Kooky Policy (sorry, I meant cookie..)
In my previous post on cookies and privacy in the new EU Directive, I mentioned, in passing, the question of user consent. I think it’s time to return to that for a closer look. First, a couple of references to set context:
- Ralf Bendrath’s comment, here, on the recently-adopted Stockholm Programme. This, he notes, includes an amendment in which the European Parliament
“… stresses that the EU is rooted in the principle of freedom. Security, in support of freedom, must be pursued through the rule of law and subject to fundamental rights obligations. The balance between security and freedom is to be seen in that perspective”.
This is a clear indication of the way the Parliament thinks that balance ought to tilt.
- This analysis from Pinsent Masons’ Out-Law blog, in which they compare the text of the new cookie law with the interpretation of the same by some online advertising bodies. The advertisers point to a clause in the preamble of the telecom package, which says:
“Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC [the Data Protection Directive], the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application.”
According to the advertisers, this lets them off the hook – because a user’s consent can be inferred from the fact that their browser is set to allow cookies or block them.
However, there are several rather fatal flaws in that argument. A couple are pointed out by Struan Robertson (whose previous analysis I quoted in my other post):
“Most browsers don’t default to blocking all cookies and most people don’t change their browser settings, so it’s hard to say that effective consent is conveyed by browser settings,” said Robertson. “Also, browsers can’t tell you the purpose of a cookie.”
On a strict interpretation, the point about “purpose” ought to be fatal in itself: it would generally mean that relying on the browser setting to imply consent would fail the test of compliance with the Data Protection Directive (purpose of collection == purpose of use); if the user has no indication of purpose of collection, how can they meaningfully consent (and how can inappropriate use be detected)?
Next – given the number of people who pay little or no attention to the default cookie settings of their browsers (assuming they are even aware of them in every browser or internet terminal they use), it would be tough for a website owner to prove that the setting in effect on a given visit was chosen by the user, as opposed to merely being a default setting. What’s more, the new law repeatedly mentions the need for the user to be clearly informed before access is effected to their device – so this law isn’t just calling for implied consent, it’s calling for informed and explicit consent. (Note the clear qualification in the preamble: “Where it is technically possible and effective…”).
Now, it’s fair to argue that explicit consent is an unreasonable expectation unless and until there is a general change in people’s awareness of cookies… and advertisers will doubtless maintain that it’s not their fault we like to ignore or dispense with cookie warnings in the interests of convenience. But that argument can also reasonably be countered by saying that poor consent-seeking practice up to now can hardly be used to excuse it in future.
Finally, the Pinsent Masons article makes one other extremely valuable contribution to the debate, in quoting Commissioner Reding’s clarificatory comments on the question. I use the word clarificatory in its loosest possible sense.
According to the Commissioner, there are two kinds of cookie: “technical cookies”, without which the internet would cease to function (and which, therefore, we are presumably to allow without question), and “spy cookies”, which are the ones this law is clearly intended to regulate.
This reminds me of that Not The Nine O’Clock News sketch in which a disgruntled aide induces his president to include phrases like “cupcakes” and “big, floppy, dangly bits” in a public address.
Quite apart from the glaring absurdity of browser manufacturers now having to enhance their products to include a Privacy Settings option which allows users to turn “spy cookies” off while leaving “technical cookies” in place, there’s also the minor (though not entirely unexpected) problem that the law itself does not, of course, make any mention of these mythical creatures.
We all understand the difficulties which can arise when a legislator tries to express technical concepts in terms which are meant to be accessible either to other legislators or to the general public – but the perfectly-coiffured Commissioner has been in post now for almost exactly five years. Surely that – and her professional career as a journalist – must have taught her the danger of such ill-conceived dumbing-down?
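As an added illustration (not part of the original post): the distinction the Commissioner is reaching for can be drawn, but only by the site that sets the cookie, since only the site knows each cookie's purpose; the browser never does, which is Robertson's point above. The sketch below, in Node-style JavaScript, gates outbound Set-Cookie headers and inbound Cookie headers on an explicit, purpose-specific consent record. No record, or a permissive browser default, counts as no consent, and a cookie the site has not registered with a purpose is treated as non-essential and blocked. The cookie names, the purpose categories and the shape of the consent record are assumptions made for this example, not anything the Directive or the quoted commentators specify.

```javascript
'use strict';

// Added example: a server-side cookie gate. Purpose registry: every cookie
// the site may set, with its declared purpose. "necessary" cookies (session,
// CSRF) are the "technical" kind; everything else needs consent for that
// purpose. Names and purposes are assumptions for illustration.
const COOKIE_REGISTRY = {
  sid:      { purpose: 'necessary',   description: 'login session' },
  csrf:     { purpose: 'necessary',   description: 'CSRF token' },
  lang:     { purpose: 'preferences', description: 'UI language' },
  _ga_like: { purpose: 'analytics',   description: 'site analytics' },
  ad_id:    { purpose: 'advertising', description: 'ad profile' },
};

// A consent record is explicit: the purposes the user opted into, when, and
// which consent UI they saw. A missing record is NOT consent.
function purposeAllowed(purpose, consent) {
  if (purpose === 'necessary') return true;
  if (!consent || !Array.isArray(consent.purposes)) return false;
  return consent.purposes.includes(purpose);
}

// Unregistered cookies have no declared purpose, so they are never allowed.
function cookiePurpose(name) {
  const entry = COOKIE_REGISTRY[name];
  return entry ? entry.purpose : 'unknown';
}

// Extract the cookie name from a Set-Cookie header value.
function setCookieName(header) {
  const m = /^\s*([^=;\s]+)=/.exec(header);
  return m ? m[1] : null;
}

// Filter outbound Set-Cookie headers against the consent record.
// Returns { kept, dropped } so the dropped ones can be logged/audited.
function filterSetCookie(setCookieHeaders, consent) {
  const kept = [];
  const dropped = [];
  for (const h of setCookieHeaders) {
    const name = setCookieName(h);
    const purpose = name ? cookiePurpose(name) : 'unknown';
    (purposeAllowed(purpose, consent) ? kept : dropped).push(h);
  }
  return { kept, dropped };
}

// Reading a cookie back is also "access" to the device, so inbound Cookie
// headers get the same gate: only consented purposes are exposed to the app.
function readableCookies(cookieHeader, consent) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (purposeAllowed(cookiePurpose(name), consent)) out[name] = value;
  }
  return out;
}

// Constructed sample: a response that tries to set one cookie per purpose,
// plus one the site never registered.
const SAMPLE_SET_COOKIES = [
  'sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  'csrf=tok456; Path=/; Secure; SameSite=Strict',
  'lang=en; Path=/; Max-Age=31536000',
  '_ga_like=GA1.2.1; Path=/; Max-Age=63072000',
  'ad_id=xyz; Path=/; Max-Age=63072000',
  'mystery=1; Path=/',
];

// Constructed consent record: the user accepted analytics only.
const SAMPLE_CONSENT = {
  purposes: ['analytics'],
  givenAt: '2009-12-01T10:00:00Z',
  uiVersion: 'banner-v1',
};

function demo() {
  const outbound = filterSetCookie(SAMPLE_SET_COOKIES, SAMPLE_CONSENT);
  const inbound = readableCookies('sid=abc123; ad_id=xyz; _ga_like=GA1.2.1', SAMPLE_CONSENT);
  return { outbound, inbound };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real deployment the consent record would be stored server-side, keyed to a first-party "necessary" cookie, together with the list of purposes that was actually displayed when consent was given, because the site has to be able to show consent for a given visit rather than infer it from the browser's default setting.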
Seminar – Kantara Identity Assurance Framework in the Healthcare Arena
Reusable, trustworthy electronic identities are “a must” for emerging Health Information Exchanges and the Nationwide Health Information Network. This seminar focuses on the role the Kantara Identity Assurance Framework (IAF) will play in making this a reality. The co-Chairs of the Kantara Healthcare Identity Assurance Work Group provide a walk-through of the IAF, a description of standardized assurance levels, a review of the IAF Accreditation Program, and a call for participation to the Healthcare IT community.
Kaspersky on Internet Anonymity
Noted anti-virus vendor Eugene Kaspersky has weighed extravagantly into the larger security problem, arguing that “anonymity causes security headaches and should be outlawed” (http://blogs.computerworld.com/14940/eugene_kaspersky_wants_no_net_anonymity). So he wants an Internet Passport.
This is surely madness. The social repercussions are obvious, while it’s not at all clear what problem it might solve.
Most cybercrime is actually associated with an *excess* of arbitrary identification, with inadequate safeguards. For the average user, anonymity in reality has become a luxury. The simplest credit card purchase requires an inordinate amount of identifying information to be divulged, to total strangers, who then pass it all onto third party processors no one has ever heard of.
Mainstream authentication is so difficult to use that most users choose the same password for all services. The Federated Identity and Single Sign On movements, typified by OpenID, amount to the same thing. Everything gets linked to everything else. This is hardly the “anonymity” that Kaspersky so dreads.
It’s also likely that, like many before him, he’s underestimated the legal complexity and cost associated with general purpose Internet identities. Who will issue and warrant an Internet passport, vouchsafing the bearer in all contexts? This is what’s stopped authentication broker schemes to date. Some of my own analysis of these issues is presented in brief at http://lockstep.com.au/library/babysteps/babyste13-identity-silos and http://lockstep.com.au/library/babysteps/babystep-15-introducing-ident.
Of course, what would happen is that any real world Internet passport would come with risk-managed warranty limitations. It wouldn’t be good for all conceivable transactions, only ones that the issuer has been able to analyse and circumscribe. For other uses, the holder would need to supplement their passport with other credentials suited to the context … and we’d be back where we started.
Advocates of Internet passports should re-visit how a conventional passport works, and reconsider their metaphor. A passport is not a universal key to cross all borders; many countries require you to obtain a visa, to make sure you meet their security, cultural and political norms. That is, risk profile, appetite and management strategies vary from one country to another (just as they vary in e-business from one segment to another) and there really is no universal passport.
So I say to Kaspersky, an Internet passport is utopian, and proper anonymity would be a blessing! To solve cybercrime, we don’t need any new passport, rather we need to protect the plurality of identities we already have against online theft and abuse.
Posted on behalf of:
Stephen Wilson
Lockstep Group
http://www.lockstep.com.au
EU to legislate on cookies
UK readers will probably remember one of those legal wrangles which make for such easy satire – the protracted argument over whether a Jaffa Cake is a cake or a biscuit (for VAT purposes, of course…)
It looks as though the European Commission is heading towards a similar argument about cookies – though there may not be much discussion, as the Directive in question has apparently already been approved and merely awaits a few signatures and a rubber stamp or two.
This is about amendments to 2002/58/EC, the Directive on Privacy and Electronic Communications. There are amendments to several areas of the original Directive, but the one which is currently exercising an articulate group of higher-education identity federation experts is nicely summarised here, by Struan Robertson of law firm Pinsent Masons. I recommend a read of his blog post; it isn’t often you see a lawyer describe proposed legislation as “breathtakingly stupid”… but I should also point out that he makes that comment off his own bat, so to speak, and not on behalf of his employers.
The amendments in question are apparently intended to regulate the storing and use of cookies on end users’ devices. I say “apparently”, because the further one gets into the practicalities of it, the less clear it is how the legislation could be put into any meaningful practice.
I’ve no doubt the intent of the amendments is both clear and laudable: to improve privacy outcomes for (EU) citizens going about their online life. In practice, though, there are pitfalls which the legislation seems doomed to encounter – several of them probably fatal.
The way the amendment is phrased (it’s a replacement of Article 5.3, for those who like to read that kind of thing – see Struan’s post, or read p.77 of the document here if you prefer the unexpurgated version) makes it fairly clear to me that what they are trying to regulate is access to the end user’s machine. In other words, if you want to put something on my PC, or read something you put there earlier, you will need to be able to show that I gave my consent. As I say, laudable and straightforward. Until you start to go through the permutations:
- What if I’m using my PC outside the EU?
- What if I’m inside the EU, but accessing a cookie-setting site which is outside the EU?
- What about non-EU citizens, in the EU, accessing EU sites?
- Or non-EU citizens accessing EU sites from elsewhere?
- Or non-EU citizens accessing non-EU sites via a mobile device, roaming through an EU telco?
- … and so on and so on…
There are many other aspects one could dive into similarly – such as “what counts as consent?”, or “how on earth will users cope with all those pop-ups” – but we haven’t got all week.
Before long, a yawning gap opens up between what the legislation is capable of saying, and what it would take to describe something implementable. Depressingly, this really should not have come as a surprise either to the legislators or their drafters. After all, this is merely the next evolution of some quite long-standing network-mediated problems:
- the advent of satellite broadcasting introduced us to the problems of whether such services were to be regulated at the “up-link”, the “down-link”, or some combination of both;
- internet e-commerce has given us plenty of opportunities to work out how you establish distance contracts, between parties under different regulatory regimes.
On that basis, there seems to me to be no excuse for this current legislative initiative to be so woefully half-baked.
All of which brings us back, in a way, to the humble Jaffa Cake; and why not? For those who didn’t follow the saga, this went as far as a court case between leading manufacturer McVitie and Her Majesty’s Customs and Excise, as they were at the time. The conclusion was that legally, they are cakes. The court found that a cake is something which starts off soft and goes hard when it gets stale… whereas a biscuit, they found, starts off hard and goes soft as it gets stale. The majesty of the law leaves me awe-struck sometimes, it really does.
Kantara will align methods for secure login
Please Note: This article was originally written in Dutch and appears on the site Automatisering Gids (English: “Automation Guides”). The article has been translated by Google Translate here: http://bit.ly/3Dqc4A. The direct link to the original article is here: http://bit.ly/1cvvwg
October 23rd, 2009 – by Richard Keijzer
Various parties have tried to develop a general-purpose, secure login system for distributed environments, resulting in a series of such systems. The Kantara Initiative aims to forge these individual systems into a single whole.
These are mainly the XML-based SAML, Microsoft’s Information Cards and OpenID from the OpenID Foundation.
The latter is favoured by sites such as Google and Yahoo!, while Info Cards play a major role on sites where Microsoft holds sway. SAML is used by commercial websites that are ‘single sign-on’ capable. “All three techniques allow the user to log in at one point, after which he or she gets access to all related sites,” says Matthew Gardiner of CA in the United States. Gardiner is involved, on behalf of his employer, in the Kantara project, which is an amalgam of the individual techniques. Gardiner: “The three methods look broadly similar to each other; the differences are in the details. For us, the trick is to map all those differences onto a joint mechanism.”
Single sign-on is an approach that arose in the distributed ICT systems of large companies. An employee logs in once and has access to all subsystems and applications for which they are authorized. This approach has migrated from the intranet to the Internet, with all the dangers that entails. Where on an intranet it is not necessary to guard constantly against interception of communications, on the Internet it certainly is.
“And don’t forget privacy. You’re working on a public network and you must ensure that additional information does not fall into the wrong hands. It’s bad enough when personal information reaches the wrong parties, and then we haven’t even got to liability. Look at the situation where large numbers of login credentials end up on the street, as recently happened with Hotmail. Who is to blame, and who should pay if a lawsuit is brought? More importantly, how could this have been avoided?” says Gardiner. Once liability has been determined, another trial may follow over the amount of compensation payable.
Securing such a complex process can prevent data falling into the wrong hands. The methods mentioned are known as federated security, meaning that they work across a combination of environments. “You could call it a federation of websites. Within this combined environment the user can do anything; his identity travels with him, as it were. When the user calls a specific function, an identity check can be carried out in the background on the basis of the earlier login. The more universal the control, the more effectively it works. And that is the purpose of Kantara. We are seeking a security system that is not dependent on a specific platform or a particular technology. The ultimate goal is an electronic gatekeeper that can run on all systems in the world,” says Gardiner.
Kantara sees itself as a standards organization in which the members are in control. Gardiner: “It is a peer-to-peer consultation structure, without firm direction from above. Because the members have freedom, new ideas can be quickly submitted and discussed. In practice that works fine, as far as we have been able to establish. Kantara only started in the middle of this year, so we have actually been operating this way for too short a time to make definitive statements.”
OpenID, Information Cards and SAML
OpenID: This method allows an existing login to provide additional information, so that access can be granted to services on other websites. Examples include an email address or other personal information. OpenID was created in 2005 as an open-source system. The technique is already used by sites such as Google, Facebook and Yahoo!
Info Cards: Like OpenID, this places identification with the user. The mechanism was designed for Vista, to put an end to the situation where people need to remember long strings of passwords. “The password will soon be a thing of the past,” prophesied Bill Gates at the launch in 2006. It is the successor to Passport, a Microsoft security method that flopped.
SAML: The Security Assertion Markup Language is the oldest technology. The foundation was laid in 2001, and the first working version appeared a year later. The technique is based on XML and uses strong encryption. The method examines each packet in which information is sent and checks whether it fits within the prescribed limits. Permission to send data is always requested, without the user noticing it.