charter specifically).

I have been doing this a long long time (waay before Schrems and Snowden) and have taken on corporations many times with some very significant successes, as well as having been directly involved in the changes to EU law - and even I don't wave the 4% stick around. Ruling by fear does not work - changing minds to work in a better, more ethical and quite frankly more efficient way is how we save privacy. Please do stop trying to undo all the hard work real privacy advocates have been doing.

0
0
Alexander Hanff 1

Ummm no - this will have no impact on Privacy Shield (yet)...

There seems to be some confusion here - this case has no bearing on Privacy Shield (yet) - this case is entirely related to Standard Contractual Clauses.

The judge stated that despite the Ombudsman (which was introduced as a role under Privacy Shield and a role which has yet to even be filled) there is still no sufficient remedy under Art.47.

When the case goes to the CJEU, they will rule solely on Standard Contractual Clauses and whether or not European Commission decisions 2991/497/EC, 2004/915/EC & 2010/87/EU are valid. These are the EU Commission decisions which make Standard Contractual Clauses a legal basis for an international transfer (and in this particular case with regards to the United States).

It is likely they will rule against these decisions and invalidate SCC's (because if they don't they contradict their previous ruling on Safe Harbor as they are addressing identical issues) but this will not invalidate Privacy Shield (or Binding Corporate Rules, which is currently the other legal basis used by many global organisations based in the US).

What will happen after that is another case will need to be brought regarding Binding Corporate Rules and then another one regarding Privacy Shield (all on the same grounds as Safe Harbour and Standard Contractual Clauses).

There have already been attempts to bring Privacy Shield to the CJEU by a French NGO, but they were blocked by the European Commission on the grounds that currently, organisations cannot file cases unless they are directly impacted (this changes once GDPR starts being enforced in May - as that allows organisations to file cases on behalf of citizens). This was a shitty move by the Commission because it was obviously just a stalling tactic but you can kind of understand why they did it (to try and fix Privacy Shield before May 2018 - which of course won't happen).

TL;DR?

This case will not invalidate Privacy Shield or Binding Corporate Rules because they are not the models on trial;

This case is highly likely to invalidate Standard Contractual Clauses.

0
0

Huawei Honor 8 Pro: Makes iPhone 7 Plus look a bit crap

Alexander Hanff 1

And still shovelling Android

It doesn't matter how good the hardware is (and let's forget about Huawei's ties to the Chinese Government for just a few minutes), it is still an Android phone. You couldn't pay me to use an Android device - and I mean that literally - if you offered me 5k Euros a month to use Android, I would say no.

Irrespective of whether or not Apple are keeping up with the hardware, iOS is why I buy Apple, not the hardware.

10
92

EU 'net neutrality' may stop ISPs from blocking child abuse material

Alexander Hanff 1

I haven't changed my tune - the two scenarios are completely different.

In the Phorm situation, citizens' communications were being intercepted, copied, scanned and then the content of those scans used to profile individuals' behaviour. It was active surveillance over which the citizen had zero choice or control.

In the adblocking scenario, communications are scanned for specific patterns which only match advertising code. The content of the comms is not copied and used for profiling behaviour and the citizen has to opt in to the service (if they don't their comms bypass the tech).

Another big difference between the two is in the Phorm case, all parties in the communication were likely to object to the interception. However, in the adblocking case, publishers have a vested interest in not consenting to the activity because they benefit from the ads being blocked.

With the privacy and security issues surrounding programmatic ads and privacy being a fundamental right under European Law (Article 8 of the Charter of Fundamental Rights of the European Union) it is absurd to suggest that publishers should have a veto over a citizen's choice to block ads.

Furthermore, I haven't changed my tune - I have not stated that RIPA doesn't apply in the adblocking case - I have been actively lobbying to have EU Law changed to remove the all party consent requirement for situations where ISP customers have explicitly requested a service (opt in) and I still fully support the prohibition of arbitrary blocking imposed by the ISP without the explicit opt in consent of the customer.

I find it amusing that some people think I need reminding of what I wrote - I don't, I wrote it. I also find it strange that certain people think I have no right to have a different opinion in different situations - the Phorm case and the adblocking scenario are opposites in many respects and it is entirely my right to have a different opinion on both scenarios.

0
0

Ad-blocker blocking websites face legal peril at hands of privacy bods

Alexander Hanff 1

Re: confused - - - -

And you clearly are unable to read as well.

The scripts in question are used for the specific purpose of detecting adblockers - they print a lovely message on the screen saying "YOU ARE USING AN ADBLOCKER PLEASE TURN IT OFF" (or words similar depending on the tool) - their ENTIRE purpose is to detect the use of an adblocker, some even look for specific adblockers as opposed to just any adblocker (for example there are some which block AdBlock Plus but do not block other adblockers - they look for behaviour specifically related to the use of adblock plus).

So please do stop talking so much crap about other scripts, scripts which are not for detecting adblockers etc. The issue discussed between myself, regulators, lawyers and legislators has been specifically about scripts which are designed for the sole purpose of detecting/circumventing adblockers.

You have not been party to those discussions, so please stop trying to tell me what was said in those discussions because you don't know. All discussions have taken place with technical experts and legal experts present - the letter is just a formal written version of the response I received verbally 14 months ago after such a meeting.

Now no matter how many times you guys try to turn this into something it isn't, try to talk about other scripts, other tools or other technologies - it will not change what has happened, it will not change what is going to happen. Legal test cases will be filed, publishers will be investigated and judgments will be made. Get over it already.

If the regulators think there is no legal issue then the judgments will support your arguments - if the regulators think there is a legal issue then the judgments will support my arguments.

2
2
Alexander Hanff 1

Re: This FF22 guy/gal

"in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network"

Adblock detection scripts are nothing to do with carrying out the transmission in the electronic communications networks - their purpose is to detect adblockers.

"their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment."

Which just verifies exactly what I have stated - users need to give their consent - current methods of detection are happening without consent. Also note the "users should have the opportunity to refuse" so these scripts cannot be used until the user is given the opportunity to refuse such activities.

So thanks for your input but if you think it does anything other than verify -everything- I and the European Commission have stated, you seem to be having some issues with your comprehension.

2
0
Alexander Hanff 1

Re: confused - - - -

Javascript specifically developed to detect the use of an adblocker could never be considered as "for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network" - seriously where do you come up with this rubbish?

These scripts are covered by the Directive (as clarified by the European Commission) and fall into the same category as Spyware.

Let me make this clear to you once more - the European Commission -wrote- the law, trying to claim their interpretation of the law is wrong is beyond ridiculous.

It doesn't matter a damn what you think, what I think or what everyone else thinks - what matters is what the Regulators and the EU Commission think and they all agree that this activity is both covered by the Directive and illegal - please get that into your head.

There is a very good reason I spent 14 months traveling Europe talking to regulators and legislators before commencing with any legal actions - to ensure that they would support and act on such actions. So whether you agree with the law or not, whether you agree with my interpretation of the law or not is wholly irrelevant - those responsible for writing and enforcing the law do and we will see what action they choose to take when I file my legal complaints.

And even if these test cases end up in the CJEU - the CJEU -always- relies on recitals for interpretations of laws and the recitals support this viewpoint fully.

Nothing is certain in law (that is why these are "test cases") but there comes a point where you have to admit you are unlikely to win and in this matter the publishers and adtech industry are up against the full weight of regulators and the European Commission - it is not likely they are going to win...

So please do stop posting nonsense - read the law, understand the law and read the opinion of the Commission. I will not respond further to obvious industry trolls repeating the same deliberately incorrect and misleading crap over and over again.

5
0
Alexander Hanff 1

Re: This FF22 guy/gal

Please take the time to read the law and the recitals which explain the law. They very clearly answer your questions and show your thesis to be wrong.

Storage is defined, consent is defined, exemptions exist.

Thanks for your lazy "I can't be arsed to read" input.

1
2
Alexander Hanff 1

Re: @ Alexander Hanff / Ian Thomson

Well that might be the case had I written to the "Your Europe Advice" service but I didn't and the letter has no such disclaimer. I wrote directly to President Juncker who tasked the response directly to Gunther Oettinger.

Still it is nice to know that my stalkers are still wasting their lives obsessing over me.

7
1
Alexander Hanff 1

Re: A blocker to block the anti-blocker

They already exist - but I prefer to take the legal route than keep playing cat and mouse.

4
0
Alexander Hanff 1

Re: They might learn

One day they might actually learn that there is no such thing as "exclusive content" on the Internet - it can -always- be found somewhere else.

3
1
Alexander Hanff 1

Re: For those using HOSTS file blocking...

As I stated below, the ePD is not restricted to personal information, it covers all information.

1
0
Alexander Hanff 1

Re: Bull

The ePrivacy Directive doesn't require access to "personal information" it covers ALL information as highlighted in the European Commission's letter. The main point of the amendments in 2009 (Article 5(3)) was to deal with spyware, malvertising and behavioural tracking/profiling - it is not the Data Protection Directive it is the ePrivacy Directive and exists for completely different purposes to the DPD.

The European Commission regards adblock detection as a form of Spyware; it also falls under the category of behavioural profiling (using an adblocker is a "behaviour").

3
0
Alexander Hanff 1

Re: confused - - - -

The javascript is STORED on the device before it is executed - it has to be in order to be executed.

The web page (and how it is rendered) is STORED on the device.

The STORED javascript inspects the DOM of the STORED web page to determine whether or not an Ad has been rendered.

All of this falls under the definition of 5(3).

The javascript is embedded into the html document either inline or linked to as an external script by the developer - it doesn't just magically end up in there all on its own - it is put in there with the sole purpose of accessing information on the client to determine whether or not an adblocker has been used.

Exemptions exist for a service explicitly requested by the user (so javascript which is detecting screen resolution, orientation etc for the purpose of responsive design is completely legal) and I really wish adverpologists would stop deliberately attempting to obfuscate the discussion by making these false claims that all javascript would suddenly become illegal (especially since the exemptions are listed in the Commission letter).

So it is you who are misunderstanding the law, not me misunderstanding the technology.

5
1
Alexander Hanff 1

Re: confused - - - -

It is nothing to do with personal data - the ePrivacy Directive forbids access to -any- information on the terminal equipment of the user and also forbids web sites from storing any information on that same terminal equipment without clear consent which is informed and freely given.

AdBlock detectors are embedded as javascripts into the html files the publisher puts on their web server (either embedded directly inline or linked to) - the user is not aware of this until the web page is downloaded and viewed in their browser - the script then analyses the information stored on your terminal equipment (the web page) to see if the ads have been removed, without the consent of the user.

So the detectors are in breach of both parts of the law:

1. When they are stored on the computer/device

2. When they execute and access information stored on the computer/device.

It is really straightforward.

4
1
Alexander Hanff 1

Re: One way online advertising might change?

It takes no effort to not read his drivel or respond to it. Every time one of you does answer him, it gives him a rise, feeds his narcissistic need for attention. Best thing to do is completely ignore him.

2
2
Alexander Hanff 1

Re: Server jurisdiction and legality

Under current rules (95/46/EC, 2002/58/EC) any company which is based in the EU or processes data in the EU is required to follow our laws. There is a very long list of case law supporting this not least the Right to be Forgotten case in the CJEU last year but also (for closer to home) the Vidal-Hall vs Google case in the UK, Belgian DPA vs Facebook, French DPA vs Google, French DPA vs Facebook etc etc etc.

So in short all EU companies are obliged to follow EU law and it is important to note that even if they are exporting the data outside of the EU they can only lawfully do so if the country it is being sent to has laws which are at the least equivalent to EU privacy and data protection laws.

And as stated above for any company which is not based in the EU but is processing data in the EU they also have to follow our laws.

In 2018 when the General Data Protection Regulation comes in any company (whether or not they are based in the EU or process data in the EU) which targets EU citizens will be required to follow our laws in relation to EU citizens (some Judges & legislators already believe this to be the case under our existing laws but there is some ambiguity which will be removed by the new Regulation).

5
0
Alexander Hanff 1

Re: Lots of people hate adverts...

I am not even remotely concerned about advertising - I fully support ad supported content. What I don't support is the illegal non-consensual tracking and profiling by adtech companies. Contextual Ads still generate over 90% of all display ad revenues and privacy respecting, contextual advertising is not a problem for me.

My work for the last decade has been focused on the illegal behavioural profiling and tracking.

12
0
Alexander Hanff 1

Re: Click here to view this title.

Not sure when I will be in the North again - I am hosting a privacy event in London on 29th but I am totally booked up travelwise for the next 2-3 months speaking at events and having meetings on adblocking.

1
0
Alexander Hanff 1

None of the cookie banner solutions currently being used are compliant with EU Law - so no they can't be used to cover adblock detectors to make it legal.

The way current cookie banners work is they simply display a message - they literally do nothing else (in most cases - there are some very limited exceptions). The cookies are placed on your machine before the cookie notice is even displayed to the user - this is illegal.

Furthermore, the cookie banners do not have an "I don't agree" option, only an "I agree" option (which is also illegal).

So yeah ICO tried to throw this idea at me when I had my meeting with them and in the end agreed that this wouldn't work and that yes currently these banners are non-compliant. ICO also agree that the detectors are illegal as well and have agreed to accept my formal complaint against UK publishers and adblock detection developers - they even expressed an interest in a joint investigation with other DPA's as they did with the Google case back in 2012.

So yes, even the usually toothless ICO are in agreement that this is ILLEGAL.

In my discussions with the EU Commission they also agreed with me that because using an adblocker is a clear facilitation of a user's rights under Recital 66 and is an explicit and deliberate action - it could not be overwritten by any implied consent (cookie banners rely on implied consent) - the use of an adblocker is a direct denial of consent from these users.

10
0
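The banner behaviour described in the comment above (cookies placed before the notice is shown, no option to refuse, reliance on implied consent) can be checked mechanically from a recorded page load. This is an added example, not part of the original post; the trace format, cookie names, purpose labels and the choice to exempt only cookies labelled strictly necessary are all assumptions made for illustration.

```python
"""Audit a page-load trace for the consent failures described above."""
from dataclasses import dataclass

# Assumption: the auditor has already labelled each cookie's purpose.
EXEMPT_PURPOSES = {"strictly-necessary"}
# Assumption: button labels that count as a way to refuse.
REFUSAL_LABELS = {"refuse", "reject", "decline", "i don't agree"}


@dataclass
class Event:
    t_ms: int      # milliseconds since navigation start
    kind: str      # "set-cookie", "banner-shown" or "consent"
    detail: dict


def audit(events):
    """Return a sorted list of (code, subject) findings for one page load."""
    findings = set()
    banner_seen = False
    decision = None  # None until the user acts, then "accept" or "refuse"
    for ev in sorted(events, key=lambda e: e.t_ms):
        if ev.kind == "banner-shown":
            banner_seen = True
            labels = {o.strip().lower() for o in ev.detail["options"]}
            if not labels & REFUSAL_LABELS:
                findings.add(("NO_REFUSE_OPTION", "banner"))
        elif ev.kind == "consent":
            decision = ev.detail["decision"]
        elif ev.kind == "set-cookie":
            name, purpose = ev.detail["name"], ev.detail["purpose"]
            if purpose in EXEMPT_PURPOSES or decision == "accept":
                continue
            if decision == "refuse":
                findings.add(("SET_AFTER_REFUSAL", name))
            elif not banner_seen:
                findings.add(("SET_BEFORE_NOTICE", name))
            else:
                # Banner is on screen but the user has not chosen anything.
                findings.add(("SET_ON_IMPLIED_CONSENT", name))
    return sorted(findings)


def cookie(t_ms, name, purpose):
    return Event(t_ms, "set-cookie", {"name": name, "purpose": purpose})


# Constructed trace: a banner that only displays a message.
TYPICAL_BANNER = [
    cookie(40, "sessionid", "strictly-necessary"),
    cookie(55, "_adtrack", "advertising"),
    Event(900, "banner-shown", {"options": ["I agree"]}),
    cookie(1500, "_analytics", "analytics"),
]

# Constructed trace: nothing optional is stored until the user accepts.
GATED = [
    cookie(40, "sessionid", "strictly-necessary"),
    Event(300, "banner-shown", {"options": ["I agree", "I don't agree"]}),
    Event(4000, "consent", {"decision": "accept"}),
    cookie(4010, "_analytics", "analytics"),
]

# Constructed trace: the user refuses and a tracker is stored anyway.
REFUSED = [
    Event(300, "banner-shown", {"options": ["I agree", "I don't agree"]}),
    Event(2000, "consent", {"decision": "refuse"}),
    cookie(2050, "_adtrack", "advertising"),
]

if __name__ == "__main__":
    for label, trace in (("typical", TYPICAL_BANNER), ("gated", GATED),
                         ("refused", REFUSED)):
        print(label, audit(trace))
```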
Alexander Hanff 1

Average ad revenues per year per user for publishers is less than £0.50 according to industry reports. Wired are currently charging > 8x that per month for their subscription.

This is one of the problems with subscription models - for some reason publishers think it is sensible to charge literally hundreds of times the amount they would get per user per year for their subscription fees. £50 per year is not a sustainable model for subscription to online content (per site) it will fail and is down to sheer greed.

Publishers need to either start forming group subscription models where users gain access to many publications giving those publishers revenues which are in line with ad revenues if they want to replace ads with subscriptions - or - they need to reduce their subscription costs to micropayment levels in line with ad revenues.

But they do the opposite - they try to charge ridiculous subscription fees far far higher than the revenues they make per user from advertising and then guess what - they still throw advertising in as well - and wonder why subscription numbers are so low?

Then they go down another illegal route and start pushing "branded content" (aka native content or "advertorials"). I was at a publishing event in Paris just a week ago and they were talking about adblocking - their solution? Disguise advertising as content - again this is also illegal.

It beggars belief.

9
2
Alexander Hanff 1

Re: Ok, just RTFC

I don't want to seem like I am making light of everything you typed with a short reply but it is really simple - it is illegal. There has been extensive discussion on this at regulatory levels and device fingerprinting is illegal under 5(3) without consent if it doesn't fall under specific exemptions (which I can't think of any situation where it might).

I read a long research paper on Canvas Fingerprinting a number of years ago and brought it to the attention of the EU Commission - there was zero doubt in their mind it is illegal.

8
1
Alexander Hanff 1

Re: What about..

Canvas Fingerprinting is also illegal under 5(3) of 2002/58/EC and has been covered by an Article 29 Working Party Agreement from 2014. So if you detect that sites are using this method you should first complain to the site and if they do not change their behaviour, fire off a complaint to your regulator.

If your regulator refuses to enforce, get in touch with the EU Commission and file a complaint against your country for failing to uphold your fundamental rights, request the EC initiate infringement proceedings.

And however unlikely you might think this is to succeed - it worked against Phorm and forced the UK to change RIPA. The Commission have advised me to do the same thing with Member States who do not enforce our rights regarding adblock detectors.

9
0
Alexander Hanff 1

Re: Grey Areas

I spent the last 6 months speaking at industry events (both advertising and publishing) warning them they are breaking the law and suggesting they find a better way. 500 million (roughly 25% of Internet users globally) blocking ads because of privacy and other concerns is quite possibly the world's biggest ever protest. The current model is unsustainable and instead of trying to find a way which is acceptable to Internet users they choose instead to go to war with them using illegal tools to infringe on the fundamental rights of the people.

So don't tell me I haven't given them a chance to fix the situation, I have - repeatedly.

Now the time for action has arrived.

26
1
Alexander Hanff 1

Re: Bull

No they don't.

15
2
Alexander Hanff 1

Re: Grey Areas

Then they should lobby to have the law changed to allow this - because whether you agree with the law or not does not mean you are free to disobey it.

20
1
Alexander Hanff 1

Why are you guys even bothering to respond to FF22 (I no longer will) he is quite obviously an industry troll. Here are the facts:

Adblock detection tools store and execute scripts on the client to detect behaviour of that client (are they using an adblocker).

The EU Commission state (very clearly in their letter to me) that this is illegal - the EU Commission wrote the law.

The Regulators have stated (in my discussions with them) that this is illegal - the Regulators enforce the law.

So again, why are we responding to some random industry troll who neither wrote the law (and therefore knows what it is meant to do) nor enforces the law?

Don't feed the troll.

28
0
Alexander Hanff 1

Re: Bull

The people who write the laws, the people who enforce the laws all disagree with you - so good luck arguing your incredibly poor interpretation in the courts - you will fail.

31
3
Alexander Hanff 1

Re: Bull

The javascript file itself is stored and is illegal. Period.

29
4
Alexander Hanff 1

Re: @Alexander Hanff 1

No you are missing the exemptions as I explained below. Also if you actually read the letter from the EU Commission you will notice they mention the exemptions as well.

Please do read the information provided, it saves me repeatedly typing the same information over and over and over again.

33
3
Alexander Hanff 1

Re: Click here to view this title.

I live in Poland so £5 will buy a barrel lol :) (of Vodka)

34
0
Alexander Hanff 1

Re: Publishers could simply

I am fighting for (and have been doing so for the last 10 years) the removal of non-consensual tracking and behavioural profiling (which actually only makes up around 7.5% of display ad revenues according to the industry's own research). My campaign is about privacy not about ads. Also, as I have stated a number of times there are legitimate and legal ways to detect adblockers - the issue here is none of the tools being used currently do this in a legal way.

I also think it is ok for publishers to block content to people who refuse to view their ads - but they must do it legally - currently they are doing it illegally.

But this campaign is also about publishers who are not just illegally detecting adblockers but circumventing them (which is also illegal) and no publisher has any right whatsoever to circumvent the choice of a consumer and display the ads despite knowing the user has refused consent.

36
1
Alexander Hanff 1

Re: Grey Areas

No the law is actually quite sensible and gives some exemptions for purposes strictly necessary to provide a service the user has requested. Detecting browser resolution in order to render the page properly would fall under such an exemption.

Even detecting device via the user-agent to see what the pixel density is (retina or not) would fall under the same exemption.

But it is also about the purpose that data is used for - if the user-agent, browser resolution, font list etc are then re-used to create a device fingerprint for identification purposes - that is when it becomes illegal (this was covered by an Article 29 Working Party opinion from 2014).

It should be noted as well that making changes to existing cookie banners would not make this legal either for a number of reasons:

1. Cookie banner solutions are currently not compliant with the law (they place the cookies before the page is even rendered and the user has seen the banner)

2. Recital 66 of the ePrivacy Directive allows the use of "browser settings or other applications" to indicate whether or not you consent to the storage or access to stored information. In my discussions with regulators and the Commission, such an action by the user (installing an adblocker) would be seen as an explicit denial of consent as it is based on a specific and deliberate action of the user, which cannot be nullified by an implied consent from a "cookie banner" (these banners rely on consent being implied). Explicit trumps implied every time.

29
1
Alexander Hanff 1

Re: Bull?

I suspect it is one of my stalkers - the language of his comment matches that of a stalker I have had for the past 8 years, I just ignore them.

24
2
Alexander Hanff 1

Re: Bull

You are wrong - I have researched a large number of the adblock detection solutions and they all work by storing a javascript on the computer of the user which then checks how the page is rendered - whether specific elements exist or have been removed from the DOM.

Furthermore as pointed out by the EU Commission - the law is relevant for ANY information stored or accessed and is not limited to personal data. In fact the EU Commission rightfully categorise adblock detection tools as spyware as per Recital 24 and Recital 65.

I note you also spammed my Twitter feed with your nonsense - I suggest you actually go and learn something about the law before reporting back to your adblock detection company.

I have been working on these issues for 10 years and know the law very well - I have been researching adblock detection for the last 14 months and have spoken to 10 different regulators in Europe as well as the EDPS and EU Commission - all of them (yes even ICO in the UK) agree with my analysis.

I should add though that the letter from the EU Commission is not my reason for taking legal action - it was always my intention to do so which is why I started the work 14 months ago. Back in February last year I had a face to face meeting with DG Justice at the EU Commission in Brussels and they confirmed my concerns verbally. As I was approaching the point where I will begin filing legal complaints, I decided that having that opinion in writing would be useful so earlier this year I wrote to the President of the EU Commission asking for them to formalise our original discussion in writing.

97
4

Pro-privacy titan Caspar Bowden dies after short cancer battle

Alexander Hanff 1

He will be missed

Caspar was a rare man - his integrity, morals and conviction were paramount to everything he did. I will miss him.

6
0
