Directive on Privacy and Electronic Communications

Although it has met with a flood of outrage from computer users and service providers, this legislation is, for once, technically better-informed than most of the commentary that has been written about it.
The directive (2002/58/EC) was originally called the `Telecommunications Data Protection Directive', but has now been renamed the `Directive on Privacy and Electronic Communications'. It is due for implementation by October 2003, and must therefore be incorporated into national legislation by that date. The UK Government will probably begin consultation on how best to implement the directive early in 2003.

Scope

The legislation covers all public electronic communication systems, not just computers and the Internet, although service providers operating over the public Internet are most significantly affected. Nothing in the legislation affects the rights of agencies of the state to monitor communications. Specifically excepted are: ``public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law''. There are, of course, existing safeguards against abuse by the state of facilities for interception of communications (e.g., Regulation of Investigatory Powers Act, 2000).

Privacy

Measures are to be put in place to protect the privacy of confidential data in transit and in storage (article 3). In practice, computer-to-computer communication can easily be protected against unauthorised access by a technique such as SSL. Protection of data held by the service is part of the overall access control policy of the service provider. Presumably a provider that takes reasonable precautions to prevent unauthorised access, using the technology available at the time, will comply with this part of the directive. Interestingly, service providers will be obliged to inform end users of potential security limitations that lie outside the control of the provider. For example, providers may be obliged to warn users about the risks associated with sending and receiving information using unencrypted protocols. States are required to legislate for this privacy protection, which means that it will be made an offence to eavesdrop on Internet communications, among other things.

Cookies

The most controversial aspect of the new legislation is probably the `cookie clause' in the preamble. To be sure, the legislation does not explicitly address the fact that the use of cookies is almost essential in all modern e-commerce systems. For example, cookies are used to coordinate the ongoing sequence of interactions between a Web browser and a Web server for the duration of a session. While this can be achieved in other ways, the use of cookies simplifies things considerably. In this kind of use, the cookie itself contains no personal data, just a token that identifies the client on the server. An attempt to prohibit this use of cookies would clearly be found unacceptable by service providers and knowledgeable users. In fact, however, the Directive does not attempt to limit the use of cookies; it merely states that users should be ``offered the opportunity to refuse'' a cookie. This could easily be accomplished by warning users on entry to a service that to proceed further will result in a cookie being dispatched. The Directive does not require service providers to find ways to operate that don't rely on cookies; on the contrary, it explicitly says that use of a service may be made conditional on acceptance of a cookie.

In my opinion, this section of the legislation would have been improved if it had been explicitly limited to cookies that are capable of allowing the elucidation of personal data; in most e-commerce applications cookies are used merely for session management, and contain no such information.
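To make the session-management use of cookies concrete, here is an added example (not code from the original article) of a server that keeps all per-client state behind a random token, and sends the cookie only after the user has been told about it and has chosen to continue. The function `handle_request`, the in-memory `_sessions` store, the cookie name `session` and the `accept_cookie` query parameter are all assumptions made for the illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"
SESSION_TTL = 30 * 60   # seconds a session stays valid on the server

# Server-side session store: opaque token -> per-client state.  The token is
# the only thing that ever leaves the server inside the cookie; anything
# personal stays in this dictionary.  (In-memory, for the example only.)
_sessions = {}


def _parse_cookies(cookie_header):
    """Turn a raw Cookie: header into {name: value}."""
    jar = SimpleCookie()
    if cookie_header:
        jar.load(cookie_header)
    return {name: morsel.value for name, morsel in jar.items()}


def _lookup_session(token, now):
    """Return the live session for token, dropping it if it has expired."""
    sess = _sessions.get(token)
    if sess is None:
        return None
    if now - sess["created"] > SESSION_TTL:
        del _sessions[token]
        return None
    return sess


def _set_cookie_header(token):
    # HttpOnly keeps page scripts away from the token, Secure keeps it off
    # clear-text HTTP, and SameSite=Lax stops most cross-site reuse of it.
    return f"{SESSION_COOKIE}={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def handle_request(path, cookie_header="", query=None, now=None):
    """Serve one request and return (status, headers, body).

    Three outcomes:
      * a valid session cookie arrives -> the page, no new cookie;
      * ?accept_cookie=yes arrives     -> a session is created, the cookie
                                          is set, and the client is redirected;
      * neither                        -> a notice explaining the cookie,
                                          and nothing is set.
    """
    query = query or {}
    now = time.time() if now is None else now
    token = _parse_cookies(cookie_header).get(SESSION_COOKIE, "")
    sess = _lookup_session(token, now) if token else None

    if sess is not None:
        sess["hits"] += 1
        body = f"Welcome back: request {sess['hits']} of this session."
        return 200, {"Content-Type": "text/plain"}, body

    if query.get("accept_cookie") == "yes":
        token = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        _sessions[token] = {"created": now, "hits": 0}
        headers = {"Location": path, "Set-Cookie": _set_cookie_header(token)}
        return 302, headers, ""

    notice = (
        "This service uses a session cookie that holds only a random "
        "identifier, no personal data. Continuing will set that cookie.\n"
        f"Continue: {path}?accept_cookie=yes"
    )
    return 200, {"Content-Type": "text/plain"}, notice


if __name__ == "__main__":
    print(handle_request("/shop"))
    status, headers, _ = handle_request("/shop", query={"accept_cookie": "yes"})
    cookie = headers["Set-Cookie"].split(";")[0]
    print(status, headers["Set-Cookie"])
    print(handle_request("/shop", cookie_header=cookie))
```

Note that a request carrying a token the server has never issued, or one whose session has expired, falls through to the notice again rather than to an error: the server never trusts the cookie's contents, only its own store.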

Limitation on storage of personal information

Service providers may store information about subscribers for the purpose of billing and establishing communication (article 12); it appears that they need not seek explicit consent for this. Such data may be stored only for as long as it is necessary for the provision of the service. All other uses of personal data -- this includes enabling the provision of other services by the same supplier -- require the informed consent of the subscriber. This means that service providers can't collect subscribers' e-mail addresses and use them for subsequent distribution of promotional material without explicitly getting consent. Subscribers must be offered the opportunity to refuse consent to further communications on each occasion a message is dispatched. The sale of e-mail addresses for marketing purposes will also be restricted.

Anti-spam measures

Another much-commented passage is in article 13: ``The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or electronic mail for the purposes of direct marketing may only be allowed in respect of subscribers who have given their prior consent.'' In other words, individuals must be protected from spamming. The Directive does not specify what technical measures are to be put in place to effect this measure (but see the discussion of sender addresses below). It appears also that spamming for purposes other than `direct marketing' might not be caught by this clause. So, for example, unsolicited invitations to sign up for free services, which lead on to further advertising, may not be `direct marketing' for these purposes.
A particular point of controversy in this measure is that it allows member states to decide whether consent should be on an `opt-in' or `opt-out' basis. `Opt-in' means that a service provider may assume consent to receiving unsolicited messages in certain circumstances, but must give an opportunity to withdraw consent. `Opt-out' means that the service must seek consent before any mailing. It appears that the UK will probably adopt a `soft opt-in' scheme, where it will be lawful for an on-line service to send unsolicited mail to existing customers, but it must seek consent in advance to mail anyone else.

As part of the anti-spam measures, the use of false sender information in e-mail headers is to be prohibited. If you are familiar with the SMTP protocol you will know that the sender's e-mail address is arbitrary: senders can include any information in this field, and the e-mail service has little opportunity to check its correctness. This is exploited by spammers to avoid the flood of complaints that they would otherwise receive after each bulk mailing. The problem with this measure is that there is little or nothing that service providers can do to enforce it. As an individual Internet user I can, if I wish, set up the e-mail client on my home computer to send e-mails with a false sender address. If I do so, then it would be extremely difficult for anyone offended by one of my mailings to trace me. It would be possible, for a person with sufficient technical knowledge, to trace the message back to an ISP; going beyond that point may require the ISP to divulge information about its subscribers.
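The tracing step described above can be shown in code. The following is an added example, not part of the original article: it parses the `Received:` lines of a constructed message (documentation addresses only) and separates the unverifiable sender fields from the one fact a receiving site can rely on, namely the IP address of the machine that connected to its own mail server. The message text, the function names and the `own_hosts` set are assumptions made for the illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed message for the example.  The top Received: line was stamped
# by our own server; everything below it, and the From: and Return-Path:
# lines, arrived over SMTP as plain text supplied by the sending side.
SAMPLE = """\
Return-Path: <anyone@example.net>
Received: from mx.example.org (mx.example.org [192.0.2.10])
        by mail.example.com with ESMTP id abc123
        for <alice@example.com>; Mon, 3 Feb 2003 10:00:00 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
        by mx.example.org with ESMTP id def456; Mon, 3 Feb 2003 09:59:00 +0000
Received: from home-pc (dsl-pool-42.isp.example [203.0.113.42])
        by relay.isp.example with SMTP id ghi789; Mon, 3 Feb 2003 09:58:00 +0000
From: "A. Stranger" <someone@somewhere-else.example>
To: alice@example.com
Subject: hello

(body)
"""

# "from <host> (<reverse-name> [<ip>]) by <host>", the form most MTAs write.
_HOP = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_fields(raw):
    """The two sender addresses a reader sees; SMTP verifies neither."""
    msg = email.message_from_string(raw)
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
    }


def relay_chain(raw):
    """Received: hops, newest first, as {'from', 'ip', 'by'} dicts."""
    hops = []
    for value in email.message_from_string(raw).get_all("Received", []):
        m = _HOP.search(value)          # folded lines are matched by \s+
        if not m:
            continue
        ip = _IP.search(m.group("info") or "")
        hops.append({"from": m.group("from"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by").rstrip(";").lower()})
    return hops


def origin_ip(raw, own_hosts):
    """IP of the last machine that talked to a server we run.

    Only hops stamped by our own hosts can be trusted; the sending side
    could have invented every Received: line below them.
    """
    last_trusted = None
    for hop in relay_chain(raw):
        if hop["by"] not in own_hosts:
            break
        last_trusted = hop
    return last_trusted["ip"] if last_trusted else None


if __name__ == "__main__":
    print(sender_fields(SAMPLE))
    for hop in relay_chain(SAMPLE):
        print(hop)
    print("connecting host:", origin_ip(SAMPLE, {"mail.example.com"}))
```

The point of `origin_ip` is the trust boundary: a site that runs only `mail.example.com` learns that 192.0.2.10 delivered the message, and the hops beneath that line are merely claims. Getting from such an address and timestamp to a person is the step the article notes requires the cooperation of the ISP that holds the subscriber records.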

Comments

Despite the general concern, there is little for legitimate service providers to fear in the new legislation. It will be necessary to ensure that users are told about the privacy implications of using the service, and some care will have to be taken to enable users to withdraw from direct marketing systems without penalty. These are all things that most service providers currently do anyway. The measures relating to privacy of stored personal data are mostly covered by legislation already. Unscrupulous operators that don't want to comply will probably be able to avoid the consequences of their actions unless they are particularly careless. In practice the real problems tend not to arise within the EU anyway. The fact that the legislation will be difficult to enforce does not, of course, detract from its validity. The majority of computer users will probably welcome the clear condemnation of unreasonable spamming, even if it can't easily be backed up by action.

©1994-2003 Kevin Boone, all rights reserved