Proposed amendments to ePrivacy Regulation are great

The work on ePrivacy continues and enters a hot period. I’m interested in it from the very beginning, I’m also actively involved in these works, also as a stakeholder. The draft proposal with amendments is now public. Being involved in those works, I’m impressed how good suggestions and remarks have actually reached to the reporter’s document.

In this note I will highlight some very interesting concepts, some of them unprecedented on a world scale. If passed, it would be a major redefinition of security and privacy regulation landscape with a global impact. This is a move we should anticipate; the fact that policy is seriously considering these kind of aspects is unprecedented itself.
Let’s get on to the changes. The actual draft with proposed amendments can be found here

First and foremost - the report often highlights the need of highest technically available protection, the need to anonymize processed data, and the need for careful security and privacy designs where user data are concerned. For example, there is an intention to request making the methods used to anonymize or process sensitive information such as location data or metadata (Amendment 15) public. In other words, a Privacy Impact Assessment with description of technology and technical processing may need to be made public. This is very good as not only it builds user trust in the digital economy, but requires high standards from the parties that process data. Amendment 17 recognizes that the original proposal from June for ePrivacy decreases protection, and the whole spirit of the proposed amendments is to boost the “Privacy” part of “ePrivacy”.

Although there are plenty of tiny but very important changes, in this note I’m focusing on the big concepts.

End-to-end encryption

Ladies and Gentlemen, end-to-end encryption enters the halls of the European Parliament. Amendment 116 ships end-to-end encryption, the strongest available to mankind mode guaranteeing confidentiality of communication. In this mode, only end users have access to communication - the providers (software, or ISP even upon the request of external parties) are unable to peek into the contents of communication. We cite it in verbatim:

“the confidentiality and safety of the transmission are also guaranteed by the nature of the means of transmission used or by state-of-the-art end-to-end encryption of the electronic communications data. Furthermore, when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited. Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services”

This is means: strong confidentiality of communication, impossibility to reverse the encryption (“unlock encryption”), no backdoors, and no monitoring of such communication. There is also a clause that Member States are prohibited to request the decrease of such cybersecurity and privacy technologies. This particular Article 17 would significantly improve the cybersecurity of European Union.

Selling of web browsing history not allowed

Amendment 17 and a number of others decrease the risk that selling of web browsing history will go mainstream in Europe, as in the USA. It will not be possible to offer contracts that are bundled with additional services such as profiling, data mining or selling of web browsing history. If the user has no free choice, the consent for the whole processing becomes invalid. This stark contrast with the changes in USA is positive.

Protection of sensitive data and mechanisms

The proposal makes it clear that processing of data with the potential to reveal behavioural data, psychological features, emotional conditions, preferences requires strict protection and are subject to strict rules of user awareness and consent. This for example relates to software such as operating systems or web browsers which offers a lot of information about the user and his behavior. In this particular case, I speak not only about the widely-known tracking and profiling, but also about accessing sensors data. Since I work on this topic, you can read about some of these on this blog. Examples: stealing browsing history using light sensors, battery information bring privacy issues, even proximity sensors or vibrations deserve care). This particular amendment would require increased transparency and control from operating systems and web browsers, which often still have some room for improvements.

Consequently, ePrivacy would explicitly require web browsers to offer permissions prior accessing sensitive browser mechanisms, such as geolocation sensor, microphone, camera - but I would argue, also other sensors. In that sense, these would absolutely need to be subject to browser permissions. Web browser vendors often complain that their current permission models aren’t good enough and require a lot of consent popups and consequently users become tired from having to constantly click on the consent dialogues such as “do you allow this website to access this or that”. This is an interesting opportunity to improve the privacy user interfaces and designs (I argue for this for a few years now!). In this sense, ePrivacy Regulation would become visionary.

Do Not Track

This is a key issue. ePrivacy speaks pretty directly about the often neglected W3C-backed Do Not Track. If passed, users will be able to express their opinion about the preferences on being tracked using simple browser settings. Furthermore, ePrivacy would provide teeth and powers to Do Not Track, which would become a method to signal binding and enforceable decisions about user preferences. Websites would then be obliged to respect this setting. For users it’s good because the solution is simple. For websites, this solution is better than the previous one proposed in January, as ambiguity is removed.

That’s not all. ePrivacy finally mentions operating systems - I still don’t know why the January version did not even mention them once. This is good because operating systems are the places which may offer easy global settings that all applications would need to abide to.

Subtle point of interest. Although the concept of Do Not Track is mostly related to the web and browsers, ePrivacy envisions the same mechanism for other technologies - so for example bluetooth, connected cars, and so on. In this sense, ePrivacy would become visionary and provides for possibilities to innovate.

In fact, Do Not Track solutions are referenced in multiple places of the proposed text. Ignoring the choices of privacy settings would risk bringing fines up to 10,000,000 euros or 2% annual worldwide turnover.

Tracking walls are banned

The report proposes to ban cookie/tracking walls. In other words, if a user chooses not to be tracked, he should not be barred from accessing website content. This is a good change but its logic might be difficult to grasp. The following question is helpful: would you like to buy Internet of Things device which stops working after a year unless you consent to tracking? This is a question of whether user’s data might be treated as currency.

Internet of Things security and privacy

The proposal aims at establishing strict security and privacy protection, whenever Internet of Things devices work on data related to users. It’s a good change, as regulatory shaping is the only way to incentivize serious consideration of security and privacy in this booming sector. This move makes the whole Internet safer.

Thinking beyond cookies

Amendments to ePrivacy propose to think beyond cookies. It may start using the neutral and technically broader concept of an “identifier”. I’m very happy with this particular change. I argued and spoke about this particular item. I hope it helped.

Wifi/Bluetooth MAC/IMEI tracking

This point was among the most controversial aspects of the original January proposal of ePrivacy. The amendment intends to always require user consent, if device identifiers are used for advanced tracking (e.g. profiling) beyond the mere statistical counting. This would mean, for example, that the Transport for London plans to use wifi mac tracking for variations of personalised display of ads may not be made so effortlessly.

Security updates cannot harm privacy

Amendment to Article 8 allows access to user terminal when security updates are concerned, but only if: the user knows about it, has consented, and that the update do not changes other user-selected settings, for example referring to privacy. For example, if the user has switched on privacy settings (e.g. limit tracking), or has disabled Bluetooth (and there are justified privacy concerns here), a security update - which should be incremental - is not going to make any unwanted settings. In other words: security updates must be specific packages and should not be bundled with other unwanted things.

I attended Article 8 Roundtable and heard request for exceptions allowing additional processing. I also heard counter-arguments . I provided some. This particular changes is justified.

Privacy settings are a must

All software needs to have privacy settings. Period. These also need to offer “privacy modes”, which must be easily available during the use of software.

Lots of tiny changes

Difficult to list them all, but in overall they greatly improve security and privacy. Communication data is to be protected not only in transit but also at rest, processing is allowed only when “technically strictly necessary”, some exceptions are possible “only if” (we can call this language “active regulation hacking”, I’ll probably need to prepare a few presentations after all this ;-) - ping me if interested). On the other hand, it's puzzling why the European Commission hasted to release such a minefield back in January.

Lastly, the proposed amendments broaden the scope of infringements subject to fines up to 20,000,000 euros (or 4% worldwide annual turnover).

Executive summary

With respect to the original proposal released in January, these amendments significantly improve security and privacy properties of the regulation. This is a step in a great direction. There are also two unprecedented issues: end-to-end encryption and Do Not Track are under serious consideration.

The end-to-end aspect is additionally of interest due to the world-wide campaign of weakening cryptography and introducing backdoors. Such voices are in the USA, Australia, Germany, France, and UK. These last points put ePrivacy on a potential collision course with the supposedly imminent regulations negatively affecting cybersecurity and privacy.